How exactly do I allow on-prem client app to access S3 objects when VPC is using direct connect?


When a client app is on-prem and AWS is set up with Direct Connect to the corporate on-prem network, how exactly can the client app gain access to the S3 objects? For example, suppose a client app simply wants to obtain JPG images that live in an S3 bucket. What type of configuration do I need to make to the S3 bucket permissions? What configuration do I need to do at the VPC level?

I'd imagine that since Direct Connect is set up, this would greatly simplify an on-prem app gaining access to an S3 bucket. Correct? Would VPC endpoints come into play here?

Also, one constraint here: the client app is not within my control. The client app simply needs a URL it can reach for the image. It cannot easily be changed to support sending credentials in the request, unfortunately. This may be a very important constraint worth mentioning.

Any insight is appreciated. Thank you so much.

2

There are 2 best solutions below

3
Sabareesh Muralidharan
0
BenoitDE

I had a very similar issue to solve, also searching like you for how to force the client to use Direct Connect to download content from S3.

In my case, the client is an on-prem load balancer facing the internet that needed to serve content hosted on S3 (CloudFront was not possible).

Two articles already mentioned are important to take into account, but not sufficient:

  1. Direct Connect for a virtual private interface https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-access-direct-connect/ => Needed to set up all the VPC endpoints and routing between on-prem and AWS.

  2. https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#accessing-bucket-and-aps-from-interface-endpoints => Partially explains how to access a bucket using VPC endpoints.

The missing information from the latter AWS page is what URL structure you need to use to connect to your S3 endpoint. Here is the structure I found to work:

https://bucket.[vpc-endpoint-id].s3.[region].vpce.amazonaws.com/[bucket-name]/[key]

With that scheme, you can address any object in one S3 bucket through the S3 VPC endpoint using a normal web request.

We use that concept to securely serve files hosted in an S3 bucket via our on-prem load balancer and a specific domain name, using our Direct Connect capacity.

The LB just rewrites the URL and gets the files directly from the S3 bucket. The real client doesn't even know that the file is actually served from S3 in the backend.
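As an added worked example (not part of BenoitDE's answer or of any AWS tooling), here are the three pieces a practitioner needs around that URL scheme, in Python: building the path-style interface-endpoint URL, the bucket policy that lets an unauthenticated GET succeed only when it arrives through that endpoint (the question's client sends no credentials, so the object has to be readable without them, and the aws:SourceVpce condition is what keeps that grant from being a public bucket under S3 Block Public Access), and the load-balancer rewrite confined to one URL prefix so that only the intended part of the bucket is exposed. The endpoint id, region, bucket name and hostnames are invented for the example.

```python
"""Added example: interface-endpoint URL, VPCE-scoped bucket policy and a
prefix-restricted LB rewrite for anonymous S3 reads over Direct Connect.
All identifiers below (vpce id, region, bucket, hostname) are made up."""
import json
import re
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

# Interface endpoint ids look like vpce-<hex>-<suffix>; the regional S3
# interface-endpoint DNS name embeds the id verbatim.
_VPCE_RE = re.compile(r"^vpce-[0-9a-f]+-[0-9a-z]+$")


def vpce_object_url(vpce_id: str, region: str, bucket: str, key: str) -> str:
    """Return https://bucket.<vpce-id>.s3.<region>.vpce.amazonaws.com/<bucket>/<key>.

    The key is percent-encoded; '/' is kept so key prefixes map to URL paths.
    """
    if not _VPCE_RE.match(vpce_id):
        raise ValueError(f"not an interface endpoint id: {vpce_id!r}")
    host = f"bucket.{vpce_id}.s3.{region}.vpce.amazonaws.com"
    return f"https://{host}/{bucket}/{quote(key, safe='/')}"


def vpce_read_only_bucket_policy(bucket: str, vpce_id: str, prefix: str = "") -> dict:
    """Bucket policy granting anonymous s3:GetObject on <prefix>*, but only for
    requests that enter S3 via the given interface endpoint. Without the
    aws:SourceVpce condition this would be a fully public read grant."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadViaInterfaceEndpointOnly",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
                "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
            }
        ],
    }


def rewrite_for_s3(public_url: str, public_prefix: str, vpce_id: str, region: str,
                   bucket: str, key_prefix: str = "") -> Optional[str]:
    """Simulate the on-prem LB rewrite: a client request for
    https://<lb-host><public_prefix>/<rest> becomes the endpoint URL for object
    key <key_prefix><rest>. Paths outside public_prefix, empty paths and
    '..' segments are refused (None) so the LB never exposes the whole bucket."""
    path = urlsplit(public_url).path
    if not path.startswith(public_prefix) or ".." in path.split("/"):
        return None
    rest = unquote(path[len(public_prefix):].lstrip("/"))  # decode once, re-encode in vpce_object_url
    if not rest:
        return None
    return vpce_object_url(vpce_id, region, bucket, key_prefix + rest)


if __name__ == "__main__":
    VPCE, REGION, BUCKET = "vpce-0123456789abcdef0-abcd1234", "eu-west-1", "my-images"
    print(vpce_object_url(VPCE, REGION, BUCKET, "photos/cat 1.jpg"))
    print(json.dumps(vpce_read_only_bucket_policy(BUCKET, VPCE, "photos/"), indent=2))
    print(rewrite_for_s3("https://images.example.com/img/cat%201.jpg", "/img",
                         VPCE, REGION, BUCKET, key_prefix="photos/"))
    print(rewrite_for_s3("https://images.example.com/admin/x.jpg", "/img",
                         VPCE, REGION, BUCKET))  # None: outside the exposed prefix
```

Two checks before relying on this in production: from the on-prem side, confirm that `bucket.<vpce-id>.s3.<region>.vpce.amazonaws.com` resolves to the private IPs of the endpoint's network interfaces and that the route to those addresses goes over the Direct Connect private virtual interface, otherwise the request may silently fall back to the public S3 path and the aws:SourceVpce condition will deny it; and pair the bucket policy with an endpoint policy on the interface endpoint that lists only this bucket, so the endpoint cannot be used to reach other buckets.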