Endpoint routing

If a database has to upload a backup to a private S3 bucket in the same region, that traffic should not go over the internet but should take a private, internal route: a VPC endpoint. With this kind of route, you avoid passing through the internet to reach an AWS service, such as S3, DynamoDB, or CloudWatch, and gain speed, security, and cost savings (internet-bound traffic is billed). To see all of the services that offer a VPC endpoint, take a look at the official documentation at https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html.

Here, we will configure the first available VPC endpoint, the one for the S3 service, as follows:

  1. Go to VPC | Endpoints | Create Endpoint:

  2. Leave the default AWS service and select the S3 service, as seen in the following screenshot:

  3. Select the VPC that you are working on, and all of the route tables to modify:

  4. Now, you can see a new route rule, as shown in the following screenshot:

Keep in mind that this will work for all of the buckets created in the same region as the VPC. In this example, it is us-east-1, North Virginia.

In the AWS documentation for the Endpoints for Amazon S3 at https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints-s3.html, there is an interesting hardening rule for the S3 bucket policy, as follows:

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-039f31bfec07367ea"
        }
      }
    }
  ]
}

I have changed this by adding my VPC endpoint ID, vpce-039f31bfec07367ea, instead of the one in the documentation. With this rule, the bucket my_secure_bucket will only be reachable from the VPCs that are associated with that endpoint.
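As an added example (not from the book or the AWS documentation), the following Python script models the IAM condition evaluation behind the policy above, using the bucket name and endpoint ID from the text, so you can check offline which request paths the Deny statement catches before applying it to a real bucket. It goes a little beyond the text by spelling out why a request that carries no aws:sourceVpce key at all (the internet path) is also denied.

```python
import fnmatch

BUCKET = "my_secure_bucket"
ENDPOINT_ID = "vpce-039f31bfec07367ea"  # endpoint ID used in the text


def build_policy(bucket, vpce_id):
    """Bucket policy from the text: deny anything not arriving via vpce_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Access-to-specific-VPCE-only",
            "Principal": "*",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def condition_matches(condition, context):
    """Evaluate a Condition block against the request context (key -> value).
    IAM rule this policy relies on: the negated StringNotEquals is true when
    the key is absent, and an internet request has no aws:sourceVpce at all.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the key is missing
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def denied_by_policy(policy, action, resource, context):
    """True if an explicit Deny statement in the policy matches the request."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

Only the Deny statement is modelled, so "not denied" here means the request still needs an Allow from IAM or the bucket policy to succeed.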
