Firewall – How to restrict outbound EC2 to only access S3

amazon ec2amazon s3firewalloutboundrules

I want to restrict the outbound security group from an EC2 instance. The instance only needs to access an S3 bucket. I just learned that S3 uses port HTTPS (443). I could just put that rule in place to allow any connection to any ip as long as it is HTTPS, but is it possible to just allow the EC2 instance to access the S3? Is there any ip connected to the S3 bucket or can I set one?

Best Answer

is it possible to just allow the EC2 instance to access the S3? Is there any ip connected to the S3 bucket or can I set one?

S3 uses many IPs. I suspect it would be difficult to nail down a list of them all. Additionally, there is no IP-to-bucket mapping, and it is not possible for you to specify an IP for a bucket. S3 is a managed service that AWS runs, and they have sole full control over their IP address usage for the service.

If you need to filter at this level, the easiest thing to do is to use a forward proxy (like squid) with a default deny ACL and then allowing only access to the S3 domain.

Best Answer

Related Solutions

Firewall – Are EC2 security group changes effective immediately for running instances

EC2 instance is blocking all outbound connections, how to diagnose/fix

Related Topic