NAT – AWS private subnet cannot hit S3 using VPC endpoint

Tags: amazon-vpc, amazon-web-services, nat

I have a private subnet in my VPC. I've SSHed into this instance from a public subnet. Using a NAT gateway, I'm able to run aws s3 ls and see all my buckets with no issues.

Once I delete the NAT gateway from the route table associated with my private subnet and add my VPC endpoint that opens full access to S3, I still can't list my buckets. What are some of the things I could be doing wrong?

The network ACL I have associated with both of my subnets is totally open.

Best Answer

This is a very good resource for troubleshooting VPC endpoint to S3 issues: https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/

The TL;DR troubleshooting steps are:

  1. DNS resolution must be enabled in your VPC
  2. Be sure there's a route to Amazon S3 using the gateway VPC endpoint
  3. Ensure the available outbound rules allow traffic to Amazon S3
  4. Be sure the network ACL rules allow inbound traffic from TCP ports 1024-65535 and outbound traffic to Amazon S3
  5. Review the endpoint policy. Check if the policy blocks access to the S3 bucket or to the IAM user affected by the connectivity issues.
  6. Check the bucket policy allows access from the gateway VPC endpoint and the VPC that you want to connect.
  7. Be sure the IAM user or role being used has the correct permissions to access Amazon S3
  8. Make sure your AWS CLI configuration is correct.
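As an added example (not part of the original answer or of AWS's article), the following Python runs the mechanical parts of that checklist, steps 1, 2, 4 and 6, over data shaped like the output of `aws ec2 describe-vpc-attribute`, `describe-route-tables`, `describe-network-acls` and `aws s3api get-bucket-policy`. All sample data is constructed here to reproduce the asker's situation: a "totally open" NACL, DNS resolution on, but a route table that lost its NAT route without gaining a route to the endpoint. The endpoint ID, prefix list ID, bucket name and helper names are placeholders I chose, not values from the post; in practice you would load the real CLI JSON into these variables.

```python
"""Offline pass over the gateway-endpoint troubleshooting list (added example)."""
import json

VPCE_ID = "vpce-0123456789abcdef0"   # assumed placeholder for the S3 gateway endpoint
S3_PREFIX_LIST = "pl-0example"        # assumed placeholder for the regional S3 prefix list

# Constructed: DNS resolution is on (the default for a VPC).
VPC_ATTRIBUTES = {"EnableDnsSupport": {"Value": True}}

# Constructed: the private subnet's route table after the NAT route was deleted
# but before the endpoint was associated with it (the likely failure in the question).
ROUTE_TABLE_BROKEN = {
    "RouteTableId": "rtb-0example",
    "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
}
# Constructed: the same table once the endpoint is associated (AWS adds the prefix-list route).
ROUTE_TABLE_FIXED = {
    "RouteTableId": "rtb-0example",
    "Routes": ROUTE_TABLE_BROKEN["Routes"]
    + [{"DestinationPrefixListId": S3_PREFIX_LIST, "GatewayId": VPCE_ID, "State": "active"}],
}

# Constructed: a "totally open" NACL like the asker's (allow-all at 100, default deny at 32767).
NACL_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]

# Constructed: a bucket policy that admits requests only from one (different) endpoint.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyViaEndpoint", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0fedcba9876543210"}},
    }],
}


def dns_resolution_enabled(attrs):
    """Step 1: enableDnsSupport must be true or the S3 hostname never resolves."""
    return bool(attrs.get("EnableDnsSupport", {}).get("Value"))


def has_endpoint_route(route_table, vpce_id):
    """Step 2: the subnet's table needs an active prefix-list route targeting the endpoint."""
    return any(
        r.get("GatewayId") == vpce_id and "DestinationPrefixListId" in r and r.get("State") == "active"
        for r in route_table["Routes"]
    )


def nacl_permits(entries, egress, port):
    """First-match NACL evaluation (lowest RuleNumber wins) for one TCP port."""
    rules = sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"])
    for rule in rules:
        if rule["Protocol"] not in ("-1", "6"):      # only all-traffic or TCP rules can match
            continue
        pr = rule.get("PortRange")
        if rule["Protocol"] == "6" and pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return rule["RuleAction"] == "allow"
    return False  # implicit deny when nothing matches


def nacl_ok(entries):
    """Step 4: outbound must allow 443 (the request) and inbound must allow every
    ephemeral port 1024-65535 (S3's replies), since NACLs are stateless."""
    return nacl_permits(entries, True, 443) and all(
        nacl_permits(entries, False, p) for p in range(1024, 65536)
    )


def bucket_policy_admits_vpce(policy, vpce_id):
    """Step 6: a Deny conditioned on StringNotEquals aws:SourceVpce blocks every
    endpoint not listed; confirm ours is in the list."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        allowed = st.get("Condition", {}).get("StringNotEquals", {}).get("aws:SourceVpce")
        if allowed is None:
            continue
        if vpce_id not in ([allowed] if isinstance(allowed, str) else allowed):
            return False
    return True


def run_checklist(route_table, vpce_id=VPCE_ID):
    """Return one boolean per check so the failing step is obvious."""
    return {
        "dns_resolution": dns_resolution_enabled(VPC_ATTRIBUTES),
        "endpoint_route": has_endpoint_route(route_table, vpce_id),
        "nacl": nacl_ok(NACL_ENTRIES),
        "bucket_policy": bucket_policy_admits_vpce(BUCKET_POLICY, vpce_id),
    }


if __name__ == "__main__":
    for label, table in (("before", ROUTE_TABLE_BROKEN), ("after", ROUTE_TABLE_FIXED)):
        print(label, json.dumps(run_checklist(table)))
```

With the constructed data the "before" run fails the route check (step 2) and the bucket-policy check (step 6) while DNS and the NACL pass, which matches the symptom in the question: the open NACL is not the problem, the missing route and a restrictive bucket policy are the places to look. Steps 3, 5, 7 and 8 (security group egress, endpoint policy, IAM permissions, CLI config) still need the manual review the answer describes.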