Hands-On Demo: Creating S3 and VPC Endpoints

In this hands-on session we will explore the creation of S3 and VPC endpoints. The demonstration covers two types of VPC endpoints, gateway style and interface style, and then shows how to access S3 through each of them. Let’s dive right in!

Gateway Style VPC Endpoint

Gateway endpoints provide access to Amazon S3 through your Virtual Private Cloud (VPC). They enable secure and private communication between your VPC and S3. Here’s how to create one:

  1. Access the AWS Management Console: Log in to your AWS account and navigate to the AWS Management Console.
  2. Create a Gateway Endpoint:
    • Click on “Services” and select “Virtual Private Cloud (VPC).”
    • In the left-hand navigation pane, choose “Endpoints.”
    • Click on the “Create Endpoint” button.
  3. Configure the Endpoint:
    • Make sure you are in the correct AWS region where you want to provision the endpoint.
    • Type “S3” in the search bar and select the “Gateway Style” endpoint for S3.
  4. Select the VPC:
    • Choose the appropriate VPC for your use case.
  5. Configure Routing:
    • Configure a routing table in your VPC to direct traffic to the S3 gateway endpoint. This involves setting a routing rule with the destination as the S3 DNS name (e.g., usc1.s3.amazonaws.com) and targeting the gateway VPC endpoint.
  6. Endpoint Policies:
    • Customize endpoint policies using the S3 resource account condition key. These policies define what actions are allowed through the gateway endpoint (e.g., list, put, get objects).
  7. Create the Endpoint:
    • Provide a name for your gateway endpoint (e.g., “Demo Gateway Endpoint”) and click “Create Endpoint.”
  8. Verify Routing: Check your routing table to ensure that the routing rule for the S3 gateway endpoint has been added.

Interface Style VPC Endpoint

Interface endpoints expose S3 on private IP addresses inside your VPC, so S3 can be reached directly from on-premises networks or from cross-region applications. Here’s how to set up an interface style VPC endpoint:

  1. Navigate to the Endpoint Creation Page: Go back to the AWS Management Console and access the endpoint creation page.
  2. Create an Interface Endpoint:
    • Ensure you are in the correct region.
    • Type “S3” in the search bar and select the “Interface Style” endpoint for S3.
  3. Configure Security Groups:
    • Define the security groups that will control access to the interface endpoint. You may use existing security groups configured to allow access to IAM users.
  4. Endpoint Policies:
    • Similar to the gateway endpoint, you can customize endpoint policies for the interface endpoint. Paste the same endpoint policies used for the gateway endpoint.
  5. Create the Endpoint:
    • Provide a name for your interface endpoint (e.g., “Demo Interface Endpoint”) and click “Create Endpoint.”
  6. Activation Time: Interface endpoints may take a few seconds to become available. Check the status of your endpoint in the AWS Management Console.
  7. DNS Names: On the endpoint’s details page you will find the regional DNS name and the zonal DNS names, each tied to the Elastic Network Interface (ENI) in its Availability Zone.

Accessing S3 via Endpoints

Now that you have created both types of VPC endpoints, let’s see how to access S3 objects through them.

Using Interface Style Endpoint

  1. Resolve the endpoint-specific DNS names of the interface style endpoint and check the IP addresses they return.
  2. Use the DNS name of the interface endpoint in the AWS CLI to list objects in your S3 bucket.

Using Gateway Style Endpoint

  1. Access S3 through the standard S3 regional DNS name. The traffic will route via the gateway endpoint due to the routing rule set earlier.
  2. Use the standard S3 commands in the AWS CLI to interact with S3 objects via the gateway endpoint.
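The pieces of this demo that are easy to get wrong are the endpoint policy (steps 6 and 4 above) and the verification that traffic really goes through the endpoint. The following is an added example, not code from the original post: it builds an endpoint policy scoped to one account with the `s3:ResourceAccount` condition key, checks a route table for the gateway endpoint route, and derives the `--endpoint-url` the AWS CLI needs for the interface endpoint. Account id, prefix list id, endpoint ids and the route table contents are constructed placeholders, and it uses only the standard library, so it runs offline.

```python
# Constructed placeholders (not from the page): account id and the S3 prefix list id
# that appears as the route destination once a gateway endpoint is created.
ACCOUNT_ID = "111122223333"
S3_PREFIX_LIST_ID = "pl-0example"


def s3_endpoint_policy(account_id, actions=("s3:GetObject", "s3:PutObject", "s3:ListBucket")):
    """Endpoint policy allowing only the listed actions, and only against buckets
    owned by account_id (s3:ResourceAccount). Without that condition, any bucket
    in any AWS account is reachable through the endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OnlyOwnAccountBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": "*",
            "Condition": {"StringEquals": {"s3:ResourceAccount": account_id}},
        }],
    }


def gateway_route_present(route_table, prefix_list_id):
    """Step 8 check: does this route table (one entry of `aws ec2 describe-route-tables`
    output) send the S3 prefix list to a gateway VPC endpoint (vpce-...)?"""
    return any(
        r.get("DestinationPrefixListId") == prefix_list_id
        and r.get("GatewayId", "").startswith("vpce-")
        and r.get("State") == "active"
        for r in route_table.get("Routes", [])
    )


def interface_endpoint_url(endpoint_dns_name):
    """Turn the regional DNS name from the endpoint details page
    ('*.vpce-...s3.<region>.vpce.amazonaws.com') into the --endpoint-url for the
    AWS CLI; 'bucket.' replaces the wildcard so virtual-hosted-style requests
    resolve to the endpoint's ENIs instead of the public S3 address."""
    return "https://bucket." + endpoint_dns_name.lstrip("*.")


def s3_ls_via_interface(bucket, endpoint_dns_name):
    """argv for listing a bucket through the interface endpoint with `aws s3 ls`."""
    return ["aws", "s3", "ls", f"s3://{bucket}",
            "--endpoint-url", interface_endpoint_url(endpoint_dns_name)]


# Constructed sample resembling describe-route-tables output after the gateway endpoint exists.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": S3_PREFIX_LIST_ID, "GatewayId": "vpce-0example", "State": "active"},
    ],
}
```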

Congratulations! You have successfully created and configured S3 and VPC endpoints, and you now know how to access S3 objects securely using these endpoints.
