AWS Cloud Operations & Migrations Blog

Best practices: AWS Outposts in a multi-account AWS environment: Part 2

This post is written by Karl Schween, Principal Solutions Architect at AWS.

This post is part two of the two-part series ‘Sharing AWS Outposts in a multi-account AWS environment’, providing guidance and considerations for sharing AWS Outposts and Amazon S3 on Outposts across multiple AWS accounts.

AWS Outposts is a fully managed service that extends AWS infrastructure, services, and tools to virtually any data center, co-location space, or on-premises facility for a truly consistent hybrid experience. With AWS Outposts, you can run some AWS services locally and connect to a broad range of services available in the local AWS Region. Amazon S3 on Outposts delivers object storage to your on-premises AWS Outposts environment to meet local data processing and data residency needs. Using the S3 APIs and features, S3 on Outposts makes it easy to store, secure, tag, retrieve, report on, and control access to the data on your Outpost. Outposts supports workloads and devices requiring low latency access to on-premises systems, local data processing, data residency, and application migration with local system interdependencies.

In this post, you will learn different models for sharing Amazon S3 on Outposts with your workload account to align with your operating model. You will also learn how to create an AWS RAM resource share for ‘S3 on Outposts’ and how to apply the shared S3 on Outposts resource to your workload.

In part one, ‘Sharing AWS Outposts in a multi-account AWS environment: Part 1’, you learnt the benefits of using multiple accounts for Outposts, where to place Outposts inside your AWS Organizations organization, and approaches to sharing Outpost resources across your AWS accounts. You learnt different models for sharing Outpost resources with your workload account to align with your operating model.

This post uses AWS Command Line Interface (CLI) examples. To utilize these, you must first install and configure the AWS CLI. For more information, see Installing the AWS CLI.

Amazon S3 on Outposts

With Amazon S3 on Outposts, you can create S3 buckets on your AWS Outposts and store and retrieve objects on premises for applications that require local data access, local data processing, and data residency. When sharing Amazon S3 on Outposts, your resource management can be streamlined to help reduce operational overhead, provide consistency for sharing resources, and provide visibility into shared accounts usage. By using AWS RAM, you share the ‘S3 on Outposts’ resource to let your builders create, manage, and access Amazon S3 on Outposts buckets and objects from their workload account.

When sharing, consider the S3 on Outposts specifications, including that the S3 on Outposts bucket owner account is always the owner of all of the objects in the bucket, and only the S3 on Outposts bucket owner account can perform operations on the bucket. S3 on Outposts requires an Outpost subnet. You can use an Outpost subnet shared with your consumer account or create the Outpost subnet in an Amazon VPC in your consumer account.

S3 on Outposts access points are named network endpoints that are attached to buckets that you can use to perform Amazon S3 object operations. When you create an access point for an S3 on Outposts bucket, you create the access point in the same account where you created the S3 on Outposts bucket. You can’t use an access point created in a different account to the one where you created the bucket.

S3 on Outposts endpoints route requests to an S3 on Outposts access point. You can create one Outpost endpoint per Amazon VPC, and this endpoint can be assigned to only one Outpost subnet. Endpoints for the same Outpost can be created only from Amazon VPCs that have non-overlapping CIDR blocks. To allow Amazon S3 API actions to S3 on Outposts buckets and objects, you must configure ingress rules on port 443/tcp in the security group assigned to the endpoint.

If you receive the response ‘The Outposts endpoint couldn’t be created’ when creating an endpoint using the AWS CLI s3outposts create-endpoint command, then check for existing Outposts endpoints across all of the accounts that the Outpost is shared with for overlapping VPC CIDR blocks. If you receive the response ‘Endpoint with this VPC id already exists’, then check for existing endpoints for the VPC using the AWS CLI s3outposts list-endpoints command.
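Both endpoint-creation failures described above can be caught before calling create-endpoint, provided you collect list-endpoints output from every account the Outpost is shared with. The following Python pre-flight check is an added example and is not code from the original post or from AWS; the JSON is constructed sample data shaped like the list-endpoints response, and the field names it reads (Endpoints, EndpointArn, OutpostsId, VpcId, CidrBlock) are assumed from the S3 on Outposts Endpoint API structure, so verify them against your own CLI output.

```python
"""Pre-flight check for `aws s3outposts create-endpoint` on a shared Outpost.

Rules checked, both taken from the troubleshooting guidance above:
  * one endpoint per VPC ("Endpoint with this VPC id already exists"), and
  * endpoints on the same Outpost must sit in VPCs with non-overlapping CIDRs
    ("The Outposts endpoint couldn't be created").
"""
import ipaddress
import json

# Constructed sample: `aws s3outposts list-endpoints` output gathered from three
# accounts that the Outpost op-0000000000000001 is shared with (assumed field names).
SAMPLE_LIST_ENDPOINTS_BY_ACCOUNT = {
    "111111111111": json.dumps({"Endpoints": [
        {"EndpointArn": "arn:aws:s3-outposts:us-west-2:111111111111:outpost/op-0000000000000001/endpoint/ep-aaaa",
         "OutpostsId": "op-0000000000000001", "VpcId": "vpc-0a1",
         "CidrBlock": "10.0.0.0/16", "Status": "Available"},
    ]}),
    "222222222222": json.dumps({"Endpoints": [
        {"EndpointArn": "arn:aws:s3-outposts:us-west-2:222222222222:outpost/op-0000000000000001/endpoint/ep-bbbb",
         "OutpostsId": "op-0000000000000001", "VpcId": "vpc-0b2",
         "CidrBlock": "10.1.0.0/16", "Status": "Available"},
        {"EndpointArn": "arn:aws:s3-outposts:us-west-2:222222222222:outpost/op-0000000000000002/endpoint/ep-cccc",
         "OutpostsId": "op-0000000000000002", "VpcId": "vpc-0b3",
         "CidrBlock": "10.2.0.0/16", "Status": "Available"},
    ]}),
    "333333333333": json.dumps({"Endpoints": []}),
}


def collect_endpoints(outputs_by_account):
    """Flatten per-account list-endpoints JSON into (account_id, endpoint) tuples."""
    result = []
    for account, raw in outputs_by_account.items():
        for ep in json.loads(raw).get("Endpoints", []):
            result.append((account, ep))
    return result


def endpoint_conflicts(outputs_by_account, outpost_id, vpc_id, vpc_cidr):
    """Return human-readable conflict reasons for creating an endpoint for
    (outpost_id, vpc_id, vpc_cidr). An empty list means neither rule is violated."""
    target = ipaddress.ip_network(vpc_cidr, strict=True)
    reasons = []
    for account, ep in collect_endpoints(outputs_by_account):
        if ep["VpcId"] == vpc_id:
            # One endpoint per VPC, regardless of which account owns it.
            reasons.append(f"VPC {vpc_id} already has endpoint {ep['EndpointArn']} (account {account})")
        elif ep["OutpostsId"] == outpost_id:
            # CIDR uniqueness is enforced among endpoints on the same Outpost only.
            existing = ipaddress.ip_network(ep["CidrBlock"], strict=False)
            if existing.overlaps(target):
                reasons.append(
                    f"VPC CIDR {vpc_cidr} overlaps {ep['CidrBlock']} used by the endpoint in VPC "
                    f"{ep['VpcId']} (account {account}); endpoints on the same Outpost need "
                    "non-overlapping VPC CIDRs")
    return reasons


if __name__ == "__main__":
    for reason in endpoint_conflicts(SAMPLE_LIST_ENDPOINTS_BY_ACCOUNT,
                                     "op-0000000000000001", "vpc-0c4", "10.0.128.0/24"):
        print("conflict:", reason)
```

In practice you would populate the dictionary by running list-endpoints under a role in each consumer account; the overlap test uses the same per-Outpost scope the service applies, so a VPC on a different Outpost with an overlapping CIDR is not reported.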

After you create an S3 on Outposts bucket in your consumer account using a shared Outpost subnet, you will use the endpoint already created for the Amazon VPC owned by the account sharing the Outpost subnet. When creating the bucket using the shared Outpost subnet with the Amazon S3 console, you can expect to see the message ‘Outposts endpoint unknown for shared resource <your-vpc-id>’. Viewing the bucket in the console, you will notice that the Outpost endpoint associated with the Outpost access point is listed as ‘Endpoint unknown’. This is expected, as the Outpost endpoint is in the account that owns the shared Outpost subnet.

Using the Amazon CloudWatch metrics for Amazon S3 on Outposts, you can monitor S3 on Outposts from the owner account. To list the available metrics, use the AWS CLI list-metrics command specifying the namespace “AWS/S3Outposts”. From the owner account, you can view the metric AccountUsedBytes to determine the total size of all of the objects for a specified consumer account. From the consumer account, you can view the metric BucketUsedBytes to determine the total size of all of the objects for a given bucket. Furthermore, you can view the metric OutpostFreeBytes to determine the number of free bytes of S3 on Outposts capacity.

To create an AWS RAM resource share for ‘S3 on Outposts’

The following AWS CLI example creates a resource share named MyS3onOutpostsShare. Replace <your-region>, <outpost-owner-account-id>, <outpost-id>, <outpost-consumer-account-id>, <your-tag-key>, and <your-tag-value> with your own information.

PROMPT> aws ram create-resource-share \
--name MyS3onOutpostsShare \
--permission-arns arn:aws:ram::aws:permission/AWSRAMDefaultPermissionS3Outposts \
--resource-arns arn:aws:s3-outposts:<your-region>:<outpost-owner-account-id>:outpost/<outpost-id> \
--no-allow-external-principals \
--principals <outpost-consumer-account-id> \
--tags key=<your-tag-key>,value=<your-tag-value>

You can view the ‘S3 on Outposts’ resource AWS RAM default permission details using the AWS CLI get-permission command specifying the permission ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionS3Outposts

When removing a consumer account from an S3 on Outposts share, make sure that you first remove any S3 on Outposts access points, buckets, and the endpoint from the consumer account.
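The create-resource-share command above sets the properties a share for ‘S3 on Outposts’ should keep: no external principals, only intended consumer accounts, and only an S3 on Outposts outpost ARN as the shared resource. The following Python audit is an added example, not code from the post or from AWS; it reads JSON shaped like the responses of get-resource-shares, list-resources and list-principals (run with --resource-owner SELF in the Outpost owner account). The response field names it uses (resourceShares, allowExternalPrincipals, resources[].arn, principals[].id, principals[].external) and all sample values are assumptions to verify against your own CLI output.

```python
"""Audit an AWS RAM resource share created for the 'S3 on Outposts' resource.

Findings are returned as strings so the check can run from a job and fail on a
non-empty list. All sample data below is constructed.
"""
import json

SHARE_NAME = "MyS3onOutpostsShare"
OUTPOST_ARN = "arn:aws:s3-outposts:us-west-2:111111111111:outpost/op-0000000000000001"
SHARE_ARN = "arn:aws:ram:us-west-2:111111111111:resource-share/0f0f0f0f-0000-4000-8000-000000000001"
OTHER_SHARE_ARN = "arn:aws:ram:us-west-2:111111111111:resource-share/0f0f0f0f-0000-4000-8000-000000000002"

# Constructed sample shaped like `aws ram get-resource-shares --resource-owner SELF`.
SAMPLE_GET_RESOURCE_SHARES = json.dumps({"resourceShares": [
    {"resourceShareArn": SHARE_ARN, "name": SHARE_NAME, "owningAccountId": "111111111111",
     "allowExternalPrincipals": False, "status": "ACTIVE"},
    {"resourceShareArn": OTHER_SHARE_ARN, "name": "UnrelatedShare", "owningAccountId": "111111111111",
     "allowExternalPrincipals": True, "status": "ACTIVE"},
]})
# Constructed sample shaped like `aws ram list-resources --resource-owner SELF`.
SAMPLE_LIST_RESOURCES = json.dumps({"resources": [
    {"arn": OUTPOST_ARN, "resourceShareArn": SHARE_ARN, "status": "AVAILABLE"},
    {"arn": "arn:aws:ec2:us-west-2:111111111111:subnet/subnet-0a1", "resourceShareArn": OTHER_SHARE_ARN,
     "status": "AVAILABLE"},
]})
# Constructed sample shaped like `aws ram list-principals --resource-owner SELF`.
SAMPLE_LIST_PRINCIPALS = json.dumps({"principals": [
    {"id": "222222222222", "resourceShareArn": SHARE_ARN, "external": False},
    {"id": "999999999999", "resourceShareArn": SHARE_ARN, "external": True},
    {"id": "333333333333", "resourceShareArn": OTHER_SHARE_ARN, "external": False},
]})


def is_s3outposts_outpost_arn(arn):
    """True for ARNs of the form arn:aws:s3-outposts:<region>:<account>:outpost/<outpost-id>."""
    return arn.startswith("arn:aws:s3-outposts:") and ":outpost/" in arn


def audit_s3outposts_share(shares_json, resources_json, principals_json, share_name, expected_consumers):
    """Return a list of findings for the share named share_name.
    expected_consumers is the set of account IDs you intend as consumers."""
    shares = [s for s in json.loads(shares_json)["resourceShares"] if s["name"] == share_name]
    if not shares:
        return [f"no resource share named {share_name}"]
    share = shares[0]
    arn = share["resourceShareArn"]
    findings = []
    if share.get("allowExternalPrincipals"):
        findings.append(f"{share_name}: allowExternalPrincipals is true; "
                        "the share should be created with --no-allow-external-principals")
    # Only resources and principals associated with this share are relevant.
    for res in json.loads(resources_json)["resources"]:
        if res["resourceShareArn"] == arn and not is_s3outposts_outpost_arn(res["arn"]):
            findings.append(f"{share_name}: unexpected resource {res['arn']} "
                            "(expected only an S3 on Outposts outpost ARN)")
    for p in json.loads(principals_json)["principals"]:
        if p["resourceShareArn"] != arn:
            continue
        if p.get("external"):
            findings.append(f"{share_name}: principal {p['id']} is outside the organization")
        elif p["id"] not in expected_consumers:
            findings.append(f"{share_name}: principal {p['id']} is not an expected consumer account")
    return findings


if __name__ == "__main__":
    for finding in audit_s3outposts_share(SAMPLE_GET_RESOURCE_SHARES, SAMPLE_LIST_RESOURCES,
                                          SAMPLE_LIST_PRINCIPALS, SHARE_NAME, {"222222222222"}):
        print("finding:", finding)
```

Run this periodically from the Outpost owner account, and again after removing a consumer account from the share, so a consumer that was meant to be removed (or one added outside your process) shows up as a finding rather than silently retaining access.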

To authorize security group ingress for an S3 on Outposts endpoint

The following example uses AWS CLI commands to update the security group associated with network interfaces created for the S3 on Outposts endpoint. After you have created the endpoint, you authorize port 443/tcp ingress for a security group associated with an AWS service that will access the S3 on Outposts buckets and objects using the Amazon S3 API.

  1. List the endpoints associated with the Outpost using the following AWS CLI list-endpoints command.
PROMPT> aws s3outposts list-endpoints
  2. Describe one of the Endpoint network interfaces using the following AWS CLI describe-network-interfaces command. Replace <network-interface-id> with one “NetworkInterfaceId” value found in the previous step.
PROMPT> aws ec2 describe-network-interfaces --network-interface-ids <network-interface-id>
  3. Add a rule to the Endpoint security group that allows TCP port 443 access from your own security group using the AWS CLI authorize-security-group-ingress command. Replace <endpoint-security-group> with the “GroupId” value found in the previous step. Replace <source-security-group> with the ID of the security group for an AWS service accessing S3 on Outposts buckets and objects. Include the --group-owner option, and replace <workload-account-id> with the account ID, if the security group is in a different account from the Endpoint security group.
PROMPT> aws ec2 authorize-security-group-ingress \
--group-id <endpoint-security-group> \
--protocol tcp \
--port 443 \
--source-group <source-security-group> \
--group-owner <workload-account-id>
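The procedure above opens exactly one path to the endpoint: tcp/443 from one source security group. Over time, other rules tend to accumulate on the endpoint security group, so it is worth checking that nothing broader was added. The following Python audit is an added example, not code from the post or from AWS: it extracts the endpoint security group from describe-network-interfaces output (step 2) and then reads the group's rules from describe-security-groups output, flagging CIDR-based sources, ports other than 443, protocols other than tcp, and source security groups you did not intend to authorize. The response field names (NetworkInterfaces[].Groups[].GroupId, SecurityGroups[].IpPermissions[], UserIdGroupPairs, IpRanges) follow the EC2 API response shapes as I understand them, and all sample values are constructed.

```python
"""Least-privilege audit of the security group attached to an S3 on Outposts endpoint."""
import json

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output for one endpoint ENI.
SAMPLE_DESCRIBE_NETWORK_INTERFACES = json.dumps({"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaa1", "VpcId": "vpc-0a1", "SubnetId": "subnet-0a1",
     "Groups": [{"GroupName": "s3outposts-endpoint", "GroupId": "sg-0endpoint00000001"}]}
]})

# Constructed sample shaped like `aws ec2 describe-security-groups --group-ids sg-0endpoint00000001`.
SAMPLE_DESCRIBE_SECURITY_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0endpoint00000001", "GroupName": "s3outposts-endpoint", "OwnerId": "111111111111",
     "IpPermissions": [
        # Intended rule: tcp/443 from the workload account's security group (as added in step 3).
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0workload0000001", "UserId": "222222222222"}]},
        # Over-broad: tcp/443 from any IPv4 address.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # Over-broad: all protocols and ports from another group in the owner account.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0other000000001", "UserId": "111111111111"}]},
     ]}
]})


def endpoint_security_group_ids(describe_eni_json):
    """Step 2: collect the GroupId values attached to the endpoint network interfaces."""
    ids = set()
    for eni in json.loads(describe_eni_json)["NetworkInterfaces"]:
        for group in eni.get("Groups", []):
            ids.add(group["GroupId"])
    return ids


def _describe_rule(perm):
    """Short label for a permission entry, e.g. 'tcp/443-443' or 'all traffic'."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm.get('IpProtocol')}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_endpoint_ingress(describe_sg_json, expected_sources):
    """expected_sources: set of (owner_account_id, source_group_id) pairs allowed on tcp/443.
    Returns a list of findings; an empty list means the group matches the intended configuration."""
    findings = []
    for sg in json.loads(describe_sg_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            rule = _describe_rule(perm)
            is_tcp_443 = (perm.get("IpProtocol") == "tcp"
                          and perm.get("FromPort") == 443 and perm.get("ToPort") == 443)
            # Any CIDR source is broader than the procedure intends, even on tcp/443.
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                findings.append(f"{sg['GroupId']}: {rule} open to CIDR {cidr}; "
                                "endpoint access should come only from security groups")
            for pair in perm.get("UserIdGroupPairs", []):
                # UserId is absent for same-account groups in some responses; default to the owner.
                src = (pair.get("UserId", sg["OwnerId"]), pair["GroupId"])
                if not is_tcp_443:
                    findings.append(f"{sg['GroupId']}: {rule} from {src[1]} (account {src[0]}); "
                                    "only tcp/443 is needed for the Amazon S3 API")
                elif src not in expected_sources:
                    findings.append(f"{sg['GroupId']}: tcp/443 from unexpected source {src[1]} "
                                    f"(account {src[0]})")
    return findings


if __name__ == "__main__":
    print("endpoint security groups:", sorted(endpoint_security_group_ids(SAMPLE_DESCRIBE_NETWORK_INTERFACES)))
    for finding in audit_endpoint_ingress(SAMPLE_DESCRIBE_SECURITY_GROUPS,
                                          {("222222222222", "sg-0workload0000001")}):
        print("finding:", finding)
```

The expected-source set is keyed on (account, group ID) because the --group-owner option in step 3 makes cross-account sources legitimate; a rule from the right group ID in the wrong account is still reported.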

Applying shared S3 on Outposts resource for your workload

Let’s apply the sharable S3 on Outposts resource described earlier using different models based on where you create and manage your Outpost subnet and associated Amazon VPC. In addition to the Outpost subnet you create for launching AWS services on the Outpost, you can choose to use a different Outpost subnet for your S3 on Outposts. Consider a separate Outposts subnet for your S3 on Outposts if you want to share only with a workload account that won’t launch other AWS services on the Outpost. You may also choose to have a boundary of responsibility and ownership between sharing Outpost capacity for launching other AWS services and sharing S3 on Outposts.

Network-prod account-owned Amazon VPC

Consider this model for sharing an S3 on Outposts resource when you centralize management of your Amazon VPC and share one or more subnets with another account. In this model, you create and manage an Outpost subnet centrally and share with your workload (Outpost consumer) account. After you create the Outpost subnet in the network-prod account, create an S3 on Outposts endpoint in this subnet, thereby making an association with the VPC. The endpoint routes requests to an S3 on Outposts access point that you create in your workload account for your S3 on Outposts bucket.

The following diagram shows an S3 on Outposts resource sharing configuration when you have a centralized Amazon VPC.

[Diagram: S3 on Outposts resource sharing configuration when you have a centralized Amazon VPC.]

To configure shared S3 on Outposts for your workload account

  1. Create an AWS RAM resource share owned by the Outpost owner account for the Outpost resource ‘Outposts’. Add the Outpost with S3 on Outposts capacity you want to share. Specify your network-prod and workload account IDs as the principals that you want as consumers.
  2. Create an AWS RAM resource share owned by the Outpost owner account for the Outpost resource ‘S3 on Outposts’. Add the S3 on Outposts resource associated with the Outpost you specified in Step 1. Specify your network-prod and workload account IDs as the principals that you want as consumers.
  3. Create an Outpost subnet in the network-prod account VPC. You can create the Outpost subnet using the AWS CLI create-subnet command specifying the ARN of the Outpost that you’re sharing in Step 1.
  4. Create an S3 on Outposts endpoint on the Outpost specifying the subnet that you created in Step 3.
  5. Authorize the endpoint security group inbound (ingress) for port 443/tcp from the security group of the AWS service that you will use to access S3 on Outposts buckets and objects using the Amazon S3 API.
  6. Create an AWS RAM resource share owned by the network-prod account for the resource ‘Subnets’. Add the Outpost subnet that you created in Step 3. Specify the workload account ID as the principal that you want as a consumer.
  7. Create an S3 on Outposts bucket in your workload account.
  8. Create an access point for the S3 on Outposts bucket in your workload account, specifying the VPC ID for the subnet shared in Step 6.
  9. Create and access S3 on Outposts buckets and objects using the Amazon S3 API.

Workload account-owned Amazon VPC

Consider this model for sharing an S3 on Outposts resource when you delegate management of your Amazon VPC to an individual account. For this model, you create and manage an Outpost subnet inside of your workload (Outpost consumer) account. After you create the Outpost subnet in the workload account, you create an S3 on Outposts endpoint in this subnet, thereby making an association with the VPC. The endpoint routes requests to an S3 on Outposts access point that you create in your workload account for your S3 on Outposts bucket.

The following diagram shows an S3 on Outposts resource sharing configuration when you have a workload account owned Amazon VPC.

[Diagram: S3 on Outposts resource sharing configuration when you have a workload account owned Amazon VPC.]

To configure shared S3 on Outposts for your workload account

  1. Create an AWS RAM resource share owned by the Outpost owner account for the Outpost resource ‘Outposts’. Add the Outpost with S3 on Outposts capacity that you want to share. Specify your workload account ID as the principal that you want as a consumer.
  2. Create an AWS RAM resource share owned by the Outpost owner account for the Outpost resource ‘S3 on Outposts’. Add the S3 on Outposts resource associated with the Outpost that you specified in Step 1. Specify your workload account ID as the principal that you want as a consumer.
  3. Create an Outpost subnet in the workload account VPC. You can create the Outpost subnet using the AWS CLI create-subnet command specifying the ARN of the Outpost that you’re sharing in Step 1.
  4. Create an S3 on Outposts endpoint on an Outpost specifying the subnet that you created in Step 3.
  5. Authorize the endpoint security group ingress for port 443/tcp to the security group of an AWS asset where you will access S3 on Outposts buckets and objects using the Amazon S3 API.
  6. Create an S3 on Outposts bucket in your consumer account.
  7. Create an access point for the S3 on Outposts bucket in your workload account, specifying the VPC ID for the subnet created in Step 3.
  8. Create and access S3 on Outposts buckets and objects from your consumer account using the Amazon S3 API.

Outpost owner account-owned Amazon VPC

Consider this model for sharing an S3 on Outposts resource when you want to manage the Amazon VPC for your Outpost subnet in your Outpost owner account. In this model, you create and manage an Outpost subnet in the Outpost owner account and share it with your workload (Outpost consumer) account. After you create the Outpost subnet in the Outpost owner account, you create an S3 on Outposts endpoint in this subnet, thereby making an association with the VPC. The endpoint routes requests to an S3 on Outposts access point that you create in your workload account for your S3 on Outposts bucket.

The following diagram shows an S3 on Outposts resource sharing configuration when you have an Outpost owner account Amazon VPC.

[Diagram: S3 on Outposts resource sharing configuration when you have an Outpost owner account Amazon VPC.]

To configure shared S3 on Outposts for your workload account

  1. Create an Outpost subnet in the Outpost owner account VPC. You can create the Outpost subnet using the AWS CLI create-subnet command specifying the ARN of the Outpost that you’re sharing in Step 3.
  2. Create an S3 on Outposts endpoint on an Outpost specifying the subnet that you created in Step 1.
  3. Create an AWS RAM resource share owned by the Outpost owner account for the Outpost resource ‘Outposts’. Add the Outpost with S3 on Outposts capacity that you want to share. Specify your workload account ID as the principal that you want as a consumer.
  4. Create an AWS RAM resource share owned by the Outpost owner account for the Outpost resource ‘S3 on Outposts’. Add the S3 on Outposts resource associated with the Outpost that you specified in Step 3. Specify your workload account ID as the principal that you want as a consumer.
  5. Create an AWS RAM resource share owned by the Outpost owner account for the resource ‘Subnets’. Add the Outpost subnet that you created in Step 1. Specify your workload account ID as the principal that you want as consumer.
  6. Authorize the endpoint security group ingress for port 443/tcp to the security group of an AWS asset where you will access S3 on Outposts buckets and objects using the Amazon S3 API.
  7. Create an S3 on Outposts bucket owned by the workload account.
  8. Create an access point for the S3 on Outposts bucket in your consumer account specifying the VPC ID for the subnet shared in Step 3.
  9. Create and access S3 on Outposts buckets and objects from your consumer account using the Amazon S3 API.

Conclusion

In this post, I have shown you how to share Amazon S3 on Outposts with your workloads inside your AWS Organizations organization. You have learned about different deployment models for sharing an S3 on Outposts resource, and you have seen AWS CLI examples that create AWS RAM resource shares for an S3 on Outposts resource.

Author:

Karl Schween

Karl Schween is a Principal Solutions Architect at Amazon Web Services. He helps customers craft highly-scalable, flexible, and resilient cloud architectures that address their business problems.