I’m using a gateway VPC endpoint to connect to an S3 bucket from an EC2 instance in the Amazon Virtual Private Cloud (Amazon VPC), but it’s not working. How do I troubleshoot this?

You might experience connectivity issues due to network access or security rules that block the connection to Amazon Simple Storage Service (Amazon S3) from the Amazon VPC. Check the following resources and configurations to diagnose and troubleshoot your connectivity issues:

  • DNS settings in your VPC
  • Route table settings to Amazon S3
  • Security group outbound rules
  • Network ACL rules
  • Gateway VPC endpoint policy
  • S3 bucket policy
  • IAM policy

DNS settings in your VPC

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Your VPCs.
  3. In the resource list, choose the Amazon VPC that has the issues connecting to Amazon S3.
  4. In the Summary view, confirm that DNS resolution is set to yes. If you need to update the setting to yes, see Updating DNS Support for Your VPC.

Note: If you're using your own DNS server, be sure that the DNS requests to AWS services such as Amazon S3 are resolved correctly to AWS-maintained IP addresses. For more information about using DNS, see Using DNS with your VPC.

Route table settings to Amazon S3

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Route Tables.
  3. Choose the route table associated with the VPC subnet that has Amazon S3 connectivity issues.
  4. In the Routes view, be sure there's a route to Amazon S3 using the gateway VPC endpoint. For more information about configuring your route table for gateway endpoints, see Routing for Gateway Endpoints.

Security group outbound rules

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Network & Security, choose Security Groups.
  3. In the resource list, choose the security group associated with the instance that you're using to connect to Amazon S3.
  4. In the Outbound view, check that the available outbound rules allow traffic to Amazon S3.

Note: The default outbound rule allows all outbound traffic. If the security group doesn't have the default outbound rule, and instead has more restrictive rules, then be sure to add one of the following outbound rules:

Network ACL rules

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Security, choose Network ACLs.
  3. In the resource list, choose the network ACL associated with the VPC subnet that is experiencing Amazon S3 connectivity issues.
  4. In the Inbound Rules view, verify that the rules allow inbound return traffic from Amazon S3 on ephemeral ports 1024-65535.
  5. In the Outbound Rules view, verify that the rules allow traffic to Amazon S3.

Note: By default, network ACLs allow all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. If your network ACL rules restrict traffic, you must specify the CIDR block (IP address range) for Amazon S3. For more information, see Network ACLs.
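The route table, security group and network ACL checks above can be scripted against the JSON that the AWS CLI returns (`aws ec2 describe-route-tables`, `describe-security-groups`, `describe-network-acls`). The following is an added example, not code from this article or from AWS: it runs those three checks over constructed sample data shaped like that CLI output, with placeholder IDs (`pl-00000000`, `vpce-0123456789abcdef0`) and a TEST-NET address standing in for an S3 IP. It also models the first-match-by-rule-number way network ACLs are evaluated, so a missing inbound ephemeral-port rule shows up as a failed check.

```python
import ipaddress

# Constructed sample data in the shape of `aws ec2 describe-*` output, trimmed to the
# fields the checks use. All IDs are placeholders, not real resources.
ROUTE_TABLE = {
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        # A gateway endpoint route targets the S3 prefix list and a vpce-... gateway.
        {"DestinationPrefixListId": "pl-00000000",
         "GatewayId": "vpce-0123456789abcdef0", "State": "active"},
    ]
}
SECURITY_GROUP = {
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
         "PrefixListIds": [{"PrefixListId": "pl-00000000"}]},
    ]
}
NETWORK_ACL = {
    "Entries": [
        {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        # Return traffic from S3 arrives on ephemeral ports; this inbound rule allows it.
        {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
        {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
         "CidrBlock": "0.0.0.0/0"},
    ]
}
S3_PREFIX_LIST = "pl-00000000"   # placeholder; the real one comes from describe-prefix-lists
S3_SAMPLE_ADDR = "203.0.113.10"  # constructed TEST-NET-3 address standing in for an S3 IP


def has_s3_endpoint_route(route_table, prefix_list_id):
    """True if an active route sends the S3 prefix list to a gateway endpoint (vpce-...)."""
    return any(
        r.get("DestinationPrefixListId") == prefix_list_id
        and str(r.get("GatewayId", "")).startswith("vpce-")
        and r.get("State") == "active"
        for r in route_table["Routes"]
    )


def egress_allows_https_to_s3(sg, prefix_list_id):
    """True if an egress rule covers TCP 443 to 0.0.0.0/0 or to the S3 prefix list."""
    for perm in sg["IpPermissionsEgress"]:
        proto = perm.get("IpProtocol")
        if proto not in ("-1", "tcp"):
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0)):
            continue
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True
        if any(p.get("PrefixListId") == prefix_list_id for p in perm.get("PrefixListIds", [])):
            return True
    return False


def nacl_decision(acl, egress, port, addr):
    """Network ACLs are evaluated in RuleNumber order and the first match decides;
    nothing matching means deny. Only TCP (6) and 'all' (-1) entries are considered."""
    for e in sorted(acl["Entries"], key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or "CidrBlock" not in e:
            continue
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        if e["Protocol"] not in ("-1", "6"):
            continue
        pr = e.get("PortRange")
        if e["Protocol"] == "6" and pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"] == "allow"
    return False


def diagnose(route_table, sg, acl, prefix_list_id, s3_addr):
    """Map each check from the article to True (passes) or False (look here first)."""
    return {
        "route_to_gateway_endpoint": has_s3_endpoint_route(route_table, prefix_list_id),
        "sg_egress_https": egress_allows_https_to_s3(sg, prefix_list_id),
        "nacl_egress_https": nacl_decision(acl, True, 443, s3_addr),
        # Samples the ends and middle of the ephemeral range rather than every port.
        "nacl_ingress_ephemeral": all(nacl_decision(acl, False, p, s3_addr)
                                      for p in (1024, 32768, 65535)),
    }


if __name__ == "__main__":
    for name, ok in diagnose(ROUTE_TABLE, SECURITY_GROUP, NETWORK_ACL,
                             S3_PREFIX_LIST, S3_SAMPLE_ADDR).items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

To use it against a real VPC, feed the functions the `RouteTables[i]`, `SecurityGroups[i]` and `NetworkAcls[i]` objects from the CLI output and the S3 prefix list ID for your Region; the first check that returns False is the section of the article to revisit.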

Gateway VPC endpoint policy

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Endpoints.
  3. In the resource list, choose the endpoint associated with the VPC subnet that is experiencing Amazon S3 connectivity issues.
  4. In the Policy view, review the endpoint policy. Check if the policy is blocking access to the S3 bucket or the IAM user affected by the connectivity issues. Edit the policy as needed to enable access. For more information about using endpoint policies, see Using Endpoint Policies for Amazon S3.

S3 bucket policy

  1. Open the Amazon S3 console.
  2. Choose the S3 bucket with connectivity issues.
  3. In the Permissions view, choose Bucket Policy.
  4. Review the bucket policy and be sure it allows access from the gateway VPC endpoint and the VPC that you want to connect. Edit the policy as needed. For more information about using S3 bucket policies with endpoints, see Using Amazon S3 Bucket Policies.

Note: Your bucket policy can restrict access only from a specific public IP or an elastic IP associated with an instance in an Amazon VPC. You can't restrict access based on private IPs associated with instances. For more information about restricting access to your S3 bucket, see Restricting Access to Specific IP Addresses.

IAM policy

  1. Open the AWS IAM console.
  2. Choose the IAM user or role used to access the S3 bucket from the instance.
  3. In the Permissions view of either the user or the role, review the attached policies to make sure the associated users have the right permissions to access Amazon S3. For more information on IAM policies and how to restrict access, see How to Restrict Amazon S3 Bucket Access to a Specific IAM Role and An Example Walkthrough: Using user policies to control access to your bucket.
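The three policy checks above (gateway endpoint policy, bucket policy and IAM policy) are easier to reason about when the same request is evaluated against all three at once. The following is an added example, not code from this article or from AWS: a deliberately simplified evaluator over constructed policies with placeholder ARNs and endpoint IDs. The bucket policy uses the `aws:SourceVpce` condition key that the linked S3 documentation uses to restrict a bucket to a gateway endpoint; the decision logic (any explicit Deny wins, the endpoint policy must allow traffic that goes through the endpoint, then either the IAM policy or the bucket policy must grant the action) is a same-account approximation, not the full AWS evaluation, and principals and other condition operators are not modelled.

```python
import fnmatch

# Constructed example policies; bucket names, ARNs and the endpoint ID are placeholders.
ENDPOINT_POLICY = {  # attached to the gateway VPC endpoint
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
BUCKET_POLICY = {  # attached to example-bucket: deny anything not arriving via the endpoint
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}
IAM_POLICY = {  # attached to the instance role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM wildcards (* and ?) map directly onto fnmatch.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(cond, ctx):
    """Only StringEquals / StringNotEquals are modelled (enough for aws:SourceVpce).
    As in IAM, a Not* operator on a key absent from the request context is true."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator {op}")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            hit = actual is not None and actual in _as_list(expected)
            if op == "StringEquals" and not hit:
                return False
            if op == "StringNotEquals" and hit:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    return (_matches(stmt["Action"], action)
            and _matches(stmt["Resource"], resource)
            and _condition_holds(stmt.get("Condition", {}), ctx))


def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy document."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def policy_decisions(endpoint_policy, bucket_policy, iam_policy, action, resource, ctx):
    """Per-policy verdicts, so a troubleshooter can see which document is blocking."""
    decisions = {
        "bucket": evaluate(bucket_policy, action, resource, ctx),
        "iam": evaluate(iam_policy, action, resource, ctx),
    }
    if "aws:SourceVpce" in ctx:  # the endpoint policy only sees traffic through the endpoint
        decisions["endpoint"] = evaluate(endpoint_policy, action, resource, ctx)
    return decisions


def s3_request_allowed(endpoint_policy, bucket_policy, iam_policy, action, resource, ctx):
    d = policy_decisions(endpoint_policy, bucket_policy, iam_policy, action, resource, ctx)
    if "Deny" in d.values():
        return False
    if "endpoint" in d and d["endpoint"] != "Allow":
        return False  # gateway endpoint policies are deny-by-default for the traffic they govern
    return d["bucket"] == "Allow" or d["iam"] == "Allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    via_endpoint = {"aws:SourceVpce": "vpce-0123456789abcdef0"}
    print(policy_decisions(ENDPOINT_POLICY, BUCKET_POLICY, IAM_POLICY, "s3:GetObject", obj, via_endpoint))
    print(policy_decisions(ENDPOINT_POLICY, BUCKET_POLICY, IAM_POLICY, "s3:PutObject", obj, via_endpoint))
```

Running it shows the two failure modes the article asks you to look for: a request that does not carry the expected `aws:SourceVpce` value is refused by the bucket policy's Deny, while a `PutObject` through the endpoint is refused because the endpoint policy never allows it, even though no policy denies it.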


Published: 2017-12-14