Shiva helps you troubleshoot connectivity issues between an S3 bucket and a VPC

I’m using a gateway endpoint to connect to an Amazon Simple Storage Service (Amazon S3) bucket from an Amazon Elastic Compute Cloud (Amazon EC2) instance in the Amazon Virtual Private Cloud (Amazon VPC), but it’s not working. How do I troubleshoot this?

You might experience connectivity issues with your gateway VPC endpoint because of network access or security rules that block the connection to Amazon S3 from the Amazon VPC. Check the following resources and configurations to diagnose and troubleshoot your connectivity issues:

DNS settings in your VPC

Important: DNS resolution must be enabled in your VPC (see Gateway Endpoint Limitations). If you're using your own DNS server, be sure DNS requests to AWS services resolve to AWS-maintained IP addresses.

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Your VPCs.
  3. In the resource list, choose the Amazon VPC that has S3 connectivity issues.
  4. In the Summary view, be sure to set DNS resolution to yes. See Updating DNS Support for Your VPC.

Route table settings to Amazon S3

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Route Tables.
  3. Choose the route table associated with the VPC subnet that has S3 connectivity issues.
  4. Choose the Routes view.
  5. Be sure there's a route to Amazon S3 using the gateway VPC endpoint. See Routing for Gateway Endpoints.

Security group outbound rules

  1. Sign in to the Amazon EC2 console.
  2. In the navigation pane, under Network & Security, choose Security Groups.
  3. In the resource list, choose the security group associated with the instance that you're using to connect to Amazon S3.
  4. In the Outbound view, be sure the available outbound rules allow traffic to Amazon S3.

The default outbound rule allows all outbound traffic. If the security group doesn't have the default outbound rule, and instead has more restrictive rules, be sure to add one of the following outbound rules:

Network ACL rules

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under Security, choose Network ACLs.
  3. In the resource list, choose the network ACL associated with the VPC subnet that has S3 connectivity issues.
  4. In the Inbound Rules view, be sure the rules allow inbound return traffic from Amazon S3 on ephemeral TCP ports 1024-65535.
  5. In the Outbound Rules view, be sure the rules allow traffic to Amazon S3.

Note: By default, network ACLs allow all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. If your network ACL rules restrict traffic, you must specify the CIDR block (IP address range) for S3.

Gateway VPC endpoint policy

  1. Sign in to the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Endpoints.
  3. In the resource list, choose the endpoint associated with the VPC subnet that has S3 connectivity issues.
  4. Choose the Policy view.
  5. Review the endpoint policy. Check if the policy blocks access to the S3 bucket or to the IAM user affected by the connectivity issues. Edit the policy to enable access for the S3 bucket or IAM user. See Using Endpoint Policies for Amazon S3.
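The DNS, route table, network ACL and endpoint policy checks above can be run against the API output those console views are built from. The following is an added example, not part of the original article: it applies each check to constructed sample data shaped like the boto3 `DescribeVpcAttribute`, `DescribeRouteTables` and `DescribeNetworkAcls` responses, so it runs offline; all resource ids are placeholders, and the network ACL and policy evaluation are deliberately conservative simplifications of the real rules.

```python
import json
# Constructed sample responses shaped like boto3's DescribeVpcAttribute, DescribeRouteTables
# and DescribeNetworkAcls output; every id is a placeholder, not a real resource.
S3_PREFIX_LIST = "pl-EXAMPLE"  # the region's com.amazonaws.<region>.s3 prefix list id
VPC_ATTR = {"EnableDnsSupport": {"Value": True}}
ROUTE_TABLE = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                          {"DestinationPrefixListId": S3_PREFIX_LIST, "GatewayId": "vpce-EXAMPLE"}]}
NACL = {"Entries": [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"}]}
ENDPOINT_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"}]})

def dns_resolution_enabled(attr):
    return bool(attr["EnableDnsSupport"]["Value"])

def has_s3_endpoint_route(rt, prefix_list_id):
    # Need a route whose destination is the S3 prefix list and whose target is a vpce-* gateway.
    return any(r.get("DestinationPrefixListId") == prefix_list_id and
               r.get("GatewayId", "").startswith("vpce-") for r in rt["Routes"])

def nacl_first_match(entries, egress, lo, hi):
    # Network ACL rules apply lowest rule number first; the first overlapping rule decides.
    # Conservative: an allow counts only if it covers the whole requested port range.
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        pr = e.get("PortRange", {"From": 0, "To": 65535})
        if e["Egress"] != egress or e["Protocol"] not in ("-1", "6"):
            continue
        if pr["From"] <= hi and pr["To"] >= lo:
            return e["RuleAction"] == "allow" and pr["From"] <= lo and pr["To"] >= hi
    return False  # no explicit rule: the implicit default rule denies

def nacl_allows_s3(nacl):
    # Outbound HTTPS to S3 plus inbound return traffic on ephemeral TCP ports 1024-65535.
    return (nacl_first_match(nacl["Entries"], True, 443, 443) and
            nacl_first_match(nacl["Entries"], False, 1024, 65535))

def endpoint_policy_allows(policy_json, action="s3:GetObject"):
    # Simplified IAM evaluation: any matching Deny wins, otherwise a matching Allow is needed.
    allowed = denied = False
    for st in json.loads(policy_json)["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        hit = any(a in ("*", "s3:*", action) for a in acts)
        allowed, denied = allowed or (hit and st["Effect"] == "Allow"), denied or (hit and st["Effect"] == "Deny")
    return allowed and not denied

def run_checklist():
    return {"dns": dns_resolution_enabled(VPC_ATTR),
            "route": has_s3_endpoint_route(ROUTE_TABLE, S3_PREFIX_LIST),
            "nacl": nacl_allows_s3(NACL),
            "endpoint_policy": endpoint_policy_allows(ENDPOINT_POLICY)}
```

Any check that returns False points at the section of this article to revisit; the security group and bucket policy checks are not modelled here.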

S3 bucket policy

  1. Sign in to the Amazon S3 console.
  2. Choose the S3 bucket with connectivity issues.
  3. Choose the Permissions view.
  4. Choose Bucket Policy.
  5. Be sure the bucket policy allows access from the gateway VPC endpoint and the VPC that you want to connect. Edit the policy to enable access from the gateway VPC endpoint and VPC. See Using Amazon S3 Bucket Policies.

Note: Your bucket policy can restrict access only from a specific public IP address or an elastic IP address associated with an instance in an Amazon VPC. You can't restrict access based on private IP addresses associated with instances. See Restricting Access to Specific IP Addresses.

If you're using a proxy server, be sure it allows your VPC connections through. If you don't want S3 traffic to go through the proxy server, use the following command to bypass the proxy when accessing your S3 bucket (note that the shell accepts no spaces around the equals sign):

export no_proxy=mybucket.s3-us-west-2.amazonaws.com

IAM policy

  1. Sign in to the AWS IAM console.
  2. Choose the IAM user or role used to access the S3 bucket from the instance.
  3. Choose the Permissions view.
  4. Be sure the IAM user or role has the correct permissions to access Amazon S3. See How to Restrict Amazon S3 Bucket Access to a Specific IAM Role and An Example Walkthrough: Using user policies to control access to your bucket.

AWS CLI configuration

Be sure to configure the AWS Command Line Interface (AWS CLI) and set a default AWS region. Use the command aws configure to specify a Default region name.

If you don't want to specify a default region or you want to override the default region, be sure to set the --region option in each AWS CLI command.


Published: 2017-12-14

Updated: 2018-08-31