Why can’t I connect to an S3 bucket using a gateway VPC endpoint?

Last updated: 2020-11-23

I’m using a gateway endpoint to connect to an Amazon Simple Storage Service (Amazon S3) bucket from an Amazon Elastic Compute Cloud (Amazon EC2) instance in the Amazon Virtual Private Cloud (Amazon VPC). However, the connection isn't working. How do I troubleshoot this?

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Gateway VPC endpoint connectivity issues are usually caused by network access or security rules that block the connection to Amazon S3 from the Amazon VPC. Check the following resources and configurations to diagnose and troubleshoot your connectivity issues.

Region configurations

You can only access Amazon S3 objects that are in the same Region as the Amazon S3 gateway VPC endpoint. Confirm that your objects and endpoint are in the same Region.

DNS settings in your VPC

Important: DNS resolution must be enabled in your VPC (see Gateway endpoint limitations). If you're using your own DNS server, be sure that DNS requests to AWS services resolve to IP addresses maintained by AWS.

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Your VPCs.
  3. In the resource list, choose the Amazon VPC that has S3 connectivity issues.
  4. In the Summary view, set DNS resolution to yes.

Route table settings to Amazon S3

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Route Tables.
  3. Choose the route table associated with the VPC subnet that has S3 connectivity issues.
  4. Choose the Routes view.
  5. Confirm that there's a route to Amazon S3 using the gateway VPC endpoint.
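The route check above can also be done against the output of `aws ec2 describe-route-tables`. The following is an added example, not code from the AWS article: it loads a constructed sample of that output (all vpc-, rtb-, subnet-, vpce-, pl- and nat- ids are made-up placeholders) and reports whether the route table that applies to a subnet has an active route through a gateway endpoint. It handles the case the console hides, a subnet with no explicit association that falls back to the VPC's main route table.

```python
import json

# Constructed sample of `aws ec2 describe-route-tables --output json` for one VPC.
# Every id here is a placeholder, not a real resource. An S3 gateway endpoint route
# shows the S3 managed prefix list as destination and the vpce- id as GatewayId.
SAMPLE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-0main0000",
      "VpcId": "vpc-0example",
      "Associations": [{"Main": true}],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-0aaa1111",
      "VpcId": "vpc-0example",
      "Associations": [{"Main": false, "SubnetId": "subnet-0app1"}],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-0s3example", "GatewayId": "vpce-0s3gw0001", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-0bbb2222",
      "VpcId": "vpc-0example",
      "Associations": [{"Main": false, "SubnetId": "subnet-0app2"}],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}
      ]
    }
  ]
}
""")


def route_table_for_subnet(describe_output, subnet_id):
    """Return the route table that applies to subnet_id: the explicitly associated
    table if there is one, otherwise the VPC's main route table (or None)."""
    main = None
    for table in describe_output["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def gateway_endpoint_routes(table):
    """Active routes whose target is a gateway VPC endpoint (GatewayId vpce-...)."""
    return [
        r for r in table.get("Routes", [])
        if r.get("GatewayId", "").startswith("vpce-") and r.get("State") == "active"
    ]


def subnet_has_s3_endpoint_route(describe_output, subnet_id, endpoint_id=None):
    """True if the subnet's effective route table sends traffic through a gateway
    endpoint; if endpoint_id is given, it must be that specific endpoint."""
    table = route_table_for_subnet(describe_output, subnet_id)
    if table is None:
        return False
    routes = gateway_endpoint_routes(table)
    if endpoint_id is not None:
        routes = [r for r in routes if r["GatewayId"] == endpoint_id]
    return bool(routes)


if __name__ == "__main__":
    for subnet in ("subnet-0app1", "subnet-0app2", "subnet-0app3"):
        ok = subnet_has_s3_endpoint_route(SAMPLE_ROUTE_TABLES, subnet)
        print(f"{subnet}: {'S3 endpoint route present' if ok else 'NO S3 endpoint route'}")
```

In the sample, subnet-0app2 only has a default route to a NAT gateway, so its S3 traffic leaves the VPC over the public path and never uses the endpoint, which is exactly the misconfiguration the step above is meant to catch; subnet-0app3 has no explicit association and inherits the main table, which also lacks the route.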

Security group outbound rules

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Network & Security, choose Security Groups.
  3. In the resource list, choose the security group associated with the instance that you're using to connect to Amazon S3.
  4. In the Outbound view, confirm that the available outbound rules allow traffic to Amazon S3.

The default outbound rule allows all outbound traffic. If the security group has more restrictive rules than the default outbound rule, add one of the following:

For more information, see Modifying your security group.

Network ACL rules

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Security, choose Network ACLs.
  3. In the resource list, choose the network access control list (network ACL) associated with the VPC subnet that has S3 connectivity issues.
  4. In the Inbound Rules view, confirm that the rules allow inbound return traffic from Amazon S3 on ephemeral TCP ports 1024-65535.
  5. In the Outbound Rules view, confirm that the rules allow traffic to Amazon S3.

Note: By default, network ACLs allow all inbound and outbound IPv4 traffic. Network ACLs also allow all inbound and outbound IPv6 traffic, if applicable. If your network ACL rules restrict traffic, you must specify the CIDR block (IP address range) for Amazon S3.
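Because network ACLs are stateless and evaluate rules in ascending rule-number order with the first match winning, a restrictive inbound rule that covers only part of the 1024-65535 ephemeral range silently breaks some S3 connections and not others. The following added example (not from the AWS article) models that evaluation over constructed entries in the layout `aws ec2 describe-network-acls` returns and reports which ephemeral ports would drop S3 return traffic. The S3 CIDR used is a documentation placeholder; take the real ranges for your Region from the AWS ip-ranges.json "S3" entries.

```python
import ipaddress

# Placeholder for an S3 address range (TEST-NET-3, not a real AWS range).
S3_SAMPLE_CIDR = "203.0.113.0/24"

# Constructed network ACL entries: HTTPS out to S3 is allowed, but the inbound
# rule for return traffic only covers 1024-49151, so the top of the ephemeral
# range is caught by the final deny-all rule (rule number 32767 is the "*" rule).
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": S3_SAMPLE_CIDR, "PortRange": {"From": 1024, "To": 49151}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": S3_SAMPLE_CIDR, "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]


def nacl_decision(entries, egress, ip, port, protocol="6"):
    """Decide 'allow' or 'deny' for one packet: lowest rule number first, first
    match wins, implicit deny if nothing matches. Protocol "-1" means all."""
    addr = ipaddress.ip_address(ip)
    for e in sorted((e for e in entries if e["Egress"] == egress),
                    key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", protocol):
            continue
        if addr not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"]
    return "deny"


def blocked_ephemeral_ports(entries, s3_ip, low=1024, high=65535):
    """Return the list of (from, to) ranges within low..high where inbound TCP
    return traffic from s3_ip is denied. The decision can only change at a
    rule's port boundary, so one evaluation per segment is enough."""
    points = {low, high + 1}
    for e in entries:
        pr = e.get("PortRange")
        if pr:
            points.update(p for p in (pr["From"], pr["To"] + 1) if low <= p <= high + 1)
    edges = sorted(points)
    blocked = []
    for start, nxt in zip(edges, edges[1:]):
        if nacl_decision(entries, False, s3_ip, start) == "deny":
            if blocked and blocked[-1][1] == start - 1:
                blocked[-1] = (blocked[-1][0], nxt - 1)   # merge adjacent segments
            else:
                blocked.append((start, nxt - 1))
    return blocked


if __name__ == "__main__":
    s3_ip = "203.0.113.10"   # constructed address inside the placeholder range
    print("HTTPS to S3 egress:", nacl_decision(SAMPLE_ENTRIES, True, s3_ip, 443))
    print("Blocked ephemeral ranges:", blocked_ephemeral_ports(SAMPLE_ENTRIES, s3_ip))
```

An empty list from blocked_ephemeral_ports means the inbound rules cover the whole ephemeral range for that S3 address; the sample deliberately reports 49152-65535 as blocked, which matches the Linux default ephemeral range and is a common cause of intermittent failures.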

Gateway VPC endpoint policy

Important: Endpoints currently don't support cross-Region requests. Be sure that your endpoint is in the same Region as your bucket. You can use the get-bucket-location command to find the location of your bucket.

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Endpoints.
  3. In the resource list, choose the endpoint associated with the VPC subnet that has S3 connectivity issues.
  4. Choose the Policy view.
  5. Review the endpoint policy. Check if the policy blocks access to the S3 bucket or to the AWS Identity and Access Management (IAM) user affected by the connectivity issues. If necessary, edit the policy to enable access for the S3 bucket or IAM user. For more information, see Using endpoint policies for Amazon S3.

S3 bucket policy

  1. Open the Amazon S3 console.
  2. Choose the S3 bucket with connectivity issues.
  3. Choose the Permissions view.
  4. Choose Bucket Policy.
  5. Be sure the bucket policy allows access from the gateway VPC endpoint and the VPC that you want to connect. Edit the policy to enable access from the gateway VPC endpoint and VPC. For more information, see Using Amazon S3 bucket policies.

Note: Your bucket policy can restrict access only from a specific public or elastic IP address associated with an instance in a VPC. You can't restrict access based on private IP addresses associated with instances. For more information, see Limiting access to specific IP addresses.
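Since a bucket policy cannot key on private instance IPs, the supported way to tie a bucket to your endpoint is the aws:SourceVpce condition key, and a request through a gateway endpoint has to satisfy both the endpoint policy (previous section) and the bucket policy (this section). The following added example, not code from the AWS article, models that two-gate evaluation on constructed policies and ids; it implements only the subset of the IAM policy grammar these policies use (Effect, Action, Resource, StringEquals/StringNotEquals) and does not model the IAM user or role policy, which is a third gate.

```python
import fnmatch

VPCE_ID = "vpce-0s3gw0001"                     # constructed endpoint id
BUCKET_ARN = "arn:aws:s3:::example-bucket"     # constructed bucket

# Constructed gateway endpoint policy: only example-bucket is reachable via the endpoint.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# Constructed bucket policy: deny anything that did not arrive through VPCE_ID,
# then allow reads that did. aws:SourceVpce is the condition key S3 sees for
# requests made through a gateway endpoint.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnlessFromEndpoint", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
        {"Sid": "AllowReadFromEndpoint", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": VPCE_ID}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value, casefold=False):
    """IAM-style wildcard match ('*', '?'); actions are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if casefold:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context (dict of keys).
    StringNotEquals is satisfied when the key is absent, which is why a request
    that did not come through any endpoint (no aws:SourceVpce key at all)
    still matches the Deny statement."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, casefold=True)
                and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition"), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request_allowed(endpoint_policy, bucket_policy, action, resource, context):
    """A request through a gateway endpoint must pass both policies."""
    return (evaluate(endpoint_policy, action, resource, context) == "Allow"
            and evaluate(bucket_policy, action, resource, context) == "Allow")


if __name__ == "__main__":
    obj = BUCKET_ARN + "/report.csv"
    print("via endpoint:", evaluate(BUCKET_POLICY, "s3:GetObject", obj, {"aws:SourceVpce": VPCE_ID}))
    print("via internet:", evaluate(BUCKET_POLICY, "s3:GetObject", obj, {}))
    print("other bucket via endpoint:", request_allowed(
        ENDPOINT_POLICY, BUCKET_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/x",
        {"aws:SourceVpce": VPCE_ID}))
```

When troubleshooting, run your real endpoint policy and bucket policy through evaluate with the context you expect (the vpce- id from the Endpoints view) and check which gate returns Deny or ImplicitDeny; a Deny from the bucket policy with an empty context is the signature of traffic that is not actually using the endpoint, which points back at the route table and DNS checks.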

If you're using a proxy server, be sure to allow your VPC connections through. If you don't use a proxy server for S3, use the following command to bypass the proxy server when accessing your S3 bucket:

export no_proxy=mybucket.s3.us-west-2.amazonaws.com

Note: Be sure to replace "us-west-2" with your Region.

IAM policy

  1. Open the AWS IAM console.
  2. Choose the IAM user or role used to access the S3 bucket from the instance.
  3. Choose the Permissions view.
  4. Be sure that the IAM user or role has the permissions needed to access Amazon S3. For more information, see How to restrict Amazon S3 bucket access to a specific IAM role and Controlling access to a bucket with user policies.

AWS CLI configuration

Configure the AWS CLI and set a default AWS Region. Use the aws configure command to specify a Default region name. Or, you can set the --region option in each AWS CLI command if:

  • You don't want to specify a default Region
    -OR-
  • You want to override the default Region
