I want to access my Amazon Simple Storage Service (Amazon S3) bucket privately without using authentication, such as AWS Identity and Access Management (IAM) credentials. How can I do that? 

You can access an S3 bucket privately without authentication when you access the S3 bucket from an Amazon Virtual Private Cloud (Amazon VPC) that has an endpoint to Amazon S3.

Follow these steps to set up VPC endpoint access to the S3 bucket:

  1. Create a VPC endpoint for Amazon S3.
  2. Add a bucket policy that allows access from the VPC endpoint.

Before you begin, you must create a VPC that you'll access the bucket from.

Create a VPC endpoint for Amazon S3

  1. Open the Amazon VPC console.
  2. Using the Region selector in the navigation bar, set the AWS Region to the same region as the VPC that you want to use.
  3. From the navigation pane, choose Endpoints.
  4. Choose Create Endpoint.
  5. For Service category, verify that AWS services is selected.
  6. For Service Name, select the service name that includes "s3". For example, the service name in the US East (N. Virginia) Region is com.amazonaws.us-east-1.s3.
  7. For VPC, select the VPC that you want to use.
  8. For Configure route tables, select the route tables based on the associated subnets that you want to be able to access the endpoint.
  9. For Policy, verify that Full Access is selected.
  10. Choose Create endpoint.
  11. Take note of the VPC Endpoint ID. You need this ID for a later step.

Add a bucket policy that allows access from the VPC endpoint

Update your bucket policy with a condition that allows users to access the S3 bucket when the request is from the VPC endpoint that you created. To allow those users to download objects, you can use a bucket policy that's similar to the following:

Note: For the value of aws:sourceVpce, enter the VPC endpoint ID of the endpoint that you created.

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPCE-only",
       "Principal": "*",
       "Action": "s3:GetObject",
       "Effect": "Allow",
       "Resource": ["arn:aws:s3:::awsexamplebucket/*"],
       "Condition": {
         "StringEquals": {
           "aws:sourceVpce": "vpce-1a2b3c4d"
         }
       }
     }
   ]
}

Important: This policy allows access from the VPC endpoint, but it doesn't deny all access from outside the endpoint. If a user from the same account is authenticated, this policy still allows the user to access the bucket from outside the VPC endpoint. If you need a more restrictive bucket policy, then use a policy that explicitly denies access to any requests from outside the endpoint. 
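The restrictive variant that the note describes, as an added example that is not part of the AWS article: an explicit Deny on any request whose aws:sourceVpce is not the endpoint, placed next to the page's Allow-only policy, with a small checker that flags an Allow-only policy. The endpoint ID and bucket name are the page's own placeholders; the Deny statement's Sid and the checker are assumptions of this example.

```python
import json

VPCE = "vpce-1a2b3c4d"            # placeholder endpoint ID, as used on the page
BUCKET = "arn:aws:s3:::awsexamplebucket"

# Constructed policies for this example (not taken from any real account).
ALLOW_STMT = {
    "Sid": "Access-to-specific-VPCE-only", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": [BUCKET + "/*"],
    "Condition": {"StringEquals": {"aws:sourceVpce": VPCE}},
}
# An explicit Deny wins over every Allow, including IAM permissions that an
# authenticated user in the same account holds. It also blocks the account's own
# principals outside the VPC, so plan break-glass access before applying it.
DENY_STMT = {
    "Sid": "Deny-requests-from-outside-VPCE", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE}},
}
ALLOW_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ALLOW_STMT]})
HARDENED_POLICY = json.dumps({"Version": "2012-10-17",
                              "Statement": [ALLOW_STMT, DENY_STMT]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _vpce_values(condition, operator):
    # IAM condition keys are case-insensitive; normalise before comparing.
    block = {k.lower(): v for k, v in condition.get(operator, {}).items()}
    return set(_as_list(block.get("aws:sourcevpce", [])))


def vpce_deny_gaps(policy_json):
    """Return endpoint IDs that the policy allows via aws:sourceVpce but never
    guards with a Deny for requests from outside that endpoint (empty = no gap)."""
    allowed, denied = set(), set()
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        cond = st.get("Condition", {})
        if st.get("Effect") == "Allow":
            allowed |= _vpce_values(cond, "StringEquals")
        elif st.get("Effect") == "Deny":
            denied |= _vpce_values(cond, "StringNotEquals")
    return sorted(allowed - denied)


if __name__ == "__main__":
    for name, policy in [("allow-only", ALLOW_ONLY_POLICY), ("hardened", HARDENED_POLICY)]:
        print(name, "unguarded endpoints:", vpce_deny_gaps(policy))
```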

Published: 2019-03-06