Why can't I connect to my S3 bucket using interface VPC endpoints?

Last updated: 2022-03-31

I can't connect to my Amazon Simple Storage Service (Amazon S3) bucket using interface Amazon Virtual Private Cloud (Amazon VPC) endpoints. How can I troubleshoot this?

Short description

To troubleshoot this error, check the following:

  • Verify the policy associated with the interface VPC endpoint and the S3 bucket.
  • Verify that your network can connect to the S3 endpoints.
  • Verify that your DNS can resolve the S3 endpoint IP addresses.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Resolution

Verify the policy associated with the interface VPC endpoint and the S3 bucket

By default, a new S3 bucket has no bucket policy associated with it. The default policy attached to an S3 interface endpoint at creation allows any action on any S3 bucket. For information on viewing the policy associated with your endpoint, see View your interface endpoint.

Verify that your network can connect to the S3 endpoints

Check connectivity between the source and the destination. For example, check the network access control list (ACL) and the security group associated with the S3 interface endpoints to confirm that traffic is allowed to the interface endpoint.

Use the following telnet command to test connectivity from the AWS resource or an on-premises host to the S3 endpoint. In the following command, replace S3_interface_endpoint_DNS with the DNS of your S3 interface endpoint.

telnet bucket.S3_interface_endpoint_DNS 443
Trying a.b.x.y...
Connected to bucket.vpce-0a1b2c3d4e5f6g-m7o5iqbh.s3.us-east-2.vpce.amazonaws.com

You can also test telnet connectivity using a test Amazon Elastic Compute Cloud (Amazon EC2) instance. Test the connectivity in the subnet where you have the endpoint from the source (on-premises host or another instance) to verify that layer 3 connectivity exists from the source to the destination AWS resource. Make sure that you use the same security group in the test instance that's associated with the S3 interface endpoint. Testing this connectivity helps to determine if the issue is with the security group or the network ACL.

Verify that the DNS can resolve to the S3 endpoints

Make sure that you can resolve the interface endpoint DNS from the source. You can use tools such as nslookup, dig, and so on to do this. The following example uses dig. In the following command, replace S3_interface_endpoint_DNS with the DNS of your S3 interface endpoint.

dig *.S3_interface_endpoint_DNS @local_nameserver

Note: The Amazon-provided DNS server is the .2 IP address of the VPC CIDR. For an on-premises host, the local name server is the one listed in the host's /etc/resolv.conf file.
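
The DNS and connectivity checks above can be combined so that a name that does not resolve is told apart from a connection that is blocked. The following Python script is an added example, not part of the original article; the function name diagnose_endpoint and its status labels are assumptions, and it queries the host's configured resolver rather than a named server.

```python
import socket
import sys


def diagnose_endpoint(host, port=443, timeout=5.0, resolve=socket.getaddrinfo):
    """Resolve host, then try a TCP connect to every address it returns.

    `resolve` is injectable so the DNS step can be exercised offline.
    """
    # DNS step: the same question dig or nslookup answers.
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"status": "dns_failure", "addresses": {}, "detail": str(exc)}

    # Connectivity step: the telnet test, repeated per resolved address,
    # because an interface endpoint can return one IP per subnet.
    addresses = {}
    for addr in sorted({info[4][0] for info in infos}):
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                addresses[addr] = "ok"
        except socket.timeout:
            # No answer at all usually means dropped traffic, for example
            # by a security group or network ACL.
            addresses[addr] = "tcp_timeout"
        except OSError:
            # Refused, unreachable, and similar active failures.
            addresses[addr] = "tcp_error"

    seen = set(addresses.values())
    if seen == {"ok"}:
        status = "ok"
    elif "ok" in seen:
        status = "partial"  # some endpoint IPs reachable, others not
    elif "tcp_timeout" in seen:
        status = "tcp_timeout"
    else:
        status = "tcp_error"
    return {"status": status, "addresses": addresses, "detail": ""}


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python check_endpoint.py bucket.S3_interface_endpoint_DNS
    print(diagnose_endpoint(sys.argv[1]))
```

A "partial" result points at the subnet of the unreachable IP address, which narrows the network ACL or security group to inspect.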

