Simplifying S3 Access with an Interface VPC Endpoint and Route 53
The S3 interface VPC endpoint requires specifying the --endpoint-url option when accessing S3. However, to simplify access and avoid specifying this option repeatedly, Route 53 private hosted zones can be used.

S3 VPC Endpoint
Create an interface VPC endpoint with the following command:
aws ec2 create-vpc-endpoint \
  --vpc-id $YOUR_VPC_ID \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.$YOUR_REGION.s3 \
  --subnet-ids $YOUR_PRIVATE_SUBNET_IDS \
  --security-group-ids $YOUR_SECURITY_GROUP_IDS

Verify the creation of the endpoint and retrieve its DNS entries:
aws ec2 describe-vpc-endpoints \
  --filters Name=service-name,Values=com.amazonaws.$YOUR_REGION.s3 \
  --query "VpcEndpoints[*].DnsEntries"

[
  [
    {
      "DnsName": "*.vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx.s3.ap-northeast-1.vpce.amazonaws.com",
      "HostedZoneId": "xxxxxxxxxxxxxx"
    },
    {
      "DnsName": "*.vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx-ap-northeast-1a.s3.ap-northeast-1.vpce.amazonaws.com",
      "HostedZoneId": "xxxxxxxxxxxxxx"
    }
  ]
]

Confirm S3 access using the VPC endpoint’s URL:
The --region option must be specified.
aws s3 ls \
  --region <YOUR_REGION> \
  --endpoint-url http://vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx.s3.ap-northeast-1.vpce.amazonaws.com

Route 53 Private Hosted Zone
To simplify S3 access, create a Route 53 private hosted zone with the following command:
aws route53 create-hosted-zone \
  --name s3.$YOUR_REGION.amazonaws.com \
  --vpc VPCRegion=$YOUR_REGION,VPCId=$YOUR_VPC_ID \
  --caller-reference "$(date)"

Add an A (ALIAS) record pointing to the VPC endpoint using the Route 53 console.
Click Create record.

Select A as the record type and choose Alias to VPC endpoint as the routing target.

After configuring the hosted zone, you can access S3 without specifying the --endpoint-url option:
The --region option must be specified.
aws s3 ls --region ap-northeast-1
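
One way to confirm, from an instance inside the VPC, that the private hosted zone is in effect: resolve s3.<region>.amazonaws.com and check that every returned address lies inside the VPC's CIDR ranges, where the interface endpoint's network interfaces live. This is an added example, not part of the original post; the function names and the sample addresses are constructed for illustration.

```python
"""Added example: check that the regional S3 name resolves to the interface endpoint."""
import ipaddress
import socket
import sys


def resolve_ipv4(hostname):
    """Return the IPv4 addresses the local resolver gives for hostname ([] if none)."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        # No record for this name (for example, the alias record is missing).
        return []
    return sorted({info[4][0] for info in infos})


def check_endpoint_resolution(addresses, vpc_cidrs):
    """Sort resolved addresses into those inside the VPC CIDRs and those outside."""
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    inside, outside = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in networks):
            inside.append(addr)
        else:
            outside.append(addr)
    # ok only when something resolved and nothing points outside the VPC.
    return {"inside_vpc": inside, "outside_vpc": outside,
            "ok": bool(inside) and not outside}


# Constructed sample data (not real endpoint addresses).
SAMPLE_VPC_CIDRS = ["10.0.0.0/16"]
SAMPLE_PRIVATE = ["10.0.1.25", "10.0.2.31"]
SAMPLE_MIXED = ["10.0.1.25", "203.0.113.10"]

if __name__ == "__main__":
    # Usage: python check_s3_dns.py <region> <vpc-cidr> [<vpc-cidr> ...]
    if len(sys.argv) >= 3:
        region, cidrs = sys.argv[1], sys.argv[2:]
        addresses = resolve_ipv4(f"s3.{region}.amazonaws.com")
    else:
        cidrs, addresses = SAMPLE_VPC_CIDRS, SAMPLE_PRIVATE
    result = check_endpoint_resolution(addresses, cidrs)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

A non-zero exit means the name either did not resolve or resolved to an address outside the VPC, so requests sent without --endpoint-url would not be going through the interface endpoint.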