3

I am looking to host a static website on AWS, using an S3 bucket.

I followed these steps.

The site is a usual directory with subdirectories:

app
│   index.html   
└───scripts
│   │   things.js
│   │   stuff.js
└───images
    │   img1.png
    │   img2.jpg

I want to make the website accessible only to people inside our VPC. I attached the following type of policy to the bucket holding the site files (adding my specific bucket name and VPC id):

{
    "Version": "2012-10-17",
    "Id": "Policy1415115909152",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPCE-only",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my_bucket*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "vpce-blahblahblah"
                }
            }
        }
    ]
}

I also set up a VPC endpoint, with the endpoint ID set as the value for aws:sourceVpce inside the bucket policy.

I set up the VPC endpoint following these steps.

But I still cannot access this site in my browser (I am assuming that, since I am accessing the AWS console with the same browser, AWS is aware I am inside the VPC).

<Error>
    <Code>AccessDenied</Code>
    <Message>Access Denied</Message>
    <RequestId>blahblahblah</RequestId>
    <HostId>blahblahblah</HostId>
</Error>
Cybernetic

1 Answer

3

S3 static websites require public access. There is no such thing as a private S3 website in a VPC or accessible only through a VPC endpoint.

To make your S3 website work, you must set your bucket to public, or use CloudFront, which is also accessible only through the internet. But at least your bucket can be private when you front it with CloudFront (though not the website itself).

Marcin
  • So in order to restrict the web application to internal business users one must provide another security mechanism, such as a sign-in form backed by Amazon Cognito user pools, OAuth, or something similar. – Cybernetic Oct 29 '21 at 01:18
  • 1
    @Cybernetic Yes, if you want to use S3. Otherwise you can host your simple website on a tiny instance (t2.nano) or an ECS container, to make it private only. – Marcin Oct 29 '21 at 01:24
  • It looks like AWS Amplify has a good solution. Simply upload the web application files and set Access Control to "restricted", which fronts your web application with a username and password restriction. – Cybernetic Oct 29 '21 at 01:58
  • @Cybernetic Thanks for letting me know. Sadly I don't have much exposure to Amplify. – Marcin Oct 29 '21 at 02:05
  • 1
    The "Require Public Access" part is true, but the "no such thing as a private s3 website in a VPC" is incorrect. You can create an S3 Endpoint on your VPC, then use OP's bucket policy to restrict the source to only that VPC ID. You'd have to be calling it from a device that is in or routed through that VPC, so good for intranet sites using VPN/DirectConnect connections to AWS. – Matt D Nov 05 '21 at 11:50
  • @MattD Thanks for the comment. But the issue is about S3 website endpoints, not a regular S3 endpoint. The website endpoints are only for public access from the internet. – Marcin Nov 05 '21 at 22:00
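To make the distinction in the answer and comments concrete, here is an added example (not code from the question or the answerers) that simulates how the OP's bucket policy is evaluated for the two request paths: a browser fetching the S3 website endpoint over the internet, and a client fetching the same object through the VPC gateway endpoint. It models only the subset of IAM logic the policy uses (Allow statements, Principal "*", resource wildcards, StringEquals), and the VPC endpoint ID is a constructed placeholder.

```python
"""Minimal simulation of S3 bucket-policy evaluation for the OP's aws:sourceVpce condition."""
import fnmatch

# Stand-in for the OP's policy; the endpoint ID is a constructed placeholder, not a real VPCE.
VPCE_ID = "vpce-0123456789abcdef0"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my_bucket*",   # same wildcard as the question
        "Condition": {"StringEquals": {"aws:sourceVpce": VPCE_ID}},
    }],
}
OBJECT_ARN = "arn:aws:s3:::my_bucket/index.html"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """StringEquals only. A key that is absent from the request context never matches."""
    for key, wanted in condition.get("StringEquals", {}).items():
        if key not in context or context[key] not in _as_list(wanted):
            return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' if some Allow statement matches, else 'Deny' (implicit deny)."""
    for stmt in policy["Statement"]:
        # Website-endpoint requests are anonymous, so only Principal "*" statements can apply.
        if stmt["Effect"] != "Allow" or stmt["Principal"] != "*":
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        # IAM resource wildcards match any characters, including '/', like fnmatch's '*'.
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return "Allow"
    return "Deny"


def website_endpoint_request():
    """Browser -> S3 website endpoint: internet path, so no aws:sourceVpce key in the context."""
    return evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN, {})


def vpc_endpoint_request():
    """Client inside the VPC -> REST endpoint via the gateway endpoint: key present and equal."""
    return evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN, {"aws:sourceVpce": VPCE_ID})
```

The first path yields the implicit deny the OP saw as AccessDenied, because the condition key is simply never present on a website-endpoint request; the second path is the intranet case Matt D describes, and it is allowed.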