Because S3 bucket names are globally unique and accessible over HTTP via a unique URL, it is not possible to isolate S3 at the network level, and this requires access control using bucket policies, IAM policies, or access control lists. You can also use bucket policies to whitelist the source IPs that can access your buckets:
```json
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "54.240.143.0/24" },
        "NotIpAddress": { "aws:SourceIp": "54.240.143.188/32" }
      }
    }
  ]
}
```
The access control system available in S3 provides security when accessing S3. Data in transit is encrypted using HTTPS, and you can also use encryption at rest for objects stored in S3 to further enhance security.
In addition, there are several ways to establish connections with S3 depending on where the S3 client is located (for example, on a local network, in a VPC private/public subnet, etc.):
- Access to S3 via the Internet, if there are no restrictions on access.
- Use VPC Endpoints for S3 if you are accessing S3 from AWS VPCs.
- Use a Direct Connect link from on-premises to AWS data centers to access S3 through a dedicated private network connection.
Unfortunately, since S3 does not provide a network segmentation function, it is not possible to use a VPN connection with S3 to restrict access at the network level.
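To check what a source-IP condition like the one above actually permits before deploying it, the following added example (not from the answer above, and not an AWS library) evaluates a bucket policy offline for a given requester IP. It implements only the `IpAddress`/`NotIpAddress` operators on `aws:SourceIp` plus IAM's explicit-deny-wins rule; the policy document is a constructed copy of the one quoted, and the action and resource defaults are assumed sample values.

```python
import json
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample policy: allow 54.240.143.0/24 except one excluded host.
BUCKET_POLICY = json.loads("""
{ "Version": "2012-10-17", "Id": "S3PolicyId1",
  "Statement": [ { "Sid": "IPAllow", "Effect": "Allow", "Principal": "*",
      "Action": "s3:*", "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": { "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
                     "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"} } } ] }
""")

def _as_list(v):
    # Policy values may be a single string or a list of strings.
    return v if isinstance(v, list) else [v]

def _ip_in_ranges(source_ip, ranges):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in _as_list(ranges))

def condition_holds(condition, source_ip):
    """True when every IpAddress / NotIpAddress clause on aws:SourceIp is satisfied.
    Any other operator is not implemented here, so the statement is treated as not matching."""
    for operator, kv in condition.items():
        ranges = kv.get("aws:SourceIp", [])
        if operator == "IpAddress" and not _ip_in_ranges(source_ip, ranges):
            return False
        if operator == "NotIpAddress" and _ip_in_ranges(source_ip, ranges):
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            return False
    return True

def is_allowed(policy, source_ip, action="s3:GetObject",
               resource="arn:aws:s3:::examplebucket/object.txt"):
    """Subset of IAM evaluation: an applicable Deny wins, otherwise an applicable
    Allow grants access, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Note that `aws:SourceIp` is the public address S3 sees; requests arriving through a VPC endpoint carry `aws:VpcSourceIp`/`aws:SourceVpce` instead, so a policy written only for `aws:SourceIp` will not match them.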