Private S3 access over VPN
Uploading data from a personal device to S3 over VPN, with the bucket reachable only through a VPC endpoint (PrivateLink).
Problem Statement
Employees using company-issued laptops or personal devices need to upload data to, and download data from, an S3 bucket over a secure channel with appropriate authentication (AuthN) and authorization (AuthZ) in place. Roaming devices on networks of variable bandwidth struggle to reach cloud data over a traditional corporate VPN, which tends to hairpin every request through an office location or data center before it reaches AWS.
AWS Solution architecture
Key AWS services used in this solution: AWS Client VPN, VPC endpoint (PrivateLink), S3, and S3 Glacier.
AWS Client VPN. Create a Client VPN endpoint and associate it with dedicated subnets in the VPC, so that client traffic enters AWS there and is routed internally. Disable split tunnel so that all traffic, including S3 requests, is routed through AWS; with split tunnel enabled, S3 requests would go straight to the public S3 endpoint, never traverse the VPC endpoint, and be denied by the bucket policy described below. Note that a full tunnel also needs a 0.0.0.0/0 route in the Client VPN route table and an internet path (for example a NAT gateway) for the associated subnets if users still need general internet access. To test the configuration, follow the certificate-based mutual authentication (mutual TLS) steps in the AWS getting-started guide:
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html
Integrate an identity provider (IdP) with the Client VPN endpoint so that employees authenticate with their corporate identity; the architecture diagram uses Okta as the example IdP.
Private S3 bucket. Create a VPC endpoint (VPCE) for S3 in the VPC. For a gateway endpoint, make sure its route is added to the route tables of the subnets associated with the Client VPN; an interface endpoint backed by PrivateLink works as well. Create a new S3 bucket and attach a bucket policy that denies all PUT requests unless the request arrives through that VPCE, i.e. a Deny on s3:PutObject with a StringNotEquals condition on aws:sourceVpce. Two caveats: as described, the policy confines only uploads, so list and download requests are still accepted from any network with valid credentials (the test below shows this); add s3:GetObject and s3:ListBucket to the Deny if downloads must also stay on the VPN. And because the Deny applies to every principal, including account administrators using the console from outside the VPN, never extend it to bucket-management actions such as s3:PutBucketPolicy without an exception for an admin principal, or you will lock yourself out of the bucket.
Test: verify the following results.

Not connected to AWS Client VPN:
aws s3 ls s3://mybucket → SUCCESS
aws s3 cp text.txt s3://mybucket → FAIL

Connected to AWS Client VPN:
aws s3 ls s3://mybucket → SUCCESS
aws s3 cp text.txt s3://mybucket → SUCCESS