How can I configure my Amazon VPC to privately connect to my S3 bucket without using authentication?

3 minute read

I want to create a private connection from my Amazon Virtual Private Cloud (Amazon VPC) to an Amazon Simple Storage Service (Amazon S3) bucket. However, I don't want to use authentication, such as AWS Identity and Access Management (IAM) credentials. How do I create this type of private connection?

Short description

You can access an S3 bucket privately without authentication when you access the bucket from an Amazon Virtual Private Cloud (Amazon VPC). However, make sure that the VPC endpoint used points to Amazon S3.

Follow these steps to set up VPC endpoint access to the S3 bucket:

1.    Create a VPC endpoint for Amazon S3.

2.    Add a bucket policy that allows access from the VPC endpoint.


Before you begin, you must create a VPC that you'll access the bucket from.

Create a VPC endpoint for Amazon S3

1.    Open the Amazon VPC console.

2.    Using the Region selector in the navigation bar, set the AWS Region to the same Region as your S3 bucket.

3.    From the navigation pane, choose Endpoints.

4.    Choose Create Endpoint.

5.    For Service category, verify that "AWS services" is selected.

6.    For Service Name, select the "s3" service name and "Gateway" type. For example, the service name in the US East (N. Virginia) Region is

7.    For VPC, select your VPC.

8.    For Configure route tables, select the route tables based on the associated subnets that you want to be able to access the endpoint from.

9.    For Policy, verify that Full Access is selected.

10.    Choose Create endpoint.

11.    Note the VPC Endpoint ID. You'll need this endpoint ID for a later step.

Add a bucket policy that allows access from the VPC endpoint

Update your bucket policy with a condition that allows users to access the S3 bucket when the request is from the VPC endpoint that you created.

To allow those users to download objects ( s3:GetObject), use a bucket policy like this one:

   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
       "Sid": "Access-to-specific-VPCE-only",
       "Principal": "*",
       "Action": "s3:GetObject",
       "Effect": "Allow",
       "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
       "Condition": {
         "StringEquals": {
           "aws:sourceVpce": "vpce-1a2b3c4d"

For the value of aws:sourceVpce, make sure to enter the VPC endpoint ID of the endpoint that you previously created.

Important: This policy allows access from the VPC endpoint, but it doesn't deny all access from outside the endpoint. If a user from the same account is authenticated, this policy still allows the user to access the bucket from outside the VPC endpoint. For a more restrictive bucket policy, use a policy that explicitly denies access to any requests from outside the endpoint.

Related information

Gateway endpoints for Amazon S3

AWS OFFICIALUpdated 2 years ago