Private DNS name for S3 VPC endpoint

1

Good afternoon,

I have deployed an interface VPC endpoint for S3 and I would like to map it to my internal domain (e.g. s3.example.local). I have created a private PHZ and created an ALIAS record pointing to my VPC endpoint. This works; however I'm getting a TLS error because the certificate name doesn't match my internal name. I see the certificate assigned to the VPC endpoint is specific to the endpoint, so I was wondering if there was a way to somehow include a custom name into that certificate?

The other alternative I see would be to ignore SSL verification checks, but obviously I would like to avoid this.

Thanks! Fred.

fmereu
asked 2 years ago3604 views
2 Answers
1

You're correct, you can't assign a Private DNS name to the S3 interface endpoint. It's called out in the documentation. You have to either use the name or (as you suggest) disable SSL verification but that's not recommended.

Update: We've now released a feature that provides private DNS support for PrivateLink: https://aws.amazon.com/blogs/storage/introducing-private-dns-support-for-amazon-s3-with-aws-privatelink/

profile pictureAWS
EXPERT
answered 2 years ago
0

Hi,

I was trying to access S3 from a VPC located in a different region (this because we don't want to go the public Internet for security reasons) and I believe there is a bit of lack of documentation on how to achieve this. We are already using the same approach for the other AWS services, but S3 is different, when you create then interface endpoint it returns you a wildcard and this does not allow to just create a standard Alias (A) record to the service. After a few tries I figure you can do a name redirection specifying a CNAME for *s3.<REGION>.amazonaws.com to <S3_INTERFACE_ENDPOINT_WILDCARD>, this allows you to access S3 Service over the VPC peering without the need to specify the --endpoint-url for all the commands.

In your case changing domain to something that is not native from AWS might still be a problem for the SSL cert, but as long as you link you DNS Resolver to this private DNS entry on AWS, you can use native naming convention without having to actually use AWS public endpoints to access the service.

Hope this helps!

BR, Michele

answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions