What are S3 Gateway Endpoints?


Let’s consider a scenario

How could your Lambda function access the content in the S3 bucket?

If you want a service to access the content in an S3 bucket, it usually goes through a VPC endpoint. S3 supports two types of VPC endpoint: the Gateway endpoint and the Interface endpoint.

The differences between the two types of VPC endpoints are listed below:

S3 Gateway Endpoints                                  | S3 Interface Endpoints
Uses S3 public IP addresses                           | Uses private IP addresses in the VPC to access S3
Uses the same S3 DNS name                             | Name must include the VPC endpoint ID [3]
Cannot be accessed internally (from on-premises)      | Can be accessed internally (from on-premises)
Cannot be accessed from other AWS regions             | Can be accessed from other AWS regions via VPC peering or AWS Transit Gateway
Free                                                  | Charged

So if your scenario is a Lambda function that wants to access the content of an S3 bucket in the same region, the Gateway Endpoint is a great fit.

Consideration of S3 Gateway Endpoint

It is worth mentioning that there are several things you need to consider before choosing S3 Gateway Endpoints; make sure you go through this section of the official documentation:

https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#gateway-endpoint-considerations-s3

Private DNS

When you create a Gateway Endpoint or an Interface Endpoint for S3, you can decide whether to create private DNS to reduce cost.

This is implemented by Route 53 Resolver.
For details, see: https://docs.aws.amazon.com/zh_tw/Route53/latest/DeveloperGuide/resolver.html

Steps for building Gateway Endpoint

  • Go to the AWS Console to create the endpoint

VPC / Endpoints / Create Endpoint


  • Choose AWS services, and com.amazonaws.us-east-1.s3


  • Then press Create endpoint

Associate Route Table

  • Make sure the route table associated with the gateway endpoint is clean.

    If you don’t have one, make one.


Configure policy

  • For testing purposes, I choose Full Access


  • Then press Create endpoint

Check the routing

After establishing the endpoint, you can check whether the default route of the route table is configured correctly.


Next, we must configure a Lambda function for accessing the S3 bucket.

Configure Lambda Function

If you put a Lambda function into a VPC, it will attach to 2 subnets by default.

Make sure both subnets have a route to the S3 Gateway Endpoint.
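A check for that route-table requirement, added here as an example (not part of the original post): it walks the output shape of boto3's ec2.describe_route_tables()['RouteTables'] and reports, per Lambda subnet, whether S3 traffic is routed to the gateway endpoint, falling back to the VPC main route table for subnets with no explicit association. The route-table data, subnet ids, endpoint id and the prefix list id are constructed placeholders.

```python
"""Check that each subnet a VPC-attached Lambda uses routes S3 traffic to the
gateway endpoint. Input mirrors boto3 ec2.describe_route_tables()['RouteTables'];
the sample data below is constructed, not from a real account."""

S3_PREFIX_LIST_ID = "pl-EXAMPLE"  # placeholder: the region's S3 prefix list id

def route_table_for_subnet(route_tables, subnet_id):
    """Explicitly associated table, else the VPC main table (AWS default)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_s3_gateway_route(route_table, endpoint_id):
    """A gateway endpoint shows up as an active route: S3 prefix list -> vpce id."""
    return any(
        r.get("GatewayId") == endpoint_id
        and r.get("DestinationPrefixListId") == S3_PREFIX_LIST_ID
        and r.get("State") == "active"
        for r in route_table.get("Routes", [])
    )

def check_lambda_subnets(route_tables, subnet_ids, endpoint_id):
    """Map each subnet id to True if S3 traffic from it uses the endpoint."""
    result = {}
    for subnet in subnet_ids:
        rt = route_table_for_subnet(route_tables, subnet)
        result[subnet] = rt is not None and has_s3_gateway_route(rt, endpoint_id)
    return result

# Constructed sample: subnet-0aaa uses a table with the endpoint route;
# subnet-0bbb has no association, so it falls back to the main table without one.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"}]},
    {"RouteTableId": "rtb-endpoint",
     "Associations": [{"SubnetId": "subnet-0aaa", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"},
                {"DestinationPrefixListId": S3_PREFIX_LIST_ID,
                 "GatewayId": "vpce-0example", "State": "active"}]},
]
print(check_lambda_subnets(SAMPLE_ROUTE_TABLES, ["subnet-0aaa", "subnet-0bbb"],
                           "vpce-0example"))  # {'subnet-0aaa': True, 'subnet-0bbb': False}
```

Against a real account, replace SAMPLE_ROUTE_TABLES with the RouteTables list from describe_route_tables() filtered to the Lambda's VPC, and the subnet ids with those shown in the function's VPC configuration.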


  • Create Lambda function, and enable the VPC


  • Lambda Code
import json
import boto3

def lambda_handler(event, context):
    print("CREATE CLIENT")
    # Inside the VPC, the S3 client reaches the bucket through the gateway
    # endpoint rather than over the public internet.
    s3 = boto3.client("s3")
    print("START REQUEST")
    # Bucket used in this walkthrough
    resp = s3.list_objects(Bucket="testbucket4-s3gateway-endpoint")
    print(resp)

    return {
        'statusCode': 200,
        'body': json.dumps('Hello from Lambda!')
    }

In this Lambda code, Lambda will try to list the objects in the bucket and print out the information of the response object in the log.

  • Configure policy of Lambda execution role

I simply attach the AWS managed policy AmazonS3FullAccess to the execution role for testing.

Note that you should not give full access to your Lambda function in production; make sure you give adequate permissions to the role.


Check invocations

  • Press the Test button in the Lambda console; you’ll notice the Lambda gets invoked successfully


  • Then check the invocation logs in CloudWatch


You can see that the object information was listed and printed out in the invocation logs.

References

[1] https://docs.aws.amazon.com/zh_tw/vpc/latest/privatelink/vpc-endpoints-s3.html#create-gateway-endpoint-s3
[2] https://docs.aws.amazon.com/zh_tw/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
[3] https://docs.aws.amazon.com/zh_tw/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#accessing-s3-interface-endpoints