I’ve seen some similar questions, and so far there doesn’t seem to be a way to do this, so this question is for further digging, or even a challenge for anyone to accomplish this.
The objective is to host a website from an S3 bucket that is only accessible from within a VPC (e.g. using a VPN). And as a bonus, use a custom domain instead of *.s3-website.eu-central-1.amazonaws.com.
Using a VPC endpoint does not help, since VPC endpoints do not work with S3 website endpoints, only with REST endpoints.
Setting a bucket as a static website requires allowing public access and defining a bucket policy that allows public access. Even when attempting to restrict it with a constraint to a VPC in the bucket policy, it does not work.
It is possible to set the bucket to private and create a CloudFront distribution with access to it via Origin Access Control (OAC). But after this, the CloudFront endpoint is public. I'm not sure whether, using WAF (/a/35518936/14643464), it is possible to restrict it to requests coming from inside a VPC (or from a VPC's CIDR).
From Controlling access from VPC endpoints with bucket policies – Amazon Simple Storage Service:
Restricting access to a specific VPC
You can create a bucket policy that restricts access to a specific VPC by using the aws:SourceVpc condition. This is useful if you have multiple VPC endpoints configured in the same VPC, and you want to manage access to your Amazon S3 buckets for all of your endpoints. The following is an example of a policy that denies access to awsexamplebucket1 and its objects from anyone outside VPC vpc-111bbb22. If the specified VPC isn't used, the policy denies all access to the bucket. This statement doesn't grant access to the bucket. To grant access, you must add a separate Allow statement. The aws:SourceVpc condition key doesn't require an ARN for the VPC resource, only the VPC ID.
{
    "Version": "2012-10-17",
    "Id": "Policy1415115909153",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPC-only",
            "Principal": "*",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1",
                "arn:aws:s3:::awsexamplebucket1/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpc": "vpc-111bbb22"
                }
            }
        }
    ]
}
I don’t think you’d be able to do it with a custom domain, however.
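The answer above quotes only the Deny statement and notes that a separate Allow is still required. As an added example (not part of the original question or answer, and not AWS code), the script below pairs that Deny with a matching Allow and runs both through a small simulation of IAM policy evaluation: explicit Deny wins, a missing condition key satisfies a negated operator such as StringNotEquals, and an Allow is needed for any access at all. The bucket name and VPC ID are the ones from the quoted AWS document; the Allow statement, the second VPC ID, the object key and the evaluator itself are assumptions made for the example.

```python
"""Simulate how an S3 bucket policy using aws:SourceVpc is evaluated.

Added example, not from the original post. Implements just enough of IAM
policy evaluation (Deny-wins, action/resource wildcards, StringEquals and
StringNotEquals on the request context) to show why the quoted Deny
statement grants nothing on its own and why requests that never carry an
aws:SourceVpc key are denied.
"""
import json

BUCKET = "awsexamplebucket1"   # bucket name from the quoted AWS doc
VPC_ID = "vpc-111bbb22"        # VPC ID from the quoted AWS doc
OTHER_VPC = "vpc-999ccc88"     # assumed: some unrelated VPC

# Deny everything from outside the VPC, then Allow reads from inside it.
# The Allow statement is an assumption added here; the doc only shows the Deny.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPC-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpc": VPC_ID}},
        },
        {
            "Sid": "Allow-reads-from-inside-VPC",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringEquals": {"aws:SourceVpc": VPC_ID}},
        },
    ],
}


def _matches(pattern, value):
    """Minimal trailing-wildcard matching for Action and Resource fields."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the key is absent
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # A missing key makes the negated operator TRUE: a request
                # that did not pass through a VPC endpoint has no
                # aws:SourceVpc, so it counts as "not equal" and is denied.
                if actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Explicit Deny wins over any Allow; with no matching Allow the result
    is the implicit deny, exactly as in real IAM evaluation.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


OBJECT = f"arn:aws:s3:::{BUCKET}/index.html"  # assumed object key


def from_inside_vpc():
    # Request that traversed a VPC endpoint in the allowed VPC.
    return evaluate(POLICY, "s3:GetObject", OBJECT, {"aws:SourceVpc": VPC_ID})


def from_other_vpc():
    # Request via a VPC endpoint in a different VPC.
    return evaluate(POLICY, "s3:GetObject", OBJECT, {"aws:SourceVpc": OTHER_VPC})


def from_internet():
    # No VPC endpoint in the path, so the context has no aws:SourceVpc key.
    return evaluate(POLICY, "s3:GetObject", OBJECT, {})


def deny_only_from_inside_vpc():
    # The quoted Deny statement alone: even the right VPC gets no access.
    deny_only = {"Version": "2012-10-17", "Statement": POLICY["Statement"][:1]}
    return evaluate(deny_only, "s3:GetObject", OBJECT, {"aws:SourceVpc": VPC_ID})


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for fn in (from_inside_vpc, from_other_vpc, from_internet, deny_only_from_inside_vpc):
        print(f"{fn.__name__}: {fn()}")
```

Running the script prints the combined policy and then Allow, Deny, Deny, ImplicitDeny for the four cases. The third case is the one that matters for the question: a request that does not arrive through a VPC endpoint carries no aws:SourceVpc key, and the negated operator treats a missing key as a match, so it is denied.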