Secure S3 Bucket Access Over Direct Connect Private VIF

Problem Statement

• The AWS recommended and native solution to access S3 buckets (via Direct Connect (DX) from on-prem location) is to use Public VIF
• Accessing S3 bucket over DX Public VIF can pose serious security threats to enterprises
• AWS advertises the entire S3 Public subnet range (one or all the regions) to on-prem which implies that …
  • All on-prem users can upload to any S3 bucket, including to their personal S3 buckets on their own personal accounts, leading to confidential data leakage
• Potentially higher utilization of DX circuit (non-compliant data) that could choke the DX and may incur higher charges ($$$)

Solution

The solution proposed here not only works for the traffic coming from on-prem location but also allows secure connectivity to S3 traffic coming from other AWS VPCs or other public clouds as well (Multi-Cloud scenario)

Following are the high level steps to implement this solution

• Create a dedicated S3 VPC (as spoke)
• Create S3 end-point in the S3 VPC
• Deploy Aviatrix Global Transit and attach the S3 VPC (as spoke) to it
• Deploy Aviatrix S3 Gateway in dedicated S3 VPC
• Enable private S3 feature in Aviatrix Controller
  • The Controller automatically configures the AWS NLB and load balances multiple AVX S3 GW for high availability, redundancy and performance
• Apply the security policy to allow S3 access from specific CIDRS
  • Controller enforce zero-trust S3 security policy
  • The CIDRs specified in the policy are allowed to access S3 (rest are blocked by default)
• Create on-prem DNS private zone to point the S3 bucket FQDN to private IP

Production Topology

Following is the enterprise topology to solve the this business challenge

Traffic Flow

• Business requirement is that on-prem corporate resources, such as laptop/desktop, can access the S3 Bucket in AWS
  • This access must be encrypted over DX link at line rate
  • The encryption should allow maximum utilization of 10G DX cuircuit
• There is an optional Aviatrix CloudN hardware appliance in the topology
  • CloudN HPE (High Performance Encryption appliance) provide end-to-end and line-rate encryption of all the traffic crossing over the AWS DX link
  • The traffic over DX link is not encrypted by default device that is why it is important to use CloudN appliance without compromising the throughput (Cloud Native IPSec encyrption is limited to 1.25 Gbps only)
• S3 bucket traffic goes from on-prem DX link to Aviatrix Transit GW (AVX-TR-GW)
  • This is possible because the on-prem DNS server is configured to send S3 bucket traffic towards S3 VPC
• The S3 VPC (AVX-SPK-GW) is attached to AVX-TR-GW as a spoke
• S3 bucket traffic goes to AVX-S3-GW (AVX-SPK-GW)
• AVX-S3-GW inspect the traffic and if the policy allows it, then it forwards the traffic to S3 end-point configured inside the S3 VPC

For deployment details and more screen shot please check out this blog here

Additional Resources

https://docs.aviatrix.com/HowTos/sfc_faq.html