-3

We need to set up S3 bucket replication from a SaaS provider (in a different tenant and account, but same S3 region) to our S3 bucket to capture logs from the SaaS application.

We have a bucket policy in place preventing access unless it came from a VPC endpoint.

Will we need to whitelist IP addresses of the SaaS provider on this bucket policy?

2
  • Please note that S3 buckets do not exist 'inside' a VPC. They can be accessed via endpoints on the Internet or via VPC Endpoints. When you mention "our S3 buckets are NOT accessible outside of our VPC", are you saying that you have created an S3 VPC Endpoint and the S3 bucket has a Bucket Policy that prevents access unless it comes from the VPC Endpoint? Commented Jul 8 at 2:08
  • Fair point, thank you. Yes, the bucket does not exist IN a VPC; it can only be accessed from within a VPC. There is a bucket policy in place that prevents access unless it comes from within the VPC endpoint. Commented Jul 9 at 3:06

1 Answer

0

You do not need to "open the bucket".

The replication will be done across the AWS backplane. Since you are in the same AWS Region, nothing goes across the Internet.

Regardless, your data is encrypted while being replicated.

1
  • Yes. We have a KMS key that is used by the guest account IAM user to ensure the replicated objects are encrypted when they land in our bucket. There is another role that has decrypt rights only, for pushing those logs to our SIEM. Commented Jul 9 at 3:08
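An added example, not from the question or the answer above: a destination bucket policy that keeps the VPC-endpoint-only restriction while granting the SaaS account's replication role the permissions cross-account replication needs. Replication requests are issued by the S3 service on behalf of the source account's replication role, so they carry no `aws:SourceVpce` value; the deny statement therefore exempts that role by principal ARN (not by IP address). The account ID `111111111111`, role name `saas-replication-role`, bucket name `our-log-bucket` and endpoint ID `vpce-0123456789abcdef0` are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSaaSReplicationObjects",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:role/saas-replication-role" },
      "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"],
      "Resource": "arn:aws:s3:::our-log-bucket/*"
    },
    {
      "Sid": "AllowSaaSReplicationBucketLevel",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:role/saas-replication-role" },
      "Action": ["s3:GetBucketVersioning", "s3:PutBucketVersioning"],
      "Resource": "arn:aws:s3:::our-log-bucket"
    },
    {
      "Sid": "DenyUnlessFromVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::our-log-bucket",
        "arn:aws:s3:::our-log-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:SourceVpce": "vpce-0123456789abcdef0" },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111111111111:role/saas-replication-role"
        }
      }
    }
  ]
}
```

The two condition operators inside one `Condition` block are ANDed, so the deny fires only for requests that are neither from the VPC endpoint nor from the replication role. The KMS key mentioned in the comment above needs a matching grant in its key policy (encrypt for the replication role, decrypt for the SIEM role); that lives outside the bucket policy.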
