Protect access to Amazon S3 buckets with Cloudflare Zero Trust
This tutorial demonstrates how to secure access to Amazon S3 buckets with Cloudflare Zero Trust so that data in these buckets is not publicly exposed on the Internet. You can combine Cloudflare Access and AWS VPC endpoints. Enterprise may also use Cloudflare Gateway egress policies with dedicated egress IPs.
flowchart TB
    cf1[/Agentless and WARP </br>Zero Trust users/]--Access policy-->cf2{{Cloudflare}}
    cf2--Cloudflare Tunnel-->vpc1
    subgraph VPC
    vpc1[EC2 VM]-->vpc2[VPC endpoint]
    end
    vpc2-->s3_1
    subgraph S3 service
    s3_1([S3 bucket])
    end
    i1[/Users outside </br> Zero Trust/]-. "S3 access denied" .->s3_1
- S3 bucket to be protected by Cloudflare Zero Trust
- AWS VPC with one EC2 virtual machine (VM) hosting the Cloudflare Tunnel daemon
- S3 bucket and AWS VPC configured in the same AWS region ↗
- In the AWS dashboard ↗, go to Services > Networking & Content Delivery > VPC.
- Under Virtual private cloud, go to Endpoints.
- Select Create endpoint and name the endpoint.
- Choose AWS services as the service category.
- In Services, search and select the S3 service in the same region of the VPC. For example, for the AWS region Europe (London) - eu-west-2, the corresponding S3 service is named com.amazonaws.eu-west-2.s3with a type of Gateway.
- In VPC, select your VPC that contains the EC2 VM hosting the Cloudflare tunnel daemon.
- In Route tables, select the route table associated with the VPC.
- In Policy, choose Full access.
- Select Create endpoint.
After you create the VPC endpoint, a new entry in the VPC route table with the target being your VPC endpoint. The entry will have the format vpce-xxxxxxxxxxxxxxxxx.
- Go to Services > Storage > S3.
- In Amazon S3, go to Buckets > <your-S3-bucket> > Permissions.
- Disable Block all public access.
- In Bucket policy, add the following policy:
{  "Version": "2012-10-17",  "Id": "VPCe",  "Statement": [    {      "Sid": "VPCe",      "Effect": "Allow",      "Principal": "*",      "Action": "s3:*",      "Resource": [        "arn:aws:s3:::<your-S3-bucket01>",        "arn:aws:s3:::<your-S3-bucket01>/*"      ],      "Condition": {        "StringEquals": {          "aws:SourceVpce": "<your-vpc-endpoint>"        }      }    }  ]}Your bucket policy will allow your VPC to access your S3 bucket.
- Return to Amazon S3, then go to Buckets > <your-S3-bucket01> > Properties.
- In Static website hosting, select Edit.
- Enable Static website hosting.
- Specify the Index and Error documents for the S3 bucket.
- Select Save changes.
A bucket website endpoint will be available at http://<your-S3-bucket01>.s3-website.<aws-region>.amazonaws.com. Because of the bucket policy, this website endpoint will only be accessible from the VPC with the VPC endpoint configured.
- In Zero Trust ↗, go to Access > Tunnels
- Select your Tunnel, then select Configure.
- Go to Public Hostname, then select Add a public hostname.
- Enter a subdomain your organization will use to access the S3 bucket. For example, s3-bucket.<your-domain>.com.
- Under Service, choose HTTP for Type. In URL, enter <your-S3-bucket01>.s3-website.<aws-region>.amazonaws.com.
- In Additional application settings > HTTP Settings, input the HTTP Host Header as <your-S3-bucket01>.s3-website.<aws-region>.amazonaws.com.
- Select Save hostname.
Your Cloudflare Tunnel will terminate at the AWS VPC using your public hostname.
- Go to Access > Applications.
- Select Add an application.
- Select Self-hosted.
- Enter a name for the application.
- Select Add public hostname and enter the public hostname used by your Tunnel. For example, s3-bucket.<your-domain>.com.
- Add Access policies to determine which users and applications may access your bucket. You can optionally create a service token policy to automatically authenticate access to your S3 bucket.
- Follow the remaining self-hosted application creation steps to publish the application.
Users and applications that successfully authenticate via Cloudflare Access can access your S3 bucket at https://s3-bucket.<your-domain>.com.
flowchart TB
    cf1[/WARP users/]--Egress policy-->cf2{{Cloudflare}}
    cf2--Egress with dedicated IP-->i1[Internet]
    i1-->s3_1
    subgraph S3 Service
    s3_1([S3 bucket])
    end
    i2[/Users outside </br> Zero Trust/]-. "IPs denied" .->s3_1
- Cloudflare Zero Trust account with dedicated egress IPs
- S3 bucket to be protected by Cloudflare Zero Trust
- In the AWS dashboard ↗, go to Services > Storage > S3.
- Go to Buckets > <your-S3-bucket02> > Permissions.
- Disable Block all public access.
- In Bucket policy, add the following policy:
{  "Version": "2012-10-17",  "Id": "SourceIP",  "Statement": [    {      "Sid": "SourceIP",      "Effect": "Allow",      "Principal": "*",      "Action": "s3:*",      "Resource": [        "arn:aws:s3:::<your-S3-bucket02>",        "arn:aws:s3:::<your-S3-bucket02>/*"      ],      "Condition": {        "IpAddress": {          "aws:SourceIp": "<your-dedicated-ip>/32"        }      }    }  ]}- Return to your bucket, then go to Properties.
- In Static website hosting, select Edit.
- Enable Static website hosting.
- Specify the Index and Error documents for the S3 bucket.
- Select Save changes.
A bucket website endpoint will be available at http://<your-S3-bucket02>.s3-website.<aws-region>.amazonaws.com. Because of the bucket policy, the website endpoint will only be accessible to traffic sourced from the dedicated egress IP specified.
- In Zero Trust ↗, go to Gateway > Egress policies. Select Add a policy.
- Create a policy that specifies which proxied traffic Gateway should assign a dedicated egress IP to. For more information, refer to Egress policies.
- In Select an egress IP, choose Use dedicated Cloudflare egress IPs. Select the dedicated egress IP defined in your bucket policy.
- Select Create policy.
Traffic proxied by Gateway and assigned your specified egress IP can access your S3 bucket at http://<your-S3-bucket02>.s3-website.<aws-region>.amazonaws.com.