Which solution will permit the artifact consumers to download artifacts without modifying the existing automation scripts?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company is migrating its on-premises build artifact server to an AWS solution.The current system consists of an Apache HTTP server that serves artifacts to clients on the local network, restricted by the perimeter firewall.The artifact consumers are largely build automation scripts that download artifacts via anonymousHTTP, which the company will be unable to modify within its migration timetable.The company decides to move the solution to Amazon S3 static website hosting.The artifact consumers will be migrated to Amazon EC2 instances located within both public and private subnets in a virtual private cloud (VPC).

Which solution will permit the artifact consumers to download artifacts without modifying the existing automation scripts?

Create a NAT gateway within a public subnet of the VPC. Add a default route pointing to the NAT gateway into the route table associated with the subnets containing consumers. Configure the bucket policy to allow the s3:ListBucket and s3:GetObject actions using the condition IpAddress and the condition key aws:SourceIp matching the elastic IP address of the NAT gateway.

Create a VPC endpoint and add it to the route table associated with subnets containing consumers. Configure the bucket policy to allow s3:ListBucket and s3:GetObject actions using the condition StringEquals and the condition key aws:sourceVpce matching the identification of the VPC endpoint.

Create an IAM role and instance profile for Amazon EC2 and attach it to the instances that consume build artifacts. Configure the bucket policy to allow the s3:ListBucket and s3:GetObjects actions for the principal matching the IAM role created.

Create a VPC endpoint and add it to the route table associated with subnets containing consumers. Configure the bucket policy to allow s3:ListBucket and s3:GetObject actions using the condition IpAddress and the condition key aws:SourceIp matching the VPC CIDR block.

Explanations:

This option utilizes a NAT gateway for internet access, but the existing automation scripts cannot be modified. Since the scripts are anonymous HTTP requests, they would not have the necessary credentials to access the S3 bucket. Bucket policies using IP conditions require the consumer to connect with specific IP addresses, which would not work for anonymous requests from EC2 instances.

Creating a VPC endpoint allows the EC2 instances in both public and private subnets to access the S3 bucket directly without needing public internet access. The bucket policy can be set to allow actions based on the VPC endpoint, enabling the existing automation scripts to access artifacts without requiring modification.

While creating an IAM role and instance profile allows EC2 instances to access S3, this option requires modifying the existing automation scripts to use IAM credentials, which the company cannot do within the migration timetable. Therefore, it would not permit anonymous access as required.

Similar to option A, this approach relies on IP-based conditions in the bucket policy, which requires the consumers to connect from specific IPs. Since the automation scripts cannot be modified and are designed for anonymous access, this solution would not work as intended.

2025-10-18

1 Comment

  1. Patricia
    Author

    Based on what I know, the answer is:
    Create a VPC endpoint and add it to the route table associated with subnets containing consumers. Configure the bucket policy to allow s3:ListBucket and s3:GetObject actions using the condition StringEquals and the condition key aws:sourceVpce matching the identification of the VPC endpoint.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 − two =