Unable to Access S3 Endpoints from HIS-pms-Prod-Main VPC #277

Open
kumarabhinav19 opened this issue Oct 9, 2023 · 2 comments
Labels
bug Something isn't working

Comments


kumarabhinav19 commented Oct 9, 2023

Describe the bug
S3 endpoints are inaccessible from the HIS-pms-Prod-Main VPC, preventing the use of RHEL package management tools like yum.

To Reproduce
Launch an instance within the HIS-pms-Prod-Main VPC using the healthcare config and utilize the package manager, such as yum, to update or install software packages.

Expected behavior
Able to access S3 endpoints and download/install any packages.

Please complete the following information about the solution:

  • Version: [v1.4.3]

  • Region: [all regions]

  • Was the solution modified from the version published on this repository?

  • If the answer to the previous question was yes, are the changes available on GitHub?

  • Have you checked your service quotas for the services this solution uses?


Additional context
AMIs such as AL2023 come with a default repository list configured to an S3 endpoint mirror.
When performing operations like yum update or installing packages, the system attempts to connect to this mirror, leading to errors.

kumarabhinav19 added the bug label Oct 9, 2023
kumarabhinav19 added a commit to kumarabhinav19/landing-zone-accelerator-on-aws that referenced this issue Oct 9, 2023

bo1984 commented Oct 9, 2023

Hi @kumarabhinav19, thank you for using the Landing Zone Accelerator on AWS solution. I believe I see the issue with the config; can you provide the policy set on the S3 Gateway endpoint in your account? To fix this, you'd need to launch an endpoint in your VPC. Just modify this line to this configuration:

```yaml
gatewayEndpoints:
  defaultPolicy: Default
  endpoints:
    - service: s3
```

Before I submit a bug report for the config, I'd like to confirm that this fix resolves your issue.

kumarabhinav19 (Author) commented

Hi @bo1984, thank you for your quick response.

Yes, I have implemented the solution by adding the following configuration to the Prod VPC:

```yaml
gatewayEndpoints:
  defaultPolicy: Default
  endpoints:
    - service: s3
    - service: dynamodb
```

This resolved the issue, allowing us to use 'yum' without any problems. However, it's crucial to note that this solution adheres to healthcare regulations, specifically HIPAA compliance. To ensure this, I incorporated the configuration into the network inspection NAT route tables. This setup aligns with the central ingress/egress networking strategy we've established, complemented by the central Network Firewall integrated into our solution.

By omitting this configuration from both the local VPCs (Prod and non-prod), we've ensured that traffic doesn't bypass the firewall. While this might seem like a minor adjustment, it's essential to guarantee compliance during audits. Additionally, the policy set on the S3 Gateway endpoint remains at its default, as provided by AWS.

I have also raised a PR for the same.
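The reply above makes a point that is easy to get wrong in practice: a gateway endpoint placed in a workload VPC's route tables sends S3 (or DynamoDB) traffic straight to the service and never through the central Network Firewall, so the endpoint has to live on the inspection VPC's NAT route tables instead. The audit below, an added example that is not code from the issue, the PR or the Landing Zone Accelerator project, checks for exactly that mistake in `aws ec2 describe-route-tables` output: a gateway endpoint appears as a route whose `DestinationPrefixListId` is the service's managed prefix list and whose `GatewayId` is a `vpce-` ID, and any such route outside the designated inspection VPCs is flagged. It also flags a workload route table whose default route does not hand off to a transit gateway, on the assumption (from the thread's central ingress/egress design) that a spoke's `0.0.0.0/0` should reach the firewall via TGW. All VPC, route table, endpoint, prefix list and transit gateway IDs, names and CIDRs are constructed sample data.

```python
"""Added example for this thread, not code from the issue or the Landing Zone Accelerator project.

An S3 or DynamoDB gateway endpoint shows up in a route table as a route whose
DestinationPrefixListId is the service's managed prefix list and whose GatewayId is
the endpoint (vpce-...). Such a route in a workload VPC sends that traffic directly
to the service, bypassing a central Network Firewall. Given describe-route-tables
output and the set of central inspection VPC IDs, this audit flags those routes and
any workload route table whose default route does not hand off to a transit gateway.
All IDs, names and CIDRs below are constructed sample data, not real resources.
"""
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# The prefix list "pl-0s3example0000000" stands in for the S3 managed prefix list.
SAMPLE_ROUTE_TABLES = json.loads(r"""
{"RouteTables": [
  {"RouteTableId": "rtb-0inspect00000000001", "VpcId": "vpc-0inspect00000000001",
   "Tags": [{"Key": "Name", "Value": "Network-Inspection-NAT-A"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/22", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaaaaaaaaaaaaaaa", "State": "active"},
     {"DestinationPrefixListId": "pl-0s3example0000000", "GatewayId": "vpce-0inspects3000001", "State": "active"}]},
  {"RouteTableId": "rtb-0prodmain0000000001", "VpcId": "vpc-0prodmain0000000001",
   "Tags": [{"Key": "Name", "Value": "HIS-pms-Prod-Main-App-A"}],
   "Routes": [
     {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0bbbbbbbbbbbbbbbb", "State": "active"},
     {"DestinationPrefixListId": "pl-0s3example0000000", "GatewayId": "vpce-0prods3000000001", "State": "active"}]},
  {"RouteTableId": "rtb-0nonprod00000000001", "VpcId": "vpc-0nonprod00000000001",
   "Tags": [{"Key": "Name", "Value": "HIS-pms-NonProd-App-A"}],
   "Routes": [
     {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0ccccccccccccccccc", "State": "active"}]}
]}
""")

# Constructed: the VPC(s) that carry the central NAT / Network Firewall path.
INSPECTION_VPCS = {"vpc-0inspect00000000001"}


def route_table_name(rt):
    """Name tag if present, otherwise the route table ID."""
    for tag in rt.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag["Value"]
    return rt["RouteTableId"]


def gateway_endpoint_routes(rt):
    """Routes that send a managed prefix list (S3/DynamoDB) to a gateway endpoint."""
    return [r for r in rt.get("Routes", [])
            if "DestinationPrefixListId" in r and str(r.get("GatewayId", "")).startswith("vpce-")]


def default_route_target(rt):
    """The target ID of the 0.0.0.0/0 route, or None if there is no default route."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("TransitGatewayId") or r.get("NatGatewayId") or r.get("GatewayId")
    return None


def audit_route_tables(describe_output, inspection_vpcs):
    """Return a list of findings for route tables outside the inspection VPCs.

    kind "endpoint_bypass": a gateway endpoint route exists in a workload VPC.
    kind "egress_not_central": the default route does not go to a transit gateway.
    """
    findings = []
    for rt in describe_output["RouteTables"]:
        if rt["VpcId"] in inspection_vpcs:
            continue  # endpoints belong here, next to the NAT/firewall path
        name = route_table_name(rt)
        for r in gateway_endpoint_routes(rt):
            findings.append({"kind": "endpoint_bypass", "route_table": name,
                             "prefix_list": r["DestinationPrefixListId"], "endpoint": r["GatewayId"]})
        target = default_route_target(rt)
        if not (target or "").startswith("tgw-"):
            findings.append({"kind": "egress_not_central", "route_table": name, "default_target": target})
    return findings


if __name__ == "__main__":
    for finding in audit_route_tables(SAMPLE_ROUTE_TABLES, INSPECTION_VPCS):
        print(finding)
```

On the sample data the Prod-Main table is reported for its `vpce-` route even though its default route correctly goes to the transit gateway, which is the exact shape of the bypass the reply describes; the NonProd table has no endpoint route but egresses through a local NAT gateway and is reported for that instead. To run it against a real account, replace `SAMPLE_ROUTE_TABLES` with the parsed output of `aws ec2 describe-route-tables` and `INSPECTION_VPCS` with the inspection VPC IDs. The default-route heuristic is only as good as the architecture it assumes, so adjust it if spokes egress through something other than a TGW attachment.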
