AWS CDK: Configuring a VPC Endpoint for S3 Access in TypeScript
I'm sure I'm missing something obvious here, but I'm currently working on an AWS CDK project in TypeScript and running into issues while trying to configure a VPC endpoint for S3 access. I want to ensure that my Lambda function can access S3 without going through the public internet, but despite following the documentation, I'm getting a `403 Forbidden` behavior when trying to access an S3 bucket from my Lambda.

Here's a snippet of my CDK code:

```typescript
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { Construct } from 'constructs';

export class MyStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // VPC spanning two AZs (default public + private subnets)
    const vpc = new ec2.Vpc(this, 'MyVpc', { maxAzs: 2 });

    // Private bucket the Lambda should read from
    const s3Bucket = new s3.Bucket(this, 'MyBucket', {
      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
    });

    // Interface endpoint for S3 inside the VPC
    const vpcEndpoint = new ec2.InterfaceVpcEndpoint(this, 'S3VpcEndpoint', {
      vpc,
      service: ec2.InterfaceVpcEndpointAwsService.S3,
    });

    // Lambda attached to the same VPC
    const myLambda = new lambda.Function(this, 'MyLambda', {
      runtime: lambda.Runtime.NODEJS_14_X,
      handler: 'index.handler',
      code: lambda.Code.fromAsset('lambda'),
      vpc,
    });

    // Identity-based grant: read permissions on the bucket for the Lambda role
    s3Bucket.grantRead(myLambda);
  }
}
```

I've double-checked that the Lambda function is in the same VPC, and I also made sure that the security group associated with the Lambda function allows outbound traffic. However, I still receive the `403 Forbidden` behavior when the Lambda tries to read from the S3 bucket. I suspect it might be related to the bucket policy or the VPC endpoint configuration, but I'm not sure what to include. So far, I've tried adding a bucket policy that allows access from the VPC endpoint, but that didn't resolve the scenario.
Here's the policy I attempted:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::MyBucket/*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-xxxxxxxx"
        }
      }
    }
  ]
}
```

I replaced `vpce-xxxxxxxx` with the actual VPC endpoint ID created by the CDK. Could someone help me figure out what might be wrong? Is there a best practice for setting VPC access to S3 in CDK? Any guidance would be appreciated! This is part of a larger web app I'm building. What am I doing wrong? I'm working on a service that needs to handle this.
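As an added example that is not part of the question and not AWS's own code: a self-contained TypeScript model of how S3 combines the Lambda role's identity-based policy (what `grantRead` attaches) with a bucket policy that conditions on `aws:sourceVpce`. It contrasts the Allow-with-condition statement from the question with a Deny-unless-from-endpoint statement, which is the form that actually forces traffic through the endpoint. The bucket ARN, endpoint ID and role ARN are constructed placeholders, and the evaluator implements only the subset of IAM semantics it needs: an explicit Deny wins, otherwise an Allow from either policy is enough, otherwise the request is denied; positive operators are false when the context key is missing, and negated operators such as `StringNotEquals` are true in that case.

```typescript
// Added example: minimal model of S3 bucket-policy evaluation with aws:sourceVpce.
type Effect = 'Allow' | 'Deny';

interface Statement {
  Effect: Effect;
  Principal: '*' | { AWS: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

export interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

// Request context as S3 sees it. sourceVpce is absent when the request did not
// arrive through a VPC endpoint (NAT gateway or public internet path).
export interface RequestContext {
  principalArn: string;
  action: string;
  resource: string;
  sourceVpce?: string;
  identityPolicyAllows: boolean; // outcome of the caller's IAM policy (e.g. grantRead)
}

function toArray<T>(v: T | T[]): T[] {
  return Array.isArray(v) ? v : [v];
}

// Wildcard match for Action/Resource patterns such as "s3:Get*" or "arn:aws:s3:::b/*".
function globMatch(pattern: string, value: string): boolean {
  const parts = pattern.split('*').map(p => p.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$').test(value);
}

function principalMatches(p: Statement['Principal'], arn: string): boolean {
  if (p === '*') return true;
  return toArray(p.AWS).some(a => a === '*' || a === arn);
}

// Positive operators fail on a missing key; negated operators succeed on a missing key.
function conditionMatches(cond: Statement['Condition'], ctx: RequestContext): boolean {
  if (!cond) return true;
  const contextKeys = new Map<string, string | undefined>([['aws:sourcevpce', ctx.sourceVpce]]);
  for (const [operator, pairs] of Object.entries(cond)) {
    for (const [key, expected] of Object.entries(pairs)) {
      const actual = contextKeys.get(key.toLowerCase());
      const values = toArray(expected);
      if (operator === 'StringEquals') {
        if (actual === undefined || !values.includes(actual)) return false;
      } else if (operator === 'StringNotEquals') {
        if (actual !== undefined && values.includes(actual)) return false;
      } else {
        throw new Error(`unsupported condition operator ${operator}`);
      }
    }
  }
  return true;
}

// Same-account evaluation: explicit Deny wins, then any Allow, then default Deny.
export function evaluate(bucketPolicy: PolicyDocument, ctx: RequestContext): 'ALLOW' | 'DENY' {
  let resourceAllow = false;
  for (const st of bucketPolicy.Statement) {
    const applies =
      principalMatches(st.Principal, ctx.principalArn) &&
      toArray(st.Action).some(a => globMatch(a, ctx.action)) &&
      toArray(st.Resource).some(r => globMatch(r, ctx.resource)) &&
      conditionMatches(st.Condition, ctx);
    if (!applies) continue;
    if (st.Effect === 'Deny') return 'DENY';
    resourceAllow = true;
  }
  return resourceAllow || ctx.identityPolicyAllows ? 'ALLOW' : 'DENY';
}

// The statement from the question: an Allow that only applies via the endpoint.
export function allowFromVpcePolicy(bucketArn: string, vpceId: string): PolicyDocument {
  return { Version: '2012-10-17', Statement: [{
    Effect: 'Allow', Principal: '*', Action: 's3:GetObject', Resource: `${bucketArn}/*`,
    Condition: { StringEquals: { 'aws:sourceVpce': vpceId } } }] };
}

// The enforcing form: Deny any request that does not arrive via the endpoint.
export function denyUnlessVpcePolicy(bucketArn: string, vpceId: string): PolicyDocument {
  return { Version: '2012-10-17', Statement: [{
    Effect: 'Deny', Principal: '*', Action: 's3:*', Resource: [bucketArn, `${bucketArn}/*`],
    Condition: { StringNotEquals: { 'aws:sourceVpce': vpceId } } }] };
}

// Constructed placeholder identifiers (not real resources).
export const BUCKET_ARN = 'arn:aws:s3:::example-bucket';
export const ENDPOINT_ID = 'vpce-0123456789abcdef0';
export const LAMBDA_ROLE = 'arn:aws:iam::123456789012:role/MyLambdaRole';

// A GetObject call from the Lambda role; viaEndpoint is undefined for a non-endpoint path.
export function lambdaRequest(viaEndpoint: string | undefined, identityAllows = true): RequestContext {
  return { principalArn: LAMBDA_ROLE, action: 's3:GetObject',
    resource: `${BUCKET_ARN}/input/data.json`, sourceVpce: viaEndpoint,
    identityPolicyAllows: identityAllows };
}
```

Run with `ts-node` and call `evaluate(denyUnlessVpcePolicy(BUCKET_ARN, ENDPOINT_ID), lambdaRequest(undefined))` to see a request that bypasses the endpoint denied even though `grantRead` allowed it; the same request against `allowFromVpcePolicy` is still allowed, because an Allow whose condition does not match simply does not apply. In CDK the Deny form corresponds to `bucket.addToResourcePolicy(new iam.PolicyStatement({ effect: iam.Effect.DENY, ... conditions: { StringNotEquals: { 'aws:sourceVpce': endpoint.vpcEndpointId } } }))`. One caveat: that Deny also blocks every caller outside the endpoint, including deployment tooling and administrators working from outside the VPC, so exempt those principals explicitly if they need access.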