awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Unable to Access S3 Endpoints from HIS-pms-Prod-Main VPC #277

Open kumarabhinav19 opened 1 year ago

kumarabhinav19 commented 1 year ago

Describe the bug: S3 endpoints are inaccessible from the HIS-pms-Prod-Main VPC, preventing the use of RHEL package management tools like yum.

To reproduce: Launch an instance within the HIS-pms-Prod-Main VPC using the healthcare config and utilize the package manager, such as yum, to update or install software packages.

Expected behavior: Able to access S3 endpoints and download/install any packages.

Please complete the following information about the solution:

Screenshots: [image]

Additional context: AMIs such as AL2023 come with a default repository list configured to an S3 endpoint mirror. When performing operations like yum update or installing packages, the system attempts to connect to this mirror, leading to errors.

bo1984 commented 1 year ago

Hi @kumarabhinav19, thank you for using the Landing Zone Accelerator on AWS solution. I believe I see the issue with the config. Can you provide the policy set on the S3 Gateway endpoint in your account? To fix this, you'd need to launch an endpoint in your VPC; just modify this line to this configuration:

```yaml
gatewayEndpoints:
  defaultPolicy: Default
  endpoints:
    - service: s3
```

Before I submit a bug report for the config, I'd like to confirm that this fix resolves your issue.

kumarabhinav19 commented 1 year ago

Hi @bo1984, thank you for your quick response.

Yes, I have implemented the solution by adding the following configuration to the Prod VPC:

```yaml
gatewayEndpoints:
  defaultPolicy: Default
  endpoints:
    - service: s3
    - service: dynamodb
```

This resolved the issue, allowing us to use 'yum' without any problems. However, it's crucial to note that this solution adheres to healthcare regulations, specifically HIPAA compliance. To ensure this, I incorporated the configuration into the network inspection NAT route tables. This setup aligns with the central ingress/egress networking strategy we've established, complemented by the central Network Firewall integrated into our solution.

By omitting this configuration from both the local VPCs (Prod and non-prod), we've ensured that traffic doesn't bypass the firewall. While this might seem like a minor adjustment, it's essential to guarantee compliance during audits. Additionally, the policy set on the S3 Gateway endpoint remains at its default, as provided by AWS.

I have also raised a PR for the same.
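As an added illustration (not from this issue or the LZA repository), the central-endpoint layout described above expressed as a `network-config.yaml` excerpt: the workload VPC has no `gatewayEndpoints` block, so its S3/DynamoDB traffic follows the default route to the inspection VPC, where the gateway endpoints and the NAT route table routes to them live. The `gatewayEndpoints` keys are those from the comments; the route `type`/`target` values and all VPC, account, CIDR and route table names other than HIS-pms-Prod-Main are assumptions.

```yaml
# Added example of the centralized gateway-endpoint layout; route keys
# (type: gatewayEndpoint / transitGateway / internetGateway) are assumed
# from the LZA sample configs, and names and CIDRs are placeholders.
vpcs:
  # Workload VPC: intentionally NO gatewayEndpoints block, so S3 and
  # DynamoDB traffic cannot bypass the central Network Firewall.
  - name: HIS-pms-Prod-Main
    account: Prod
    region: us-east-1
    cidrs:
      - 10.1.0.0/16
    routeTables:
      - name: HIS-pms-Prod-Main-App-A
        routes:
          - name: TgwRoute
            destination: 0.0.0.0/0
            type: transitGateway
            target: Network-Main

  # Inspection VPC: endpoints are created here, behind the firewall,
  # and the NAT route tables receive the prefix-list routes to them.
  - name: Network-Inspection
    account: Network
    region: us-east-1
    cidrs:
      - 10.2.0.0/16
    gatewayEndpoints:
      defaultPolicy: Default   # AWS default endpoint policy, as in the issue
      endpoints:
        - service: s3
        - service: dynamodb
    routeTables:
      - name: Network-Inspection-Nat-A
        routes:
          - name: IgwRoute
            destination: 0.0.0.0/0
            type: internetGateway
            target: IGW
          - name: S3Gateway
            type: gatewayEndpoint
            target: s3
          - name: DynamoDBGateway
            type: gatewayEndpoint
            target: dynamodb
```

After deployment, confirm the workload VPC's route tables carry no S3 prefix-list route and that the only S3 gateway endpoint in the region is attached to the inspection VPC's NAT route tables.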