Verifying S3 Gateway Endpoints: Why AWS Should Make It Easier

How to Verify S3 Gateway Endpoints with Traceroute and VPC Flow Logs

AWS provides S3 Gateway Endpoints to allow Amazon S3 traffic to stay within its network, avoiding unnecessary data transfer charges and improving security. But AWS doesn’t make it particularly easy to verify that the traffic is actually flowing through these endpoints. The official recommendation is to use traceroute, a network diagnostic tool that maps the route packets take. While this method works, it’s a manual process that doesn’t integrate well with monitoring tools like CloudWatch.

To check whether traffic is using an S3 Gateway Endpoint, AWS suggests running a TCP-based traceroute. This sends packets to the S3 regional endpoint over a specific port and displays the network hops along the way. If the output only shows a single hop to the S3 endpoint, it confirms that the request is using the Gateway Endpoint. If there are multiple hops, the traffic is likely flowing over the internet or a NAT Gateway, potentially incurring additional costs.

Here’s how to run a traceroute for an S3 bucket in us-east-1:

sudo traceroute -T -p 443 s3.us-east-1.amazonaws.com

If the response shows multiple hops, the request is not using the S3 Gateway Endpoint. If only the final destination appears, then the traffic is correctly routed through the endpoint. While effective, this approach requires manual execution every time you need to verify traffic flow.
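The hop-counting rule above is easy to automate. The following script is an added example, not code from the original post: it parses the text that `traceroute -T -p 443` prints and reports whether the S3 target answered at hop 1 with no intermediate routers. The two sample outputs are constructed, with TEST-NET addresses standing in for real S3 and VPC addresses, and the `run_traceroute` helper is an assumed wrapper that runs the same command the post recommends (TCP probes need root).

```python
"""Decide from `traceroute -T -p 443 <host>` output whether the S3 target is one hop away."""
import re
import subprocess

# "traceroute to host (a.b.c.d), 30 hops max, 60 byte packets"
HEADER_RE = re.compile(r"^traceroute to (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")
# " 3  name (a.b.c.d)  1.2 ms ..." or " 2  * * *"
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_traceroute(output):
    """Return (target_ip, hops). Each hop is (number, ip_or_None); None means no reply (* * *)."""
    target_ip = None
    hops = []
    for line in output.splitlines():
        header = HEADER_RE.match(line)
        if header:
            target_ip = header.group(2)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return target_ip, hops


def uses_gateway_endpoint(output):
    """True only when the target answers at hop 1 and nothing sits in front of it.

    A silent hop (* * *) is still a router on the path, so it disqualifies the
    result just like a named hop does. Empty or unparseable output returns False
    rather than silently claiming success."""
    target_ip, hops = parse_traceroute(output)
    if target_ip is None or not hops:
        return False
    return len(hops) == 1 and hops[0][1] == target_ip


def run_traceroute(host, port=443):
    """Assumed wrapper: run the command the post recommends and return its stdout."""
    result = subprocess.run(
        ["traceroute", "-T", "-p", str(port), host],
        capture_output=True, text=True, check=False,
    )
    return result.stdout


# Constructed sample outputs (198.51.100.10 stands in for an S3 address).
DIRECT = """\
traceroute to s3.us-east-1.amazonaws.com (198.51.100.10), 30 hops max, 60 byte packets
 1  s3-target.example (198.51.100.10)  0.512 ms  0.498 ms  0.470 ms
"""

VIA_NAT = """\
traceroute to s3.us-east-1.amazonaws.com (198.51.100.10), 30 hops max, 60 byte packets
 1  ip-10-0-1-1.ec2.internal (10.0.1.1)  0.301 ms  0.280 ms  0.265 ms
 2  * * *
 3  s3-target.example (198.51.100.10)  2.117 ms  2.090 ms  2.071 ms
"""

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("via NAT", VIA_NAT)):
        print(f"{name}: gateway endpoint = {uses_gateway_endpoint(sample)}")
```

Run it from cron or a health check with `uses_gateway_endpoint(run_traceroute("s3.us-east-1.amazonaws.com"))` and alert when it flips to False; that turns the post's one-off manual check into something a monitor can poll.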

A more scalable alternative is to use VPC Flow Logs. Flow Logs provide visibility into network traffic within a VPC and can confirm whether S3 requests are going through the Gateway Endpoint without requiring manual testing. To use this method, enable VPC Flow Logs on the relevant VPC and filter for traffic directed at Amazon S3.

Here’s an example filter to find S3 traffic using Flow Logs:

filter vpc-flow-logs where dstAddr like "s3.%amazonaws.com"

If the logs show requests to S3 with private IP addresses, the traffic is using the Gateway Endpoint. If the destination is a public IP, the traffic is leaving AWS’s internal network.
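Flow Log records carry the destination as an IP address, not a hostname, so a filter that keys on an address alone needs care. The added example below (not code from the original post) instead classifies records by two version-5 Flow Log fields, `pkt-dst-aws-service`, which names the AWS service owning the destination address (`S3` here), and `traffic-path`, which records how an egress flow left the VPC. Both fields must be requested in a custom log format when the flow log is created; the format string and the sample records are constructed assumptions, and the `traffic-path` meanings are taken from the AWS field definitions. Note that value 2 does not distinguish an internet gateway from a gateway endpoint on older instance types, so the script reports it as ambiguous rather than guessing.

```python
"""Classify VPC Flow Log records by the path S3-bound traffic took.

Assumed custom log format (set when creating the flow log):
    ${srcaddr} ${dstaddr} ${dstport} ${pkt-dst-aws-service} ${traffic-path} ${action}
"""
from collections import Counter

FIELDS = ["srcaddr", "dstaddr", "dstport", "pkt_dst_aws_service", "traffic_path", "action"]

# Meaning of the traffic-path field (VPC Flow Logs version 5, egress flows only).
TRAFFIC_PATH = {
    1: "another resource in the same VPC",
    2: "internet gateway or gateway VPC endpoint",  # ambiguous on non-Nitro instances
    3: "virtual private gateway",
    4: "intra-region VPC peering connection",
    5: "inter-region VPC peering connection",
    6: "local gateway",
    7: "gateway VPC endpoint",                      # Nitro-based instances only
    8: "internet gateway",                          # Nitro-based instances only
}


def parse_records(text):
    """Split space-separated records into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def classify(rec):
    """Return 'gateway-endpoint', 'internet', 'ambiguous', 'other', or None.

    None means the record is not S3-bound egress (other service, or an ingress
    flow where traffic-path is '-'), so it says nothing about endpoint usage."""
    if rec["pkt_dst_aws_service"] != "S3" or rec["traffic_path"] == "-":
        return None
    path = int(rec["traffic_path"])
    if path == 7:
        return "gateway-endpoint"
    if path == 8:
        return "internet"
    if path == 2:
        return "ambiguous"
    return "other"


def summarize(text):
    """Count S3-bound egress flows per path class; 'internet' is the one to alert on."""
    counts = Counter()
    for rec in parse_records(text):
        label = classify(rec)
        if label is not None:
            counts[label] += 1
    return counts


def internet_bound_destinations(text):
    """Destination addresses of S3 flows that left through an internet gateway."""
    return sorted({rec["dstaddr"] for rec in parse_records(text)
                   if classify(rec) == "internet"})


# Constructed sample records (TEST-NET addresses stand in for S3 and other hosts).
SAMPLE_LOG = """\
10.0.1.25 198.51.100.10 443 S3 7 ACCEPT
10.0.1.25 198.51.100.10 443 S3 8 ACCEPT
10.0.2.9 198.51.100.11 443 S3 2 ACCEPT
10.0.1.25 203.0.113.7 443 - 8 ACCEPT
198.51.100.10 10.0.1.25 52144 - - ACCEPT
"""

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG).items():
        print(f"{label}: {n}")
    print("S3 via internet gateway:", internet_bound_destinations(SAMPLE_LOG))
```

Pointing this at records exported from CloudWatch Logs or S3 gives the per-path tally the post is after; any non-zero `internet` count means S3 traffic is bypassing the Gateway Endpoint, typically because the endpoint's route-table association is missing for that subnet.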

The biggest drawback to both of these methods is that they require additional setup and manual intervention. AWS already provides CloudWatch metrics for Interface Endpoints, but not for Gateway Endpoints. If AWS integrated Gateway Endpoint traffic metrics into CloudWatch, this entire verification process could be simplified to a single dashboard.

For now, traceroute remains the quickest way to check whether traffic is staying inside AWS, but VPC Flow Logs offer a more automated solution. Until AWS improves visibility for Gateway Endpoints, a combination of both methods is the best approach.
