
Secure S3 Read-Only Access from a Private VPC Subnet Without Public Internet


First, define the IAM role for read-only access. In AWS IAM, create a role with the AmazonS3ReadOnlyAccess managed policy, or a custom policy that grants only the exact bucket and paths you need. Use least privilege. Attach the IAM role to the instance or task running inside your private subnet. This keeps static credentials out of your code.

Next, let the private subnet reach S3 without opening it to the outside world. Use a VPC Endpoint for S3. The gateway-type endpoint routes S3 traffic over Amazon’s internal network. No NAT gateway required, no public IP. Associate your private subnet’s route table with the endpoint so that the route for the S3 prefix list points at the endpoint, and confirm that S3 hostnames resolve from inside the VPC.

If you must go through a proxy for security inspection or compliance logging, deploy the proxy inside the VPC. This can be a small EC2 instance or a container that handles outbound requests. Configure it to allow only S3 traffic and block everything else. Lock down security groups so that only your workloads can connect to the proxy, and the proxy can reach only the VPC endpoint or the allowed AWS services.
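The role policy and endpoint policy from the steps above, as an added example that is not hoop.dev's code. It builds a bucket- and prefix-scoped read-only identity policy (narrower than the AmazonS3ReadOnlyAccess managed policy, which allows s3:Get*/s3:List* on every bucket), a gateway endpoint policy that lets only that role read that bucket through the endpoint (using the aws:PrincipalArn condition key), and a small linter that flags grants broader than read-only on one bucket. The bucket name, prefix, account id and role ARN are constructed placeholders.

```python
"""Build the bucket-scoped read-only policy for the instance/task role and a
matching S3 gateway endpoint policy, then lint both for over-broad grants.
Added example, not hoop.dev's code: bucket, prefix, account id and role name
are constructed placeholders."""
import json

BUCKET = "example-reports-bucket"                                  # constructed
PREFIX = "audits/"                                                 # constructed
ROLE_ARN = "arn:aws:iam::111122223333:role/s3-readonly-private"    # constructed

# The only S3 actions a read-only consumer of one bucket needs.
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"}


def instance_role_policy(bucket: str, prefix: str) -> dict:
    """Identity policy for the role: list the bucket only under `prefix`,
    read only objects under `prefix`. Narrower than AmazonS3ReadOnlyAccess,
    which allows s3:Get*/s3:List* on every bucket in the account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListPrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Sid": "ReadObjectsUnderPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def endpoint_policy(bucket: str, role_arn: str) -> dict:
    """Resource policy on the S3 gateway endpoint: even if a workload in the
    subnet holds broader credentials, only this role can read this bucket
    through the endpoint (aws:PrincipalArn is the condition key assumed here)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyThisRoleReadsThisBucket",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringEquals": {"aws:PrincipalArn": role_arn}},
            }
        ],
    }


def lint_policy(policy: dict) -> list:
    """Flag Allow statements that exceed read-only access to one bucket:
    wildcard or non-read actions, and resources that cover every bucket."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for action in actions:
            if action not in READ_ACTIONS:  # catches s3:*, s3:Get*, s3:PutObject, ...
                findings.append(f"{sid}: action {action} is not a scoped read action")
        for res in resources:
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: resource {res} covers every bucket")
    return findings


# Constructed approximation of what the managed AmazonS3ReadOnlyAccess grants.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Broad", "Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(instance_role_policy(BUCKET, PREFIX), indent=2))
    print(json.dumps(endpoint_policy(BUCKET, ROLE_ARN), indent=2))
    print("scoped findings:", lint_policy(instance_role_policy(BUCKET, PREFIX)))
    print("broad findings:", lint_policy(BROAD_POLICY))
```

Run it and attach the printed documents with the CLI: the first as an inline policy on the role, the second as the endpoint's policy. The linter is intentionally strict: any action outside the three read actions, or a resource that spans all buckets, is reported, which is exactly what the managed policy would trip on.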


Validate the whole chain. From an instance in the private subnet, run aws s3 ls against your bucket. It should return results immediately while staying entirely inside AWS’s network. Test with the proxy on and off to verify the routing. Use VPC Flow Logs to confirm that no traffic leaves for the public internet.
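The route-table and Flow Logs checks from this validation step, as an added example that is not hoop.dev's code. It verifies offline that a private route table sends S3 prefix-list traffic to a gateway endpoint and carries no default route, and that default-format VPC Flow Log records show no accepted egress from VPC addresses to anything outside the VPC CIDR or the S3 prefix-list ranges. The route table, prefix-list id, S3 CIDRs and log lines are constructed; in practice the inputs come from aws ec2 describe-route-tables, aws ec2 describe-prefix-lists and your flow-log destination.

```python
"""Offline checks for the validation step: the private route table must send
S3 prefix-list traffic to a gateway endpoint and carry no default route, and
VPC Flow Logs must show no accepted egress to anything outside the VPC or the
S3 prefix list. Added example, not hoop.dev's code. The route tables, prefix
list id, S3 CIDRs and flow-log lines are constructed."""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.20.0.0/16")        # constructed
S3_PREFIX_LIST_ID = "pl-0123456789abcdef0"             # constructed placeholder
# Illustrative stand-ins for the regional S3 prefix-list CIDRs; look yours up.
S3_CIDRS = [ipaddress.ip_network(c) for c in ("52.216.0.0/15", "54.231.0.0/16")]

# Shaped like one entry of `aws ec2 describe-route-tables` output (constructed).
PRIVATE_ROUTE_TABLE = {
    "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
        {"DestinationPrefixListId": S3_PREFIX_LIST_ID, "GatewayId": "vpce-0a1b2c3d4e5f60718"},
    ]
}
# Same table with a NAT default route added: no longer private (constructed).
LEAKY_ROUTE_TABLE = {
    "Routes": PRIVATE_ROUTE_TABLE["Routes"] + [
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"},
    ]
}

# Default-format flow log records (version 2, 14 fields). Constructed: one S3
# flow, one flow to the in-VPC proxy, one SKIPDATA record, and one flow that
# leaks to an outside address (203.0.113.7 is in a TEST-NET range).
FLOW_LOG_LINES = [
    "2 111122223333 eni-0a1b2c3d 10.20.1.15 52.216.10.5 43210 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d 10.20.1.15 10.20.2.40 43211 3128 6 9 2100 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - SKIPDATA",
    "2 111122223333 eni-0a1b2c3d 10.20.1.15 203.0.113.7 43212 443 6 5 900 1700000000 1700000060 ACCEPT OK",
]


def check_route_table(rt: dict, s3_prefix_list: str) -> list:
    """Return problems with a route table that is supposed to serve a private subnet."""
    problems = []
    endpoint_route = False
    for route in rt["Routes"]:
        target = route.get("GatewayId") or route.get("NatGatewayId") or "unknown target"
        if route.get("DestinationPrefixListId") == s3_prefix_list and target.startswith("vpce-"):
            endpoint_route = True
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            problems.append(f"default route via {target}: subnet can reach the internet")
    if not endpoint_route:
        problems.append(f"no route for {s3_prefix_list} to a gateway endpoint")
    return problems


def external_flows(lines, allowed_nets) -> list:
    """Return (src, dst, dstport) for accepted egress flows from VPC addresses
    whose destination lies outside every allowed network."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 14 or f[0] != "2" or f[12] != "ACCEPT" or f[3] == "-":
            continue  # malformed, NODATA/SKIPDATA, or rejected records
        src, dst = ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4])
        if src not in VPC_CIDR:
            continue  # only egress from our own workloads matters here
        if not any(dst in net for net in allowed_nets):
            hits.append((f[3], f[4], int(f[6])))
    return hits


if __name__ == "__main__":
    print("private table:", check_route_table(PRIVATE_ROUTE_TABLE, S3_PREFIX_LIST_ID))
    print("leaky table:", check_route_table(LEAKY_ROUTE_TABLE, S3_PREFIX_LIST_ID))
    print("external flows:", external_flows(FLOW_LOG_LINES, [VPC_CIDR] + S3_CIDRS))
```

Because a gateway endpoint delivers traffic to S3's public address ranges, flow logs for a correctly configured subnet still show public destination IPs; the check therefore whitelists the S3 prefix-list CIDRs rather than treating every non-RFC1918 destination as a leak. Any flow it reports is one that neither the endpoint nor the in-VPC proxy should have carried.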

This design gives you AWS S3 read-only access in a private VPC subnet, with proxy deployment if needed, without touching the public internet. The stack is secure, simple, and compliant — ideal for production environments that demand tight network control.

Try it live in minutes with hoop.dev. See your private subnet connect to S3 read-only through a secure proxy without writing boilerplate, and get working results on your screen right now.
