Missing S3 Gateway Endpoint for Intra-Region EC2 Access
Mike Graff
Service Category: Storage
Cloud Provider: AWS
Service Name: AWS S3
Inefficiency Type: Inefficient Configuration
Explanation

When EC2 instances in a VPC access Amazon S3 in the same region without a Gateway VPC Endpoint, the traffic is routed through the public S3 endpoint and incurs standard internet egress charges, even though it never leaves the AWS network. AWS treats this traffic as data transfer out to the internet and bills it under the S3 service, so the egress charges are entirely avoidable.

By contrast, provisioning a Gateway Endpoint for S3 allows traffic between EC2 and S3 to flow over the AWS private backbone at no additional cost. This configuration is especially important for data-intensive applications, such as analytics jobs, backups, or frequent uploads/downloads, where the cumulative data transfer can be substantial.

Because the egress cost is billed under S3, it is often misattributed or overlooked during EC2 or networking reviews, leading to silent overspend.

Relevant Billing Model
  • S3 charges for **data transfer out to the internet**, even for intra-region transfers, **unless** a Gateway VPC Endpoint is used
  • **Data transfers from S3 to EC2 in the same region**, without a Gateway Endpoint, are billed as **internet egress**
  • The cost appears on the bill under **Amazon S3** as **Data Transfer Out**, despite EC2 initiating the request
  • Gateway VPC Endpoints for S3 are **free to use** and avoid these egress charges
Detection
  • Identify environments with significant S3 data transfer out costs in the billing report
  • Review whether EC2 instances in the same region are reading from or writing to S3 buckets
  • Evaluate whether a Gateway VPC Endpoint for S3 is provisioned in the relevant VPCs
  • Determine whether the absence of the endpoint is contributing to avoidable egress charges
  • Check if the traffic pattern is internal (e.g., S3-to-EC2 backup jobs or intra-app data movement)
Remediation
  • Deploy a Gateway VPC Endpoint for S3 in VPCs that generate large intra-region S3 traffic
  • Update route tables and access policies to route S3 traffic through the endpoint
  • Validate that EC2-to-S3 traffic is using the private path and no longer incurring egress charges
  • Incorporate Gateway Endpoint provisioning into default network infrastructure templates
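The detection step (is a Gateway Endpoint for S3 provisioned in the relevant VPCs?) and the remediation validation step (are the route tables actually using it?) can be automated together. The following is an added example, not part of the original entry: it works on the shape of the EC2 API responses (describe_vpc_endpoints, describe_route_tables) so that it runs offline on constructed sample data, and fetch_inventory() shows the boto3 calls that would supply live data. It checks coverage per route table, because a Gateway endpoint only redirects S3 traffic for the route tables it is associated with, and ignores Gateway endpoints for other services such as DynamoDB.

```python
from collections import defaultdict

def s3_gateway_coverage(region, endpoints, route_tables):
    """Return {vpc_id: [route table ids with no S3 Gateway endpoint route]}.

    endpoints    -- describe_vpc_endpoints()['VpcEndpoints'] items
    route_tables -- describe_route_tables()['RouteTables'] items
    A Gateway endpoint only redirects S3 traffic for the route tables it is
    associated with, so coverage is checked per route table, not per VPC.
    """
    s3_service = f"com.amazonaws.{region}.s3"   # Gateway endpoints are regional
    covered = set()
    for ep in endpoints:
        if (ep.get("VpcEndpointType") == "Gateway"
                and ep.get("ServiceName") == s3_service
                and str(ep.get("State", "")).lower() == "available"):
            covered.update(ep.get("RouteTableIds", []))
    gaps = defaultdict(list)
    for rt in route_tables:
        if rt["RouteTableId"] not in covered:
            gaps[rt["VpcId"]].append(rt["RouteTableId"])
    return {vpc: sorted(rts) for vpc, rts in gaps.items()}

def fetch_inventory(region):
    """Live data via boto3 (needs AWS credentials; not used by the sample below)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    eps = ec2.describe_vpc_endpoints(
        Filters=[{"Name": "vpc-endpoint-type", "Values": ["Gateway"]}])["VpcEndpoints"]
    return eps, ec2.describe_route_tables()["RouteTables"]

# Constructed sample inventory (not real account data): vpc-a has an S3
# endpoint on one of its two route tables, vpc-b only has a DynamoDB
# Gateway endpoint (must not count as S3 coverage), vpc-c is fully covered.
REGION = "us-east-1"
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0001", "VpcId": "vpc-a", "VpcEndpointType": "Gateway",
     "ServiceName": f"com.amazonaws.{REGION}.s3", "State": "available", "RouteTableIds": ["rtb-a1"]},
    {"VpcEndpointId": "vpce-0002", "VpcId": "vpc-b", "VpcEndpointType": "Gateway",
     "ServiceName": f"com.amazonaws.{REGION}.dynamodb", "State": "available", "RouteTableIds": ["rtb-b1"]},
    {"VpcEndpointId": "vpce-0003", "VpcId": "vpc-c", "VpcEndpointType": "Gateway",
     "ServiceName": f"com.amazonaws.{REGION}.s3", "State": "available", "RouteTableIds": ["rtb-c1"]},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-a1", "VpcId": "vpc-a"}, {"RouteTableId": "rtb-a2", "VpcId": "vpc-a"},
    {"RouteTableId": "rtb-b1", "VpcId": "vpc-b"}, {"RouteTableId": "rtb-c1", "VpcId": "vpc-c"},
]

if __name__ == "__main__":
    for vpc, rts in s3_gateway_coverage(REGION, SAMPLE_ENDPOINTS, SAMPLE_ROUTE_TABLES).items():
        print(f"{vpc}: S3 traffic from {rts} still takes the public path")
```

Any route table reported here still sends S3 traffic via the public endpoint, so it is the concrete target for the "update route tables" remediation step; an empty result for a VPC means its S3 traffic already uses the private path.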