S3/DynamoDB Traffic to Gateway Endpoint

Opportunity Name:


S3/DynamoDB Traffic to Gateway Endpoint


AWS Resource Type:


AWS PrivateLink VPC Endpoints


Opportunity Description:


This opportunity creates S3/DynamoDB Gateway Endpoints in VPCs with NAT gateways, eliminating NAT gateway data transfer costs for S3 and DynamoDB traffic.


Criteria for identifying the opportunity:


By default, VPC-attached compute resources such as EC2 instances, ECS containers, and Lambda functions typically access S3 and DynamoDB service endpoints via the Internet.

This often requires a NAT gateway to provide a public IP address, which incurs data processing costs for each GB of traffic transferred. AWS offers S3 and DynamoDB Gateway endpoints for free, which route traffic directly from your VPC over a private connection, bypassing the NAT gateway.


This opportunity is applied to VPCs that match the following criteria:

  • VPC has attached NAT gateway(s)

  • VPC does not currently have S3 or DynamoDB gateway endpoints


Potential savings (range in % on annual basis):


Cost savings are dependent on your specific S3 and DynamoDB usage patterns. You can expect to save $0.045 for each GB transferred to/from S3/DynamoDB in the US East 1 region (see pricing for NAT gateway data processing charges in other regions).


What happens when the Fixer is executed?


An S3 and/or DynamoDB gateway endpoint is attached to all identified route tables in the target VPC. Once complete, all S3/DynamoDB traffic is automatically routed via the gateway endpoints.


Is it possible to rollback once CloudFix implements the fixer?


Yes - you can manually delete S3/DynamoDB gateway endpoints. Once deleted, S3/DynamoDB traffic will be routed via the Internet.


Can CloudFix implement the fix automatically once I accept the recommendation?




Does this fix require downtime?


No, however existing connections to S3/DynamoDB may be disconnected, interrupting any in-progress data transfers.

All AWS SDKs include retry behavior, which ensures S3/DynamoDB clients can automatically recover from any disconnections.


Additional Resources:



Article is closed for comments.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request