Amazon S3 Sink Connector for Confluent Cloud with AWS Egress Access Point

This topic presents the steps for configuring the Amazon S3 Sink connector in Confluent Cloud with AWS PrivateLink and Egress Access Point.


The following is a list of prerequisites for configuring the Amazon S3 Sink connector with an Egress Access Point:

  • A Confluent Cloud Dedicated cluster was set up and is running within an AWS PrivateLink network.
  • A source topic was created to sink data into the S3 bucket.
  • S3 bucket was set up and running within the same region and cloud as the Confluent Cloud cluster.


For additional security, you can add a S3 bucket policy to restrict access to only Confluent’s VPC Endpoint ID associated with the Egress Access Point. For details, see Restricting access to a specific VPC endpoint.

Step 1. Create an Egress Access Point

  1. In the Confluent Cloud Console, go to EnvironmentNetwork, and select the associated Privatelink network you want to use.

  2. In the Egress Access Points tab, click Create access point.

  3. Specify the following, and click Save.

    • Name: The name for the Access point
    • PrivateLink service name: Your S3 service name (com.amazonaws.<region>.s3)
    • Create an access point with high availability: Select for high availability setup.
  4. Retrieve the VPC endpoint DNS name.

    1. Wait for the Access Point is successfully provisioned when the status changes to “Ready”.
    2. Note down the VPC endpoint DNS name to be used for S3 connector setup.

Step 2. Create the S3 Sink connector

  1. In the Confluent Cloud Console, go to your associated Dedicated cluster.

  2. In the left navigation menu, click Connectors.

  3. Click the Amazon S3 Sink connector card.

  4. Select the source topic.

  5. Specify the Kafka authentication mechanism.

  6. Specify the authentication details for S3.

    • Store URL: Replace * with bucket in the VPC endpoint DNS name that you retrieved when you created the Egress Access Endpoint in the previous step, and specify that value.

      For example, if the VPC endpoint DNS name is *, specify

  7. Specify configuration details for the connector.

  8. Specify sizing (number of tasks) for the connector.

  9. Review and launch the connector.

When the connector is successfully launched, the connector status becomes “Running”.