Last updated on June 3, 2023
Managing access to your S3 buckets should be easy with Amazon S3 bucket policies, but as the number of users and the amount of data grow, this quickly becomes a complicated task. Provisioning access policies (who may access which objects, and from where) for all of these users can get messy.
AWS added Access Points to S3 to address this problem. Access Points simplify provisioning access for different users: each user or application can get a dedicated access point on a bucket, and each access point has its own policy. This is especially helpful when a bucket holds large data sets that are accessed by different users and/or applications. An access point can also be restricted to a particular VPC, which is very useful if you have tight data security requirements.
Creating Access Points for your Bucket
For this demo, we want to grant our IAM user named QA download and upload access to our bucket. I have a bucket named ‘s3-ap-demo’ in the Singapore region; this bucket was set up to accept only requests coming through an access point. By default, you can create up to 1000 access points per region in your account. To create an access point, go to Bucket > Access Points, then Create Access Point.
Here you’ll notice that you can choose a network access type: Virtual Private Cloud (VPC) if you want to restrict your access point to a VPC, or Internet if you want users outside your VPC to have access as well.
You can also manage the public access configuration. We’ll leave it at the default, which blocks all public access.
Now we can create our Access Point Policy. For this example, we want our QA IAM user to have the GetObject and PutObject permissions. The Resource will be the ARN of our access point. Note the following format for the resource:
arn:aws:s3:<region>:<accountid>:accesspoint/<accesspointname>/object/<your prefix>/*
You can also use the AWS Policy Generator or take a look at the policy examples in the AWS documentation.
After that, click “Save” and a confirmation message will appear.
Now let’s log in as our QA IAM user and try to download and upload some objects to the QA folder.
As expected, we are not allowed to download or upload directly, since we set the bucket up to accept requests only through the access point.
Now let’s try again using the access point. Go to Bucket > Access Points, then select the access point we just created.
Through the access point, we can download and upload files to our folder successfully.
Uploaded test.txt file.
Take note that the bucket can now be accessed through a URL of this format:
https://<accesspointname>-<accountid>.s3-accesspoint.<region>.amazonaws.com
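As an added example (not code from the original post), the script below ties these pieces together: it builds the access point policy for the QA user with the resource ARN format shown above, the bucket policy that makes the bucket accept only access-point requests (the AWS delegation pattern using the s3:DataAccessPointAccount condition), and the access point endpoint URL. The account id and the access point name qa-ap are placeholders, and the boto3 calls at the bottom assume credentials for the bucket's account are configured.

```python
import json

REGION = "ap-southeast-1"   # Singapore, as in the post
ACCOUNT = "111122223333"    # placeholder account id
BUCKET = "s3-ap-demo"
AP_NAME = "qa-ap"           # assumed access point name
QA_USER = f"arn:aws:iam::{ACCOUNT}:user/QA"
PREFIX = "QA"

def access_point_arn(region=REGION, account=ACCOUNT, name=AP_NAME):
    return f"arn:aws:s3:{region}:{account}:accesspoint/{name}"

def access_point_object_arn(prefix=PREFIX, **kw):
    # Object-level resource for the access point policy (format quoted above).
    return f"{access_point_arn(**kw)}/object/{prefix}/*"

def access_point_endpoint(name=AP_NAME, account=ACCOUNT, region=REGION):
    return f"https://{name}-{account}.s3-accesspoint.{region}.amazonaws.com"

def access_point_policy():
    # Access point policy: QA may read/write objects under the QA/ prefix only.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": QA_USER},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": access_point_object_arn()}]}

def bucket_delegation_policy():
    # Bucket policy that delegates to access points of this account. Direct
    # requests do not satisfy the condition, so the QA user's direct
    # download/upload attempt is denied while access-point requests succeed.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}}}]}

if __name__ == "__main__":
    import boto3  # assumed: credentials for ACCOUNT are configured
    s3 = boto3.client("s3", region_name=REGION)
    s3control = boto3.client("s3control", region_name=REGION)
    s3.put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(bucket_delegation_policy()))
    s3control.create_access_point(AccountId=ACCOUNT, Name=AP_NAME, Bucket=BUCKET)
    s3control.put_access_point_policy(AccountId=ACCOUNT, Name=AP_NAME,
                                      Policy=json.dumps(access_point_policy()))
    # The access point ARN is accepted wherever a bucket name is expected.
    s3.put_object(Bucket=access_point_arn(), Key=f"{PREFIX}/test.txt", Body=b"hello")
```

Because the delegation statement only matches requests carrying an access point of this account, S3 does not treat the Principal "*" policy as public, so it coexists with the block-public-access setting left at its default above.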
Final Thoughts
Amazon S3 Access Points simplify things by giving access permissions to users who access a large number of data sets. But this is not the only use case for Access Points. We also discussed restricting an access point to a VPC. Likewise, you can use access points to test your new policies. Lastly, this great feature is free!
Sources:
https://aws.amazon.com/s3/features/access-points/
https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points.html