Amazon S3 Access Points

Managing access to an S3 bucket starts out simple: a single bucket policy says who may do what. As the number of users and the volume of data grow, that one policy has to express every combination of principal, prefix and network origin, and provisioning access (who may reach which objects, and from where) quickly becomes a large, hard-to-audit document.

AWS added Access Points to S3 to address this. An access point is a named network endpoint attached to a bucket, and each access point carries its own policy. Instead of one bucket policy that covers every consumer, each user or application can be given a dedicated access point whose policy grants only what that consumer needs. This is helpful when a bucket holds large data sets that are accessed by many different users and applications. An access point can also be restricted to a single VPC so that requests from anywhere else are rejected, which is very useful if you have tight data security requirements.

Creating Access Points for your Bucket

For this demo, we want to grant the IAM user named QA download and upload access to our bucket. I have a bucket named 's3-ap-demo' in the Singapore region; its bucket policy is set up to accept only requests that arrive through an access point (requests through an access point are evaluated against both the bucket policy and the access point policy, so the bucket policy must still allow them). By default, you can create up to 1,000 access points per region in your account. To create an access point, go to Bucket > Access Points, then Create Access Point.


Here you’ll notice that you have an option to choose a network origin: Virtual Private Cloud (VPC) if you want to restrict the access point so that only requests from the chosen VPC are accepted, or Internet if users outside your VPC should have access as well.

You can also set the Block Public Access configuration for the access point. We’ll leave it at the default, which blocks all public access. Note that these settings for an access point can only be chosen at creation time and cannot be changed afterwards.


Here we can now create our access point policy. For this example, we want the QA IAM user to have the GetObject and PutObject permissions. The Resource is the object ARN expressed through the access point (not the bucket’s ARN), which uses the following format:

arn:aws:s3:<region>:<accountid>:accesspoint/<accesspointname>/object/<your prefix>/*

You can also use the AWS Policy Generator, or take a look at the access point policy examples in the S3 documentation linked under Sources below.

After that, click “Save” and a confirmation message will appear.

Now let’s log in as the QA IAM user and try to download and upload some objects in the QA folder directly through the bucket.


As expected, we are not allowed to download or upload directly through the bucket, because its bucket policy only allows requests that come through an access point.


Now let’s try this again using an access point. Go to Bucket > Access Point then select the Access Point that we just created.


The access point enables us to download and upload files successfully on our folder.

Uploaded test.txt file.

Take note that the access point has its own hostname, so the bucket can now be reached in this format (the AWS CLI and SDKs address it by the access point ARN in place of the bucket name):

https://<accesspointname>-<accountid>.s3-accesspoint.<region>.amazonaws.com
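The whole procedure above (a bucket policy that only admits access point traffic, an access point policy scoped to the QA prefix, the ARN and hostname formats, and the direct-versus-access-point requests) as one script. This is an added example written for this page, not the original post’s commands: the account ID 123456789012, the access point name qa-ap, the VPC ID and the CLI profile `qa` for the QA user are assumed placeholders, and the policies follow the delegation pattern from the S3 documentation. The policy-building functions run offline; the AWS CLI calls run only when S3_AP_APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original post): provision an S3 Access Point for the
# QA IAM user with the AWS CLI, then exercise it. Account ID, access point name,
# VPC ID and the "qa" CLI profile are assumed placeholders.
set -eu

S3AP_REGION="${S3AP_REGION:-ap-southeast-1}"        # Singapore, as in the post
S3AP_ACCOUNT_ID="${S3AP_ACCOUNT_ID:-123456789012}"  # assumed placeholder account
S3AP_BUCKET="${S3AP_BUCKET:-s3-ap-demo}"            # bucket from the post
S3AP_NAME="${S3AP_NAME:-qa-ap}"                     # assumed access point name
S3AP_PREFIX="${S3AP_PREFIX:-QA}"                    # the QA folder from the post
QA_USER_ARN="arn:aws:iam::${S3AP_ACCOUNT_ID}:user/QA"

# ARN of the access point; the CLI and SDKs accept it in place of a bucket name.
access_point_arn() {
    printf 'arn:aws:s3:%s:%s:accesspoint/%s\n' "$S3AP_REGION" "$S3AP_ACCOUNT_ID" "$S3AP_NAME"
}

# Hostname format the post gives for reaching the bucket through the access point.
access_point_host() {
    printf '%s-%s.s3-accesspoint.%s.amazonaws.com\n' "$S3AP_NAME" "$S3AP_ACCOUNT_ID" "$S3AP_REGION"
}

# Access point policy: QA may only Get/Put objects under the QA/ prefix. The
# Resource is the object ARN *under the access point*, not the bucket ARN.
access_point_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "QAPrefixReadWrite",
    "Effect": "Allow",
    "Principal": {"AWS": "${QA_USER_ARN}"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "$(access_point_arn)/object/${S3AP_PREFIX}/*"
  }]
}
EOF
}

# Bucket policy that delegates access control to access points in this account.
# The bucket policy is still evaluated for every request through an access point,
# so it must allow them; a direct request carries no s3:DataAccessPointAccount
# key and therefore matches nothing here. Caveat: this does not override an IAM
# identity policy that separately grants the user direct access to the bucket.
bucket_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DelegateToAccessPoints",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::${S3AP_BUCKET}", "arn:aws:s3:::${S3AP_BUCKET}/*"],
    "Condition": {"StringEquals": {"s3:DataAccessPointAccount": "${S3AP_ACCOUNT_ID}"}}
  }]
}
EOF
}

# The AWS calls below run only when S3_AP_APPLY=1. They need the AWS CLI with
# credentials for the bucket owner (default profile) and for the QA user
# (profile "qa", assumed).
if [ "${S3_AP_APPLY:-0}" = "1" ]; then
    access_point_policy > ap-policy.json
    bucket_policy > bucket-policy.json

    # Set S3AP_VPC_ID to restrict the access point to one VPC; leave it unset
    # for an Internet network origin.
    vpc_args=""
    if [ -n "${S3AP_VPC_ID:-}" ]; then
        vpc_args="--vpc-configuration VpcId=${S3AP_VPC_ID}"
    fi
    aws s3control create-access-point --account-id "$S3AP_ACCOUNT_ID" --name "$S3AP_NAME" \
        --bucket "$S3AP_BUCKET" --region "$S3AP_REGION" $vpc_args \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
    aws s3control put-access-point-policy --account-id "$S3AP_ACCOUNT_ID" --name "$S3AP_NAME" \
        --region "$S3AP_REGION" --policy file://ap-policy.json
    aws s3api put-bucket-policy --bucket "$S3AP_BUCKET" --policy file://bucket-policy.json

    echo hello > test.txt
    # Direct request as QA through the bucket: expected to fail with AccessDenied.
    if aws s3api put-object --profile qa --bucket "$S3AP_BUCKET" --key "${S3AP_PREFIX}/test.txt" --body test.txt; then
        echo "unexpected: direct bucket access succeeded" >&2; exit 1
    fi
    # Same upload and a download through the access point (ARN used as the bucket name).
    aws s3api put-object --profile qa --bucket "$(access_point_arn)" --key "${S3AP_PREFIX}/test.txt" --body test.txt
    aws s3api get-object --profile qa --bucket "$(access_point_arn)" --key "${S3AP_PREFIX}/test.txt" downloaded.txt
    # Outside the QA prefix: expected AccessDenied from the access point policy.
    if aws s3api get-object --profile qa --bucket "$(access_point_arn)" --key other/secret.txt /dev/null; then
        echo "unexpected: read outside ${S3AP_PREFIX}/ succeeded" >&2; exit 1
    fi
fi
```

Run it once without S3_AP_APPLY to see the two policies (`access_point_policy`, `bucket_policy`), then with S3_AP_APPLY=1 to create the access point and confirm that the direct request is refused while the same request through the access point ARN succeeds and a read outside the QA/ prefix is still denied.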

Final Thoughts

Amazon S3 Access Points simplify access management when many users and applications need different slices of a large data set: each consumer gets its own endpoint with a policy scoped to exactly what it needs. That is not the only use case. We also saw that an access point can be restricted to a VPC, and a dedicated access point is a safe place to try out a new policy before touching the bucket policy. Lastly, there is no additional charge for access points; requests through them are billed at the normal S3 rates.


Sources:

https://aws.amazon.com/s3/features/access-points/
https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points.html