Amazon S3 Access Points

Managing access to an S3 bucket starts out simple: one bucket policy covers everything. But as the number of users, applications and data sets grows, that single policy turns into a large document that is hard to review. Provisioning access through it (who may reach which objects, and from where) quickly becomes messy and error-prone.

AWS added S3 Access Points to address this problem. An access point is a named network endpoint attached to a bucket, and each access point carries its own policy. Instead of folding every user's permissions into one bucket policy, you can give each user or application a dedicated access point whose policy is scoped to exactly what it needs. This is particularly helpful when a large data set in one bucket is shared by different users and/or applications. An access point can also be restricted to a single VPC, which is useful when you have strict requirements that data must only be reachable from inside your network.

Creating Access Points for your Bucket

For this demo, we want to grant our IAM user named QA download and upload access to a bucket. The bucket, 's3-ap-demo' in the Singapore region, has been set up to accept only requests that come through an access point. By default, you can create up to 1,000 access points per account per Region. To create an access point, go to Bucket > Access Points, then Create Access Point.


Here you'll notice the option to choose a network origin: Virtual private cloud (VPC) if you want to restrict the access point to a single VPC, or Internet if users outside your VPC need access as well.

You can also manage the Block Public Access settings for the access point. We'll leave them at the default, which blocks all public access.


Here we can now write our access point policy. For this example, we want the QA IAM user to have GetObject and PutObject permission on its folder. The Principal is the ARN of the QA user, and the Resource is the ARN of the access point rather than the bucket, because requests arrive through the access point. Objects reached through an access point use the following resource format:


arn:aws:s3:<region>:<accountid>:accesspoint/<accesspointname>/object/<your prefix>/*

You can also use the AWS Policy Generator, or start from the access point policy examples in the S3 documentation.

After that, click "Save" and a confirmation message will appear.

Now let's log in as the QA IAM user and try to download and upload objects in the QA folder directly, through the bucket itself.


As expected, we are not allowed to download or upload directly, since the bucket only accepts requests that come through an access point.


Now let's try again using the access point. Go to Bucket > Access Points, then select the access point we just created.


Through the access point, we can download and upload files in our folder successfully.

Uploaded test.txt file.

Take note that objects can now be addressed through the access point using the following hostname format:

https://<accesspointname>-<accountid>.s3-accesspoint.<region>.amazonaws.com
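The console walkthrough above (create the access point, pick the network origin and public access settings, attach the policy with the access-point object ARN, then use the access point hostname) can be scripted. The following is an added example, not code from the original post: it builds the access point policy from the walkthrough, the bucket-side policy that makes a bucket accept requests only through access points (the delegation pattern AWS documents, using the s3:DataAccessPointAccount and s3:DataAccessPointArn condition keys), and the ARN and hostname formats shown on this page, and it includes a small local check of what the policy's Resource pattern actually grants. The account ID 123456789012, the access point name "qa-ap" and the prefix "qa" are assumptions; only the bucket name, Region and IAM user come from the article. The apply() function uses boto3's s3control and s3 clients and needs real credentials, so it is kept separate from the pure builders, which run offline.

```python
import fnmatch
import json

# Assumed values; the article names only the bucket, the Region and the IAM user.
ACCOUNT_ID = "123456789012"    # assumed AWS account ID
REGION = "ap-southeast-1"      # Singapore, as in the article
BUCKET = "s3-ap-demo"          # bucket from the article
ACCESS_POINT = "qa-ap"         # assumed access point name
IAM_USER = "QA"                # IAM user from the article
PREFIX = "qa"                  # assumed name of the "QA folder"


def access_point_arn(account_id, region, name):
    """ARN of the access point itself."""
    return f"arn:aws:s3:{region}:{account_id}:accesspoint/{name}"


def access_point_endpoint(account_id, region, name):
    """Hostname clients use, in the format shown at the end of the article."""
    return f"{name}-{account_id}.s3-accesspoint.{region}.amazonaws.com"


def access_point_policy(account_id, region, name, user, prefix):
    """Grant one IAM user GetObject/PutObject under one prefix via the access point.
    Resource uses the access-point object ARN format from the article."""
    ap_arn = access_point_arn(account_id, region, name)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user}"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"{ap_arn}/object/{prefix}/*",
    }]}


def bucket_delegation_policy(account_id, bucket, deny_direct=True):
    """Bucket policy that delegates access control to this account's access points.

    Allow is the delegation pattern AWS documents (any action, but only via an
    access point owned by the account). The optional Deny rejects requests that
    carry no access point ARN, which is what makes the demo bucket refuse direct
    access; it is deliberately narrower than "s3:*" so PutBucketPolicy still works.
    """
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    statements = [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "*",
        "Resource": arns,
        "Condition": {"StringEquals": {"s3:DataAccessPointAccount": account_id}},
    }]
    if deny_direct:
        statements.append({
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
            "Resource": arns,
            "Condition": {"Null": {"s3:DataAccessPointArn": "true"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def allowed_object_actions(policy, ap_arn, key):
    """Local check (Allow statements only, no Deny/Condition evaluation) of which
    object actions the policy grants for key; shows the prefix scoping at work."""
    wanted = f"{ap_arn}/object/{key}"
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if any(fnmatch.fnmatchcase(wanted, pat) for pat in resources):
            granted.update(actions)
    return granted


def apply(vpc_id=None):
    """Create the access point and install both policies with boto3 (needs credentials)."""
    import boto3  # imported here so the pure builders above run without it
    s3control = boto3.client("s3control", region_name=REGION)
    params = {
        "AccountId": ACCOUNT_ID, "Name": ACCESS_POINT, "Bucket": BUCKET,
        # console default kept: block all public access on the access point
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    }
    if vpc_id:  # network origin = VPC: only requests from that VPC are accepted
        params["VpcConfiguration"] = {"VpcId": vpc_id}
    s3control.create_access_point(**params)
    s3control.put_access_point_policy(
        AccountId=ACCOUNT_ID, Name=ACCESS_POINT, Policy=json.dumps(
            access_point_policy(ACCOUNT_ID, REGION, ACCESS_POINT, IAM_USER, PREFIX)))
    # Bucket policy goes in last: from here on, direct object access is refused.
    boto3.client("s3", region_name=REGION).put_bucket_policy(
        Bucket=BUCKET, Policy=json.dumps(bucket_delegation_policy(ACCOUNT_ID, BUCKET)))
    return access_point_endpoint(ACCOUNT_ID, REGION, ACCESS_POINT)
```

Two caveats before running apply() against a real bucket. The Deny statement has Principal "*", so it applies to your own administrators as well: once it is in place, even the bucket owner must go through an access point to read or write objects, so give admins their own access point or add a condition that exempts an admin role. And keep the Deny limited to object and list actions as written; a Deny on "s3:*" with a Null s3:DataAccessPointArn condition would also reject the PutBucketPolicy call you need to undo it.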

Final Thoughts

Amazon S3 Access Points simplify access management when many users and applications share large data sets in one bucket. That is not their only use case. We also saw how an access point can be restricted to a VPC, and because every access point has its own policy, you can try out a new policy on a dedicated access point without touching the bucket policy that everyone else relies on. Lastly, there is no additional charge for using access points.

 

Sources:

https://aws.amazon.com/s3/features/access-points/
https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points.html


Written by: Lervin John Obando

Lervin is a Cloud Technology enthusiast and an AWS Community Builder whose expertise expands from Systems Administration, Database to Cloud Infrastructure. He is a Multi-Cloud Certified professional holding multiple certifications from AWS, Google, and Oracle. When he is not in front of his computer, you can find him spending time with his wife and dog.
