Getting Started / Hands-on / ...

Getting started with Amazon S3 Multi-Region Access Points

TUTORIAL

Introduction
CREATE AMAZON S3 BUCKETS
create s3 multi-region access point
configure s3 replication
Failover Configuration
IAM Permissions
use your multi-region access point
vpc endpoints
monitor s3 replication and requests
clean up resources

Module 5: IAM Permissions

You will learn how to delegate access control to access points.

Overview

To access your data in S3 through your Multi-Region Access Point, you need a user with permission to read and write objects to your new S3 buckets, or with permission to assume a role with access.

Assigning the AWS managed policy AmazonS3FullAccess permission to this user may be appropriate for a test account being used to complete this guide, and if you have this or AdministratorAccess you may wish to skip ahead to step 6.

Typically, it is more appropriate to use bucket and access point policies to provide more granular control. In this module, you will follow the recommended process to delegate access control to access points.

 Time to complete

20 minutes

Implementation

5.1 - Configure a bucket to delegate permissions to access points

  • In the AWS console, choose the arrow at the top right of the screen, and copy your 12- digit account number to a notepad (you will need this later).
  • Navigate to the Amazon S3 console, in the left-hand navigation, choose Buckets and open it in a new tab. Then, select one of the buckets you previously created.
  • In the Properties tab of the bucket, copy the ARN of the bucket to a notepad.

5.2 - Bucket policy

  • In the Permissions tab of the bucket, scroll to the Bucket policy section, which will be blank. Select Edit.
  • Copy and paste the following bucket policy, inserting your bucket ARN and Multi-Region Access Point ARN, as noted earlier from the access point properties, in the relevant sections (replacing the text inside the <angle brackets>).
    • This policy allows all users access to the bucket and its contents, provided the access is via your new access point.
    • Note: For an application or user to be able to access objects through an access point, both the access point and the underlying bucket must permit the request. With access control delegated to the access point, you will configure granular permissions there. Block public access still applies, therefore only authenticated access will be permitted.
{
    "Version": "2012-10-17",
    "Statement" : [
    {
        "Effect": "Allow",
        "Principal" : { "AWS": "*" },
        "Action" : "*",
        "Resource" : [ 
            "<BucketARN>", 
            "<BucketARN>/*"
        ],
        "Condition": {
            "StringEquals" : { "s3:DataAccessPointArn" : "<MultiRegionAccessPoint_ARN>"}
        }
    }]
}

5.3 - Repeat for your other buckets

  • Then, select Save changes.
  • Repeat the previous steps to apply the policy template to all the other buckets you created for this guide, updating the bucket ARN accordingly for each.

5.4 - (Optional) Configure access point permissions

  • If you wish to restrict access to your Multi-Region Access Point, follow this optional step.
    • Switch back to the browser tab with your Multi-Region Access Point open. If you need to re-open this, in the Amazon S3 console, choose Multi-Region Access Points. Then, select the name of your Multi-Region Access Point to configure additional settings.
  • From the properties of your new Multi Region Access Point, select the Permissions tab and scroll to the Multi-Region Access Point policy section, which will be blank. Select Edit.
  • Copy and paste the following bucket policy, inserting your account ID, user name, and Multi-Region Access Point ARN in the relevant sections (replacing the text inside the <angle brackets>). This policy example provides the named user with permission to use this access point to carry out all supported Amazon S3 operations.
{
  "Version":"2012-10-17",
  "Statement": [
    {
       "Effect": "Allow",
       "Principal": {
          "AWS":"arn:aws:iam::123456789012:user/JohnDoe"
       },
       "Action":[
          "s3:ListBucket",
          "s3:GetObject"
       ],
       "Resource":[ 
          "MultiRegionAccessPoint_ARN",
          "MultiRegionAccessPoint_ARN/object/*"
       ]
     }
  ]
}

Conclusion

In this module, you learned how to delegate access control to access points.

You are now ready to use your Multi-Region Access Point to access data in your buckets.

Start Module Six

Using Your Multi-Region Access Point