Easily Manage Shared Data Sets with Amazon S3 Access Points
Storage that is secure, scalable, durable, and highly available is a fundamental component of cloud computing. That’s why Amazon Simple Storage Service (S3) was the first service launched by AWS, back in 2006. It has been a building block of many of the more than 175 services that AWS now offers. As we approach the beginning of a new decade, capabilities like Amazon Redshift, Amazon Athena, Amazon EMR and AWS Lake Formation have made Amazon S3 not just a way to store objects but an engine for turning that data into insights. These capabilities mean that access patterns and requirements for the data stored in buckets have evolved.
Today we’re launching a new way to manage data access at scale for shared data sets in Amazon S3: Amazon S3 Access Points. S3 Access Points are unique hostnames with dedicated access policies that describe how data can be accessed using that endpoint. Before S3 Access Points, shared access to data meant managing a single policy document on a bucket. These policies could represent hundreds of applications with many differing permissions, making audits, and updates a potential bottleneck affecting many systems.
With S3 Access Points, you can add access points as you add additional applications or teams, keeping your policies specific and easier to manage. A bucket can have multiple access points, and each access point has its own AWS Identity and Access Management (IAM) policy. Access point policies are similar to bucket policies, but associated with the access point. S3 Access Points can also be restricted to only allow access from within a Amazon Virtual Private Cloud (VPC). And because each access point has a unique DNS name, you can now address your buckets with any name that is unique within your AWS account and region.
Creating S3 Access Points
Let’s add an access point to a bucket using the S3 Console. You can also create and manage your S3 Access Points using the AWS Command Line Interface (CLI), AWS SDKs, or via the API. I’ve selected a bucket that contains artifacts generated by a AWS Lambda function, and clicked on the access points tab.
Let’s create a new access point. I want to give an IAM user Alice permission to
PUT objects with the prefix
Alice. I’m going to name this access point
alices-access-point. There are options for restricting access to a Virtual Private Cloud, which just requires a Virtual Private Cloud ID. In this, I want to allow access from outside the VPC as well, so after I took this screenshot, I selected Internet and moved onto the next step.
S3 Access Points makes it easy to block public access. I’m going to block all public access to this access point.
And now I can attach my policy. In this policy, our Principal is our user Alice, and the resource is our access point combined with every object with the prefix
/Alice. For more examples of the kinds of policies you might want to attach to your S3 Access Points, take a look at the docs.
After I create the access point, I can access it by hostname using the format
https://[access_point_name]-[accountID].s3-accesspoint.[region].amazonaws.com. Via the SDKs and CLI, I can use it the same way I would use a bucket once I’ve updated to the latest version. For example, assuming I were authenticated as Alice, I could do the following:
$ aws s3api get-object --key /Alice/object.zip --bucket arn:aws:s3:us-east-1:[my-account-id]:alices-access-point download.zip
Access points that are not restricted to VPCs can also be used via the Amazon S3 Console.
Things to Know
- S3 Access Points is available now in all AWS Regions, at no cost.
- By default each account can create 1,000 access points per region.
- You can use S3 Access Points with AWS CloudFormation.
- If you use AWS Organizations, you can add a Service Control Policy (SCP) requiring all access points are restricted to a VPC.
When it comes to software design, keeping scopes small and focused on a specific task is almost always a good decision. With S3 Access Points, you can customize hostnames and permissions for any user or application that needs access to your shared data set. Let us know how you like this new capability, and happy building!— Brandon