Amazon S3 Access Grants

Manage S3 permissions for directory users and groups

Overview

Amazon S3 Access Grants map identities in directories such as Active Directory, or AWS Identity and Access Management (IAM) Principals, to datasets in S3. This helps you manage data permissions at scale by automatically granting S3 access to end-users based on their corporate identity. Additionally, S3 Access Grants log end-user identity and the application used to access S3 data in AWS CloudTrail. This helps to provide a detailed audit history down to the end-user identity for all access to the data in your S3 buckets.

Benefits

S3 Access Grants build on top of AWS Identity Center’s Trusted Identity Propagation capability and allow S3 to authenticate and authorize directly against directory users and groups. By integrating with AWS Identity Center, S3 Access Grants support a wide range of popular identity providers such as Entra ID, Okta, Ping, OneLogin, and more.
With enhanced integrations with CloudTrail, end-user access to S3 via S3 Access Grants is auditable in CloudTrail down to the directory user identity.
You can use S3 Access Grants to scale your S3 permissions to enforce granular S3 permissions. With S3 Access Grants, you can define S3 access in an intuitive grant style up to 100,000 grants per Region per account, only giving users and applications the S3 data they need.
You might have a data lake stack that includes S3 along with other popular analytics products like Amazon Redshift, Databricks, and Snowflake. S3 Access Grants integrate with Immuta and Informatica so you can centrally manage your S3 permissions.

Customers and partners

  • Immuta

    Immuta helps organizations unlock value from their data by providing an integrated platform for sensitive data discovery, access control enforcement, and access behavior analysis and remediations.

    AWS Storage Blog: How to enforce Amazon S3 Access Grants with Immuta

    The Immuta Data Security Platform allows our customers to simplify, centralize, and enforce access control policies across cloud data platforms. With the new S3 Access Grants capability built in, Immuta customers can now define S3 permissions and leverage Immuta’s ‘write once, apply everywhere’ approach with attribute-based access control (ABAC), drastically reducing the number of policies required. With this approach, you can democratize and increase data usage while meeting global compliance standards.

    Mo Plassnig, Chief Product Officer - Immuta
  • Informatica

    Informatica Intelligent Data Management Cloud, built on AWS is an AI powered end-to-end data management platform that connects, manages, and unifies data across any multi-cloud hybrid system, democratizing data and enabling AWS customers to modernize and redefine their data and AI strategies and experiences.

    AWS Storage Blog: Streamline data sharing and access control with Informatica Cloud Data Marketplace and Amazon S3 Access Grants

    The integration between Informatica's Data Access Management and Cloud Data Marketplace capabilities, together with Amazon S3 Access Grants, will further simplify self-service access to data in data lakes built on Amazon S3. It will enable different personas within an enterprise data community to easily share and deliver data products with Informatica’s marketplace into Amazon S3, with centrally managed security and privacy controls in place, and in accordance with modern data governance principles.

    Brett Roscoe, SVP, Product Development - Informatica
  • Booking.com

    Booking.com is one of the world’s leading online travel platforms, connecting travelers with the widest selection of places to stay, experiences and attractions as well as a range of transportation options from flights, car rentals and taxis.

    We are on a journey to migrate Booking.com’s multi-petabyte on-prem analytics and machine learning ecosystem to a set of cloud native products and services built on top of AWS. With Amazon S3 Access Grants, we aim to enforce strong governance over the entirety of our data lake for both structured and unstructured data, irrespective of the technology the data consumers of the platform choose to access and modify the data on S3. The APIs and data model of S3 Access Grants make it easy to build automation to manage S3 access at scale, while hiding a lot of the complexity for end-users, who simply receive a standard STS token to access and modify only the data they need.

    Luca Falsina, Principal Software Engineer I, and Abhro Bhaduri, Senior Product Manager, Data and Machine Learning Platform - Booking.com

Solving large-scale data access challenges with Amazon S3

As you build a data lake or shared datasets on Amazon S3, managing access is essential. You need strong guardrails that protect your data. Within your organization, you require granular access control for your data with strong controls around authentication, authorization, encryption, and auditing. Watch this video to learn about common and successful patterns for implementing your access controls at varying levels of granularity and scale to maintain tight control over your data.

Amazon EMR and S3 Access Grants

Amazon EMR integrates with Amazon S3 Access Grants, enabling you to scale job-based S3 access for Apache Spark jobs across all Amazon EMR deployment options and enforce granular S3 access for better security posture.

Ready to get started?