Amazon S3 Access Points

Easily manage access for shared datasets on Amazon S3

Overview

Amazon S3 Access Points simplify managing data access for any application or AWS service that works with S3. With S3 Access Points, customers with shared datasets, including data lakes, media archives, and user-generated content, can easily control and scale data access for hundreds of applications, teams, or individuals by creating individualized access points with names and permissions customized for each. You can also use S3 Access Points to access file data stored on Amazon FSx for OpenZFS file systems as if it were in S3, allowing you to use it with applications and services that work with S3 without application changes or moving data out of file storage.

Use cases

  • Scale access policies for large shared datasets: Using S3 Access Points, you can break down one large bucket policy into separate, discrete access point policies for each application that needs to access the shared dataset. This makes it simpler to focus on building the right access policy for an application, while not having to worry about disrupting what any other application is doing within the shared dataset.
  • Provide a unique name: S3 Access Points allow you to specify any name that is unique within the account and Region. For example, you can now have a “test” access point in every account and Region.
  • Use file data stored in FSx for OpenZFS with applications and services that work with S3: Access your file data stored in FSx for OpenZFS file systems as if it were in an Amazon S3 bucket, allowing you to work with your data using a broad range of artificial intelligence, machine learning, and analytics services and applications that work with S3—all without any refactoring or needing to take your data out of a file system.
  • Restrict access to VPC and specific account IDs: An S3 Access Point can limit all S3 storage access to happen from a Virtual Private Cloud (VPC). You can also create a Service Control Policy (SCP) that requires that all access points be restricted to a VPC, confining access to your data to your private networks. You can also specify VPC endpoint policies that limit access to only access points (and thus buckets) owned by specific account IDs. This simplifies the creation of access policies that permit access to buckets within the same account, while rejecting any other S3 access via the VPC endpoint.
  • Establish and test individual access policies: Using access points, you can establish and individually test application-specific access control policies before migrating applications to the access point or copying the policy to an existing access point.
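The per-application policy pattern from the first use case, written out as an added example (this is not AWS's own sample policy). The account ID 111122223333, Region us-east-1, access point name reports-app, IAM role reports-app-role and prefix reports/ are placeholders. The policy lives on the access point rather than on the bucket, so it can be reviewed and changed without touching the policies of the other applications sharing the bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReportsAppReadsObjectsUnderItsPrefix",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/reports-app-role"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:us-east-1:111122223333:accesspoint/reports-app/object/reports/*"
    },
    {
      "Sid": "ReportsAppListsOnlyItsPrefix",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/reports-app-role"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:us-east-1:111122223333:accesspoint/reports-app",
      "Condition": {
        "StringLike": {
          "s3:prefix": "reports/*"
        }
      }
    }
  ]
}
```

Two points worth checking when testing such a policy before migrating an application to it: object permissions use the access point ARN with the `/object/` suffix, while `s3:ListBucket` is granted on the access point ARN itself and scoped with `s3:prefix`; and the access point policy is evaluated together with the bucket policy, so the bucket policy must still allow requests that arrive through access points in this account (AWS documents delegating that with the `s3:DataAccessPointAccount` condition key) for the grant above to take effect.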
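The SCP described under "Restrict access to VPC and specific account IDs", as an added example rather than an AWS-provided policy. Attached to an organizational unit, it denies creation of any access point whose network origin is not a VPC, so every access point in those accounts is reachable only from a private network; the statement ID is an assumed name:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInternetOriginAccessPoints",
      "Effect": "Deny",
      "Action": "s3:CreateAccessPoint",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:AccessPointNetworkOrigin": "VPC"
        }
      }
    }
  ]
}
```

`s3:AccessPointNetworkOrigin` takes the values `Internet` or `VPC`, and an access point's origin is fixed at creation, so denying the create call is sufficient; the guardrail does not affect access points that already exist, which should be inventoried separately.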