Amazon S3 Access Points
Easily manage access for shared datasets on Amazon S3
Overview
Amazon S3 Access Points simplify managing data access for any application or AWS service that works with S3. With S3 Access Points, customers with shared datasets, including data lakes, media archives, and user-generated content, can easily control and scale data access for hundreds of applications, teams, or individuals by creating individualized access points with names and permissions customized for each. You can also use S3 Access Points to access file data stored on Amazon FSx file systems as if it were in S3, allowing you to use it with applications and services that work with S3 without application changes or moving data out of file storage.
Amazon FSx now supports Amazon S3 Access Points
You can now attach Amazon S3 Access Points to your Amazon FSx for NetApp ONTAP and FSx for OpenZFS file systems so that you can access your file data as if it were in S3. With this capability, your file data in FSx is accessible for use with the broad range of artificial intelligence, machine learning, and analytics services and applications that work with S3 while your file data continues to reside on the FSx file system.
Use cases
- Scale access policies for large shared datasets: Using S3 Access Points, you can break down one large bucket policy into separate, discrete access point policies for each application that needs to access the shared dataset. This makes it simpler to focus on building the right access policy for an application, while not having to worry about disrupting what any other application is doing within the shared dataset.
- Use file data stored in FSx with applications and services that work with S3: Access your file data stored in FSx for ONTAP or OpenZFS file systems as if it were in an Amazon S3 bucket, allowing you to work with your data using a broad range of artificial intelligence, machine learning, and analytics services and applications that work with S3, all without any refactoring or needing to take your data out of a file system.
- Restrict access to VPC and specific account IDs: An S3 Access Point can limit all S3 storage access to requests that originate from a Virtual Private Cloud (VPC). You can also create a Service Control Policy (SCP) that requires every access point to be restricted to a VPC, confining access to your data to your private networks. In addition, you can specify VPC endpoint policies that limit access to only access points (and thus buckets) owned by specific account IDs. This simplifies the creation of access policies that permit access to buckets within the same account, while rejecting any other S3 access via the VPC endpoint.
- Establish and test individual access policies: Using access points, you can establish and individually test application-specific access control policies before migrating applications to the access point or copying the policy to an existing access point.
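The SCP described in the VPC use case above, written out as an added example (not a policy from the page or from AWS documentation): it denies creation of any S3 Access Point whose network origin is not VPC, so internet-reachable access points cannot be created anywhere the SCP applies. It assumes the policy is attached to the organization root or an OU; `s3:AccessPointNetworkOrigin` is the S3 condition key evaluated on `s3:CreateAccessPoint`, and no account-specific values are required.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessPointsNotRestrictedToVpc",
      "Effect": "Deny",
      "Action": "s3:CreateAccessPoint",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:AccessPointNetworkOrigin": "VPC"
        }
      }
    }
  ]
}
```

Because this is an explicit deny, an identity policy granting `s3:CreateAccessPoint` cannot override it; verify the guardrail after attaching it by attempting to create an access point without a VPC configuration in a member account and confirming the request is rejected.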