The Problem They Solve: Simplifying Data Access at Scale
For a large, shared S3 bucket accessed by hundreds of applications or teams, managing a single, monolithic bucket policy becomes incredibly complex, difficult to audit, and error-prone. A small mistake in the central policy could inadvertently grant or deny access for the wrong application.
S3 Access Points solve this problem by allowing you to create hundreds of unique entry points to the bucket, each with its own small, targeted policy. This decentralizes access management, making it easier to grant specific permissions for each use case.
How Access Points Work
1. Unique Hostname
When you create an access point, AWS assigns it a unique DNS hostname. Instead of using the standard bucket name in a request, your application uses the access point's hostname.
- Standard Bucket Hostname: `my-bucket.s3.us-east-1.amazonaws.com`
- Access Point Hostname: `my-access-point-name-accountid.s3-accesspoint.us-east-1.amazonaws.com`
2. Access Point Policies
Each access point has its own resource policy, written in the same JSON format as a bucket policy.
- This policy only applies to requests made through its specific access point hostname.
- It allows you to define fine-grained permissions, such as allowing a specific IAM user to perform only `GetObject` actions on a certain prefix (folder).
3. Interaction with Bucket Policies
The access point policy does not replace the bucket policy; they work together. For a request made through an access point to be successful, it must be permitted by all of the following:
- The user's IAM Identity Policy
- The S3 Access Point Policy
- The S3 Bucket Policy
This allows you to use the main bucket policy for broad, bucket-wide rules (e.g., "deny all non-HTTPS requests") while using access point policies for specific application permissions.
Key Features & Use Cases
- Fine-Grained Access Control: Grant specific permissions to different applications or teams without modifying the central bucket policy. For example, give one application read-only access and another read-write access to different prefixes within the same bucket.
- Secure Shared Datasets: Ideal for data lakes where multiple teams and services need to access a central bucket. Each team can be given an access point with permissions tailored only to the data they are allowed to see.
- Simplified Audits: Auditing permissions is much easier when you can review small, self-contained access point policies instead of a single, thousand-line bucket policy.
Network Origin Control
This is a powerful security feature of S3 Access Points. You can configure an access point to be accessible only from a specific network origin.
- VPC Only: You can restrict an access point so that it only accepts requests from a specified Virtual Private Cloud (VPC). This effectively creates a private network perimeter around your S3 data, ensuring it cannot be accessed from the public internet, even if the bucket policy or user permissions would otherwise allow it.
- Internet: The default setting, which allows access from anywhere on the internet, subject to the policy permissions.
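The three-policy evaluation described in sections 2 and 3, together with the network origin gate described in this section, as an added example that is not part of the original page and is not AWS code. The evaluator below is a toy model written for this page: it matches `Action` and `Resource` with IAM-style wildcards, treats an explicit Deny in any policy as final, and otherwise requires a matching Allow in the identity policy, the access point policy and the bucket policy. The account id, ARNs, VPC id, role name and object keys are constructed placeholders, and the only condition key it understands is `aws:SecureTransport`; real IAM evaluation involves many more condition keys and policy types (SCPs, permission boundaries, session policies) that this model deliberately leaves out.

```python
"""Toy evaluator for requests made through an S3 access point (added example, not AWS code).

Models only the rules described on this page: a VPC-only access point rejects requests from
any other origin; then the IAM identity policy, the access point policy and the bucket policy
are each evaluated, an explicit Deny anywhere wins, and otherwise all three must contain a
matching Allow. Every account id, ARN, VPC id and role name below is a constructed placeholder.
"""
import fnmatch

ACCOUNT = "123456789012"  # constructed placeholder account id
BUCKET_ARN = "arn:aws:s3:::my-bucket"
AP_ARN = f"arn:aws:s3:us-east-1:{ACCOUNT}:accesspoint/my-access-point-name"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/reporting-app"  # constructed caller identity

def _matches(patterns, value):
    """IAM-style wildcard match ('*', '?') of value against one pattern or a list of them."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _principal_matches(principal, caller):
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return principal == "*" or _matches(aws, caller)

def _condition_matches(condition, req):
    if not condition:
        return True
    if set(condition) != {"Bool"} or set(condition["Bool"]) != {"aws:SecureTransport"}:
        raise ValueError("toy evaluator only understands Bool/aws:SecureTransport")
    return str(req["https"]).lower() == condition["Bool"]["aws:SecureTransport"].lower()

def _statement_effect(stmt, req, resource, is_resource_policy):
    """Return 'Allow', 'Deny', or None when the statement does not match the request."""
    if is_resource_policy and not _principal_matches(stmt.get("Principal", {}), req["principal"]):
        return None
    if not _matches(stmt["Action"], req["action"]) or not _matches(stmt["Resource"], resource):
        return None
    return stmt["Effect"] if _condition_matches(stmt.get("Condition"), req) else None

def _policy_decision(policy, req, resource, is_resource_policy):
    effects = {_statement_effect(s, req, resource, is_resource_policy) for s in policy["Statement"]}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def evaluate(access_point, req, identity_policy, bucket_policy):
    """Return (allowed, reason) for a request sent to the access point hostname."""
    origin = access_point["network_origin"]
    if origin["type"] == "VPC" and req.get("vpc_id") != origin["vpc_id"]:
        return False, "blocked by access point network origin (VPC only)"
    # Identity and access point policies see the access point object ARN; the bucket policy
    # sees the underlying bucket object ARN.
    ap_resource = f"{access_point['arn']}/object/{req['key']}"
    bucket_resource = f"{access_point['bucket_arn']}/{req['key']}"
    decisions = {
        "identity policy": _policy_decision(identity_policy, req, ap_resource, False),
        "access point policy": _policy_decision(access_point["policy"], req, ap_resource, True),
        "bucket policy": _policy_decision(bucket_policy, req, bucket_resource, True),
    }
    denied = [name for name, d in decisions.items() if d == "Deny"]
    if denied:
        return False, f"explicit deny in {denied[0]}"
    missing = [name for name, d in decisions.items() if d != "Allow"]
    if missing:
        return False, "no matching allow in " + ", ".join(missing)
    return True, "allowed by identity, access point and bucket policies"

# Bucket policy: one broad, bucket-wide rule (deny all non-HTTPS requests) plus a plain Allow.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "AllowReportingAppReads", "Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
]}
# Access point: VPC-only network origin and a small policy scoped to a single prefix.
ACCESS_POINT = {
    "arn": AP_ARN, "bucket_arn": BUCKET_ARN,
    "network_origin": {"type": "VPC", "vpc_id": "vpc-0123456789abcdef0"},  # constructed id
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadReportsPrefixOnly", "Effect": "Allow", "Principal": {"AWS": APP_ROLE},
         "Action": "s3:GetObject", "Resource": f"{AP_ARN}/object/reports/*"},
    ]},
}
# Identity policy on the app role; note that it names the access point ARN, not the bucket ARN.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{AP_ARN}/object/*"},
]}

def make_request(action, key, https=True, vpc_id=None):
    return {"principal": APP_ROLE, "action": action, "key": key, "https": https, "vpc_id": vpc_id}

def run_scenarios():
    """Constructed requests that exercise each gate; returns {name: (allowed, reason)}."""
    vpc = ACCESS_POINT["network_origin"]["vpc_id"]
    cases = {
        "get report from vpc": make_request("s3:GetObject", "reports/q1.csv", vpc_id=vpc),
        "get report from internet": make_request("s3:GetObject", "reports/q1.csv"),
        "get report over http": make_request("s3:GetObject", "reports/q1.csv", https=False, vpc_id=vpc),
        "put report": make_request("s3:PutObject", "reports/q1.csv", vpc_id=vpc),
        "get outside prefix": make_request("s3:GetObject", "private/salaries.csv", vpc_id=vpc),
    }
    return {name: evaluate(ACCESS_POINT, r, IDENTITY_POLICY, BUCKET_POLICY) for name, r in cases.items()}
```

Calling `run_scenarios()` returns one decision per constructed request: the in-VPC HTTPS read of `reports/q1.csv` passes all three policies; the same read from outside the VPC never reaches policy evaluation; the HTTP read is stopped by the bucket-wide `DenyInsecureTransport` rule even though the access point policy would allow it; the `PutObject` is allowed by the identity policy alone and so fails; and the read outside the `reports/` prefix shows the access point policy narrowing what the bucket policy's broader Allow would otherwise permit. Two details are worth noticing. The identity policy names the access point object ARN (`arn:aws:s3:region:account:accesspoint/name/object/key`), because that is the resource a request made through an access point is evaluated against. And the network origin gate applies only to requests that arrive through the access point hostname: a request sent directly to the bucket hostname is judged by the bucket policy alone, so the bucket policy remains the place to restrict direct access when that matters.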
Access Point Policy vs. Bucket Policy
| Feature | Bucket Policy | S3 Access Point Policy |
| :--- | :--- | :--- |
| Scope | Applies to all requests made directly to the bucket. | Applies only to requests made through that specific access point. |
| Purpose | Best for broad, bucket-wide rules that apply to all access. | Best for fine-grained permissions tailored to a single application or team. |
| Management | Can become very large and complex for shared buckets. | Stays small, focused, and easy to manage. |
| Network Control | N/A | Can restrict access to a specific VPC. |