S3 Access Points


Access Points

  • Suppose we have users from different departments and they want to access different buckets.
    • We could write complex bucket policies to enable this, but they would become difficult to manage.
  • Access points push security management from the S3 bucket policy to the access point.
    • Each access point carries its own security configuration.
  • By using access points we define different ways to access our bucket.
    • attachments/Pasted image 20230211184409.jpg
  • Each access point has a policy attached to it.
  • Because the per-user rules live on the access points, the bucket policy itself stays very simple.
    • This simplifies security for our bucket.
  • Each Access Point has:
    • Its own DNS name (Internet Origin or VPC Origin)
    • An access point policy (similar to a bucket policy) that lets us manage security at scale
  • So there are two policies in play: the bucket policy and the access point policy.

S3 Access Points - VPC Origin

  • We can define the access point to be accessible only from within the VPC.
  • You must create a VPC Endpoint to access the Access Point (Gateway or Interface Endpoint)
  • The VPC Endpoint Policy must allow access to the target bucket and Access Point
  • In total, using a VPC-origin access point involves three policies: the VPC Endpoint policy, the S3 Access Point policy, and the S3 Bucket policy.
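The two-policy model from the Access Points section and the three-policy model for a VPC origin, as an added example that is not part of the original notes. It builds the delegating bucket policy (scoped to access points of the account, and optionally to VPC origins via the s3:AccessPointNetworkOrigin key), a per-department access point policy, and the VPC endpoint policy, then checks that a bucket policy really delegates instead of opening the bucket. The account id, region, bucket, access point, endpoint id and role name are constructed placeholders.

```python
"""Policy set for an S3 access point: bucket policy delegating to access
points, access point policy per department, VPC endpoint policy.
Added example; all identifiers below are constructed placeholders."""
import json

ACCOUNT_ID = "123456789012"                  # constructed placeholder
REGION = "us-east-1"
BUCKET = "example-shared-data"               # constructed placeholder
ACCESS_POINT = "finance-ap"                  # constructed placeholder
FINANCE_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/FinanceAnalyst"  # constructed

BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
AP_ARN = f"arn:aws:s3:{REGION}:{ACCOUNT_ID}:accesspoint/{ACCESS_POINT}"
DELEGATION_KEY = "s3:DataAccessPointAccount"


def bucket_policy_delegating(vpc_only: bool = False) -> dict:
    """The simple bucket policy: allow everything, but only for requests that
    arrive through an access point owned by this account. With vpc_only the
    bucket additionally rejects access points whose origin is the Internet."""
    condition = {DELEGATION_KEY: ACCOUNT_ID}
    if vpc_only:
        condition["s3:AccessPointNetworkOrigin"] = "VPC"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateToAccessPoints",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
            "Condition": {"StringEquals": condition},
        }],
    }


def bucket_policy_without_delegation() -> dict:
    """The anti-pattern: the same wildcard principal with no access point
    condition, which simply makes the objects public."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": f"{BUCKET_ARN}/*",
        }],
    }


def access_point_policy(role_arn: str, prefix: str) -> dict:
    """Per-department rule on the access point: read-only access to one
    prefix. Object resources on an access point use the .../object/ form."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DepartmentReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [AP_ARN, f"{AP_ARN}/object/{prefix}/*"],
        }],
    }


def vpc_endpoint_policy() -> dict:
    """Third policy, attached to the Gateway or Interface endpoint: it must
    name both the bucket and the access point, otherwise the request is
    refused at the endpoint before S3 evaluates the other two policies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*",
                         AP_ARN, f"{AP_ARN}/object/*"],
        }],
    }


def bucket_policy_is_delegating(policy: dict) -> bool:
    """True when every Allow statement with a wildcard principal is scoped to
    access points of this account via s3:DataAccessPointAccount."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if not wildcard:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if equals.get(DELEGATION_KEY) != ACCOUNT_ID:
            return False
    return True


if __name__ == "__main__":
    for name, policy in [("bucket", bucket_policy_delegating(vpc_only=True)),
                         ("access point", access_point_policy(FINANCE_ROLE, "finance")),
                         ("vpc endpoint", vpc_endpoint_policy())]:
        print(f"--- {name} policy ---")
        print(json.dumps(policy, indent=2))
```

The check only inspects the bucket policy; the network origin itself is fixed when the access point is created with a VPC configuration, and the bucket condition above is what stops someone from creating a second, Internet-origin access point that reaches the same objects.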

attachments/Pasted image 20230211184752.jpg

S3 Object Lambda

  • It builds on S3 Access Points.
  • Use AWS Lambda functions to change the object before it is retrieved by the calling application.
    • This means there is no need to keep multiple versions of our data in different buckets.
    • Only one S3 bucket is needed, on top of which we create an S3 Access Point and an S3 Object Lambda Access Point.
  • Use Cases:
    • Redacting personally identifiable information for analytics or non-production environments.
      • attachments/Pasted image 20230211185434.jpg
    • Converting across data formats, such as converting XML to JSON.
    • Resizing and watermarking images on the fly using caller-specific details, such as the user who requested the object.
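The PII-redaction use case above, as an added example that is not part of the original notes: a Lambda handler for an Object Lambda Access Point that fetches the original object through the presigned inputS3Url the event carries, redacts e-mail addresses and US-style social security numbers, and returns the result with WriteGetObjectResponse. The redaction and event-parsing functions are pure so they can be exercised without AWS; the sample event, bucket and key are constructed placeholders.

```python
"""S3 Object Lambda transform that redacts PII before the caller sees it.
Added example; the sample event below is constructed, not a real invocation."""
import re
import urllib.request

# PII this example redacts: e-mail addresses and US-style SSNs.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def redact(text: str) -> str:
    """Replace every PII match with a labelled marker."""
    for label, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[REDACTED {label}]", text)
    return text


def parse_event(event: dict) -> tuple:
    """Pull the three values every Object Lambda handler needs: where to fetch
    the original object and the route/token used to hand back the result."""
    ctx = event["getObjectContext"]
    return ctx["inputS3Url"], ctx["outputRoute"], ctx["outputToken"]


def lambda_handler(event, context):
    """Entry point configured on the Object Lambda Access Point."""
    import boto3  # deferred so redact()/parse_event() run without AWS installed
    input_url, route, token = parse_event(event)
    # The presigned URL goes through the supporting access point, so the
    # access point and bucket policies still apply to this fetch.
    with urllib.request.urlopen(input_url) as resp:
        original = resp.read().decode("utf-8", errors="replace")
    boto3.client("s3").write_get_object_response(
        Body=redact(original).encode("utf-8"),
        RequestRoute=route,
        RequestToken=token,
    )
    return {"status_code": 200}


# Constructed sample event in the shape Object Lambda sends (placeholders).
SAMPLE_EVENT = {
    "getObjectContext": {
        "inputS3Url": "https://example-ap-123456789012.s3-accesspoint.us-east-1.amazonaws.com/customers.csv?X-Amz-Signature=placeholder",
        "outputRoute": "io-example-route",
        "outputToken": "example-token",
    },
    "configuration": {
        "accessPointArn": "arn:aws:s3-object-lambda:us-east-1:123456789012:accesspoint/redact-olap",
        "supportingAccessPointArn": "arn:aws:s3:us-east-1:123456789012:accesspoint/analytics-ap",
    },
    "userRequest": {"url": "https://redact-olap.example/customers.csv", "headers": {}},
}

if __name__ == "__main__":
    sample = "Contact jane.doe@example.com, SSN 123-45-6789, ticket 42"
    print(redact(sample))
```

The handler decodes as UTF-8 and only suits text objects; binary formats need a pass-through branch keyed on the object's content type, and large objects should be streamed rather than read into memory.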

Multi-Region Access Point

  • Provides a global endpoint that spans S3 buckets in multiple AWS regions
  • Dynamically route requests to the nearest S3 bucket (lowest latency)
  • Bi-directional S3 bucket replication rules are created to keep data in sync across regions
    • attachments/Pasted image 20230305112223.jpg
  • Failover Controls - allows you to shift requests across S3 buckets in different AWS regions within minutes (Active-Active or Active-Passive)

Last updated: 2023-03-05