
AWS S3 Access Points

Reading Time: ~60 minutes


https://aws.amazon.com/s3/features/access-points/

What are S3 Access Points?

• Every S3 access point is associated with an S3 bucket.
• A bucket can have many access points, each provisioning access to a shared data set.
• An access point provides a customized path into a bucket, with its own unique hostname and an access point policy that enforces the specific permissions granted through it.
• Every S3 access point has a unique DNS name.
• Max. 1,000 S3 access points per AWS account.

When to use S3 Access Points?

• Large, shared data sets: Using access points, you can decompose one large bucket policy into separate, discrete access point policies, one for each application that needs to access the shared data set. This makes it simpler to build the right access policy for an application without worrying about disrupting what any other application is doing within the shared data set.
• Restrict access to a VPC: An S3 access point can limit all S3 storage access to requests that originate from a Virtual Private Cloud (VPC). You can also create a Service Control Policy (SCP) that requires all access points to be restricted to a VPC, firewalling your data within your private networks.
• Test new access policies: Using access points, you can test new access control policies before migrating applications to the access point or copying the policy to an existing access point.
• Limit access to specific account IDs: With S3 access points you can specify VPC endpoint policies that permit access only to access points (and thus buckets) owned by specific account IDs. This simplifies the creation of access policies that permit access to buckets within the same account while rejecting any other S3 access via the VPC endpoint.
• Provide a unique name: S3 access points allow you to specify any name that is unique within the account and Region. For example, you can have a “test” access point in every account and Region.

Whether you are creating an access point for data ingestion, transformation, restricted read access, or unrestricted access, S3 access points simplify the work of creating and maintaining access to shared S3 buckets.

https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html

Rules for Naming S3 Access Points

Access point names must meet the following conditions:
• Must be unique within a single AWS account and Region
• Must comply with DNS (domain name system) naming restrictions
• Must begin with a number or lowercase letter
• Must be >= 3 characters and <= 50 characters
• Cannot begin or end with a dash
• Cannot contain underscores, uppercase letters, or periods
• In other words: lowercase letters, digits and dashes (not at the start or end) only; no underscores, no periods.
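As an added example (not part of the original handout), a Python checker that applies the naming rules listed above and reports which ones a candidate name breaks; AWS's own CreateAccessPoint validation remains authoritative.

```python
import re

# Applies the access point naming rules from the handout. This is an added example,
# not AWS's validator; the service rejects invalid names on its own.
def access_point_name_violations(name: str) -> list[str]:
    """Return the rules the name breaks; an empty list means the name is acceptable."""
    problems = []
    if not 3 <= len(name) <= 50:
        problems.append("must be between 3 and 50 characters long")
    if not re.fullmatch(r"[a-z0-9]", name[:1]):
        problems.append("must begin with a lowercase letter or digit")
    if name.startswith("-") or name.endswith("-"):
        problems.append("cannot begin or end with a dash")
    if "_" in name:
        problems.append("cannot contain underscores")
    if "." in name:
        problems.append("cannot contain periods")
    if any(c.isupper() for c in name):
        problems.append("cannot contain uppercase letters")
    # Anything left after removing the characters already covered by a rule above
    # (e.g. spaces or symbols) also violates the DNS naming restrictions.
    others = sorted(set(re.sub(r"[a-z0-9A-Z._-]", "", name)))
    if others:
        problems.append("contains characters outside a-z, 0-9 and '-': " + "".join(others))
    return problems

def is_valid_access_point_name(name: str) -> bool:
    return not access_point_name_violations(name)
```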

AWS S3 Access Point by Dr. Yao Page 1


Background Information for the following Example/Exercise
The following screenshots show that the mis341.gmu.edu S3 bucket is used to host a static web page/site and can be accessed using the URL (endpoint): https://s3.amazonaws.com/mis341.gmu.edu/mis341.htm
This is called static website hosting or bucket hosting.

The name of the landing HTML page is mis341.htm

Copy and paste the URL https://s3.amazonaws.com/mis341.gmu.edu/mis341.htm into a web browser:

This S3 bucket, mis341.gmu.edu, must be configured to allow public access:

Block public access needs to be turned off.

The bucket policy needs to be set as shown in the screenshot:

The following screenshots show that the user testUser has no permission to access the S3 bucket.

Sign on as testUser and click S3.

https://494438480755.signin.aws.amazon.com/console

Account ID: 494438480755

Example/Exercise: Create S3 Access Point via Management Console
Sign onto AWS. Select S3. Select and click on a bucket, in this case mis341.gmu.edu. Click the Access points tab.

Click Create access point. Enter a name for the access point. Select Internet as the network origin.

Click Block all public access.

Under Access point policy, enter the following:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::494438480755:user/testUser"
            },
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:us-east-1:494438480755:accesspoint/mis314access/object/testUser/*"
        }
    ]
}

In this policy, 494438480755 is the account ID, mis314access is the access point name and testUser is the IAM user name. The Resource restricts the grant to objects whose key begins with testUser/, so the user can read and write only within that prefix through this access point.

Click Create access point.

Then, click Use this access point.

The general syntax for using the S3 access point from software applications is:
https://[access_point_name]-[accountID].s3-accesspoint.[region].amazonaws.com

For example:
https://cmis341acess-494438480755.s3-accesspoint.us-east-1.amazonaws.com/

S3 Bucket vs. S3 Access Point

• An S3 bucket is the logical storage container for objects (files and folders).
• An S3 access point provides access to the S3 bucket and its contents.
• An S3 bucket may have many S3 access points.
• An access point is a separate AWS resource created for a bucket. It has an Amazon Resource Name (ARN) of the form arn:aws:s3:[region]:[account ID]:accesspoint/[access_point_name] (as used in the Resource of the policy above) and a hostname of the form
https://[access_point_name]-[account ID].s3-accesspoint.[region].amazonaws.com
• A request made through an access point must be allowed by both the access point policy and the bucket policy; a bucket policy can delegate that decision to its access points with the s3:DataAccessPointAccount condition key.
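As an added example (not from the handout), Python that builds the exercise's per-user access point policy from page 6 together with the access point ARN and hostname described above, and checks requests against that policy with a minimal evaluator. The evaluator assumes Allow-only statements without Condition blocks and ignores the bucket and IAM policies that also apply to a real request.

```python
import fnmatch

# Sample values taken from the exercise (constructed for this example).
ACCOUNT_ID = "494438480755"
REGION = "us-east-1"
AP_NAME = "mis314access"
USER = "testUser"

def access_point_arn(account_id, region, ap_name):
    """Access point ARN, the form used in the Resource of the exercise's policy."""
    return f"arn:aws:s3:{region}:{account_id}:accesspoint/{ap_name}"

def access_point_hostname(account_id, region, ap_name):
    """Hostname from the 'general syntax for using the S3 access point' line."""
    return f"{ap_name}-{account_id}.s3-accesspoint.{region}.amazonaws.com"

def object_arn_via_access_point(account_id, region, ap_name, key):
    """ARN of an object when it is addressed through the access point."""
    return f"{access_point_arn(account_id, region, ap_name)}/object/{key}"

def per_user_policy(account_id, region, ap_name, user):
    """The exercise's access point policy: one IAM user may read and write objects
    only under a prefix named after that user."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user}"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": object_arn_via_access_point(account_id, region, ap_name, f"{user}/*"),
        }],
    }

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def is_allowed(policy, principal_arn, action, resource_arn):
    """Minimal evaluation (assumption: Allow-only statements, no Condition blocks):
    allowed only if some statement matches principal, action and resource, honouring
    the IAM wildcards '*' and '?'. Bucket and IAM policies are not considered here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if (any(fnmatch.fnmatchcase(principal_arn, p) for p in principals)
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False
```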

Policy vs. S3 Access Point

As a comparison and a review, the following example/exercise (1) creates an IAM policy that allows access to the mis341 bucket and (2) attaches the policy to testUser, allowing testUser to access the mis341 bucket.

In the AWS Management Console, go to IAM and click Policies. Then, click Create policy.

Click Select a service.

Look for and select S3.

Click List and Read under Access level.

Click Add ARN for bucket.

The ARN for the cmis341 bucket is arn:aws:s3:::mis341.gmu.edu

To find the ARN for a bucket, click the bucket to bring up the pop-up property window.
Click Copy Bucket ARN

Click Add ARN for object

Click Any

Enter a policy name and a description. Click Create policy.

In the IAM Dashboard, select Users and click testUser.

Click Add permissions.

Click Attach existing policies directly.

Find and select the mis341 policy.

Click Next: Review.

Click Add permissions.

Sign on as the IAM user testUser to verify that the user can now access the mis341 bucket.
