Amazon S3 | Access Points
S3 Access Points are a feature that simplifies managing access to shared S3 buckets by allowing twtech to create customized access policies for specific applications or users, without modifying the underlying bucket policy.

They are particularly useful in large-scale or multi-tenant environments where multiple users or systems interact with the same bucket.
Why twtech Uses S3 Access Points

| Benefit | Description |
|---|---|
| Granular access control | Assign distinct permissions to different users/apps for the same bucket. |
| Simplified policies | Avoid complex bucket policies by splitting them into multiple targeted access points. |
| Named access URLs | Each access point has a unique hostname. |
| Support for VPC | You can create VPC-only access points for private access within AWS. |
Basic Concepts
Access Point Name & Alias
- Every access point has a unique name (per AWS Region and account).
- Example hostname:
```text
twtech-access-point-123456xxxxx.s3-accesspoint.us-east-2.amazonaws.com
```
Associated Bucket
- Each access point is tied to exactly one S3 bucket.
Access Point Policy
- Similar to a bucket policy, but it applies only to requests made through that access point.
Example Use Case
Scenario: A data lake in an S3 bucket is used by analytics, ML, and backup systems.
Solution: Create three access points:
- One for analytics (read-only to a prefix)
- One for ML training (read/write to /ml-data/)
- One for backups (write-only)
Each access point can have its own IAM-style policy controlling what users can do and to which parts of the bucket.
Sample Access Point Policy (Read-only to a prefix)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::11112xxxxxxx:user/AnalyticsUser" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:us-east-2:11112xxxxx:accesspoint/twtech-ap-name/object/data/*"
    }
  ]
}
```
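As an added example (not code from the original post), here is a Python model of the three access point policies from the data-lake scenario above, using the object ARN form of the sample policy, together with a simplified allow check that shows how each access point isolates its consumer. The account id, principal ARNs and access point names are constructed placeholders.

```python
import fnmatch

# Constructed placeholders for the data-lake scenario; not real account ids or ARNs.
ACCOUNT = "111122223333"
REGION = "us-east-2"
ANALYTICS = f"arn:aws:iam::{ACCOUNT}:user/AnalyticsUser"
ML_ROLE = f"arn:aws:iam::{ACCOUNT}:role/MLTraining"
BACKUP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/BackupAgent"

def ap_object_arn(ap_name, key_or_pattern):
    """Object-level ARN of an access point, the form used in the sample policy above."""
    return f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{ap_name}/object/{key_or_pattern}"

def allow_statement(principal_arn, actions, resources):
    return {"Effect": "Allow", "Principal": {"AWS": principal_arn},
            "Action": actions, "Resource": resources}

# One policy per access point; each grants only what that consumer needs.
POLICIES = {
    "analytics-ap": [allow_statement(ANALYTICS, "s3:GetObject",
                                     ap_object_arn("analytics-ap", "data/*"))],
    "ml-ap": [allow_statement(ML_ROLE, ["s3:GetObject", "s3:PutObject"],
                              ap_object_arn("ml-ap", "ml-data/*"))],
    "backup-ap": [allow_statement(BACKUP_ROLE, "s3:PutObject",
                                  ap_object_arn("backup-ap", "*"))],
}

def policy_dict(ap_name):
    """Full policy document; json.dumps() of it is what
    `aws s3control put-access-point-policy --policy` expects."""
    return {"Version": "2012-10-17", "Statement": POLICIES[ap_name]}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def is_allowed(ap_name, principal_arn, action, key):
    """Simplified check of one access point policy: Allow statements and '*' wildcards
    only, no Deny or Condition handling. Real S3 evaluation also consults the bucket
    policy and the caller's IAM policies, so this models only the access point layer."""
    request_arn = ap_object_arn(ap_name, key)
    for st in POLICIES.get(ap_name, []):
        if st["Effect"] != "Allow" or principal_arn not in _as_list(st["Principal"]["AWS"]):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if any(fnmatch.fnmatchcase(request_arn, r) for r in _as_list(st["Resource"])):
            return True
    return False
```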
VPC-Only Access Points
twtech can create an access point restricted to a VPC, ensuring that traffic never leaves AWS's internal network; requests that do not originate from that VPC are rejected. This is useful for security and compliance.
Example:
```bash
aws s3control create-access-point \
  --account-id 111122xxxxxxxx \
  --name twtech-vpc \
  --bucket twtech-shared-bucket \
  --vpc-configuration VpcId=vpc-0abc123dexxxxxxxxx
```
Accessing Data via Access Points
Requests that go through an access point do not use standard bucket URLs such as https://s3.amazonaws.com/twtech-s3bucket/key. Instead, use the access point's own hostname:
```text
https://my-access-point-1234xxxxxxxx.s3-accesspoint.us-east-2.amazonaws.com/twtech-object-key
```
Or, for a VPC-only access point:
```text
https://twtech-access-point-1234xxxxxxx.s3-accesspoint.us-east-2.vpce.amazonaws.com
```
Comparison: Access Point vs Bucket Policy

| Feature | S3 Bucket Policy | S3 Access Point |
|---|---|---|
| Scope | Whole bucket | Specific usage patterns |
| Complexity | Grows with more users/apps | Isolated per use case |
| IAM integration | Full | Full |
| VPC restriction | No | Yes |
Good to Know
- twtech can have up to 1,000 access points per Region per account.
- Use AWS S3 Object Lambda together with Access Points to process data on the fly before users receive it.