Saturday, June 28, 2025

Amazon S3 Access Points | Overview.


Scope:

  • Intro,
  • Why Use S3 Access Points (Benefits),
  • Architecture,
  • Basic Concepts,
  • Sample Use Case,
  • Sample Access Point Policy (Read-only to a prefix),
  • VPC-Only Access Points,
  • Accessing Data via Access Points,
  • Comparison: Access Point vs Bucket Policy,
  • Key take-away

Intro:

  • S3 Access Points are a feature that simplifies managing access to shared S3 buckets by allowing twtech to create customized access policies for specific applications or users without modifying the underlying bucket policy.
  • They are particularly useful in large-scale or multi-tenant environments where multiple users or systems interact with the same bucket.

Why twtech Uses S3 Access Points

Benefit                  Description
Granular access control  Assign distinct permissions to different users/apps for the same bucket.
Simplified policies      Avoid complex bucket policies by splitting them into multiple targeted access points.
Named access URLs        Each access point has a unique hostname.
Support for VPC          twtech can create VPC-only access points for private access within AWS.

Architecture

Basic Concepts

Access Point Name & Alias

  • Every access point has a unique name (per AWS Region and account).
  • Example alias (the access point hostname):

twtech-access-point-accountID.s3-accesspoint.us-east-2.amazonaws.com

Associated Bucket

  • Each access point is tied to one S3 bucket.

Access Point Policy

  • Similar to a bucket policy but applies only to requests made through that access point.

Sample Use Case

Scenario: A data lake in an S3 bucket is used by analytics, ML, and backup systems.

Solution: Create:

  • One access point for analytics (read-only to a prefix)
  • One for ML training (read/write to /ml-data/)
  • One for backups (write-only)

NB:

  • Each access point can have its own IAM-style policy controlling what users can do and to which parts of the bucket.

Sample Access Point Policy (Read-only to a prefix)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::accountID:user/AnalyticsUser" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:us-east-2:accountID:accesspoint/twtech-ap-name/object/data/*"
    }
  ]
}
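To see what the read-only policy above permits and denies, here is a small evaluator added as an example; it is not code from the post and not AWS's authorization engine (which additionally applies IAM identity policies, the bucket policy and any SCPs). The 12-digit account ID and the sample requests are constructed placeholders.

```python
import fnmatch

# Constructed placeholders: the post writes "accountID"; a 12-digit sample stands in here.
ACCOUNT = "111122223333"
REGION = "us-east-2"
AP_NAME = "twtech-ap-name"

# The read-only-to-prefix access point policy from the post, with placeholders filled in.
ACCESS_POINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/AnalyticsUser"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{AP_NAME}/object/data/*",
    }],
}

def object_arn(key):
    """ARN of an object addressed through the access point; this is what the policy matches."""
    return f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{AP_NAME}/object/{key}"

def _matches(value, patterns):
    # IAM-style wildcard: "*" spans any characters, including "/" inside object keys.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, principal_arn, action, key):
    """True only if some Allow statement matches and no Deny statement does (deny wins)."""
    resource = object_arn(key)
    allowed = False
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else principal.get("AWS", [])
        if not (_matches(principal_arn, principals)
                and _matches(action, stmt["Action"])
                and _matches(resource, stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    analyst = f"arn:aws:iam::{ACCOUNT}:user/AnalyticsUser"
    for action, key in [("s3:GetObject", "data/report.csv"),
                        ("s3:PutObject", "data/report.csv"),
                        ("s3:GetObject", "ml-data/model.bin")]:
        verdict = "ALLOW" if is_allowed(ACCESS_POINT_POLICY, analyst, action, key) else "DENY"
        print(f"{action} {key} -> {verdict}")
```

In AWS the bucket policy must also allow requests arriving through the access point, for example by delegating to access points in the same account with the s3:DataAccessPointAccount condition key.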

VPC-Only Access Points

  • twtech can create an access point restricted to a VPC.
  • A VPC-only access point ensures that traffic never leaves AWS's internal network.
  • This is useful for security and compliance.

Sample: creating a VPC-only access point

# Create an access point on the shared bucket that only accepts requests from the given VPC
aws s3control create-access-point \
  --account-id accountID \
  --name twtech-vpc \
  --bucket twtech-shared-bucket \
  --vpc-configuration VpcId=vpc-0abc123dexxxxxxxxx

Accessing Data via Access Points

  • twtech cannot use standard S3 URLs like:

https://s3.amazonaws.com/twtech-s3bucket/key

  • Instead, twtech uses the access point hostname:

https://my-access-point-accountID.s3-accesspoint.us-east-2.amazonaws.com/twtech-object-key

  • Or, for a VPC-only access point:

https://twtech-access-point-accountID.s3-accesspoint.us-east-2.vpce.amazonaws.com

Comparison: Access Point vs Bucket Policy

Feature          S3 Bucket Policy            S3 Access Point
Scope            Whole bucket                Specific usage patterns
Complexity       Grows with more users/apps  Isolated per use case
IAM integration  Full                        Full
VPC restriction  No                          Yes

Key take-away

  • twtech can have up to 1,000 access points per Region per account.
  • Use AWS S3 Object Lambda together with Access Points to process data on the fly (in transit) before users receive it.
