Using Access Points - Amazon Simple Storage Service

Using Access Points

You can access the objects in an Amazon S3 bucket with an access point using the AWS Management Console, AWS CLI, AWS SDKs, or the S3 REST APIs.

Access points have Amazon Resource Names (ARNs). Access point ARNs are similar to bucket ARNs, but they are explicitly typed and encode the access point's Region and the AWS account ID of the access point's owner. For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.

Access point ARNs use the format arn:aws:s3:region:account-id:accesspoint/resource. For example:

  • arn:aws:s3:us-west-2:123456789012:accesspoint/test represents the access point named test, owned by account 123456789012 in Region us-west-2.

  • arn:aws:s3:us-west-2:123456789012:accesspoint/* represents all access points under account 123456789012 in Region us-west-2.

ARNs for objects accessed through an access point use the format arn:aws:s3:region:account-id:accesspoint/access-point-name/object/resource. For example:

  • arn:aws:s3:us-west-2:123456789012:accesspoint/test/object/unit-01 represents the object unit-01, accessed through the access point named test, owned by account 123456789012 in Region us-west-2.

  • arn:aws:s3:us-west-2:123456789012:accesspoint/test/object/* represents all objects for access point test, in account 123456789012 in Region us-west-2.

  • arn:aws:s3:us-west-2:123456789012:accesspoint/test/object/unit-01/finance/* represents all objects under prefix unit-01/finance/ for access point test, in account 123456789012 in Region us-west-2.
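The two ARN shapes above are what policy authors match against, so a small parser and an IAM-style wildcard matcher make the examples concrete. The following Python is an added illustration, not code from the AWS documentation; it assumes the usual IAM Resource wildcard semantics (* spans any characters, including slashes, and ? matches one character) and uses only the sample ARNs listed above.

```python
"""Parse S3 access point ARNs and evaluate IAM-style wildcard patterns
against them. Added example for illustration; not code from the AWS docs."""
import re
from dataclasses import dataclass
from typing import Optional

# ARN grammar as described on the page:
#   arn:aws:s3:region:account-id:accesspoint/name
#   arn:aws:s3:region:account-id:accesspoint/name/object/key
_AP_ARN = re.compile(
    r"^arn:(?P<partition>[a-z0-9-]+):s3:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):accesspoint/(?P<name>[^/]+)"
    r"(?:/object/(?P<key>.*))?$"
)


@dataclass(frozen=True)
class AccessPointArn:
    partition: str
    region: str
    account: str
    name: str
    key: Optional[str]  # None for the access point itself; the key for an object ARN

    @property
    def is_object(self) -> bool:
        return self.key is not None


def parse_access_point_arn(arn: str) -> AccessPointArn:
    """Split an access point ARN or access point object ARN into its components."""
    m = _AP_ARN.match(arn)
    if not m:
        raise ValueError(f"not an S3 access point ARN: {arn!r}")
    return AccessPointArn(m["partition"], m["region"], m["account"], m["name"], m["key"])


def resource_matches(pattern: str, arn: str) -> bool:
    """IAM-style Resource matching (assumption: '*' matches any run of
    characters, including '/', and '?' matches exactly one character)."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, arn) is not None


def allowed_by(patterns, arn: str):
    """Return the entries of a policy's Resource list that cover `arn`."""
    return [p for p in patterns if resource_matches(p, arn)]


if __name__ == "__main__":
    ap = parse_access_point_arn(
        "arn:aws:s3:us-west-2:123456789012:accesspoint/test/object/unit-01")
    print(ap.name, ap.is_object, ap.key)
    policy_resources = [
        "arn:aws:s3:us-west-2:123456789012:accesspoint/test",
        "arn:aws:s3:us-west-2:123456789012:accesspoint/test/object/unit-01/finance/*",
    ]
    print(allowed_by(policy_resources,
                     "arn:aws:s3:us-west-2:123456789012:accesspoint/test/object/unit-01/finance/q1.csv"))
```

Because the object ARN embeds the access point name, a Resource entry scoped to accesspoint/test/object/unit-01/finance/* cannot accidentally cover objects reached through a different access point or a different prefix, which is the property the examples above are illustrating.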

Access Point Compatibility with S3 Operations and AWS Services

S3 access points are compatible with a subset of S3 operations and other AWS services. The following sections list the compatible services and S3 operations.

AWS Services

You can use S3 access points with AWS CloudFormation.

For more information about AWS CloudFormation, see What is AWS CloudFormation? in the AWS CloudFormation User Guide.

S3 Operations

You can use access points to access a bucket using the following subset of Amazon S3 APIs:

Monitoring and Logging

Amazon S3 logs requests made through access points and requests made to the APIs that manage access points, such as CreateAccessPoint and GetAccessPointPolicy.

Requests made to Amazon S3 through an access point appear in your S3 server access logs and AWS CloudTrail logs with the access point's hostname. An access point's hostname takes the form access_point_name-account_id.s3-accesspoint.Region.amazonaws.com. For example, suppose that you have the following bucket and access point configuration:

  • A bucket named my-bucket in Region us-west-2 that contains object my-image.jpg

  • An access point named my-bucket-ap that is associated with my-bucket

  • Your AWS account ID is 123456789012

A request made to retrieve my-image.jpg directly through the bucket appears in your logs with a hostname of my-bucket.s3.us-west-2.amazonaws.com. If you make the request through the access point instead, Amazon S3 retrieves the same object but logs the request with a hostname of my-bucket-ap-123456789012.s3-accesspoint.us-west-2.amazonaws.com.
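The hostname is the only field in those logs that tells a direct bucket request apart from one that came through an access point, so it is the field to key detection and inventory checks on. The following Python is an added example, not code from the AWS documentation; the log records it processes are constructed and reduced to the fields needed here, and the hostname grammar comes straight from the two forms given above (account IDs are exactly 12 digits, which is what lets a hyphenated access point name be separated from the account ID).

```python
"""Classify request hostnames from S3 server access logs or CloudTrail into
direct-bucket and access point requests. Added example, not AWS code; the
log records below are constructed and carry only the fields needed here."""
import re
from collections import Counter
from typing import Dict, Iterable, Set

# Hostname forms given on the page:
#   bucket-name.s3.region.amazonaws.com                               (direct)
#   access-point-name-account-id.s3-accesspoint.region.amazonaws.com  (access point)
# Account IDs are exactly 12 digits, so the access point name is everything
# before the final "-<12 digits>" even when the name itself contains hyphens.
_AP_HOST = re.compile(
    r"^(?P<name>.+)-(?P<account>\d{12})\.s3-accesspoint\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)
_BUCKET_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)


def classify_host(host: str) -> Dict[str, str]:
    """Return how a request reached S3 and the resource the hostname names."""
    m = _AP_HOST.match(host)
    if m:
        return {
            "via": "access-point",
            "name": m["name"],
            "account": m["account"],
            "region": m["region"],
            # ARN form from the page; useful for joining against policy resources
            "arn": f"arn:aws:s3:{m['region']}:{m['account']}:accesspoint/{m['name']}",
        }
    m = _BUCKET_HOST.match(host)
    if m:
        return {"via": "bucket", "bucket": m["bucket"], "region": m["region"]}
    return {"via": "unknown", "host": host}


# Constructed sample records: the hostname is the field the page says
# appears in both server access logs and CloudTrail entries.
RECORDS = [
    {"op": "REST.GET.OBJECT", "key": "my-image.jpg",
     "host": "my-bucket.s3.us-west-2.amazonaws.com"},
    {"op": "REST.GET.OBJECT", "key": "my-image.jpg",
     "host": "my-bucket-ap-123456789012.s3-accesspoint.us-west-2.amazonaws.com"},
    {"op": "REST.PUT.OBJECT", "key": "report.csv",
     "host": "prod-123456789012.s3-accesspoint.us-west-2.amazonaws.com"},
    {"op": "REST.GET.OBJECT", "key": "index.html",
     "host": "cdn.example.com"},  # not an S3 hostname at all
]


def summarize(records: Iterable[dict]) -> Dict[str, int]:
    """Count requests by access path (bucket, access-point, unknown)."""
    return dict(Counter(classify_host(r["host"])["via"] for r in records))


def unlisted_access_points(records: Iterable[dict], approved: Set[str]) -> Set[str]:
    """Access point ARNs seen in the logs that are not in the approved set:
    a cheap inventory check for access points nobody remembers creating."""
    seen = {c["arn"] for c in (classify_host(r["host"]) for r in records)
            if c["via"] == "access-point"}
    return seen - approved


if __name__ == "__main__":
    print(summarize(RECORDS))
    print(unlisted_access_points(
        RECORDS, {"arn:aws:s3:us-west-2:123456789012:accesspoint/prod"}))
```

Feed classify_host the Host value extracted from each log entry; the direct-bucket and access point regexes are mutually exclusive because one requires ".s3." and the other ".s3-accesspoint." in the hostname. Since the page notes that access points do not surface in CloudWatch metrics, this log-side classification is currently the practical way to see how much traffic is flowing through each access point.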

For more information about S3 Server Access Logs, see Amazon S3 Server Access Logging. For more information about AWS CloudTrail, see What is AWS CloudTrail? in the AWS CloudTrail User Guide.

Note

S3 access points aren't currently compatible with Amazon CloudWatch metrics.

Examples

Example: Request an Object Through an Access Point

The following example demonstrates how to request the object my-image.jpg through the access point prod owned by account ID 123456789012 in Region us-west-2, and save the downloaded file as download.jpg.

AWS CLI
aws s3api get-object --key my-image.jpg --bucket arn:aws:s3:us-west-2:123456789012:accesspoint/prod download.jpg

Example: Upload an Object Through an Access Point

The following example demonstrates how to upload the object my-image.jpg through the access point prod owned by account ID 123456789012 in Region us-west-2.

AWS CLI
aws s3api put-object --bucket arn:aws:s3:us-west-2:123456789012:accesspoint/prod --key my-image.jpg --body my-image.jpg

Example: Delete an Object Through an Access Point

The following example demonstrates how to delete the object my-image.jpg through the access point prod owned by account ID 123456789012 in Region us-west-2.

AWS CLI
aws s3api delete-object --bucket arn:aws:s3:us-west-2:123456789012:accesspoint/prod --key my-image.jpg

Example: List Objects Through an Access Point

The following example demonstrates how to list objects through the access point prod owned by account ID 123456789012 in Region us-west-2.

AWS CLI
aws s3api list-objects-v2 --bucket arn:aws:s3:us-west-2:123456789012:accesspoint/prod

Example: Add a Tag Set to an Object Through an Access Point

The following example demonstrates how to add a tag set to the existing object my-image.jpg through the access point prod owned by account ID 123456789012 in Region us-west-2.

AWS CLI
aws s3api put-object-tagging --bucket arn:aws:s3:us-west-2:123456789012:accesspoint/prod --key my-image.jpg --tagging 'TagSet=[{Key=finance,Value=true}]'

Example: Grant Access Permissions Through an Access Point Using an ACL

The following example demonstrates how to apply an ACL to an existing object my-image.jpg through the access point prod owned by account ID 123456789012 in Region us-west-2.

AWS CLI
aws s3api put-object-acl --bucket arn:aws:s3:us-west-2:123456789012:accesspoint/prod --key my-image.jpg --acl private