Multi-Region Access Point restrictions and limitations - Amazon Simple Storage Service

Multi-Region Access Point restrictions and limitations

Multi-Region Access Points in Amazon S3 have the following restrictions and limitations.

  • Multi-Region Access Point names:

    • Must be unique within a single AWS account

    • Must begin with a number or lowercase letter

    • Must be between 3 and 50 characters long

    • Can't begin or end with a hyphen (-)

    • Can't contain underscores (_), uppercase letters, or periods (.)

    • Can't be edited after they are created

  • Multi-Region Access Point aliases are generated by Amazon S3 and can't be edited or reused.

  • You cannot access data through a Multi-Region Access Point by using gateway endpoints. However, you can access data through a Multi-Region Access Point by using interface endpoints. To use AWS PrivateLink, you must create VPC endpoints. For more information, see Configuring a Multi-Region Access Point for use with AWS PrivateLink.

  • To use Multi-Region Access Points with Amazon CloudFront, you must configure the Multi-Region Access Point as a Custom Origin distribution type. For more information about various origin types, see Using various origins with CloudFront distributions. For more information about using Multi-Region Access Points with Amazon CloudFront, see Building an active-active, proximity-based application across multiple Regions on the AWS Storage Blog.

  • Multi-Region Access Point minimum requirements:

    • Transport Layer Security (TLS) v1.2

    • Signature Version 4 (SigV4A)

      Multi-Region Access Points support Signature Version 4A. This version of SigV4 allows requests to be signed for multiple AWS Regions. This feature is useful in API operations that might result in data access from one of several Regions. When using an AWS SDK, you supply your credentials, and the requests to Multi-Region Access Points will use Signature Version 4A without additional configuration. Make sure to check your AWS SDK compatibility with the SigV4A algorithm. For more information about SigV4A, see Signing AWS API requests in the AWS General Reference.

      Note

      To use SigV4A with temporary security credentials—for example, when using AWS Identity and Access Management (IAM) roles—make sure that you request the temporary credentials from a Regional endpoint in AWS Security Token Service (AWS STS), instead of a global endpoint. If you use the global endpoint for AWS STS (sts.amazonaws.com), AWS STS will generate temporary credentials from a global endpoint, which isn't supported by Sig4A. As a result, you'll get an error. To resolve this issue, use any of the listed Regional endpoints for AWS STS.

  • Multi-Region Access Points don't support anonymous requests.

  • Multi-Region Access Point limitations:

    • IPv6 is not supported.

    • Amazon S3 on Outposts buckets are not supported.

    • CopyObject is supported only as a destination when using the Multi-Region Access Point ARN. You can also perform the CopyObject action only between buckets in the same AWS Region.

    • The S3 Batch Operations feature is not supported.

  • Certain AWS SDKs are not supported. To confirm which AWS SDKs are supported for Multi-Region Access Points, see Compatibility with AWS SDKs.

  • The service quotas for Multi-Region Access Points are as follows:

    • There is a maximum of 100 Multi-Region Access Points per account.

    • There is a limit of 17 Regions for a single Multi-Region Access Point.

  • After you create a Multi-Region Access Point, you can’t add, modify, or remove buckets from the Multi-Region Access Point configuration. To change the buckets, you must delete the entire Multi-Region Access Point and create a new one. If a cross-account bucket in your Multi-Region Access Point is deleted, the only way to reconnect this bucket is to recreate the bucket, using the same name and Region in that account.

  • Underlying buckets (in the same account) that are used in a Multi-Region Access Point can be deleted only after a Multi-Region Access Point is deleted.

  • All control plane requests to create or maintain Multi-Region Access Points must be routed to the US West (Oregon) Region. For Multi-Region Access Point data plane requests, Regions don't need to be specified.

  • For the Multi-Region Access Point failover control plane, requests must be routed to one of these five supported Regions:

    • US East (N. Virginia)

    • US West (Oregon)

    • Asia Pacific (Sydney)

    • Asia Pacific (Tokyo)

    • Europe (Ireland)

  • Your Multi-Region Access Point only supports buckets in the following AWS Regions:

    • US East (N. Virginia)

    • US East (Ohio)

    • US West (N. California)

    • US West (Oregon)

    • Asia Pacific (Mumbai)

    • Asia Pacific (Osaka)

    • Asia Pacific (Seoul)

    • Asia Pacific (Singapore)

    • Asia Pacific (Sydney)

    • Asia Pacific (Tokyo)

    • Canada (Central)

    • Europe (Frankfurt)

    • Europe (Ireland)

    • Europe (London)

    • Europe (Paris)

    • Europe (Stockholm)

    • South America (São Paulo)