Manage the scope of your access points for directory buckets
This section explains how to view and modify the scope of your access points for directory buckets using the AWS Command Line Interface, REST API, or AWS SDKs. You can use the access point scope to restrict access to specific prefixes or API operations.
View the scope of your access points for directory buckets
You can use the AWS Command Line Interface, REST API, or AWS SDKs to view the scope of your access point for directory buckets.
The following get-access-point-scope example command shows how you can use the AWS CLI to view the scope of your access point.
The following command shows the scope of the access point my-access-point--zoneID--xa-s3 for AWS account 111122223333.
aws s3control get-access-point-scope --name my-access-point--zoneID--xa-s3 --account-id 111122223333
For more information and examples, see get-access-point-scope
Example result of get-access-point-scope
{
    "Scope": {
        "Permissions": [
            "ListBucket",
            "PutObject"
        ],
        "Prefixes": [
            "MyPrefix1*",
            "MyObjectName.csv"
        ]
    }
}
The following GetAccessPointScope example request shows how you can use the REST API to view the scope of your access point.
The following request shows the scope of the access point my-access-point--region-zoneID--xa-s3 for AWS account 111122223333.
GET /v20180820/accesspoint/my-access-point--zoneID--xa-s3/scope HTTP/1.1
Host: s3express-control.region.amazonaws.com
x-amz-account-id: 111122223333
Example result of GetAccessPointScope
HTTP/1.1 200
<?xml version="1.0" encoding="UTF-8"?>
<GetAccessPointScopeResult>
    <Scope>
        <Prefixes>
            <Prefix>MyPrefix1*</Prefix>
            <Prefix>MyObjectName.csv</Prefix>
        </Prefixes>
        <Permissions>
            <Permission>ListBucket</Permission>
            <Permission>PutObject</Permission>
        </Permissions>
    </Scope>
</GetAccessPointScopeResult>
You can use the AWS SDKs to view the scope of your access point. For more information, see list of supported SDKs in the Amazon Simple Storage Service API Reference.
Modify the scope of your access point for directory buckets
You can use the AWS Command Line Interface, REST API, or AWS SDKs to modify the scope of your access points for directory buckets. Access point scope is used to restrict access to specific prefixes, API operations, or a combination of both.
You can include one or more of the following API operations as permissions:
PutObject
GetObject
DeleteObject
ListBucket (required for ListObjectsV2)
GetObjectAttributes
AbortMultipartUploads
ListBucketMultipartUploads
ListMultipartUploadParts
Note
You can specify any number of prefixes, but the total length of all prefixes combined must be less than 256 bytes.
When you modify the scope of an access point, you replace the existing scope.
The following put-access-point-scope example command shows how you can use the AWS CLI to modify the scope of your access point.
The following command modifies the access point scope of my-access-point--zoneID--xa-s3 for AWS account 111122223333.
Note
You can use wildcards in prefixes by using the asterisk (*) character. If you want to use the asterisk character as a literal, add a backslash character (\) before it to escape it.
Also, all prefixes have an implicit '*' ending, meaning that all paths within the prefix are included.
aws s3control put-access-point-scope --name my-access-point--zoneID--xa-s3 --account-id 111122223333 --scope Prefixes=string,Permissions=string
For more information and examples, see put-access-point-scope
The following PutAccessPointScope example request shows how you can use the REST API to modify the scope of your access point.
The following request modifies the access point scope of my-access-point--zoneID--xa-s3 for AWS account 111122223333.
Note
You can use wildcards in prefixes by using the asterisk (*) character. If you want to use the asterisk character as a literal, add a backslash character (\) before it to escape it.
Also, all prefixes have an implicit '*' ending, meaning that all paths within the prefix are included.
PUT /v20180820/accesspoint/my-access-point--zoneID--xa-s3/scope HTTP/1.1
Host: s3express-control.region.amazonaws.com
x-amz-account-id: 111122223333

<?xml version="1.0" encoding="UTF-8"?>
<PutAccessPointScopeRequest>
    <Scope>
        <Prefixes>
            <Prefix>Jane/*</Prefix>
        </Prefixes>
        <Permissions>
            <Permission>PutObject</Permission>
            <Permission>GetObject</Permission>
        </Permissions>
    </Scope>
</PutAccessPointScopeRequest>
You can use the AWS CLI, AWS SDKs, or REST API to modify the scope of your access point. For more information, see list of supported SDKs in the Amazon Simple Storage Service API Reference.
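The prefix rules in the notes above (asterisk wildcard, backslash-escaped literal asterisk, implicit trailing '*'), the 256-byte limit, and the fact that a put replaces the existing scope can all be checked locally before you call put-access-point-scope. The following Python is an added example, not AWS code: the function names are hypothetical, the matcher is a local model of the rules as stated on this page, and counting the limit in UTF-8 bytes is an assumption.

```python
import re

# Permission names exactly as listed on this page.
ALLOWED_PERMISSIONS = {
    "PutObject", "GetObject", "DeleteObject", "ListBucket",
    "GetObjectAttributes", "AbortMultipartUploads",
    "ListBucketMultipartUploads", "ListMultipartUploadParts",
}
MAX_PREFIX_BYTES = 256  # combined prefix size must stay below this (assumed UTF-8)

def prefix_to_regex(prefix):
    """'*' is a wildcard, a backslash before '*' makes it literal, and every
    prefix carries an implicit trailing '*'."""
    out, i = [], 0
    while i < len(prefix):
        if prefix[i] == "\\" and prefix[i + 1:i + 2] == "*":
            out.append(re.escape("*"))   # escaped asterisk: literal character
            i += 2
        else:
            out.append(".*" if prefix[i] == "*" else re.escape(prefix[i]))
            i += 1
    return re.compile("".join(out) + ".*", re.DOTALL)

def key_in_scope(key, prefixes):
    """True if the object key falls under at least one scope prefix."""
    return any(prefix_to_regex(p).fullmatch(key) for p in prefixes)

def validate_scope(scope):
    """Return a list of problems; an empty list means the scope passes."""
    problems = []
    unknown = sorted(set(scope.get("Permissions", [])) - ALLOWED_PERMISSIONS)
    if unknown:
        problems.append(f"unknown permissions: {unknown}")
    total = sum(len(p.encode("utf-8")) for p in scope.get("Prefixes", []))
    if total >= MAX_PREFIX_BYTES:
        problems.append(f"prefixes total {total} bytes; must be < {MAX_PREFIX_BYTES}")
    return problems

def merged_scope(current, add_prefixes=(), add_permissions=()):
    """A put replaces the whole scope, so build the full new scope from the
    current one instead of sending only the additions."""
    cur_pre, cur_perm = current.get("Prefixes", []), current.get("Permissions", [])
    return {"Prefixes": sorted(set(cur_pre) | set(add_prefixes)),
            "Permissions": sorted(set(cur_perm) | set(add_permissions))}

# Constructed sample: the scope shown in the get-access-point-scope result above.
SAMPLE_SCOPE = {"Permissions": ["ListBucket", "PutObject"],
                "Prefixes": ["MyPrefix1*", "MyObjectName.csv"]}
```

Because of the implicit trailing wildcard, a prefix that names a single object, such as MyObjectName.csv, also admits keys like MyObjectName.csv.bak, so review prefixes with key_in_scope against keys that should stay out of scope.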
Delete the scope of your access points for directory buckets
You can use the AWS Command Line Interface, REST API, or AWS SDKs to delete the scope of your access points for directory buckets.
Note
When you delete the scope of an access point, all prefixes and permissions are deleted.
The following delete-access-point-scope example command shows how you can use the AWS CLI to delete the scope of your access point.
The following command deletes the scope of the access point my-access-point--zoneID--xa-s3 for AWS account 111122223333.
aws s3control delete-access-point-scope --name my-access-point--region-zoneID--xa-s3 --account-id 111122223333
For more information and examples, see delete-access-point-scope
The following request deletes the scope of the access point my-access-point--zoneID--xa-s3 for AWS account 111122223333.
DELETE /v20180820/accesspoint/my-access-point--zoneID--xa-s3/scope HTTP/1.1
Host: s3express-control.region.amazonaws.com
x-amz-account-id: 111122223333
You can use the AWS SDKs to delete the scope of your access point. For more information, see list of supported SDKs in the Amazon Simple Storage Service API Reference.