Amazon Simple Storage Service (Amazon S3)

AWS S3 Management

Demo Access Points

In this tutorial, you’ll learn how to use Amazon S3 Access Points to delegate and isolate access control for different teams. By the end, you will have configured two access points—one for developers and one for finance—each with its own fine-grained policy.


Table of Contents

  1. Create a Demo Bucket
  2. Verify Default Access for Other Users
  3. Create Access Points
  4. Delegate Bucket Permissions to Access Points
  5. Define Access Point Policies
  6. Test Access via Access Points
  7. Final Permissions Overview
  8. Conclusion
  9. Links and References

1. Create a Demo Bucket

First, set up a new S3 bucket named kk-accesspoint with the default settings. Then upload a sample file (beach.jpg) for testing.

The image shows an AWS S3 console screen where a user is configuring settings for a new bucket, including versioning, tags, and default encryption options. The "Create bucket" button is highlighted at the bottom.

Upload your test asset:

The image shows an AWS S3 upload interface where a file named "beach.jpg" is being prepared for upload. The file is 2.7 MB in size, and the "Upload" button is highlighted.

Once uploaded, as the bucket owner (user1), you can view the object details:

The image shows an Amazon S3 console page displaying details of an object named "beach.jpg," including its properties, S3 URI, and object URL. It also indicates that bucket versioning is disabled.

Best Practice

Consider enabling versioning on production buckets so that overwritten or deleted objects can be recovered, and review default encryption: new buckets encrypt new objects with SSE-S3 automatically, while SSE-KMS adds a KMS key policy as a second, independent control over who can read the data.


2. Verify Default Access for Other Users

Assume two IAM users in the same account, user2 and user3, each with only the AWSCloudShellFullAccess managed policy attached. That policy grants no S3 permissions, and the new bucket has no bucket policy yet, so both users are implicitly denied when they try to list or retrieve objects from it.

The image shows the AWS Identity and Access Management (IAM) console, displaying a list of users with details such as last activity, password age, and active key age.

The image shows an AWS Identity and Access Management (IAM) console screen, displaying user permissions with the "AWSCloudShellFullAccess" policy attached. The console access is enabled without MFA, and no permissions boundary is set.

In AWS CloudShell, both users attempt to list and copy objects. Both calls fail: ListObjectsV2 returns AccessDenied, while aws s3 cp fails on its preliminary HeadObject call with a bare 403, because a HEAD response carries no error body to name the reason:

The image shows the AWS Management Console with a search for "CloudShell," displaying services, resources, blogs, and documentation related to AWS CloudShell. The interface is dark-themed, and there are multiple tabs open in the browser.

# As user2
[cloudshell-user@ip-... ~]$ aws s3 ls s3://kk-accesspoint/
fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
[cloudshell-user@ip-... ~]$ aws s3 cp s3://kk-accesspoint/beach.jpg .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

# As user3
[cloudshell-user@ip-... ~]$ aws s3 ls s3://kk-accesspoint/
fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
[cloudshell-user@ip-... ~]$ aws s3 cp s3://kk-accesspoint/beach.jpg .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

3. Create Access Points

Navigate to Amazon S3 → Access points and create two points:

  1. developers (for user2)
  2. finance (for user3)

Select kk-accesspoint as the data source, choose Internet for Network origin, and keep public access blocking enabled. Network origin Internet means the access point accepts requests from any network that the policies allow; choose VPC instead when the clients live in a single VPC and you want S3 to reject requests from anywhere else regardless of policy.

The image shows an AWS S3 console interface for creating an access point, with fields for access point name, bucket selection, and network origin settings.

The image shows an AWS S3 Access Point configuration screen, where settings for bucket selection, AWS region, network origin, and public access blocking are being configured.

Public Access

Always keep Block all public access enabled on buckets and access points to prevent accidental exposure. An access point's block-public-access settings are separate from the bucket's and are fixed when the access point is created; changing them means recreating the access point.


4. Delegate Bucket Permissions to Access Points

A request made through an access point is evaluated against both the access point policy and the underlying bucket policy, so the bucket has to permit access from its access points. The policy below lets any access point owned by your account list the bucket. The s3:DataAccessPointAccount condition is what keeps the "*" principal from being a public grant, so never drop it. AWS's recommended delegation policy goes further and allows all actions on both the bucket ARN and the object ARN (arn:aws:s3:::kk-accesspoint/*) under the same condition, so that the access point policies become the only place bucket access is controlled. Replace 123456789012 with your AWS account ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::kk-accesspoint",
      "Condition": {
        "StringEquals": {
          "s3:DataAccessPointAccount": "123456789012"
        }
      }
    }
  ]
}

Apply under Bucket → Permissions → Bucket policy:

The image shows an Amazon S3 console screen with the "Permissions" tab open for the bucket kk-accesspoint. It displays settings related to blocking public access and bucket policies.


5. Define Access Point Policies

5.1 Developer Access Point Policy

Go to Access points → developers → Permissions → Edit and paste:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/user2"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:us-east-1:123456789012:accesspoint/developers",
        "arn:aws:s3:us-east-1:123456789012:accesspoint/developers/object/*"
      ]
    }
  ]
}

The image shows an AWS management console screen for editing an S3 Access Point policy, indicating that public access is blocked due to current settings. There are options to check and learn more about public access settings.

5.2 Finance Access Point Policy

For finance, allow user3:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/user3"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:us-east-1:123456789012:accesspoint/finance",
        "arn:aws:s3:us-east-1:123456789012:accesspoint/finance/object/*"
      ]
    }
  ]
}
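The policies in Sections 4 and 5 can be generated instead of hand-edited, which avoids the two usual mistakes: dropping the /object/ segment from the object resource (accesspoint/developers/* does not match objects) and dropping the delegation condition from the bucket policy. The following Python is an added example written for this page, not code from the tutorial or from AWS. It hard-codes the tutorial's demo values (account 123456789012, region us-east-1, bucket kk-accesspoint); its full=True variant reproduces AWS's recommended all-actions delegation form, and its key_prefix parameter is an extension beyond the page's policies, which grant each team the whole bucket.

```python
"""Generate the tutorial's bucket delegation policy and per-team access point
policies with the ARN grammar S3 expects for access points.
Added example for this page, not the tutorial's own code."""
import json

# The tutorial's demo values (assumed; substitute your own).
ACCOUNT = "123456789012"
REGION = "us-east-1"
BUCKET = "kk-accesspoint"
TEAM_ACTIONS = ("s3:ListBucket", "s3:GetObject", "s3:PutObject")


def access_point_arn(region: str, account: str, name: str) -> str:
    """ARN of the access point itself; the resource s3:ListBucket applies to."""
    return f"arn:aws:s3:{region}:{account}:accesspoint/{name}"


def access_point_object_arn(region: str, account: str, name: str, key_pattern: str = "*") -> str:
    """Object-level resource under an access point. The '/object/' segment is
    mandatory: 'accesspoint/<name>/*' on its own does not match any object."""
    return f"{access_point_arn(region, account, name)}/object/{key_pattern}"


def access_point_uri(region: str, account: str, name: str, key: str = "") -> str:
    """The s3:// form the AWS CLI accepts for an access point (used in Section 6)."""
    base = f"s3://{access_point_arn(region, account, name)}"
    return f"{base}/{key}" if key else base


def bucket_delegation_policy(bucket: str, account: str, full: bool = False) -> dict:
    """Bucket policy delegating to access points owned by `account`.
    full=False reproduces the tutorial's ListBucket-only statement; full=True is
    the all-actions form AWS recommends, so that access point policies become the
    only place bucket access is controlled. In both forms the
    s3:DataAccessPointAccount condition is what keeps Principal "*" non-public."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statement = {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*" if full else "s3:ListBucket",
        "Resource": [bucket_arn, bucket_arn + "/*"] if full else bucket_arn,
        "Condition": {"StringEquals": {"s3:DataAccessPointAccount": account}},
    }
    return {"Version": "2012-10-17", "Statement": [statement]}


def access_point_policy(region, account, name, principal_arn, actions, key_prefix=""):
    """Access point policy granting `actions` to one principal.
    key_prefix is an extension of the page's policies: it confines GetObject and
    PutObject to keys under that prefix (for example 'finance/')."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": list(actions),
            "Resource": [
                access_point_arn(region, account, name),
                access_point_object_arn(region, account, name, f"{key_prefix}*"),
            ],
        }],
    }


def tutorial_policies() -> dict:
    """The three policies from Sections 4 and 5, keyed by where each is applied."""
    return {
        "bucket": bucket_delegation_policy(BUCKET, ACCOUNT),
        "developers": access_point_policy(REGION, ACCOUNT, "developers",
                                          f"arn:aws:iam::{ACCOUNT}:user/user2", TEAM_ACTIONS),
        "finance": access_point_policy(REGION, ACCOUNT, "finance",
                                       f"arn:aws:iam::{ACCOUNT}:user/user3", TEAM_ACTIONS),
    }


if __name__ == "__main__":
    for target, policy in tutorial_policies().items():
        print(f"# {target}\n{json.dumps(policy, indent=2)}\n")
```

Note that key_prefix only narrows the object-level grant; the s3:ListBucket statement still lets the team list every key in the bucket. To confine listing as well, add an s3:prefix condition to the ListBucket grant.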

After saving, review each access point’s overview:

The image shows an Amazon S3 Access Point overview page, displaying details such as bucket name, account ID, AWS region, creation date, and network origin.


Access Point Summary

Access Point   Principal                                  Actions
developers     arn:aws:iam::123456789012:user/user2       ListBucket, GetObject, PutObject
finance        arn:aws:iam::123456789012:user/user3       ListBucket, GetObject, PutObject

6. Test Access via Access Points

6.1 Developer (user2)

In AWS CloudShell as user2, list and copy via the developers access point ARN:

# List via developers access point
[cloudshell-user@... ~]$ aws s3 ls s3://arn:aws:s3:us-east-1:123456789012:accesspoint/developers
2023-09-04 07:39:25    2879314 beach.jpg

# Download the object
[cloudshell-user@... ~]$ aws s3 cp s3://arn:aws:s3:us-east-1:123456789012:accesspoint/developers/beach.jpg .

6.2 Finance (user3)

As user3, perform the same steps and upload a new file:

# List via finance access point
[cloudshell-user@... ~]$ aws s3 ls s3://arn:aws:s3:us-east-1:123456789012:accesspoint/finance
2023-09-04 07:39:25    2879314 beach.jpg

# Download the object
[cloudshell-user@... ~]$ aws s3 cp s3://arn:aws:s3:us-east-1:123456789012:accesspoint/finance/beach.jpg .

# Upload a test file
[cloudshell-user@... ~]$ touch test1
[cloudshell-user@... ~]$ aws s3 cp test1 s3://arn:aws:s3:us-east-1:123456789012:accesspoint/finance/test1

# Verify both files
[cloudshell-user@... ~]$ aws s3 ls s3://arn:aws:s3:us-east-1:123456789012:accesspoint/finance
2023-09-04 07:39:25    2879314 beach.jpg
2023-09-04 07:40:10         0 test1

7. Final Permissions Overview

Inspect the finance access point’s permissions tab:

The image shows an AWS S3 Access Point settings page, specifically the "Permissions" tab for an access point named "finance," with options to block public access enabled.
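Rather than eyeballing each Permissions tab, the checks a reviewer applies to these policies can be scripted and run before they are applied. The following Python is an added example for this page, not the tutorial's or AWS's code. The sample policies inside are constructed copies of the Section 4 and 5 policies plus two deliberately weakened variants, and the rules it enforces (no wildcard principal without an access point condition, no delegation to another account, principals inside the account, no wildcard actions, resources confined to the access point's own ARN) are a reviewer's conservative hygiene checks, not a model of how AWS evaluates a request.

```python
"""Reviewer checks for the bucket delegation policy and access point policies.
Added example for this page; the rules are conservative hygiene checks,
not a reproduction of AWS's policy evaluation."""

ACCOUNT = "123456789012"  # tutorial's demo account (assumed)
DELEGATION_KEYS = {"s3:DataAccessPointAccount", "s3:DataAccessPointArn"}
DEVELOPERS_AP = f"arn:aws:s3:us-east-1:{ACCOUNT}:accesspoint/developers"

# Constructed copies of the tutorial's Section 4 and Section 5 policies.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::kk-accesspoint",
    "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}}}]}
DEVELOPERS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/user2"},
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": [DEVELOPERS_AP, DEVELOPERS_AP + "/object/*"]}]}
# Constructed weakened variants: the condition dropped, and a wide-open access point.
OPEN_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::kk-accesspoint"}]}
OPEN_AP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::kk-accesspoint/*"}]}


def _as_list(value):
    """IAM accepts either a string or a list for Principal/Action/Resource values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def _condition_keys(statement) -> set:
    keys = set()
    for operator_values in statement.get("Condition", {}).values():
        keys.update(operator_values)
    return keys


def audit_bucket_delegation(policy: dict, account: str) -> list:
    """A wildcard-principal Allow is a public grant unless it is conditioned on an
    access point key, and the delegated account must be the bucket owner's."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        if not _condition_keys(st) & DELEGATION_KEYS:
            findings.append(f"statement {i}: wildcard principal without an access point condition (public)")
            continue
        for values in st.get("Condition", {}).values():
            if _as_list(values.get("s3:DataAccessPointAccount")) not in ([], [account]):
                findings.append(f"statement {i}: delegates to access points of another account")
    return findings


def audit_access_point_policy(policy: dict, ap_arn: str, account: str) -> list:
    """Principals must live in the account, actions must be explicit, and every
    resource must be the access point itself or an /object/ path under it."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if _is_wildcard_principal(principal):
            findings.append(f"statement {i}: wildcard principal")
        else:
            for p in _as_list(principal.get("AWS") if isinstance(principal, dict) else principal):
                if not p.startswith(f"arn:aws:iam::{account}:"):
                    findings.append(f"statement {i}: principal outside account {account}: {p}")
        for action in _as_list(st.get("Action")):
            if action in ("*", "s3:*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(st.get("Resource")):
            if resource != ap_arn and not resource.startswith(ap_arn + "/object/"):
                findings.append(f"statement {i}: resource outside this access point: {resource}")
    return findings


def run_demo() -> dict:
    """Audit the tutorial's policies and the weakened variants side by side."""
    return {
        "bucket": audit_bucket_delegation(BUCKET_POLICY, ACCOUNT),
        "developers": audit_access_point_policy(DEVELOPERS_POLICY, DEVELOPERS_AP, ACCOUNT),
        "open_bucket": audit_bucket_delegation(OPEN_BUCKET_POLICY, ACCOUNT),
        "open_ap": audit_access_point_policy(OPEN_AP_POLICY, DEVELOPERS_AP, ACCOUNT),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or "clean")
```

The tutorial's own policies come back clean; the variant without the s3:DataAccessPointAccount condition is flagged as public, and the wide-open access point policy is flagged three times (wildcard principal, wildcard action, and a resource that names the bucket rather than the access point). Feeding a finance policy to the developers access point ARN is also caught, which is the copy-paste error most likely in a console workflow like this one.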


8. Conclusion

By leveraging S3 Access Points, you can:

  • Delegate access control to distinct teams with a single, one-time delegation statement in the bucket policy; after that, each team's permissions live in its own access point policy and the bucket policy is not touched again.
  • Create isolated entry points with tailored permissions.
  • Simplify management when multiple user groups share a bucket.

This approach improves security posture and operational efficiency in multi-team environments.

