Access Points provide unique hostnames and policies for controlled access to the same S3 bucket, simplifying security management at scale.
- Each access point has its own DNS name (Internet or VPC origin) and access point policy.
- Use multiple access points to apply different permissions to different prefixes or teams.
Example:
- Finance AP: read/write on the /finance prefix for the Finance team.
- Sales AP: read/write on the /sales prefix for the Sales team.
- Analytics AP: read-only on the entire bucket for the Analytics team.
Amazon S3 – Access Points (VPC Origin)
Restricts access to a bucket via an Access Point only from within a VPC.
- Requires a VPC Endpoint (Gateway or Interface) with a policy allowing access to the bucket and the access point.
- The request path: EC2 in VPC → VPC Endpoint → Access Point → Bucket.
Key policy note:
- VPC Endpoint policy must include both the bucket ARN and the access point ARN.
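As an added worked example (not part of the original notes), the Python below builds the three per-team access point policies described above, builds the VPC endpoint policy that must list both the bucket ARN and the access point ARNs, and checks sample requests against them with a deliberately simplified policy evaluator. The account id, region, bucket name and role names are constructed placeholders, and `is_allowed` ignores Condition blocks and NotAction/NotResource, which real IAM evaluation supports.

```python
"""
Added example: S3 access point policies per team plus a VPC endpoint policy
naming both the bucket and the access points. Identifiers are placeholders.
"""
import fnmatch
import json

ACCOUNT = "123456789012"          # constructed placeholder account id
REGION = "us-east-1"              # assumed region
BUCKET = "example-shared-bucket"  # constructed placeholder bucket name


def role_arn(role_name):
    return f"arn:aws:iam::{ACCOUNT}:role/{role_name}"


def access_point_arn(name):
    # Access point ARNs are regional: arn:aws:s3:<region>:<account>:accesspoint/<name>
    return f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{name}"


def access_point_policy(ap_name, role_name, prefix=None, read_only=False):
    """Access point policy granting one team role access through this access point.

    Object-level resources are written on the access point ARN as
    <access point ARN>/object/<key pattern>, so the prefix restriction lives in
    the access point policy even though every access point fronts the same bucket.
    """
    ap_arn = access_point_arn(ap_name)
    key_pattern = f"{prefix.strip('/')}/*" if prefix else "*"
    actions = ["s3:GetObject"] if read_only else ["s3:GetObject", "s3:PutObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"{ap_name}-team-access",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn(role_name)},
            "Action": actions,
            "Resource": f"{ap_arn}/object/{key_pattern}",
        }],
    }


def vpc_endpoint_policy(bucket, ap_names):
    """VPC endpoint policy: the bucket ARN and every access point ARN are listed."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    for name in ap_names:
        resources += [access_point_arn(name), f"{access_point_arn(name)}/object/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*",
                       "Action": "s3:*", "Resource": resources}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal_field, principal):
    if principal_field == "*":
        return True
    return principal in _as_list(principal_field.get("AWS", []))


def is_allowed(policy, principal, action, resource):
    """Simplified evaluator: an explicit Deny wins, otherwise any matching Allow grants."""
    decision = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", "*"), principal):
            continue
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def endpoint_policy_covers(policy, bucket, ap_name):
    """Check the key policy note: both the bucket ARN and the access point ARN are named."""
    listed = set()
    for stmt in policy["Statement"]:
        listed.update(_as_list(stmt["Resource"]))
    return f"arn:aws:s3:::{bucket}" in listed and access_point_arn(ap_name) in listed


if __name__ == "__main__":
    finance = access_point_policy("finance-ap", "FinanceTeam", prefix="/finance")
    print(json.dumps(finance, indent=2))
    endpoint = vpc_endpoint_policy(BUCKET, ["finance-ap", "sales-ap", "analytics-ap"])
    print("endpoint policy covers finance-ap:", endpoint_policy_covers(endpoint, BUCKET, "finance-ap"))
```

The evaluator is only there to make the prefix split visible: a Finance request for a `/sales/...` key through the Finance access point has no matching Allow and is refused, while the read-only Analytics access point matches any key but only for `s3:GetObject`.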