# Permissions
Amazon S3 Multi-Region Access Points can simplify data access for Amazon S3 buckets in multiple AWS Regions. Multi-Region Access Points are named global endpoints that you can use to perform Amazon S3 data-access object operations, such as `GetObject` and `PutObject`. Each Multi-Region Access Point can have distinct permissions and network controls for any request that is made through the global endpoint.
Each Multi-Region Access Point can also enforce a customized access policy that works in conjunction with the bucket policy that is attached to the underlying bucket. For a cross-account request to succeed, the following policies must permit the operation:
+ The Multi-Region Access Point policy
+ The underlying AWS Identity and Access Management (IAM) policy
+ The underlying bucket policy (where the request is routed to)
**Note**
For same account requests, only the underlying IAM policy, which grants the appropriate access, is required.
You can configure any Multi-Region Access Point policy to accept requests only from specific IAM users or groups. For an example of how to do this, see Example 2 in [Multi-Region Access Point policy examples](#MultiRegionAccessPointPolicyExamples). To restrict Amazon S3 data access to a private network, you can configure the Multi-Region Access Point policy to accept requests only from a virtual private cloud (VPC).
For example, suppose that you make a `GetObject` request through a Multi-Region Access Point by using a user called `AppDataReader` in your AWS account. To help ensure that the request won't be denied, the `AppDataReader` user must be granted the `s3:GetObject` permission by the Multi-Region Access Point and by each bucket underlying the Multi-Region Access Point. `AppDataReader` won't be able to retrieve data from any bucket that doesn't grant this permission.
**Important**
Delegating access control for a bucket to a Multi-Region Access Point policy doesn't change the bucket's behavior when the bucket is accessed directly through its bucket name or Amazon Resource Name (ARN). All operations made directly against the bucket will continue to work as before. Restrictions that you include in a Multi-Region Access Point policy apply only to requests made through that Multi-Region Access Point.
## Managing public access to a Multi-Region Access Point
Multi-Region Access Points support independent Block Public Access settings for each Multi-Region Access Point. When you create a Multi-Region Access Point, you can specify the Block Public Access settings that apply to that Multi-Region Access Point.
**Note**
Any Block Public Access settings that are enabled under **Block Public Access settings for this account** (in your own account) or **Block Public Settings for external buckets** still apply even if the independent Block Public Access settings for your Multi-Region Access Point are disabled.
For any request that is made through a Multi-Region Access Point, Amazon S3 evaluates the Block Public Access settings for:
+ The Multi-Region Access Point
+ The underlying buckets (including external buckets)
+ The account that owns the Multi-Region Access Point
+ The account that owns the underlying buckets (including external accounts)
If any of these settings indicate that the request should be blocked, Amazon S3 rejects the request. For more information about the Amazon S3 Block Public Access feature, see [Blocking public access to your Amazon S3 storage](access-control-block-public-access.md).
**Important**
By default, all Block Public Access settings are enabled for Multi-Region Access Points. You must explicitly turn off any settings that you don't want to apply to a Multi-Region Access Point.
You can't change the Block Public Access settings for a Multi-Region Access Point after it has been created.
## Viewing Block Public Access settings for a Multi-Region Access Point
**To view the Block Public Access settings for a Multi-Region Access Point**
1.
Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. In the left navigation pane, choose **Multi-Region Access Points**.
1. Choose the name of the Multi-Region Access Point that you want to review.
1. Choose the **Permissions** tab.
1. Under **Block Public Access settings for this Multi-Region Access Point**, review the Block Public Access settings for your Multi-Region Access Point.
**Note**
You can't edit the Block Public Access settings after the Multi-Region Access Point is created. Therefore, if you're going to block public access, make sure that your applications work correctly without public access before you create a Multi-Region Access Point.
## Using a Multi-Region Access Point policy
The following example Multi-Region Access Point policy grants an IAM user access to list and download files from your Multi-Region Access Point. To use this example policy, replace the `user input placeholders` with your own information.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::123456789012:user/JohnDoe"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias",
"arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias/object/*"
]
}
]
}
```
------
To associate your Multi-Region Access Point policy with the specified Multi-Region Access Point by using the AWS Command Line Interface (AWS CLI), use the following `put-multi-region-access-point-policy` command. To use this example command, replace the `user input placeholders` with your own information. Each Multi-Region Access Point can have only one policy, so a request made to the `put-multi-region-access-point-policy` action replaces any existing policy that is associated with the specified Multi-Region Access Point.
------
#### [ AWS CLI ]
```
aws s3control put-multi-region-access-point-policy
--account-id 111122223333
--details { "Name": "amzn-s3-demo-bucket-MultiRegionAccessPoint", "Policy": "{ \"Version\": \"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::111122223333:root\" }, \"Action\": [\"s3:ListBucket\", \"s3:GetObject\"], \"Resource\": [ \"arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias", \"arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias/object/*\" ] } }" }
```
------
To query your results for the previous operation, use the following command:
------
#### [ AWS CLI ]
```
aws s3control describe-multi-region-access-point-operation
--account-id 111122223333
--request-token-arn requestArn
```
------
To retrieve your Multi-Region Access Point policy, use the following command:
------
#### [ AWS CLI ]
```
aws s3control get-multi-region-access-point-policy
--account-id 111122223333
--name=amzn-s3-demo-bucket-MultiRegionAccessPoint
```
------
## Editing the Multi-Region Access Point policy
The Multi-Region Access Point policy (written in JSON) provides storage access to the Amazon S3 buckets that are used with this Multi-Region Access Point. You can allow or deny specific principals to perform various actions on your Multi-Region Access Point. When a request is routed to a bucket through the Multi-Region Access Point, both the access policies for the Multi-Region Access Point and the bucket apply. The more restrictive access policy always takes precedence.
**Note**
If a bucket contains objects that are owned by other accounts, the Multi-Region Access Point policy doesn't apply to the objects that are owned by other AWS accounts.
After you apply a Multi-Region Access Point policy, the policy cannot be deleted. You can either edit the policy or create a new policy that overwrites the existing one.
**To edit the Multi-Region Access Point policy**
1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. In the left navigation pane, choose **Multi-Region Access Points**.
1. Choose the name of the Multi-Region Access Point that you want to edit the policy for.
1. Choose the **Permissions** tab.
1. Scroll down to the **Multi-Region Access Point policy** section. Choose **Edit** to update the policy (in JSON).
1. The **Edit Multi-Region Access Point policy** page appears. You can either enter the policy directly into the text field, or you can choose **Add statement** to select policy elements from a dropdown list.
**Note**
The console automatically displays the Multi-Region Access Point Amazon Resource Name (ARN), which you can use in the policy. For example Multi-Region Access Point policies, see [Multi-Region Access Point policy examples](#MultiRegionAccessPointPolicyExamples).
## Multi-Region Access Point policy examples
Amazon S3 Multi-Region Access Points support AWS Identity and Access Management (IAM) resource policies. You can use these policies to control the use of the Multi-Region Access Point by resource, user, or other conditions. For an application or user to be able to access objects through a Multi-Region Access Point, both the Multi-Region Access Point and the underlying bucket must allow the same access.
To allow the same access to both the Multi-Region Access Point and the underlying bucket, do one of the following:
+ **(Recommended)** To simplify access controls when using an Amazon S3 Multi-Region Access Point, delegate access control for the Amazon S3 bucket to the Multi-Region Access Point. For an example of how to do this, see Example 1 in this section.
+ Add the same permissions contained in the Multi-Region Access Point policy to the underlying bucket policy.
**Important**
Delegating access control for a bucket to a Multi-Region Access Point policy doesn't change the bucket's behavior when the bucket is accessed directly through its bucket name or Amazon Resource Name (ARN). All operations made directly against the bucket will continue to work as before. Restrictions that you include in a Multi-Region Access Point policy apply only to requests made through that Multi-Region Access Point.
**Example 1 – Delegating access to specific Multi-Region Access Points in your bucket policy (for the same account or cross-account)**
The following example bucket policy grants full bucket access to a specific Multi-Region Access Point. This means that all access to this bucket is controlled by the policies that are attached to the Multi-Region Access Point. We recommend configuring your buckets this way for all use cases that don't require direct access to the bucket. You can use this bucket policy structure for Multi-Region Access Points in either the same account or in another account.
****
```
{
"Version":"2012-10-17",
"Statement" : [
{
"Effect": "Allow",
"Principal" : { "AWS": "*" },
"Action" : "*",
"Resource" : [ "arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*"],
"Condition": {
"StringEquals" : { "s3:DataAccessPointArn" : "arn:aws:s3::111122223333:accesspoint/example-multi-region-access-point" }
}
}]
}
```
If there are multiple Multi-Region Access Points that you're granting access to, make sure to list each Multi-Region Access Point.
**Example 2 – Granting an account access to a Multi-Region Access Point in your Multi-Region Access Point policy**
The following Multi-Region Access Point policy allows account `123456789012` permission to list and read the objects contained in the Multi-Region Access Point defined by the *`MultiRegionAccessPoint_ARN`*.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/JohnDoe"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias",
"arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias/object/*"
]
}
]
}
```
**Example 3 – Multi-Region Access Point policy that allows bucket listing**
The following Multi-Region Access Point policy allows account `123456789012` permission to list the objects contained in the Multi-Region Access Point defined by the *`MultiRegionAccessPoint_ARN`*.