

# Making requests through a Multi-Region Access Point
<a name="MultiRegionAccessPointRequests"></a>

Like other resources, Amazon S3 Multi-Region Access Points have Amazon Resource Names (ARNs). You can use these ARNs to direct requests to Multi-Region Access Points by using the AWS Command Line Interface (AWS CLI), AWS SDKs, or the Amazon S3 API. You can also use these ARNs to identify Multi-Region Access Points in access control policies. A Multi-Region Access Point ARN doesn't include or disclose the name of the Multi-Region Access Point. For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.

**Note**  
The Multi-Region Access Point alias and ARN cannot be used interchangeably.

Multi-Region Access Point ARNs use the following format:

 `arn:aws:s3::account-id:accesspoint/MultiRegionAccessPoint_alias`

The following are a few examples of Multi-Region Access Point ARNs: 
+ `arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap` represents the Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, which is owned by AWS account `123456789012`. 
+ `arn:aws:s3::123456789012:accesspoint/*` represents all Multi-Region Access Points under the account `123456789012`. This ARN matches all Multi-Region Access Points for account `123456789012`, but doesn't match any Regional Amazon S3 Access Points because the ARN doesn’t include an AWS Region. In contrast, the ARN `arn:aws:s3:us-west-2:123456789012:accesspoint/*` matches all Regional Amazon S3 Access Points in the Region `us-west-2` for the account `123456789012`, but doesn't match any Multi-Region Access Points. 

ARNs for objects that are accessed through a Multi-Region Access Point use the following format:

 `arn:aws:s3::account_id:accesspoint/MultiRegionAccessPoint_alias//key`

As with Multi-Region Access Point ARNs, the ARNs for objects that are accessed through Multi-Region Access Points don't include an AWS Region. Here are some examples. 
+ `arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap//-01` represents the object `-01`, which is accessed through the Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, which is owned by account `123456789012`. 
+ `arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap//*` represents all objects that can be accessed through the Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, in account `123456789012`. 
+ `arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap//-01/finance/*` represents all objects that can be accessed under the `-01/finance/` prefix for the Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, in account `123456789012`. 

## Multi-Region Access Point hostnames
<a name="MultiRegionAccessPointHostnames"></a>

You can access data in Amazon S3 through a Multi-Region Access Point by using the hostname of the Multi-Region Access Point. Requests can be directed to this hostname from the public internet. If you have configured one or more internet gateways for the Multi-Region Access Point, requests can also be directed to this hostname from a virtual private cloud (VPC). For more information about creating VPC interface endpoints to use with Multi-Region Access Points, see [Configuring a Multi-Region Access Point for use with AWS PrivateLink](MultiRegionAccessPointsPrivateLink.md). 

To make requests through a Multi-Region Access Point from a VPC by using a VPC endpoint, you can use AWS PrivateLink. When you're making requests to a Multi-Region Access Point by using AWS PrivateLink, you cannot directly use an endpoint-specific Regional Domain Name System (DNS) name that ends with `region.vpce.amazonaws.com`. This hostname will not have a certificate associated with it, so it cannot be used directly. You can still use the public DNS name of the VPC endpoint as a `CNAME` or `ALIAS` target. Alternatively, you can enable private DNS on the endpoint and use the standard Multi-Region Access Point `MultiRegionAccessPoint_alias.accesspoint.s3-global.amazonaws.com` DNS name, as described in this section. 

When you make requests to the API for Amazon S3 data operations (for example, `GetObject`) through a Multi-Region Access Point, the hostname for the request is as follows: 

`MultiRegionAccessPoint_alias.accesspoint.s3-global.amazonaws.com` 

For example, to make a `GetObject` request through the Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, make a request to the hostname `mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com`. The `s3-global` portion of the hostname indicates that this hostname is not for a specific Region.

Making requests through a Multi-Region Access Point is similar to making requests through a single-Region access point. However, it's important to be aware of the following differences: 
+  Multi-Region Access Point ARNs don't include an AWS Region. They follow the format `arn:aws:s3::account-id:accesspoint/MultiRegionAccessPoint_alias`. 
+  For requests made through API operations (these requests don't require the use of an ARN), Multi-Region Access Points use a different endpoint scheme. The scheme is `MultiRegionAccessPoint_alias.accesspoint.s3-global.amazonaws.com`—for example, `mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com`. Note the differences compared to a single-Region access point: 
  + Multi-Region Access Point hostnames use their alias, not the Multi-Region Access Point name. 
  + Multi-Region Access Point hostnames don't include the owner's AWS account ID. 
  + Multi-Region Access Point hostnames don't include an AWS Region. 
  + Multi-Region Access Point hostnames include `s3-global.amazonaws.com` instead of `s3.amazonaws.com`. 
+ Multi-Region Access Point requests must be signed by using Signature Version 4A (SigV4A). When you use the AWS SDKs, the SDK automatically converts a SigV4 to SigV4A. Therefore, make sure that your [AWS SDK supports](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html) SigV4A as the signing implementation that is used to sign the global AWS Region requests. For more information about SigV4A, see [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) in the *AWS General Reference*. 
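
The ARN and hostname rules above can be checked mechanically, for example when reviewing policy `Resource` values. The following Python sketch is an added example, not part of the AWS documentation or any AWS SDK. It classifies an access point ARN as Multi-Region or Regional by its Region field and derives the `s3-global` hostname from the alias. The function and class names are hypothetical, and it assumes the `/object/` separator that this page's policy examples use for object ARNs.

```python
import re
from dataclasses import dataclass
from typing import Optional

ACCOUNT_ID = re.compile(r"^\d{12}$")
OBJECT_SEP = "/object/"  # separator used in this page's policy Resource examples


@dataclass(frozen=True)
class AccessPointArn:
    kind: str                  # "multi-region" or "regional"
    partition: str
    region: Optional[str]      # None for Multi-Region Access Points
    account_id: str
    access_point: str          # MRAP alias, Regional access point name, or "*"
    object_key: Optional[str]  # key or key pattern, if the ARN names objects


def parse_access_point_arn(arn: str) -> AccessPointArn:
    """Split an S3 access point ARN and classify it by its Region field."""
    # maxsplit=5 keeps any ':' inside an object key in the resource field.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "s3":
        raise ValueError(f"not an S3 ARN: {arn!r}")
    _, partition, _, region, account_id, resource = parts
    if not ACCOUNT_ID.match(account_id):
        raise ValueError(f"account ID must be 12 digits: {arn!r}")
    if not resource.startswith("accesspoint/"):
        raise ValueError(f"not an access point ARN: {arn!r}")
    rest = resource[len("accesspoint/"):]
    name, sep, key = rest.partition(OBJECT_SEP)
    if not name or "/" in name:
        raise ValueError(f"malformed access point resource: {arn!r}")
    return AccessPointArn(
        # An empty Region field is what distinguishes a Multi-Region Access Point.
        kind="regional" if region else "multi-region",
        partition=partition,
        region=region or None,
        account_id=account_id,
        access_point=name,
        object_key=key if sep else None,
    )


def mrap_hostname(arn: str) -> str:
    """Return the data-plane hostname for a concrete Multi-Region Access Point ARN."""
    ap = parse_access_point_arn(arn)
    if ap.kind != "multi-region":
        raise ValueError("Regional access points do not use the s3-global hostname")
    if "*" in ap.access_point:
        raise ValueError("a wildcard ARN does not identify a single hostname")
    # No account ID and no Region appear in the hostname, only the alias.
    return f"{ap.access_point}.accesspoint.s3-global.amazonaws.com"


if __name__ == "__main__":
    for sample in (
        "arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap",
        "arn:aws:s3::123456789012:accesspoint/*",
        "arn:aws:s3:us-west-2:123456789012:accesspoint/*",
    ):
        parsed = parse_access_point_arn(sample)
        print(f"{sample} -> {parsed.kind}")
    print(mrap_hostname("arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap"))
```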

## Multi-Region Access Points and Amazon S3 Transfer Acceleration
<a name="MultiRegionAccessPointsAndTransferAcceleration"></a>

Amazon S3 Transfer Acceleration is a feature that enables fast transfer of data to buckets. Transfer Acceleration is configured on the individual bucket level. For more information about Transfer Acceleration, see [Configuring fast, secure file transfers using Amazon S3 Transfer Acceleration](transfer-acceleration.md). 

Multi-Region Access Points use a similar accelerated transfer mechanism as Transfer Acceleration for sending large objects over the AWS network. Because of this, you don't need to use Transfer Acceleration when sending requests through a Multi-Region Access Point. This increased transfer performance is automatically incorporated into the Multi-Region Access Point. 

**Topics**
+ [Multi-Region Access Point hostnames](#MultiRegionAccessPointHostnames)
+ [Multi-Region Access Points and Amazon S3 Transfer Acceleration](#MultiRegionAccessPointsAndTransferAcceleration)
+ [Permissions](MultiRegionAccessPointPermissions.md)
+ [Multi-Region Access Point restrictions and limitations](MultiRegionAccessPointRestrictions.md)
+ [Multi-Region Access Point request routing](MultiRegionAccessPointRequestRouting.md)
+ [Amazon S3 Multi-Region Access Points failover controls](MrapFailover.md)
+ [Configuring replication for use with Multi-Region Access Points](MultiRegionAccessPointBucketReplication.md)
+ [Using Multi-Region Access Points with supported API operations](MrapOperations.md)
+ [Monitoring and logging requests made through a Multi-Region Access Point to underlying resources](MultiRegionAccessPointMonitoring.md)

# Permissions
<a name="MultiRegionAccessPointPermissions"></a>

Amazon S3 Multi-Region Access Points can simplify data access for Amazon S3 buckets in multiple AWS Regions. Multi-Region Access Points are named global endpoints that you can use to perform Amazon S3 data-access object operations, such as `GetObject` and `PutObject`. Each Multi-Region Access Point can have distinct permissions and network controls for any request that is made through the global endpoint.

Each Multi-Region Access Point can also enforce a customized access policy that works in conjunction with the bucket policy that is attached to the underlying bucket. For a cross-account request to succeed, the following policies must permit the operation:
+ The Multi-Region Access Point policy
+ The underlying AWS Identity and Access Management (IAM) policy
+ The underlying bucket policy (where the request is routed to)

**Note**  
For same account requests, only the underlying IAM policy, which grants the appropriate access, is required.

You can configure any Multi-Region Access Point policy to accept requests only from specific IAM users or groups. For an example of how to do this, see Example 2 in [Multi-Region Access Point policy examples](#MultiRegionAccessPointPolicyExamples). To restrict Amazon S3 data access to a private network, you can configure the Multi-Region Access Point policy to accept requests only from a virtual private cloud (VPC).

For example, suppose that you make a `GetObject` request through a Multi-Region Access Point by using a user called `AppDataReader` in your AWS account. To help ensure that the request won't be denied, the `AppDataReader` user must be granted the `s3:GetObject` permission by the Multi-Region Access Point and by each bucket underlying the Multi-Region Access Point. `AppDataReader` won't be able to retrieve data from any bucket that doesn't grant this permission.

**Important**  
Delegating access control for a bucket to a Multi-Region Access Point policy doesn't change the bucket's behavior when the bucket is accessed directly through its bucket name or Amazon Resource Name (ARN). All operations made directly against the bucket will continue to work as before. Restrictions that you include in a Multi-Region Access Point policy apply only to requests made through that Multi-Region Access Point.

## Managing public access to a Multi-Region Access Point
<a name="MultiRegionAccessPointPublicAccess"></a>

Multi-Region Access Points support independent Block Public Access settings for each Multi-Region Access Point. When you create a Multi-Region Access Point, you can specify the Block Public Access settings that apply to that Multi-Region Access Point. 

**Note**  
Any Block Public Access settings that are enabled under **Block Public Access settings for this account** (in your own account) or **Block Public Settings for external buckets** still apply even if the independent Block Public Access settings for your Multi-Region Access Point are disabled.

For any request that is made through a Multi-Region Access Point, Amazon S3 evaluates the Block Public Access settings for:
+ The Multi-Region Access Point
+ The underlying buckets (including external buckets)
+ The account that owns the Multi-Region Access Point
+ The account that owns the underlying buckets (including external accounts)

If any of these settings indicate that the request should be blocked, Amazon S3 rejects the request. For more information about the Amazon S3 Block Public Access feature, see [Blocking public access to your Amazon S3 storage](access-control-block-public-access.md). 

**Important**  
By default, all Block Public Access settings are enabled for Multi-Region Access Points. You must explicitly turn off any settings that you don't want to apply to a Multi-Region Access Point.   
You can't change the Block Public Access settings for a Multi-Region Access Point after it has been created. 

## Viewing Block Public Access settings for a Multi-Region Access Point
<a name="viewing-bpa-mrap-settings"></a>

**To view the Block Public Access settings for a Multi-Region Access Point**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the name of the Multi-Region Access Point that you want to review.

1. Choose the **Permissions** tab.

1. Under **Block Public Access settings for this Multi-Region Access Point**, review the Block Public Access settings for your Multi-Region Access Point.
**Note**  
You can't edit the Block Public Access settings after the Multi-Region Access Point is created. Therefore, if you're going to block public access, make sure that your applications work correctly without public access before you create a Multi-Region Access Point. 

## Using a Multi-Region Access Point policy
<a name="use-mrap-policy"></a>

The following example Multi-Region Access Point policy grants an IAM user access to list and download files from your Multi-Region Access Point. To use this example policy, replace the `user input placeholders` with your own information.

------
#### [ JSON ]


```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":"arn:aws:iam::123456789012:user/JohnDoe" 
         },
         "Action":[
            "s3:ListBucket",
            "s3:GetObject"
         ],
         "Resource":[
            "arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias",
            "arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias/object/*"
         ]
      }
   ]
}
```

------

To associate your Multi-Region Access Point policy with the specified Multi-Region Access Point by using the AWS Command Line Interface (AWS CLI), use the following `put-multi-region-access-point-policy` command. To use this example command, replace the `user input placeholders` with your own information. Each Multi-Region Access Point can have only one policy, so a request made to the `put-multi-region-access-point-policy` action replaces any existing policy that is associated with the specified Multi-Region Access Point.

------
#### [ AWS CLI ]

```
aws s3control put-multi-region-access-point-policy \
    --account-id 111122223333 \
    --details '{ "Name": "amzn-s3-demo-bucket-MultiRegionAccessPoint", "Policy": "{ \"Version\": \"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::111122223333:root\" }, \"Action\": [\"s3:ListBucket\", \"s3:GetObject\"], \"Resource\": [ \"arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias\", \"arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias/object/*\" ] } }" }'
```

------

To query your results for the previous operation, use the following command:

------
#### [ AWS CLI ]

```
aws s3control describe-multi-region-access-point-operation \
    --account-id 111122223333 \
    --request-token-arn requestArn
```

------

To retrieve your Multi-Region Access Point policy, use the following command:

------
#### [ AWS CLI ]

```
aws s3control get-multi-region-access-point-policy \
    --account-id 111122223333 \
    --name=amzn-s3-demo-bucket-MultiRegionAccessPoint
```

------

## Editing the Multi-Region Access Point policy
<a name="editing-mrap-policy"></a>

The Multi-Region Access Point policy (written in JSON) provides storage access to the Amazon S3 buckets that are used with this Multi-Region Access Point. You can allow or deny specific principals to perform various actions on your Multi-Region Access Point. When a request is routed to a bucket through the Multi-Region Access Point, both the access policies for the Multi-Region Access Point and the bucket apply. The more restrictive access policy always takes precedence. 

**Note**  
If a bucket contains objects that are owned by other accounts, the Multi-Region Access Point policy doesn't apply to the objects that are owned by other AWS accounts.

After you apply a Multi-Region Access Point policy, the policy cannot be deleted. You can either edit the policy or create a new policy that overwrites the existing one.

**To edit the Multi-Region Access Point policy**



1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the name of the Multi-Region Access Point that you want to edit the policy for.

1. Choose the **Permissions** tab.

1. Scroll down to the **Multi-Region Access Point policy** section. Choose **Edit** to update the policy (in JSON).

1. The **Edit Multi-Region Access Point policy** page appears. You can either enter the policy directly into the text field, or you can choose **Add statement** to select policy elements from a dropdown list.
**Note**  
The console automatically displays the Multi-Region Access Point Amazon Resource Name (ARN), which you can use in the policy. For example Multi-Region Access Point policies, see [Multi-Region Access Point policy examples](#MultiRegionAccessPointPolicyExamples).

## Multi-Region Access Point policy examples
<a name="MultiRegionAccessPointPolicyExamples"></a>

Amazon S3 Multi-Region Access Points support AWS Identity and Access Management (IAM) resource policies. You can use these policies to control the use of the Multi-Region Access Point by resource, user, or other conditions. For an application or user to be able to access objects through a Multi-Region Access Point, both the Multi-Region Access Point and the underlying bucket must allow the same access.

To allow the same access to both the Multi-Region Access Point and the underlying bucket, do one of the following:
+ **(Recommended)** To simplify access controls when using an Amazon S3 Multi-Region Access Point, delegate access control for the Amazon S3 bucket to the Multi-Region Access Point. For an example of how to do this, see Example 1 in this section. 
+ Add the same permissions contained in the Multi-Region Access Point policy to the underlying bucket policy.

**Important**  
Delegating access control for a bucket to a Multi-Region Access Point policy doesn't change the bucket's behavior when the bucket is accessed directly through its bucket name or Amazon Resource Name (ARN). All operations made directly against the bucket will continue to work as before. Restrictions that you include in a Multi-Region Access Point policy apply only to requests made through that Multi-Region Access Point.

**Example 1 – Delegating access to specific Multi-Region Access Points in your bucket policy (for the same account or cross-account)**  
The following example bucket policy grants full bucket access to a specific Multi-Region Access Point. This means that all access to this bucket is controlled by the policies that are attached to the Multi-Region Access Point. We recommend configuring your buckets this way for all use cases that don't require direct access to the bucket. You can use this bucket policy structure for Multi-Region Access Points in either the same account or in another account.    

```
{
    "Version":"2012-10-17",
    "Statement" : [
    {
        "Effect": "Allow",
        "Principal" : { "AWS": "*" },
        "Action" : "*",
        "Resource" : [ "arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*"],
        "Condition": {
            "StringEquals" : { "s3:DataAccessPointArn" : "arn:aws:s3::111122223333:accesspoint/example-multi-region-access-point" }
        }
    }]
}
```
If there are multiple Multi-Region Access Points that you're granting access to, make sure to list each Multi-Region Access Point.
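
The delegation pattern in Example 1 is safe only because the `Condition` pins the wildcard principal to a specific Multi-Region Access Point. The following Python check is an added example, not AWS code. It flags `Allow` statements with a wildcard principal that lack an exact-match `s3:DataAccessPointArn` condition or whose value is not a concrete, Region-less access point ARN. The function names and the two failing sample policies are constructed for illustration, and treating a Regional or wildcard ARN as a finding is a choice made for this audit.

```python
import re

# Concrete Multi-Region Access Point ARN: empty Region field, no wildcards, no object path.
MRAP_ARN = re.compile(r"^arn:[^:]+:s3::\d{12}:accesspoint/[^/*?]+$")
CONDITION_KEY = "s3:dataaccesspointarn"   # condition keys are compared case-insensitively
EXACT_OPERATORS = ("stringequals", "arnequals")


def as_list(value):
    """IAM policy elements may be a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def pinned_arns(condition):
    """Collect s3:DataAccessPointArn values that appear under exact-match operators."""
    arns = []
    for operator, keys in (condition or {}).items():
        # Operators such as StringLike or ...IfExists are skipped on purpose:
        # they do not guarantee that the request came through a named access point.
        if operator.lower() not in EXACT_OPERATORS:
            continue
        for key, value in keys.items():
            if key.lower() == CONDITION_KEY:
                arns.extend(as_list(value))
    return arns


def audit_delegation(policy):
    """Return (statement, finding) pairs for wildcard-principal Allow statements."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{index}]")
        arns = pinned_arns(stmt.get("Condition"))
        if not arns:
            findings.append((label, "wildcard principal not constrained by s3:DataAccessPointArn"))
            continue
        for arn in arns:
            if not MRAP_ARN.match(arn):
                findings.append((label, f"not a concrete Multi-Region Access Point ARN: {arn}"))
    return findings


BUCKET = ["arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*"]

# The bucket policy from Example 1 on this page.
DELEGATED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "*", "Resource": BUCKET,
    "Condition": {"StringEquals": {"s3:DataAccessPointArn":
        "arn:aws:s3::111122223333:accesspoint/example-multi-region-access-point"}}}]}

# Constructed: the same statement with the Condition dropped.
UNCONSTRAINED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "*", "Resource": BUCKET}]}

# Constructed: pinned to a Regional wildcard ARN instead of a Multi-Region Access Point.
REGIONAL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "*", "Resource": BUCKET,
    "Condition": {"StringEquals": {"s3:DataAccessPointArn":
        "arn:aws:s3:us-west-2:111122223333:accesspoint/*"}}}]}

if __name__ == "__main__":
    for name, policy in (("delegated", DELEGATED), ("unconstrained", UNCONSTRAINED),
                         ("regional", REGIONAL)):
        print(name, audit_delegation(policy) or "ok")
```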

**Example 2 – Granting an account access to a Multi-Region Access Point in your Multi-Region Access Point policy**  
The following Multi-Region Access Point policy allows account `123456789012` permission to list and read the objects contained in the Multi-Region Access Point defined by the *`MultiRegionAccessPoint_ARN`*.    

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
       "Effect": "Allow",
       "Principal": {
          "AWS": "arn:aws:iam::111122223333:user/JohnDoe"
       },
       "Action": [
          "s3:ListBucket",
          "s3:GetObject"
       ],
       "Resource": [ 
          "arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias",
          "arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias/object/*"
       ]
     }
  ]
}
```

**Example 3 – Multi-Region Access Point policy that allows bucket listing**  
The following Multi-Region Access Point policy allows account `123456789012` permission to list the objects contained in the Multi-Region Access Point defined by the *`MultiRegionAccessPoint_ARN`*.

# Multi-Region Access Point restrictions and limitations
<a name="MultiRegionAccessPointRestrictions"></a>

Multi-Region Access Points in Amazon S3 have the following restrictions and limitations. 

## Names and aliases
<a name="MultiRegionAccessPointRestrictions-Names"></a>

Multi-Region Access Point names must meet the following requirements:
+  Must be unique within a single AWS account.
+  Must begin with a number or lowercase letter.
+  Must be between 3 and 50 characters long.
+ Can't begin or end with a hyphen (`-`).
+ Can't contain underscores (`_`), uppercase letters, or periods (`.`).
+  Can't be edited after they are created.

Multi-Region Access Point aliases (which are different from a Multi-Region Access Point name), are automatically generated by Amazon S3 and can't be edited or reused. For more information about the difference between Multi-Region Access Point aliases and Multi-Region Access Point names and their respective naming rules, see [Rules for naming Amazon S3 Multi-Region Access Points](multi-region-access-point-naming.md).

## Accessing a Multi-Region Access Point
<a name="MultiRegionAccessPointRestrictions-Access"></a>

You can't access data through a Multi-Region Access Point by using gateway endpoints. However, you can access data through a Multi-Region Access Point by using interface endpoints. To use AWS PrivateLink, you must create VPC endpoints. For more information, see [Configuring a Multi-Region Access Point for use with AWS PrivateLink](MultiRegionAccessPointsPrivateLink.md). However, be aware that IPv6 isn't supported.

To use Multi-Region Access Points with Amazon CloudFront, you must configure the Multi-Region Access Point as a `Custom Origin` distribution type. For more information about various origin types, see [Using various origins with CloudFront distributions](https://docs.aws.amazon.com//AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html). For more information about using Multi-Region Access Points with Amazon CloudFront, see [Building an active-active, proximity-based application across multiple Regions](https://aws.amazon.com/blogs/storage/building-an-active-active-latency-based-application-across-multiple-regions/) on the *AWS Storage Blog*.

**Note**  
S3 on Outposts buckets aren't supported.

## Signing AWS API requests
<a name="MultiRegionAccessPointRestrictions-Signing"></a>

**Note**  
Multi-Region Access Points don't support anonymous requests.

To sign an AWS API request, your Multi-Region Access Point must meet the following minimum requirements:
+ Support for Transport Layer Security (TLS) version 1.2.
+ Support for Signature Version 4A (SigV4A). This version of SigV4 allows requests to be signed for multiple AWS Regions. This feature is useful in API operations that might result in data access from one of several Regions. When using an AWS SDK, you supply your credentials, and the requests to Multi-Region Access Points will use Signature Version 4A without additional configuration. Make sure to check your [AWS SDK compatibility](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html) with the SigV4A algorithm. For more information about SigV4A, see [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) in the *AWS General Reference*.
**Note**  
To use SigV4A with temporary security credentials—for example, when using AWS Identity and Access Management (IAM) roles—you can request the temporary credentials from a Regional AWS Security Token Service (AWS STS) endpoint. If you request temporary credentials from the global AWS STS endpoint (`sts.amazonaws.com`), then you must first set the Region compatibility of session tokens for the global endpoint to be valid in all AWS Regions. For more information, see [Managing AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) in the *IAM User Guide*.

## Amazon S3 API operations
<a name="MultiRegionAccessPointRestrictions-API"></a>
+ `CopyObject` is supported as a destination only when using the Multi-Region Access Point ARN.
+ The S3 Batch Operations feature isn't supported.

## AWS SDKs
<a name="MultiRegionAccessPointRestrictions-SDKs"></a>

Certain AWS SDKs aren't supported. To confirm which AWS SDKs are supported for Multi-Region Access Points, see [Compatibility with AWS SDKs](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html#s3-mrap-sdk-compat).

## Service quotas
<a name="MultiRegionAccessPointRestrictions-Quotas"></a>

Be aware of the following service quota limitations:
+ There is a maximum of 100 Multi-Region Access Points per account.
+ There is a limit of 17 Regions for a single Multi-Region Access Point.

## Creating, deleting, or modifying a Multi-Region Access Point
<a name="MultiRegionAccessPointRestrictions-Modifying"></a>

When you create, delete, or modify a Multi-Region Access Point, be aware of the following rules and restrictions:
+ After you create a Multi-Region Access Point, you can’t add, modify, or remove buckets from the Multi-Region Access Point configuration. To change the buckets, you must delete the entire Multi-Region Access Point and create a new one. If a cross-account bucket in your Multi-Region Access Point is deleted, the only way to reconnect this bucket is to recreate the bucket, using the same name and Region in that account.
+ Underlying buckets (in the same account) that are used in a Multi-Region Access Point can be deleted only after a Multi-Region Access Point is deleted.

## Region support
<a name="MultiRegionAccessPointRestrictions-RegionSupport"></a>

**Control plane requests**

All control plane requests to create or maintain Multi-Region Access Points must be routed to the `US West (Oregon)` Region. For Multi-Region Access Point data plane requests, Regions don't need to be specified. 

For the Multi-Region Access Point failover control plane, requests must be routed to one of these five supported Regions:
+ `US East (N. Virginia)`
+ `US West (Oregon)`
+ `Asia Pacific (Sydney)`
+ `Asia Pacific (Tokyo)`
+ `Europe (Ireland)`

**Regions enabled by default**

Your Multi-Region Access Point supports buckets in the following default AWS Regions (which are [enabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) in your AWS account):
+ `US East (N. Virginia)`
+ `US East (Ohio)`
+ `US West (N. California)`
+ `US West (Oregon)`
+ `Asia Pacific (Mumbai)`
+ `Asia Pacific (Osaka)`
+ `Asia Pacific (Seoul)`
+ `Asia Pacific (Singapore)`
+ `Asia Pacific (Sydney)`
+ `Asia Pacific (Tokyo)`
+ `Canada (Central)`
+ `Europe (Frankfurt)`
+ `Europe (Ireland)`
+ `Europe (London)`
+ `Europe (Paris)`
+ `Europe (Stockholm)`
+ `South America (São Paulo)`

**AWS opt-in Regions**

Your Multi-Region Access Point also supports buckets in the following opt-in AWS Regions (which are [disabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) in your AWS account):
+ `Africa (Cape Town)`
+ `Asia Pacific (Hong Kong)`
+ `Asia Pacific (Jakarta)`
+ `Asia Pacific (Melbourne)`
+ `Asia Pacific (Hyderabad)`
+ `Canada West (Calgary)`
+ `Europe (Zurich)`
+ `Europe (Milan)`
+ `Europe (Spain)`
+ `Israel (Tel Aviv)`
+ `Middle East (Bahrain)`
+ `Middle East (UAE)`

**Note**  
There are no additional costs for enabling an opt-in Region. However, creating or using a resource in a Multi-Region Access Point results in billing charges.

An opt-in Region must be manually enabled when configuring or creating your Multi-Region Access Point. For more information about opt-in Region behaviors for Multi-Region Access Points, see [Configuring Multi-Region Access Point opt-in Regions](ConfiguringMrapOptInRegions.md). For information about how to enable an opt-in Region in your AWS account, see [Enable or disable a Region for standalone accounts](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-standalone) in the *AWS Account Management Reference Guide*.

# Multi-Region Access Point request routing
<a name="MultiRegionAccessPointRequestRouting"></a>

 When you make a request through a Multi-Region Access Point, Amazon S3 determines which of the buckets that are associated with the Multi-Region Access Point is closest to you. Amazon S3 then directs the request to that bucket, regardless of the AWS Region it is located in. 

After the Multi-Region Access Point routes the request to the closest-proximity bucket, Amazon S3 processes the request as if you made it directly to that bucket. Multi-Region Access Points aren't aware of the data contents of an Amazon S3 bucket. Therefore, the bucket that gets the request might not contain the requested data. To create consistent datasets in the Amazon S3 buckets that are associated with a Multi-Region Access Point, you can configure S3 Cross-Region Replication (CRR). Then any bucket can fulfill the request successfully. 

 Amazon S3 directs Multi-Region Access Point requests according to the following rules: 
+ Amazon S3 optimizes requests to be fulfilled according to proximity. It looks at the buckets supported by the Multi-Region Access Point and relays the request to the bucket that has the closest proximity. 
+ If the request specifies an existing resource (for example, `GetObject`), Amazon S3 does *not* consider the name of the object when fulfilling the request. This means that even if an object exists in one bucket in the Multi-Region Access Point, your request can be routed to a bucket that doesn't contain the object. This situation will result in a 404 error message being returned to the client. 

  To avoid 404 errors, we recommend that you configure S3 Cross-Region Replication (CRR) for your buckets. Replication helps resolve the potential issue when the object that you want is in a bucket in the Multi-Region Access Point, but it's not located in the specific bucket that your request was routed to. For more information about configuring replication, see [Configuring replication for use with Multi-Region Access Points](MultiRegionAccessPointBucketReplication.md). 

  To ensure that your requests are fulfilled by using the specific objects that you want, we also recommend that you turn on bucket versioning and include version IDs in your requests. This approach helps ensure that you have the correct version of the object that you are looking for. Versioning-enabled buckets can also help you recover objects from accidental overwrite. For more information, see [Using S3 Versioning in S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html).
+ If the request is to create a resource (for example, `PutObject` or `CreateMultipartUpload`), Amazon S3 fulfills the request by using the closest-proximity bucket. For example, consider a video company that wants to support video uploads from anywhere in the world. When a user makes a `PUT` request to the Multi-Region Access Point, the object is put into the bucket with the closest proximity. To then make that uploaded video available to others around the world for download with the lowest latency, you can use CRR with bidirectional (two-way) replication. Using CRR with two-way replication keeps the contents of all the buckets that are associated with the Multi-Region Access Point synchronized. For more information about using replication with Multi-Region Access Points, see [Configuring replication for use with Multi-Region Access Points](MultiRegionAccessPointBucketReplication.md).

# Amazon S3 Multi-Region Access Points failover controls
<a name="MrapFailover"></a>

With Amazon S3 Multi-Region Access Point failover controls, you can maintain business continuity during Regional traffic disruptions, while also giving your applications a multi-Region architecture to fulfill compliance and redundancy needs. If your Regional traffic gets disrupted, you can use Multi-Region Access Point failover controls to select which AWS Regions behind an Amazon S3 Multi-Region Access Point will process data-access and storage requests. 

To support failover, you can set up your Multi-Region Access Point in an active-passive configuration, with traffic flowing to the active Region during normal conditions, and a passive Region on standby for failover. 

For example, to perform failover to an AWS Region of your choice, you shift traffic from your primary (active) Region to your secondary (passive) Region. In an active-passive configuration like this, one bucket is active and accepting traffic, while the other bucket is passive and not accepting traffic. The passive bucket is used for disaster recovery. When you initiate failover, all traffic (such as `GET` or `PUT` requests) is directed to the bucket in the active state (in one Region) and away from the bucket in the passive state (in another Region).

If you have S3 Cross-Region Replication (CRR) enabled with two-way replication rules, you can keep your buckets synchronized during a failover. In addition, if you have CRR enabled in an active-active configuration, Amazon S3 Multi-Region Access Points can also fetch data from the bucket location of closest proximity, which improves application performance. 

## AWS Region support
<a name="RegionSupport"></a>

With Amazon S3 Multi-Region Access Points failover controls, your S3 buckets can be in any of the [17 Regions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.html) where Multi-Region Access Points are supported. You can initiate failover across any two Regions at one time.

**Note**  
Although failover is initiated between only two Regions at one time, you can separately update the routing statuses for multiple Regions at the same time in your Multi-Region Access Point.

The following topics demonstrate how to use and manage Amazon S3 Multi-Region Access Point failover controls.

**Topics**
+ [AWS Region support](#RegionSupport)
+ [Amazon S3 Multi-Region Access Points routing states](FailoverConfiguration.md)
+ [Using Amazon S3 Multi-Region Access Point failover controls](UsingFailover.md)
+ [Amazon S3 Multi-Region Access Point failover controls errors](mrap-failover-errors.md)

# Amazon S3 Multi-Region Access Points routing states
<a name="FailoverConfiguration"></a>

Your Amazon S3 Multi-Region Access Points failover configuration determines the routing status of the AWS Regions that are used with the Multi-Region Access Point. You can configure your Amazon S3 Multi-Region Access Point to be in an active-active state or active-passive state.
+ **Active-active** – In an active-active configuration, all requests are automatically sent to the closest proximity AWS Region in your Multi-Region Access Point. After the Multi-Region Access Point has been configured to be in an active-active state, all Regions can receive traffic. If traffic disruption occurs in an active-active configuration, network traffic will automatically be redirected to one of the active Regions.
+ **Active-passive** – In an active-passive configuration, the active Regions in your Multi-Region Access Point receive traffic and the passive ones do not. If you intend to use S3 failover controls to initiate failover in a disaster situation, set up your Multi-Region Access Points in an active-passive configuration while you're testing and performing disaster-recovery planning.

# Using Amazon S3 Multi-Region Access Point failover controls
<a name="UsingFailover"></a>

This section explains how to manage and use your Amazon S3 Multi-Region Access Points failover controls by using the AWS Management Console. 

There are two failover controls in the **Failover configuration** section on your Multi-Region Access Point details page in the AWS Management Console: **Edit routing status** and **Failover**. You can use these controls as follows: 
+ **Edit routing status** – You can manually edit the routing statuses of up to 17 AWS Regions in a single request for your Multi-Region Access Point by choosing **Edit routing status**. You can use **Edit routing status** for the following purposes: 
  + To set or edit the routing statuses of one or more Regions in your Multi-Region Access Point
  + To create a failover configuration for your Multi-Region Access Point by configuring two Regions to be in an active-passive state
  + To manually fail over your Regions
  + To manually switch traffic between Regions
+ **Failover** – When you initiate failover by choosing **Failover**, you are only updating the routing statuses of two Regions that are already configured to be in an active-passive state. During a failover that you initiated by choosing **Failover**, the routing statuses between the two Regions are automatically switched.

## Editing the routing status of the Regions in your Multi-Region Access Point
<a name="editing-mrap-routing-status"></a>

You can manually update the routing statuses of up to 17 AWS Regions in a single request for your Multi-Region Access Point by choosing **Edit routing status** in the **Failover configuration** section on your Multi-Region Access Point details page. However, when you initiate failover by choosing **Failover**, you are only updating the routing statuses of two Regions that are already configured to be in an active-passive state. During a failover that you initiated by choosing **Failover**, the routing statuses between the two Regions are automatically switched.

You can use **Edit routing status** (as described in the following procedure) for the following purposes:
+ To set or edit the routing statuses of one or more Regions in your Multi-Region Access Point
+ To create a failover configuration for your Multi-Region Access Point by configuring two Regions to be in an active-passive state
+ To manually fail over your Regions
+ To manually switch traffic between Regions

### Using the S3 console
<a name="update-mrap-routing-console"></a>

**To update the routing status of the Regions in your Multi-Region Access Point**



1. Sign in to the AWS Management Console.

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the Multi-Region Access Point that you want to update.

1. Choose the **Replication and failover** tab.

1. Select one or more Regions that you want to edit the routing status of.
**Note**  
To initiate failover, at least one AWS Region must be designated as **Active** and one Region must be designated as **Passive** in your Multi-Region Access Point.

1. Choose **Edit routing status**.

1. In the dialog box that appears, select **Active** or **Passive** for the **Routing status** for each Region.

   An active state allows traffic to be routed to the Region. A passive state stops any traffic from being directed to the Region.

   If you are creating a failover configuration for your Multi-Region Access Point or initiating failover, at least one AWS Region must be designated as **Active** and one Region must be designated as **Passive** in your Multi-Region Access Point.

1. Choose **Save routing status**. It takes about 2 minutes for traffic to be redirected.

After you submit the routing status of the AWS Regions for your Multi-Region Access Point, you can verify your routing status changes. To verify these changes, go to Amazon CloudWatch at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/) to monitor the shift of your Amazon S3 data-request traffic (for example, `GET` and `PUT` requests) between active and passive Regions. Any existing connections will not be terminated during failover. Existing connections will continue until they reach a success or failure status.

### Using the AWS CLI
<a name="update-mrap-routing-cli"></a>

**Note**  
You can run Multi-Region Access Point AWS CLI routing commands against any of these five Regions:  
`ap-southeast-2`
`ap-northeast-1`
`us-east-1`
`us-west-2`
`eu-west-1`

The following example command updates your current Multi-Region Access Point route configuration. To update the active or passive status of a bucket, set the `TrafficDialPercentage` value to `100` for active and to `0` for passive. In this example, `amzn-s3-demo-bucket1` is set to active, and `amzn-s3-demo-bucket2` is set to passive. To use this example command, replace the `user input placeholders` with your own information. 

```
# Set amzn-s3-demo-bucket1 to active (100) and amzn-s3-demo-bucket2 to passive (0).
aws s3control submit-multi-region-access-point-routes \
    --region ap-southeast-2 \
    --account-id 123456789012 \
    --mrap MultiRegionAccessPoint_ARN \
    --route-updates Bucket=amzn-s3-demo-bucket1,TrafficDialPercentage=100 \
                    Bucket=amzn-s3-demo-bucket2,TrafficDialPercentage=0
```

The following example command gets your updated Multi-Region Access Point routing configuration. To use this example command, replace the `user input placeholders` with your own information.

```
# Read back the routing configuration after the update.
aws s3control get-multi-region-access-point-routes \
    --region eu-west-1 \
    --account-id 123456789012 \
    --mrap MultiRegionAccessPoint_ARN
```

## Initiating failover
<a name="InitiatingFailover"></a>

When you initiate failover by choosing **Failover** in the **Failover configuration** section on your Multi-Region Access Point details page, Amazon S3 request traffic automatically gets shifted to an alternate AWS Region. The failover process is completed within 2 minutes. 

You can initiate a failover across any two AWS Regions at one time (of the [17 Regions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.html) where Multi-Region Access Points are supported). Failover events are then logged in AWS CloudTrail. Upon failover completion, you can monitor Amazon S3 traffic and any traffic routing updates to the new active Region in Amazon CloudWatch.

**Important**  
To keep all metadata and objects in sync across buckets during data replication, we recommend that you create two-way replication rules and enable replica modification sync before configuring your failover controls.   
Two-way replication rules help ensure that when data is written to the Amazon S3 bucket that traffic fails over to, that data is then replicated back to the source bucket. Replica modification sync helps ensure that object metadata is also synchronized between buckets during two-way replication.   
For more information about configuring replication to support failover, see [Configuring replication for use with Multi-Region Access Points](MultiRegionAccessPointBucketReplication.md).

**To initiate failover between replicated buckets**

1. Sign in to the AWS Management Console.

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the Multi-Region Access Point that you want to use to initiate failover.

1. Choose the **Replication and failover** tab.

1. Scroll down to the **Failover configuration** section and select two AWS Regions.
**Note**  
To initiate failover, at least one AWS Region must be designated as **Active** and one Region must be designated as **Passive** in your Multi-Region Access Point. An active state allows traffic to be directed to a Region. A passive state stops any traffic from being directed to the Region.

1. Choose **Failover**.

1. In the dialog box, choose **Failover** again to initiate the failover process. During this process, the routing statuses of the two Regions are automatically switched. All new traffic is directed to the Region that becomes active, and traffic stops being directed to the Region that becomes passive. It takes about 2 minutes for traffic to be redirected.

   After you initiate the failover process, you can verify your traffic changes. To verify these changes, go to Amazon CloudWatch at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/) to monitor the shift of your Amazon S3 data-request traffic (for example, `GET` and `PUT` requests) between active and passive Regions. Any existing connections will not be terminated during failover. Existing connections will continue until they reach a success or failure status. 

## Viewing your Amazon S3 Multi-Region Access Point routing controls
<a name="viewing-mrap-routing-controls"></a>

### Using the S3 console
<a name="viewing-mrap-routing-console"></a>

**To view the routing controls for your Amazon S3 Multi-Region Access Point**



1. Sign in to the AWS Management Console.

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the Multi-Region Access Point that you want to review.

1. Choose the **Replication and failover** tab. This page displays the routing configuration details and summary for your Multi-Region Access Point, associated replication rules, and replication metrics. You can see the routing status of your Regions in the **Failover configuration** section.

### Using the AWS CLI
<a name="viewing-mrap-routing-cli"></a>

The following example AWS CLI command gets your current Multi-Region Access Point route configuration for the specified Region. To use this example command, replace the `user input placeholders` with your own information.

```
# Show the current routing status of each Region behind the Multi-Region Access Point.
aws s3control get-multi-region-access-point-routes \
    --region eu-west-1 \
    --account-id 123456789012 \
    --mrap MultiRegionAccessPoint_ARN
```

**Note**  
This command can only be executed against these five Regions:  
`ap-southeast-2`
`ap-northeast-1`
`us-east-1`
`us-west-2`
`eu-west-1`

# Amazon S3 Multi-Region Access Point failover controls errors
<a name="mrap-failover-errors"></a>

When you update the failover configuration for your Multi-Region Access Point, you might encounter one of these errors:
+ HTTP 400 Bad Request: This error can occur if you enter an invalid Multi-Region Access Point ARN while updating your failover configuration. You can confirm your Multi-Region Access Point ARN by reviewing your Multi-Region Access Point policy. To review or update your Multi-Region Access Point policy, see [Editing the Multi-Region Access Point policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingFailover.html#editing-mrap-policy). This error can also occur if you use an empty string or a random string while updating your Amazon S3 Multi-Region Access Point failover controls. Make sure to use the Multi-Region Access Point ARN format: 

  `arn:aws:s3::account-id:accesspoint/MultiRegionAccessPoint_alias` 
+ HTTP 503 Slow Down: This error occurs if you send too many requests in a short period of time. Rejected requests will result in an error.
+ HTTP 409 Conflict: This error occurs when two or more concurrent route configuration update requests are targeting a single Multi-Region Access Point. The first request succeeds, but any other requests fail with an error.
+ HTTP 405 Method Not Allowed: This error occurs when you've selected a Multi-Region Access Point with only one AWS Region when initiating failover. You must select two Regions before you can initiate failover. Otherwise, an error is returned.
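
The following pre-flight check is an added example, not AWS code. It validates a Multi-Region Access Point ARN and a set of route updates offline, before they are passed to `submit-multi-region-access-point-routes`, using only the rules stated on this page (ARN format, `0` or `100` dial values, up to 17 routes, at least one active Region). The function names and the sample state are assumptions made for illustration.

```python
import re

# ARN format from this page: arn:aws:s3::account-id:accesspoint/alias
# The Region field (between "s3:" and the account ID) is empty for a
# Multi-Region Access Point and filled in for a Regional access point.
MRAP_ARN = re.compile(r"arn:aws:s3::\d{12}:accesspoint/[^/*\s]+")
MAX_ROUTES = 17  # this page: up to 17 Regions in a single request


def check_mrap_arn(arn):
    """Return a list of problems with the ARN (an empty list means well formed)."""
    if MRAP_ARN.fullmatch(arn):
        return []
    parts = arn.split(":")
    if len(parts) >= 6 and parts[:3] == ["arn", "aws", "s3"] and parts[3]:
        return [f"Region {parts[3]!r} present: this is a Regional access point ARN"]
    return ["expected arn:aws:s3::account-id:accesspoint/alias"]


def plan_route_update(current, updates):
    """Apply route updates to the current routing state without calling AWS.

    current: dict of bucket name -> TrafficDialPercentage, as read back from
             get-multi-region-access-point-routes
    updates: list of {"Bucket": str, "TrafficDialPercentage": int}
    Returns (resulting_state, problems).
    """
    problems = []
    if not 1 <= len(updates) <= MAX_ROUTES:
        problems.append(f"expected 1 to {MAX_ROUTES} route updates, got {len(updates)}")
    resulting = dict(current)
    seen = set()
    for route in updates:
        bucket, dial = route.get("Bucket"), route.get("TrafficDialPercentage")
        if bucket in seen:
            problems.append(f"{bucket}: listed more than once")
        seen.add(bucket)
        if bucket not in current:
            problems.append(f"{bucket}: not in the current routing state")
            continue
        if dial not in (0, 100):
            problems.append(f"{bucket}: TrafficDialPercentage must be 0 or 100, got {dial!r}")
            continue
        resulting[bucket] = dial
    # A passive state stops traffic to a Region, so at least one must stay active.
    if 100 not in resulting.values():
        problems.append("no Region would remain active")
    return resulting, problems


def failover_ready(state):
    """True when at least one Region is active and at least one is passive."""
    dials = set(state.values())
    return 100 in dials and 0 in dials


def cli_route_updates(updates):
    """Render updates in the shorthand that --route-updates takes on this page."""
    return " ".join(
        f"Bucket={r['Bucket']},TrafficDialPercentage={r['TrafficDialPercentage']}"
        for r in updates
    )


# Constructed sample state: bucket1 active, bucket2 passive, as in the page's example.
CURRENT = {"amzn-s3-demo-bucket1": 100, "amzn-s3-demo-bucket2": 0}
FAILOVER = [
    {"Bucket": "amzn-s3-demo-bucket1", "TrafficDialPercentage": 0},
    {"Bucket": "amzn-s3-demo-bucket2", "TrafficDialPercentage": 100},
]
ALL_PASSIVE = [{"Bucket": "amzn-s3-demo-bucket1", "TrafficDialPercentage": 0}]

if __name__ == "__main__":
    for name, updates in (("failover", FAILOVER), ("all passive", ALL_PASSIVE)):
        state, problems = plan_route_update(CURRENT, updates)
        print(name, state, problems or "ok", "failover-ready:", failover_ready(state))
    print(cli_route_updates(FAILOVER))
```

Running the check in the same change pipeline that submits route updates catches a malformed ARN or an update that would leave every Region passive before any request is sent.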

# Configuring replication for use with Multi-Region Access Points
<a name="MultiRegionAccessPointBucketReplication"></a>

When you make a request to a Multi-Region Access Point endpoint, Amazon S3 automatically routes the request to the bucket that is closest to you. Amazon S3 doesn't consider the contents of the request when making this decision. If you make a request to `GET` an object, your request might be routed to a bucket that doesn't have a copy of this object. If that happens, you receive an HTTP status code 404 (Not Found) error. For more information about Multi-Region Access Point request routing, see [Multi-Region Access Point request routing](MultiRegionAccessPointRequestRouting.md).

If you want the Multi-Region Access Point to be able to retrieve the object regardless of which bucket receives the request, you must configure Amazon S3 Cross-Region Replication (CRR). 

 For example, consider a Multi-Region Access Point with three buckets: 
+ A bucket named `amzn-s3-demo-bucket1` in the Region `US West (Oregon)` that contains the object `my-image.jpg` 
+ A bucket named `amzn-s3-demo-bucket2` in the Region `Asia Pacific (Mumbai)` that contains the object `my-image.jpg` 
+ A bucket named `amzn-s3-demo-bucket` in the Region `Europe (Frankfurt)` that doesn't contain the object `my-image.jpg` 

In this situation, if you make a `GetObject` request for the object `my-image.jpg`, the success of that request depends upon which bucket receives your request. Because Amazon S3 doesn't consider the contents of the request, it might route your `GetObject` request to the `amzn-s3-demo-bucket` bucket if that bucket is the one of closest proximity. Even though your object is in a bucket in the Multi-Region Access Point, you will get an HTTP 404 Not Found error because the individual bucket that received your request didn't have the object. 

Enabling Cross-Region Replication (CRR) helps avoid this result. With appropriate replication rules, the `my-image.jpg` object is copied over to the `amzn-s3-demo-bucket` bucket. Therefore, if Amazon S3 routes your request to that bucket, you can now retrieve the object. 

Replication works as normal with buckets that are assigned to a Multi-Region Access Point. Amazon S3 doesn't perform any special replication handling with buckets that are in Multi-Region Access Points. For more information about configuring replication in your buckets, see [Setting up live replication overview](replication-how-setup.md).

**Recommendations for using replication with Multi-Region Access Points**  
For the best replication performance when working with Multi-Region Access Points, we recommend the following: 
+ Configure S3 Replication Time Control (S3 RTC). To replicate your data across different Regions within a predictable time frame, you can use S3 RTC. S3 RTC replicates 99.99 percent of new objects stored in Amazon S3 within 15 minutes (backed by a service-level agreement). For more information, see [Meeting compliance requirements with S3 Replication Time Control](replication-time-control.md). There are additional charges for S3 RTC. For information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).
+ Use two-way (bidirectional) replication to support keeping buckets synchronized when buckets are updated through the Multi-Region Access Point. For more information, see [Create two-way replication rules for your Multi-Region Access Point](mrap-create-two-way-replication-rules.md).
+ Create cross-account Multi-Region Access Points to replicate data to buckets in separate AWS accounts. This approach provides account-level separation, so that data can be accessed from and replicated across different accounts in different Regions other than the source bucket. Setting up cross-account Multi-Region Access Points comes at no additional cost. If you're a bucket owner but don't own the Multi-Region Access Point, you pay only for data transfer and request costs. Multi-Region Access Point owners pay for data routing and internet-acceleration costs. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).
+ Enable replica modification sync for each replication rule to also keep metadata changes to your objects in sync. For more information, see [Enabling replica modification sync](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-for-metadata-changes.html#enabling-replication-for-metadata-changes).
+ Enable Amazon CloudWatch metrics to [monitor replication events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-metrics.html). CloudWatch metrics fees apply. For more information, see [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/).

**Topics**
+ [Create one-way replication rules for your Multi-Region Access Point](mrap-create-one-way-replication-rules.md)
+ [Create two-way replication rules for your Multi-Region Access Point](mrap-create-two-way-replication-rules.md)
+ [View the replication rules for your Multi-Region Access Point](mrap-view-replication-rules.md)

# Create one-way replication rules for your Multi-Region Access Point
<a name="mrap-create-one-way-replication-rules"></a>

Replication rules enable automatic and asynchronous copying of objects across buckets. A one-way replication rule helps ensure that data is fully replicated from a source bucket in one AWS Region to a destination bucket in another Region. When one-way replication is set up, a replication rule from the source bucket (*amzn-s3-demo-bucket*) to the destination bucket (*amzn-s3-demo-bucket*) is created. Like all replication rules, you can apply the one-way replication rule to the entire Amazon S3 bucket or to a subset of objects that are filtered by a prefix or object tags.

**Important**  
We recommend using one-way replication if your users will only be consuming the objects in your destination buckets. If your users will be uploading or modifying the objects in your destination buckets, use two-way replication to keep all of your buckets in sync. We also recommend two-way replication if you plan to use your Multi-Region Access Point for failover. To set up two-way replication, see [Create two-way replication rules for your Multi-Region Access Point](mrap-create-two-way-replication-rules.md).

**To create a one-way replication rule for your Multi-Region Access Point**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the name of your Multi-Region Access Point.

1. Choose the **Replication and failover** tab.

1. Scroll down to the **Replication rules** section, and then choose **Create replication rules**. Make sure that you have sufficient permissions to create the replication rule, or versioning will be disabled.
**Note**  
You can create replication rules only for buckets in your own account. To create replication rules for external buckets, the bucket owners must create the replication rules for those buckets.

1. On the **Create replication rules** page, choose the **Replicate objects from one or more source buckets to one or more destination buckets** template.
**Important**  
When you create replication rules by using this template, they replace any existing replication rules that are already assigned to the bucket.   
To add to or modify any existing replication rules instead of replacing them, go to each bucket's **Management** tab in the console, and then edit the rules in the **Replication rules** section. You can also add to or modify existing replication rules by using the AWS CLI, SDKs, or REST API. For more information, see [Replication configuration file elements](replication-add-config.md).

1. In the **Source and destination** section, under **Source buckets**, select one or more buckets that you want to replicate objects from. All buckets (source and destination) that are chosen for replication must have S3 Versioning enabled, and each bucket must reside in a different AWS Region. For more information about S3 Versioning, see [Using versioning in Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html).

   Under **Destination buckets**, select one or more buckets that you want to replicate objects to.

1. In the **Replication rule configuration** section, choose whether the replication rule will be **Enabled** or **Disabled** when it's created.
**Note**  
You can't enter a name in the **Replication rule name** box. Replication rule names are generated based on your configuration when you create the replication rule.

1. In the **Scope** section, choose the appropriate scope for your replication.
   + To replicate the whole bucket, choose **Apply to all objects in the bucket**. 
   + To replicate a subset of the objects in the bucket, choose **Limit the scope of this rule using one or more filters**. 

     You can filter your objects by using a prefix, object tags, or a combination of both. 
     + To limit replication to all objects that have names that begin with the same string (for example `pictures`), enter a prefix in the **Prefix** box. 

       If you enter a prefix that is the name of a folder, you must use a delimiter such as a `/` (forward slash) to indicate its level of hierarchy (for example, `pictures/`). For more information about prefixes, see [Organizing objects using prefixes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html).
     + To replicate all objects that have one or more object tags, choose **Add tag** and enter the key-value pair in the boxes. To add another tag, repeat the procedure. For more information about object tags, see [Categorizing your objects using tags](object-tagging.md).

1. Scroll down to the **Additional replication options** section, and select the replication options that you want to apply.
**Note**  
We recommend that you apply the following options:  
**Replication time control (RTC)** – To replicate your data across different Regions within a predictable time frame, you can use S3 Replication Time Control (S3 RTC). S3 RTC replicates 99.99 percent of new objects stored in Amazon S3 within 15 minutes (backed by a service-level agreement). For more information, see [Meeting compliance requirements with S3 Replication Time Control](replication-time-control.md).
**Replication metrics and notifications** – Enable Amazon CloudWatch metrics to monitor replication events.
**Delete marker replication** – Delete markers created by S3 delete operations will be replicated. Delete markers created by lifecycle rules are not replicated. For more information, see [Replicating delete markers between buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html).
There are additional charges for S3 RTC and CloudWatch replication metrics and notifications. For more information, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/) and [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/).

1. If you're writing a new replication rule that replaces an existing one, select **I acknowledge that by choosing Create replication rules, these existing replication rules will be overwritten**.

1. Choose **Create replication rules** to create and save your new one-way replication rule.

# Create two-way replication rules for your Multi-Region Access Point
<a name="mrap-create-two-way-replication-rules"></a>

Replication rules enable automatic and asynchronous copying of objects across buckets. A two-way replication rule (also known as a bidirectional replication rule) ensures that data is fully synchronized between two or more buckets in different AWS Regions. When two-way replication is set up, a replication rule from the source bucket (DOC-EXAMPLE-BUCKET-1) to the bucket containing the replicas (DOC-EXAMPLE-BUCKET-2) is created. Then, a second replication rule from the bucket containing the replicas (DOC-EXAMPLE-BUCKET-2) to the source bucket (DOC-EXAMPLE-BUCKET-1) is created.

Like all replication rules, you can apply the two-way replication rule to the entire Amazon S3 bucket or to a subset of objects filtered by a prefix or object tags. You can also keep metadata changes to your objects in sync by [enabling replica modification sync](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-for-metadata-changes.html#enabling-replication-for-metadata-changes) for each replication rule. You can enable replica modification sync through the Amazon S3 console, the AWS CLI, the AWS SDKs, the Amazon S3 REST API, or AWS CloudFormation.

To monitor the replication progress of objects and object metadata in Amazon CloudWatch, enable S3 Replication metrics and notifications. For more information, see [Monitoring progress with replication metrics and Amazon S3 event notifications](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-metrics.html).

**To create a two-way replication rule for your Multi-Region Access Point**



1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the name of the Multi-Region Access Point that you want to update.

1. Choose the **Replication and failover** tab.

1. Scroll down to the **Replication rules** section, and then choose **Create replication rules**.

1. On the **Create replication rules** page, choose the **Replicate objects among all specified buckets** template. The **Replicate objects among all specified buckets** template sets up two-way replication (with failover capabilities) for your buckets.
**Important**  
When you create replication rules by using this template, they replace any existing replication rules that are already assigned to the bucket.   
To add to or modify any existing replication rules instead of replacing them, go to each bucket's **Management** tab in the console, and then edit the rules in the **Replication rules** section. You can also add to or modify existing replication rules by using the AWS CLI, AWS SDKs, or Amazon S3 REST API. For more information, see [Replication configuration file elements](replication-add-config.md).

1. In the **Buckets** section, select at least two buckets that you want to replicate objects from. All buckets chosen for replication must have S3 Versioning enabled, and each bucket must reside in a different AWS Region. For more information about S3 Versioning, see [Using versioning in Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html).
**Note**  
Make sure that you have the required read and replicate permissions to establish replication, or you will encounter errors. For more information, see [Creating an IAM role](https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html).

1. In the **Replication rule configuration** section, choose whether the replication rule will be **Enabled** or **Disabled** when it's created.
**Note**  
You can't enter a name in the **Replication rule name** box. Replication rule names are generated based on your configuration when you create the replication rule.

1. In the **Scope** section, choose the appropriate scope for your replication.
   + To replicate the whole bucket, choose **Apply to all objects in the bucket**. 
   + To replicate a subset of the objects in the bucket, choose **Limit the scope of this rule using one or more filters**. 

     You can filter your objects by using a prefix, object tags, or a combination of both. 
     + To limit replication to all objects that have names that begin with the same string (for example `pictures`), enter a prefix in the **Prefix** box. 

       If you enter a prefix that is the name of a folder, you must use a `/` (forward slash) as the last character (for example, `pictures/`).
     + To replicate all objects that have one or more object tags, choose **Add tag** and enter the key-value pair in the boxes. To add another tag, repeat the procedure. For more information about object tags, see [Categorizing your objects using tags](object-tagging.md).

1. Scroll down to the **Additional replication options** section, and select the replication options that you want to apply.
**Note**  
We recommend that you apply the following options, especially if you intend to configure your Multi-Region Access Point to support failover:  
+ **Replication time control (RTC)** – To replicate your data across different Regions within a predictable time frame, you can use S3 Replication Time Control (S3 RTC). S3 RTC replicates 99.99 percent of new objects stored in Amazon S3 within 15 minutes (backed by a service-level agreement). For more information, see [Meeting compliance requirements with S3 Replication Time Control](replication-time-control.md).
+ **Replication metrics and notifications** – Enable Amazon CloudWatch metrics to monitor replication events.
+ **Delete marker replication** – Delete markers created by S3 delete operations will be replicated. Delete markers created by lifecycle rules are not replicated. For more information, see [Replicating delete markers between buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html).
+ **Replica modification sync** – Enable replica modification sync for each replication rule to also keep metadata changes to your objects in sync. For more information, see [Enabling replica modification sync](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-for-metadata-changes.html#enabling-replication-for-metadata-changes).

There are additional charges for S3 RTC and CloudWatch replication metrics and notifications. For more information, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/) and [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/).

1. If you're writing a new replication rule that replaces an existing one, select **I acknowledge that by choosing Create replication rules, these existing replication rules will be overwritten**.

1. Choose **Create replication rules** to create and save your new two-way replication rules. 

# View the replication rules for your Multi-Region Access Point
<a name="mrap-view-replication-rules"></a>

With Multi-Region Access Points, you can either set up one-way replication rules or two-way (bidirectional) replication rules. For information about how to manage your replication rules, see [Managing replication rules by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/disable-replication.html).

**To view the replication rules for your Multi-Region Access Point**



1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the name of your Multi-Region Access Point.

1. Choose the **Replication and failover** tab.

1. Scroll down to the **Replication rules** section. This section lists all of the replication rules that have been created for your Multi-Region Access Point.
**Note**  
If you’ve added a bucket from another account to this Multi-Region Access Point, you must have the `s3:GetBucketReplication` permission from the bucket owner to view the replication rules for that bucket.

# Using Multi-Region Access Points with supported API operations
<a name="MrapOperations"></a>

 Amazon S3 provides a set of operations to manage Multi-Region Access Points. Amazon S3 processes some of these operations synchronously and some asynchronously. When you invoke an asynchronous operation, Amazon S3 first synchronously authorizes the requested operation. If authorization is successful, Amazon S3 returns a token that you can use to track the progress and results of the requested operation. 

**Note**  
Requests that are made through the Amazon S3 console are always synchronous. The console waits until the request is completed before allowing you to submit another request. 

You can view the current status and results of asynchronous operations by using the console, or you can use `DescribeMultiRegionAccessPointOperation` in the AWS CLI, AWS SDKs, or REST API. Amazon S3 provides a tracking token in the response to an asynchronous operation. You include that tracking token as an argument to `DescribeMultiRegionAccessPointOperation`. When you include the tracking token, Amazon S3 then returns the current status and results of the specified operation, including any errors or relevant resource information. Amazon S3 performs `DescribeMultiRegionAccessPointOperation` operations synchronously. 

All control plane requests to create or maintain Multi-Region Access Points must be routed to the `US West (Oregon)` Region. For Multi-Region Access Point data plane requests, Regions don't need to be specified. For the Multi-Region Access Point failover control plane, the request must be routed to one of the five supported Regions. For more information about Multi-Region Access Point supported Regions, see [Multi-Region Access Point restrictions and limitations](MultiRegionAccessPointRestrictions.md).

In addition, you must grant the `s3:ListAllMyBuckets` permission to the user, role, or other AWS Identity and Access Management (IAM) entity that makes a request to manage a Multi-Region Access Point. 

The following examples demonstrate how to use Multi-Region Access Points with compatible operations in Amazon S3.

**Topics**
+ [Multi-Region Access Point compatibility with AWS services and AWS SDKs](#mrap-api-support)
+ [Multi-Region Access Point compatibility with S3 operations](#mrap-operations-support)
+ [View your Multi-Region Access Point routing configuration](#query-mrap-routing-configuration)
+ [Update your underlying Amazon S3 bucket policy](#update-underlying-bucket-policy)
+ [Update a Multi-Region Access Point route configuration](#update-mrap-route-configuration)
+ [Add an object to a bucket in your Multi-Region Access Point](#add-bucket-mrap)
+ [Retrieve objects from your Multi-Region Access Point](#get-object-mrap)
+ [List objects that are stored in a bucket underlying your Multi-Region Access Point](#list-objects-mrap)
+ [Use a presigned URL with Multi-Region Access Points](#use-presigned-url-mrap)
+ [Use a bucket that's configured with Requester Pays with Multi-Region Access Points](#use-requester-pays-mrap)

## Multi-Region Access Point compatibility with AWS services and AWS SDKs
<a name="mrap-api-support"></a>

To use a Multi-Region Access Point with applications that require an Amazon S3 bucket name, use the Amazon Resource Name (ARN) of the Multi-Region Access Point when making requests by using an AWS SDK. To check which AWS SDKs are compatible with Multi-Region Access Points, see [Compatibility with AWS SDKs](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html#s3-mrap-sdk-compat).

## Multi-Region Access Point compatibility with S3 operations
<a name="mrap-operations-support"></a>

You can use the following Amazon S3 data plane API operations to perform actions on objects in buckets that are associated with your Multi-Region Access Point. The following S3 operations can accept Multi-Region Access Point ARNs:
+ [AbortMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html)
+ [CompleteMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html)
+ [CreateMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html)
+ [DeleteObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html)
+ [DeleteObjectTagging](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjectTagging.html)
+ [GetObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html)
+ [GetObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html)
+ [GetObjectLegalHold](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html)
+ [GetObjectRetention](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html)
+ [GetObjectTagging](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html)
+ [HeadObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html)
+ [ListMultipartUploads](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html)
+ [ListObjectsV2](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html)
+ [ListParts](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html)
+ [PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html)
+ [PutObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl.html)
+ [PutObjectLegalHold](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectLegalHold.html)
+ [PutObjectRetention](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectRetention.html)
+ [PutObjectTagging](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectTagging.html)
+ [RestoreObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html)
+ [UploadPart](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html)

**Note**  
Multi-Region Access Points support copy operations only as a destination when you use the Multi-Region Access Point ARN.

You can use the following Amazon S3 control plane operations to create and manage your Multi-Region Access Points:
+ [CreateMultiRegionAccessPoint](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateMultiRegionAccessPoint.html)
+ [DescribeMultiRegionAccessPointOperation](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DescribeMultiRegionAccessPointOperation.html)
+ [GetMultiRegionAccessPoint](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPoint.html)
+ [GetMultiRegionAccessPointPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPointPolicy.html)
+ [GetMultiRegionAccessPointPolicyStatus](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPointPolicyStatus.html)
+ [GetMultiRegionAccessPointRoutes](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPointRoutes.html)
+ [ListMultiRegionAccessPoints](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListMultiRegionAccessPoints.html)
+ [PutMultiRegionAccessPointPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutMultiRegionAccessPointPolicy.html)
+ [SubmitMultiRegionAccessPointRoutes](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_SubmitMultiRegionAccessPointRoutes.html)

## View your Multi-Region Access Point routing configuration
<a name="query-mrap-routing-configuration"></a>

------
#### [ AWS CLI ]

The following example command retrieves your Multi-Region Access Point route configuration so that you can see the current routing statuses for your buckets. To use this example command, replace the `user input placeholders` with your own information.

```
aws s3control get-multi-region-access-point-routes \
--region eu-west-1 \
--account-id 111122223333 \
--mrap arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap
```

------
#### [ SDK for Java ]

The following SDK for Java code retrieves your Multi-Region Access Point route configuration so that you can see the current routing statuses for your buckets. To use this example syntax, replace the `user input placeholders` with your own information.

```
S3ControlClient s3ControlClient = S3ControlClient.builder()
    .region(Region.US_EAST_1)
    .credentialsProvider(credentialsProvider)
    .build();
 
GetMultiRegionAccessPointRoutesRequest request = GetMultiRegionAccessPointRoutesRequest.builder()
    .accountId("111122223333")
    .mrap("arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap")
    .build();
 
GetMultiRegionAccessPointRoutesResponse response = s3ControlClient.getMultiRegionAccessPointRoutes(request);
```

------
#### [ SDK for JavaScript ]

The following SDK for JavaScript code retrieves your Multi-Region Access Point route configuration so that you can see the current routing statuses for your buckets. To use this example syntax, replace the `user input placeholders` with your own information.

```
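import { S3ControlClient, GetMultiRegionAccessPointRoutesCommand } from '@aws-sdk/client-s3-control'

const REGION = 'us-east-1'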
 
const s3ControlClient = new S3ControlClient({
  region: REGION
})
 
export const run = async () => {
  try {
    const data = await s3ControlClient.send(
      new GetMultiRegionAccessPointRoutesCommand({
        AccountId: '111122223333',
        Mrap: 'arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap',
      })
    )
    console.log('Success', data)
    return data
  } catch (err) {
    console.log('Error', err)
  }
}
 
run()
```

------
#### [ SDK for Python ]

The following SDK for Python code retrieves your Multi-Region Access Point route configuration so that you can see the current routing statuses for your buckets. To use this example syntax, replace the `user input placeholders` with your own information.

```
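import boto3

s3 = boto3.client('s3control', region_name='eu-west-1')  # one of the five supported Regions
s3.get_multi_region_access_point_routes(
        AccountId='111122223333',
        Mrap='arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap')['Routes']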
```

------

## Update your underlying Amazon S3 bucket policy
<a name="update-underlying-bucket-policy"></a>

To grant proper access, you must also update the underlying Amazon S3 bucket policy. The following examples delegate access control to the Multi-Region Access Point policy. After you delegate access control to the Multi-Region Access Point policy, the bucket policy is no longer used for access control when requests are made through the Multi-Region Access Point.

Here's an example bucket policy that delegates access control to the Multi-Region Access Point policy. To use this example bucket policy, replace the `user input placeholders` with your own information. To apply this policy through the AWS CLI `put-bucket-policy` command, as shown in the next example, save the policy in a file, for example, `policy.json`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { 
        "AWS": "arn:aws:iam::444455556666:root" 
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:DataAccessPointAccount": "444455556666"
        }
      }
    }
  ]
}
```

------

The following `put-bucket-policy` example command associates the updated S3 bucket policy with your S3 bucket:

```
aws s3api put-bucket-policy \
  --bucket amzn-s3-demo-bucket \
  --policy file:///tmp/policy.json
```
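Before you apply a delegating bucket policy, it helps to confirm that every `Allow` statement is actually limited by the `s3:DataAccessPointAccount` condition. The following Python check is an added example, not AWS sample code; the function names and the second statement of the sample policy are constructed for illustration.

```python
import json

CONDITION_KEY = "s3:dataaccesspointaccount"  # IAM condition keys are case-insensitive

# Constructed sample policy. Statement 0 is the delegation statement shown on
# this page; statement 1 is a constructed grant with no access point condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*"],
            "Condition": {"StringEquals": {"s3:DataAccessPointAccount": "444455556666"}},
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
        },
    ],
})


def _as_list(value):
    """Policy elements may be a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _access_point_accounts(statement):
    """Account IDs named by a StringEquals s3:DataAccessPointAccount condition."""
    accounts = []
    string_equals = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in string_equals.items():
        if key.lower() == CONDITION_KEY:
            accounts.extend(_as_list(value))
    return accounts


def audit_delegation(policy_json, bucket, expected_account):
    """Classify each Allow statement that touches `bucket`.

    Returns a list of (statement_index, verdict), where verdict is:
      "delegated"     - limited to access points owned by expected_account
      "wrong-account" - limited to access points owned by another account
      "unconditioned" - no access point condition, so the statement also
                        applies to requests sent directly to the bucket
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    results = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        touches_bucket = any(
            r in ("*", bucket_arn) or r.startswith(bucket_arn + "/") for r in resources
        )
        if not touches_bucket:
            continue
        accounts = _access_point_accounts(stmt)
        if not accounts:
            verdict = "unconditioned"
        elif all(account == expected_account for account in accounts):
            verdict = "delegated"
        else:
            verdict = "wrong-account"
        results.append((index, verdict))
    return results


if __name__ == "__main__":
    for index, verdict in audit_delegation(SAMPLE_POLICY, "amzn-s3-demo-bucket", "444455556666"):
        print(f"statement {index}: {verdict}")
```
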

## Update a Multi-Region Access Point route configuration
<a name="update-mrap-route-configuration"></a>

The following example command updates the Multi-Region Access Point route configuration. Multi-Region Access Point route commands can be run against the following five Regions:
+ `ap-southeast-2`
+ `ap-northeast-1`
+ `us-east-1`
+ `us-west-2`
+ `eu-west-1`

In a Multi-Region Access Point routing configuration, you can set buckets to an active or passive routing status. Active buckets receive traffic, whereas passive buckets do not. You can set a bucket's routing status by setting the `TrafficDialPercentage` value for the bucket to `100` for active or `0` for passive. 

------
#### [ AWS CLI ]

The following example command updates your Multi-Region Access Point routing configuration. In this example, `amzn-s3-demo-bucket1` is set to active status and `amzn-s3-demo-bucket2` is set to passive. To use this example command, replace the `user input placeholders` with your own information.

```
aws s3control submit-multi-region-access-point-routes \
--region ap-southeast-2 \
--account-id 111122223333 \
--mrap arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap \
--route-updates Bucket=amzn-s3-demo-bucket1,TrafficDialPercentage=100 \
                Bucket=amzn-s3-demo-bucket2,TrafficDialPercentage=0
```

------
#### [ SDK for Java ]

The following SDK for Java code updates your Multi-Region Access Point routing configuration. To use this example syntax, replace the `user input placeholders` with your own information.

```
S3ControlClient s3ControlClient = S3ControlClient.builder()
    .region(Region.AP_SOUTHEAST_2)
    .credentialsProvider(credentialsProvider)
    .build();
 
SubmitMultiRegionAccessPointRoutesRequest request = SubmitMultiRegionAccessPointRoutesRequest.builder()
    .accountId("111122223333")
    .mrap("arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap")
    .routeUpdates(
        MultiRegionAccessPointRoute.builder()
            .region("eu-west-1")
            .trafficDialPercentage(100)
            .build(),
        MultiRegionAccessPointRoute.builder()
            .region("ca-central-1")
            .bucket("111122223333")
            .trafficDialPercentage(0)
            .build()
    )
    .build();
 
SubmitMultiRegionAccessPointRoutesResponse response = s3ControlClient.submitMultiRegionAccessPointRoutes(request);
```

------
#### [ SDK for JavaScript ]

The following SDK for JavaScript code updates your Multi-Region Access Point route configuration. To use this example syntax, replace the `user input placeholders` with your own information.

```
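import { S3ControlClient, SubmitMultiRegionAccessPointRoutesCommand } from '@aws-sdk/client-s3-control'

const REGION = 'ap-southeast-2'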
 
const s3ControlClient = new S3ControlClient({
  region: REGION
})
 
export const run = async () => {
  try {
    const data = await s3ControlClient.send(
      new SubmitMultiRegionAccessPointRoutesCommand({
        AccountId: '111122223333',
        Mrap: 'arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap',
        RouteUpdates: [
          {
            Region: 'eu-west-1',
            TrafficDialPercentage: 100,
          },
          {
            Region: 'ca-central-1',
            Bucket: 'amzn-s3-demo-bucket1',
            TrafficDialPercentage: 0,
          },
        ],
      })
    )
    console.log('Success', data)
    return data
  } catch (err) {
    console.log('Error', err)
  }
}
 
run()
```

------
#### [ SDK for Python ]

The following SDK for Python code updates your Multi-Region Access Point route configuration. To use this example syntax, replace the `user input placeholders` with your own information.

```
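import boto3

s3 = boto3.client('s3control', region_name='ap-southeast-2')  # one of the five supported Regions
s3.submit_multi_region_access_point_routes(
        AccountId='111122223333',
        Mrap='arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap',
        RouteUpdates=[{
            'Bucket': 'amzn-s3-demo-bucket',
            'Region': 'ap-southeast-2',
            'TrafficDialPercentage': 100  # 100 = active, 0 = passive
        }])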
```

------
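A failover change is easy to get wrong under pressure, so it is worth checking a set of route updates against the rules in this section before you submit them. The following Python pre-flight check is an added example, not AWS sample code. `current_routes` mirrors the `Routes` list returned by `get_multi_region_access_point_routes`; the function name, the constructed sample routes, and the guardrail that at least one bucket must stay active are assumptions of this example.

```python
# The five Regions that accept Multi-Region Access Point route commands.
SUPPORTED_CONTROL_REGIONS = {
    "ap-southeast-2", "ap-northeast-1", "us-east-1", "us-west-2", "eu-west-1",
}

# Constructed sample of the current routing state (bucket names are placeholders).
CURRENT_ROUTES = [
    {"Bucket": "amzn-s3-demo-bucket1", "Region": "eu-west-1", "TrafficDialPercentage": 0},
    {"Bucket": "amzn-s3-demo-bucket2", "Region": "ca-central-1", "TrafficDialPercentage": 100},
]


def check_route_updates(control_region, current_routes, route_updates):
    """Apply route_updates to a copy of current_routes and report problems.

    Returns (active_buckets, problems): the sorted names of the buckets that
    would be active afterwards, and a list of human-readable problems. Invalid
    updates are reported and skipped, so the caller sees the effect of the
    valid ones. Submit the request only when `problems` is empty.
    """
    problems = []
    if control_region not in SUPPORTED_CONTROL_REGIONS:
        problems.append(
            f"control Region {control_region!r} is not one of the five supported Regions"
        )

    # Work on copies so the caller's view of the current state is untouched.
    state = {route["Bucket"]: dict(route) for route in current_routes}

    for index, update in enumerate(route_updates):
        dial = update.get("TrafficDialPercentage")
        if dial not in (0, 100):
            problems.append(
                f"update {index}: TrafficDialPercentage must be 0 or 100, got {dial!r}"
            )
            continue
        bucket, region = update.get("Bucket"), update.get("Region")
        # An update may name a bucket, a Region, or both; both must agree.
        targets = [
            route for route in state.values()
            if bucket in (None, route["Bucket"]) and region in (None, route["Region"])
        ]
        if not (bucket or region) or not targets:
            problems.append(
                f"update {index}: does not match any bucket behind this access point"
            )
            continue
        for route in targets:
            route["TrafficDialPercentage"] = dial

    active = sorted(b for b, r in state.items() if r["TrafficDialPercentage"] == 100)
    if not active:
        # Local guardrail (assumption of this example): never leave zero active buckets.
        problems.append("no bucket would remain active after these updates")
    return active, problems


if __name__ == "__main__":
    updates = [
        {"Bucket": "amzn-s3-demo-bucket1", "TrafficDialPercentage": 100},
        {"Bucket": "amzn-s3-demo-bucket2", "TrafficDialPercentage": 0},
    ]
    print(check_route_updates("ap-southeast-2", CURRENT_ROUTES, updates))
```
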

## Add an object to a bucket in your Multi-Region Access Point
<a name="add-bucket-mrap"></a>

To add an object to the bucket that's associated with the Multi-Region Access Point, you can use the [PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) operation. To keep all buckets in the Multi-Region Access Point in sync, enable [Cross-Region Replication](MultiRegionAccessPointBucketReplication.md).

**Note**  
To use this operation, you must have the `s3:PutObject` permission for the Multi-Region Access Point. For more information about Multi-Region Access Point permission requirements, see [Permissions](MultiRegionAccessPointPermissions.md).

------
#### [ AWS CLI ]

The following example data plane request uploads *`example.txt`* to the specified Multi-Region Access Point. To use this example, replace the *`user input placeholders`* with your own information.

```
aws s3api put-object --bucket arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap --key example.txt --body example.txt
```

------
#### [ SDK for Java ]

```
S3Client s3Client = S3Client.builder()
        .build();
        
PutObjectRequest objectRequest = PutObjectRequest.builder()
        .bucket("arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap")
        .key("example.txt")
        .build();

s3Client.putObject(objectRequest, RequestBody.fromString("Hello S3!"));
```

------
#### [ SDK for JavaScript ]

```
const client = new S3Client({});

async function putObjectExample() {
    const command = new PutObjectCommand({
        Bucket: "arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap",
        Key: "example.txt",
        Body: "Hello S3!",
    });
    
    try {
        const response = await client.send(command);
        console.log(response);
    } catch (err) {
        console.error(err);
    }
}
```

------
#### [ SDK for Python ]

```
import boto3

client = boto3.client('s3')
client.put_object(
    Bucket='arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap',
    Key='example.txt',
    Body='Hello S3!'
)
```

------

## Retrieve objects from your Multi-Region Access Point
<a name="get-object-mrap"></a>

To retrieve objects from the Multi-Region Access Point, you can use the [GetObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) operation.

**Note**  
To use this API operation, you must have the `s3:GetObject` permission for the Multi-Region Access Point. For more information about Multi-Region Access Point permissions requirements, see [Permissions](MultiRegionAccessPointPermissions.md).

------
#### [ AWS CLI ]

The following example data plane request retrieves *`example.txt`* from the specified Multi-Region Access Point and downloads it as *`downloaded_example.txt`*. To use this example, replace the *`user input placeholders`* with your own information.

```
aws s3api get-object --bucket arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap --key example.txt downloaded_example.txt
```

------
#### [ SDK for Java ]

```
S3Client s3Client = S3Client
   .builder()
   .build();

GetObjectRequest getObjectRequest = GetObjectRequest.builder()
    .bucket("arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap")
    .key("example.txt")
    .build();

s3Client.getObject(getObjectRequest);
```

------
#### [ SDK for JavaScript ]

```
const client = new S3Client({})

async function getObjectExample() {
    const command = new GetObjectCommand({
        Bucket: "arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap",
        Key: "example.txt"
    });
    
    try {
        const response = await client.send(command);
        console.log(response);
    } catch (err) {
        console.error(err);
    }
}
```

------
#### [ SDK for Python ]

```
import boto3

client = boto3.client('s3')
client.get_object(
    Bucket='arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap',
    Key='example.txt'
)
```

------

## List objects that are stored in a bucket underlying your Multi-Region Access Point
<a name="list-objects-mrap"></a>

To return a list of objects that are stored in a bucket underlying your Multi-Region Access Point, use the [ListObjectsV2](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html) operation. In the following example command, all objects for the specified Multi-Region Access Point are listed by using the ARN for the Multi-Region Access Point. In this case, the Multi-Region Access Point ARN is:

`arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap`

**Note**  
To use this API operation, you must have the `s3:ListBucket` permission for the Multi-Region Access Point and the underlying bucket. For more information about Multi-Region Access Point permissions requirements, see [Permissions](MultiRegionAccessPointPermissions.md).

------
#### [ AWS CLI ]

The following example data plane request lists the objects in the bucket that underlies the Multi-Region Access Point that's specified by the ARN. To use this example, replace the *`user input placeholders`* with your own information.

```
aws s3api list-objects-v2 --bucket arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap
```

------
#### [ SDK for Java ]

```
S3Client s3Client = S3Client.builder()
        .build();
        
String bucketName = "arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap";

ListObjectsV2Request listObjectsRequest = ListObjectsV2Request
    .builder()
    .bucket(bucketName)
    .build();

s3Client.listObjectsV2(listObjectsRequest);
```

------
#### [ SDK for JavaScript ]

```
const client = new S3Client({});

async function listObjectsExample() {
    const command = new ListObjectsV2Command({
        Bucket: "arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap",
    });
    
    try {
        const response = await client.send(command);
        console.log(response);
    } catch (err) {
        console.error(err);
    }
}
```

------
#### [ SDK for Python ]

```
import boto3

client = boto3.client('s3')
client.list_objects_v2(
    Bucket='arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap'
)
```

------

## Use a presigned URL with Multi-Region Access Points
<a name="use-presigned-url-mrap"></a>

You can use a presigned URL to generate a URL that allows others to access your Amazon S3 buckets through an Amazon S3 Multi-Region Access Point. When you create a presigned URL, you associate it with a specific object action, such as an S3 upload (`PutObject`) or an S3 download (`GetObject`). You can share the presigned URL, and anyone with access to it can perform the action embedded in the URL as if they were the original signing user.

Presigned URLs have an expiration date. When the expiration time is reached, the URL will no longer work. 

Before you use S3 Multi-Region Access Points with presigned URLs, check the [AWS SDK compatibility](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html#s3-mrap-sdk-compat) with the SigV4A algorithm. Verify that your SDK version supports SigV4A as the signing implementation that is used to sign the global AWS Region requests. For more information about using presigned URLs with Amazon S3, see [Sharing objects by using presigned URLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html).

The following examples show how you can use Multi-Region Access Points with presigned URLs. To use these examples, replace the *`user input placeholders`* with your own information.

------
#### [ AWS CLI ]

```
aws s3 presign arn:aws:s3::123456789012:accesspoint/MultiRegionAccessPoint_alias/example-file.txt
```

------
#### [ SDK for Python ]

```
import boto3

# 'xxx' values are placeholders; in practice, let boto3 load credentials from its default provider chain.
s3_client = boto3.client('s3', aws_access_key_id='xxx', aws_secret_access_key='xxx')
url = s3_client.generate_presigned_url(
    ClientMethod='put_object',
    Params={
        'Bucket': 'arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap',
        'Key': 'example-file',
    },
    HttpMethod='PUT',
)
```

------
#### [ SDK for Java ]

```
S3Presigner s3Presigner = S3Presigner.builder()
    .credentialsProvider(StsAssumeRoleCredentialsProvider.builder()
        .refreshRequest(assumeRole)
        .stsClient(stsClient)
        .build())
    .build();

GetObjectRequest getObjectRequest = GetObjectRequest.builder()
    .bucket("arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap")
    .key("example-file")
    .build();

GetObjectPresignRequest preSignedReq = GetObjectPresignRequest.builder()
    .getObjectRequest(getObjectRequest)
    .signatureDuration(Duration.ofMinutes(10))
    .build();

PresignedGetObjectRequest presignedGetObjectRequest = s3Presigner.presignGetObject(preSignedReq);
```

------

**Note**  
To use SigV4A with temporary security credentials (for example, when using IAM roles), make sure that you request the temporary credentials from a Regional endpoint in AWS Security Token Service (AWS STS), instead of a global endpoint. If you use the global endpoint for AWS STS (`sts.amazonaws.com`), AWS STS will generate temporary credentials from a global endpoint, which isn't supported by SigV4A. As a result, you'll get an error. To resolve this issue, use any of the listed [Regional endpoints for AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_region-endpoints).

## Use a bucket that's configured with Requester Pays with Multi-Region Access Points
<a name="use-requester-pays-mrap"></a>

If an S3 bucket that is associated with your Multi-Region Access Points is [configured to use Requester Pays](https://docs.aws.amazon.com/AmazonS3/latest/userguide/RequesterPaysExamples.html), the requester will pay for the bucket request, the download, and any Multi-Region Access Points related costs. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).

Here's an example of a data plane request to a Multi-Region Access Point that is connected to a Requester Pays bucket.

------
#### [ AWS CLI ]

To download objects from a Multi-Region Access Point that is connected to a Requester Pays bucket, you must specify `--request-payer requester` as part of your [get-object](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-object.html) request. You must also specify the name of the file in the bucket and the location where the downloaded file should be stored.

```
aws s3api get-object --bucket MultiRegionAccessPoint_ARN --request-payer requester --key example-file-in-bucket.txt example-location-of-downloaded-file.txt 
```

------
#### [ SDK for Java ]

To download objects from a Multi-Region Access Point that is connected to a Requester Pays bucket, you must specify the `RequestPayer.REQUESTER` as part of your `GetObject` request. You must also specify the name of the file in the bucket, as well as the location where it should be stored.

```
GetObjectResponse getObjectResponse = s3Client.getObject(GetObjectRequest.builder()
    .key("example-file.txt")
    .bucket("arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap")
    .requestPayer(RequestPayer.REQUESTER)
    .build()
).response();
```

------

# Monitoring and logging requests made through a Multi-Region Access Point to underlying resources
<a name="MultiRegionAccessPointMonitoring"></a>

Amazon S3 logs requests made through Multi-Region Access Points and requests made to the API operations that manage them, such as `CreateMultiRegionAccessPoint` and `GetMultiRegionAccessPointPolicy`. Requests made to Amazon S3 through a Multi-Region Access Point appear in your Amazon S3 server access logs and AWS CloudTrail logs with the Multi-Region Access Point hostname. An access point's hostname takes the form `MRAP_alias.accesspoint.s3-global.amazonaws.com`. For example, suppose that you have the following bucket and Multi-Region Access Point configuration: 
+ A bucket named `my-bucket-usw2` in the Region `us-west-2` that contains the object `my-image.jpg`. 
+ A bucket named `my-bucket-aps1` in the Region `ap-south-1` that contains the object `my-image.jpg`. 
+  A bucket named `my-bucket-euc1` in the Region `eu-central-1` that doesn’t contain an object named `my-image.jpg`. 
+  A Multi-Region Access Point named `my-mrap` with the alias `mfzwi23gnjvgw.mrap` that is configured to fulfill requests from all three buckets. 
+  Your AWS account ID is `123456789012`. 

A request made to retrieve `my-image.jpg` directly through any of the buckets appears in your logs with a hostname of `bucket_name.s3.Region.amazonaws.com`. 

If you make the request through the Multi-Region Access Point instead, Amazon S3 first determines which of the buckets in the different Regions is closest. After Amazon S3 determines which bucket to use to fulfill the request, it sends the request to that bucket and logs the operation by using the Multi-Region Access Point hostname. In this example, if Amazon S3 relays the request to `my-bucket-aps1`, your logs will reflect a successful `GET` request for `my-image.jpg` from `my-bucket-aps1`, using a hostname of `mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com`. 

**Important**  
Multi-Region Access Points aren't aware of the data contents of the underlying buckets. Therefore, the bucket that gets the request might not contain the requested data. For example, if Amazon S3 determines that the `my-bucket-euc1` bucket is the closest, your logs will reflect a failed `GET` request for `my-image.jpg` from `my-bucket-euc1`, using a hostname of `mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com`. If the request was routed to `my-bucket-usw2` instead, your logs would indicate a successful `GET` request.

 For more information about Amazon S3 server access logs, see [Logging requests with server access logging](ServerLogs.md). For more information about AWS CloudTrail, see [What is AWS CloudTrail?](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) in the *AWS CloudTrail User Guide*. 

## Monitoring and logging requests made to Multi-Region Access Point management API operations
<a name="MonitoringMultiRegionAccessPointAPIs"></a>

Amazon S3 provides several API operations to manage Multi-Region Access Points, such as `CreateMultiRegionAccessPoint` and `GetMultiRegionAccessPointPolicy`. When you make requests to these API operations by using the AWS Command Line Interface (AWS CLI), AWS SDKs, or Amazon S3 REST API, Amazon S3 processes these requests asynchronously. Provided that you have the appropriate permissions for the request, Amazon S3 returns a token for these requests. You can use this token with `DescribeAsyncOperation` to help you to view the status of ongoing asynchronous operations. Amazon S3 processes `DescribeAsyncOperation` requests synchronously. To view the status of asynchronous requests, you can use the Amazon S3 console, AWS CLI, SDKs, or REST API. 

**Note**  
The console displays only the status of asynchronous requests that were made within the previous 14 days. To view the status of older requests, use the AWS CLI, SDKs, or REST API. 

 Asynchronous management operations can be in one of several states: 

NEW  
 Amazon S3 has received the request and is preparing to perform the operation. 

IN_PROGRESS  
 Amazon S3 is currently performing the operation. 

SUCCESS  
 The operation succeeded. The response includes relevant information, such as the Multi-Region Access Point alias for a `CreateMultiRegionAccessPoint` request. 

FAILED  
 The operation failed. The response includes an error message that indicates the reason for the request failure. 

## Using AWS CloudTrail with Multi-Region Access Points
<a name="MultiRegionAccessPointCloudTrail"></a>

You can use AWS CloudTrail to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. With Multi-Region Access Points and CloudTrail logging, you can identify the following: 
+ Who or what took which action
+ Which resources were acted upon
+ When the event occurred
+ Other details regarding the event

You can use this logging information to help you analyze and respond to activity that occurred through your Multi-Region Access Points. 

### How to set up AWS CloudTrail for Multi-Region Access Points
<a name="MultiRegionAccessPointCTSetup"></a>

To enable CloudTrail logging for any operations related to creating or maintaining Multi-Region Access Points, you must configure CloudTrail logging to record the events in the US West (Oregon) Region. You must set up your logging configuration this way regardless of which Region you are in when making the request, or which Regions the Multi-Region Access Point supports. All requests to create or maintain a Multi-Region Access Point are routed through the US West (Oregon) Region. We recommend that you either add this Region to an existing trail or create a new trail that contains this Region and all the Regions associated with the Multi-Region Access Point.

Amazon S3 logs all requests made through a Multi-Region Access Point and requests made to the API operations that manage access points, such as `CreateMultiRegionAccessPoint` and `GetMultiRegionAccessPointPolicy`. When you log these requests through a Multi-Region Access Point, they appear in your AWS CloudTrail logs with the hostname of the Multi-Region Access Point. For example, if you make requests to a bucket through a Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, the entries in the CloudTrail log will have a hostname of `mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com`. 

Multi-Region Access Points route requests to the closest bucket. Because of this behavior, when you are looking at the CloudTrail logs for a Multi-Region Access Point, you will see requests being made to the underlying buckets. Some of those requests might be direct requests to the bucket that are not routed through the Multi-Region Access Point. Keep this fact in mind when reviewing traffic. When a bucket is in a Multi-Region Access Point, requests can still be made to that bucket directly without going through the Multi-Region Access Point. 
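The following Python sketch is an added example, not part of the AWS documentation. It separates requests that arrived through a Multi-Region Access Point from direct bucket requests by using the hostname forms described above, and lists failed requests that were routed to a bucket without the object. It assumes that each CloudTrail data event carries the request hostname in `requestParameters.Host` and the underlying bucket in `requestParameters.bucketName`; the sample records and the `NoSuchKey` error code are constructed.

```python
import json
import re
from collections import Counter

# Hostname shapes quoted on this page.
MRAP_HOST = re.compile(r"^(?P<alias>[a-z0-9]+\.mrap)\.accesspoint\.s3-global\.amazonaws\.com$")
DIRECT_HOST = re.compile(r"^(?P<bucket>.+)\.s3\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")
MRAP = "mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com"

def _rec(bucket, region, host, error=None):
    """Build one constructed record, reduced to the fields this example reads."""
    rec = {"eventName": "GetObject", "awsRegion": region,
           "requestParameters": {"bucketName": bucket, "key": "my-image.jpg", "Host": host}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample trail (not real log data), mirroring the page's three buckets.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("my-bucket-aps1", "ap-south-1", MRAP),
    _rec("my-bucket-euc1", "eu-central-1", MRAP, error="NoSuchKey"),
    _rec("my-bucket-usw2", "us-west-2", "my-bucket-usw2.s3.us-west-2.amazonaws.com"),
]})

def classify(record):
    """Return ('mrap', alias), ('direct', bucket) or ('other', host)."""
    # requestParameters can be null in CloudTrail, so guard before reading Host.
    host = str((record.get("requestParameters") or {}).get("Host") or "").lower()
    m = MRAP_HOST.match(host)
    if m:
        return "mrap", m.group("alias")
    m = DIRECT_HOST.match(host)
    if m:
        return "direct", m.group("bucket")
    return "other", host

def summarize(trail_json):
    """Count requests per (bucket, path); list failed requests that arrived via an MRAP."""
    counts, mrap_failures = Counter(), []
    for rec in json.loads(trail_json).get("Records", []):
        path, _ = classify(rec)
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName", "?")
        counts[(bucket, path)] += 1
        if path == "mrap" and rec.get("errorCode"):
            mrap_failures.append((bucket, params.get("key"), rec["errorCode"]))
    return counts, mrap_failures

if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_TRAIL)
    for (bucket, path), n in sorted(counts.items()):
        print(f"{bucket:16} {path:7} {n}")
    print("failed via MRAP:", failures)
```

A bucket that shows only `direct` entries while it belongs to a Multi-Region Access Point indicates callers that bypass the access point, which matters if your access controls are expressed in the Multi-Region Access Point policy.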

There are asynchronous events involved with creating and managing Multi-Region Access Points. Asynchronous requests don't have completion events in the CloudTrail log. For more information about asynchronous requests, see [Monitoring and logging requests made to Multi-Region Access Point management API operations](#MonitoringMultiRegionAccessPointAPIs). 

 For more information about AWS CloudTrail, see [What is AWS CloudTrail?](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) in the *AWS CloudTrail User Guide*. 