

# Managing multi-Region traffic with Multi-Region Access Points
<a name="MultiRegionAccessPoints"></a>

Amazon S3 Multi-Region Access Points provide a global endpoint that applications can use to fulfill requests from S3 buckets that are located in multiple AWS Regions. You can use Multi-Region Access Points to build multi-Region applications with the same architecture that's used in a single Region, and then run those applications anywhere in the world. Instead of sending requests over the congested public internet, Multi-Region Access Points provide built-in network resilience with acceleration of internet-based requests to Amazon S3. Application requests made to a Multi-Region Access Point global endpoint use [AWS Global Accelerator](https://docs.aws.amazon.com/global-accelerator/latest/dg/) to automatically route over the AWS global network to the closest S3 bucket that has an active routing status.

If a Regional traffic disruption occurs, you can use Multi-Region Access Points failover controls to shift the S3 data request traffic between AWS Regions and redirect S3 traffic away from the disruptions within minutes. You can also test the application resiliency against a disruption to conduct application failover and perform disaster recovery simulations. If you need to connect and accelerate requests to S3 from outside of a VPC, you can simplify applications and network architecture with Amazon S3 Multi-Region Access Points. Your Multi-Region Access Points requests will be routed over the AWS global network and then back to S3 within the AWS Region, without having to traverse the public internet. As a result, you can build more highly available applications.

During your Multi-Region Access Points creation and setup, you'll specify a set of AWS Regions where you want to store data to be served through that Multi-Region Access Point. You can use the provided Multi-Region Access Points endpoint name to connect your clients. After you've established your client connections, you can select the existing or new buckets that you'd like to route the Multi-Region Access Points requests between. Then, use [S3 Cross-Region Replication (CRR)](https://aws.amazon.com/s3/features/replication/) rules to synchronize data among buckets in those Regions.

After you've set up your Multi-Region Access Point, you can request or write data through the Multi-Region Access Point global endpoint. Amazon S3 automatically serves requests for the replicated data set from the closest available Region. Within the AWS Management Console, you can also view the underlying replication topology and replication metrics related to your Multi-Region Access Point requests. This gives you an even easier way to build, manage, and monitor storage for multi-Region applications. Alternatively, you can use Amazon CloudFront to automate the creation and configuration of S3 Multi-Region Access Points.

The following image is a graphical representation of an Amazon S3 Multi-Region Access Point in an active-active configuration. The graphic shows how Amazon S3 requests are automatically routed to buckets in the closest active AWS Region.

![\[Diagram showing requests routed through an Amazon S3 Multi-Region Access Point.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/MultiRegionAccessPoints.png)


 The following image is a graphical representation of an Amazon S3 Multi-Region Access Point in an active-passive configuration. The graphic shows how you can control Amazon S3 data-access traffic to fail over between active and passive AWS Regions.

![\[Diagram showing an Amazon S3 Multi-Region Access Point in an active-passive configuration.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/MultiRegionAccessPointsFailover.png)




**Topics**
+ [Creating Multi-Region Access Points](CreatingMultiRegionAccessPoints.md)
+ [Configuring a Multi-Region Access Point for use with AWS PrivateLink](MultiRegionAccessConfiguration.md)
+ [Making requests through a Multi-Region Access Point](MultiRegionAccessPointRequests.md)

# Creating Multi-Region Access Points
<a name="CreatingMultiRegionAccessPoints"></a>

To create a Multi-Region Access Point in Amazon S3, you do the following: 
+ Specify the name for the Multi-Region Access Point.
+ Choose one bucket in each AWS Region that you want to serve requests for the Multi-Region Access Point.
+ Configure the Amazon S3 Block Public Access settings for the Multi-Region Access Point.

You provide all of this information in a create request, which Amazon S3 processes asynchronously. Amazon S3 provides a token that you can use to monitor the status of the asynchronous creation request. 

Make sure to resolve security warnings, errors, general warnings, and suggestions from AWS Identity and Access Management Access Analyzer before you save your policy. IAM Access Analyzer runs policy checks to validate your policy against IAM [policy grammar](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) and [best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). These checks generate findings and provide actionable recommendations to help you author policies that are functional and conform to security best practices. To learn more about validating policies using IAM Access Analyzer, see [IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*. To view a list of the warnings, errors, and suggestions that are returned by IAM Access Analyzer, see [IAM Access Analyzer policy check reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html).

When you use the API, the request to create a Multi-Region Access Point is asynchronous. When you submit a request to create a Multi-Region Access Point, Amazon S3 synchronously authorizes the request. It then immediately returns a token that you can use to track the progress of the creation request. For more information about tracking asynchronous requests to create and manage Multi-Region Access Points, see [Using Multi-Region Access Points with supported API operations](MrapOperations.md). 

After you create the Multi-Region Access Point, you can create an access control policy for it. Each Multi-Region Access Point can have an associated policy. A Multi-Region Access Point policy is a resource-based policy that you can use to limit the use of the Multi-Region Access Point by resource, user, or other conditions.

**Note**  
For an application or user to be able to access an object through a Multi-Region Access Point, both of the following policies must permit the request:   
+ The access policy for the Multi-Region Access Point
+ The access policy for the underlying bucket that contains the object
When the two policies are different, the more restrictive policy takes precedence.   
To simplify permissions management for Multi-Region Access Points, you can delegate access control from the bucket to the Multi-Region Access Point. For more information, see [Multi-Region Access Point policy examples](MultiRegionAccessPointPermissions.md#MultiRegionAccessPointPolicyExamples).

Using a bucket with a Multi-Region Access Point doesn't change the bucket's behavior when the bucket is accessed through the existing bucket name or an Amazon Resource Name (ARN). All existing operations against the bucket continue to work as before. Restrictions that you include in a Multi-Region Access Point policy apply only to requests that are made through the Multi-Region Access Point. 

You can update the policy for a Multi-Region Access Point after creating it, but you can't delete the policy. However, you can update the Multi-Region Access Point policy to deny all permissions. 

**Topics**
+ [Rules for naming Amazon S3 Multi-Region Access Points](multi-region-access-point-naming.md)
+ [Rules for choosing buckets for Amazon S3 Multi-Region Access Points](multi-region-access-point-buckets.md)
+ [Create an Amazon S3 Multi-Region Access Point](multi-region-access-point-create-examples.md)
+ [Blocking public access with Amazon S3 Multi-Region Access Points](multi-region-access-point-block-public-access.md)
+ [Viewing Amazon S3 Multi-Region Access Points configuration details](multi-region-access-point-view-examples.md)
+ [Deleting a Multi-Region Access Point](multi-region-access-point-delete-examples.md)

# Rules for naming Amazon S3 Multi-Region Access Points
<a name="multi-region-access-point-naming"></a>

When you create a Multi-Region Access Point, you give it a name, which is a string that you choose. You can't change the name of the Multi-Region Access Point after it is created. The name must be unique in your AWS account, and it must conform to the naming requirements listed in [Multi-Region Access Point restrictions and limitations](MultiRegionAccessPointRestrictions.md). To help you identify the Multi-Region Access Point, use a name that is meaningful to you, to your organization, or that reflects the scenario. 

You use this name when invoking Multi-Region Access Point management operations, such as `GetMultiRegionAccessPoint` and `PutMultiRegionAccessPointPolicy`. The name is not used to send requests to the Multi-Region Access Point, and it doesn’t need to be exposed to clients who make requests by using the Multi-Region Access Point. 

When Amazon S3 creates a Multi-Region Access Point, it automatically assigns an alias to it. This alias is a unique alphanumeric string that ends in `.mrap`. The alias is used to construct the hostname and the Amazon Resource Name (ARN) for a Multi-Region Access Point. The fully qualified name is also based on the alias for the Multi-Region Access Point.

You can’t determine the name of a Multi-Region Access Point from its alias, so you can disclose an alias without risk of exposing the name, purpose, or owner of the Multi-Region Access Point. Amazon S3 selects the alias for each new Multi-Region Access Point, and the alias can’t be changed. For more information about addressing a Multi-Region Access Point, see [Making requests through a Multi-Region Access Point](MultiRegionAccessPointRequests.md). 

Multi-Region Access Point aliases are unique throughout time and aren’t based on the name or configuration of a Multi-Region Access Point. If you create a Multi-Region Access Point, and then delete it and create another one with the same name and configuration, the second Multi-Region Access Point will have a different alias than the first. New Multi-Region Access Points can never have the same alias as a previous Multi-Region Access Point.

# Rules for choosing buckets for Amazon S3 Multi-Region Access Points
<a name="multi-region-access-point-buckets"></a>

Each Multi-Region Access Point is associated with the Regions where you want to fulfill requests. The Multi-Region Access Point must be associated with exactly one bucket in each of those Regions. You specify the name of each bucket in the request to create the Multi-Region Access Point. Buckets that support the Multi-Region Access Point can either be in the same AWS account that owns the Multi-Region Access Point, or they can be in other AWS accounts.

 A single bucket can be used by multiple Multi-Region Access Points. 

**Important**  
You can specify the buckets that are associated with a Multi-Region Access Point only at the time that you create it. After it is created, you can’t add, modify, or remove buckets from the Multi-Region Access Point configuration. To change the buckets, you must delete the entire Multi-Region Access Point and create a new one. 
You can't delete a bucket that is part of a Multi-Region Access Point. If you want to delete a bucket that's attached to a Multi-Region Access Point, delete the Multi-Region Access Point first. 
If you add a bucket that's owned by another account to your Multi-Region Access Point, the bucket owner must also update their bucket policy to grant access permissions to the Multi-Region Access Point. Otherwise, the Multi-Region Access Point won't be able to retrieve data from that bucket. For example policies that show how to grant such access, see [Multi-Region Access Point policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointPermissions.html#MultiRegionAccessPointPolicyExamples). 
 Not all Regions support Multi-Region Access Points. To see the list of supported Regions, see [Multi-Region Access Point restrictions and limitations](MultiRegionAccessPointRestrictions.md). 

You can create replication rules to synchronize data between buckets. These rules enable you to automatically copy data from source buckets to destination buckets. Having buckets connected to a Multi-Region Access Point does not affect how replication works. Configuring replication with Multi-Region Access Points is described in a later section.

**Important**  
When you make a request to a Multi-Region Access Point, the Multi-Region Access Point isn't aware of the data contents of the buckets in the Multi-Region Access Point. Therefore, the bucket that gets the request might not contain the requested data. To create consistent datasets in the Amazon S3 buckets that are associated with a Multi-Region Access Point, we recommend that you configure S3 Cross-Region Replication (CRR). For more information, see [Configuring replication for use with Multi-Region Access Points](MultiRegionAccessPointBucketReplication.md).

# Create an Amazon S3 Multi-Region Access Point
<a name="multi-region-access-point-create-examples"></a>

The following example demonstrates how to create a Multi-Region Access Point by using the Amazon S3 console.

## Using the S3 console
<a name="multi-region-access-point-create-console"></a>

**To create a Multi-Region Access Point**
**Note**  
Multi-Region Access Point opt-in Regions aren't currently supported in the Amazon S3 console.

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose **Create Multi-Region Access Points** to begin creating your Multi-Region Access Point.

1. On the **Multi-Region Access Point** page, supply a name for the Multi-Region Access Point in the **Multi-Region Access Point name** field.

1. Select the buckets that will be associated with this Multi-Region Access Point. You can choose buckets that are in your account, or you can choose buckets from other accounts.
**Note**  
You must add at least one bucket from either your account or other accounts. Also, be aware that Multi-Region Access Points support only one bucket per AWS Region. Therefore, you can’t add two buckets from the same Region. [AWS Regions that are disabled by default](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html) are not supported.
   + To add a bucket that is in your account, choose **Add buckets**. A list of all the buckets in your account displays. You can search for your bucket by name, or sort the bucket names in alphabetical order.
   + To add a bucket from another account, choose **Add bucket from other accounts**. Make sure that you know the exact bucket name and AWS account ID because you can't search or browse for buckets in other accounts.
**Note**  
You must enter a valid AWS account ID and bucket name. The bucket must also be in a supported Region, or you will encounter an error when you try to create your Multi-Region Access Point. For the list of Regions that support Multi-Region Access Points, see [Multi-Region Access Points restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.html).

1. (Optional) If you need to remove a bucket that you added, choose **Remove**.
**Note**  
You can’t add or remove buckets to this Multi-Region Access Point after you’ve finished creating it.

1. Under **Block Public Access settings for this Multi-Region Access Point**, select the Block Public Access settings that you want to apply to the Multi-Region Access Point. By default, all Block Public Access settings are enabled for new Multi-Region Access Points. We recommend that you leave all settings enabled unless you know that you have a specific need to disable any of them.
**Note**  
You can't change the Block Public Access settings for a Multi-Region Access Point after the Multi-Region Access Point has been created. Therefore, if you're going to block public access, make sure that your applications work correctly without public access before you create a Multi-Region Access Point.

1. Choose **Create Multi-Region Access Point**.

**Important**  
When you add a bucket that's owned by another account to your Multi-Region Access Point, the bucket owner must also update their bucket policy to grant access permissions to the Multi-Region Access Point. Otherwise, the Multi-Region Access Point won't be able to retrieve data from that bucket. For example policies that show how to grant such access, see [Multi-Region Access Point policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointPermissions.html#MultiRegionAccessPointPolicyExamples).

## Using the AWS CLI
<a name="multi-region-access-point-create-cli"></a>

You can use the AWS CLI to create a Multi-Region Access Point. When you create the Multi-Region Access Point, you must provide all the buckets that it will support. You can't add buckets to the Multi-Region Access Point after it has been created. 

 The following example creates a Multi-Region Access Point with two buckets by using the AWS CLI. To use this example command, replace the `user input placeholders` with your own information.

**Note**  
To create a Multi-Region Access Point using buckets in an opt-in Region, make sure to [enable all opt-in Regions](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) first. Otherwise, you’ll get a `403 InvalidRegion` error when you try to create a Multi-Region Access Point using buckets for an opt-in Region that you haven’t actually opted in to.

```
aws s3control create-multi-region-access-point --account-id 111122223333 --details '{
        "Name": "simple-multiregionaccesspoint-with-two-regions",
        "PublicAccessBlock": {
            "BlockPublicAcls": true,
            "IgnorePublicAcls": true,
            "BlockPublicPolicy": true,
            "RestrictPublicBuckets": true
        },
        "Regions": [
            { "Bucket": "amzn-s3-demo-bucket1" }, 
            { "Bucket": "amzn-s3-demo-bucket2" } 
        ]
    }' --region us-west-2
```
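The rules stated above (one bucket per Region, every Region enabled in the account before creation, the 17-Region limit, and Block Public Access settings that can't be changed later) are easy to check before submitting the request, and the asynchronous token the create call returns has to be polled. The following added example (not AWS code) does both: `validate_details` takes the same `--details` payload as the CLI command above, plus a constructed bucket-to-Region mapping and the set of Regions enabled for the account, and `wait_for_operation` polls a `describe` callable with the shape of boto3's `describe_multi_region_access_point_operation`. The pending-status strings and the sample mapping are assumptions.

```python
"""Pre-flight checks and status polling for a Multi-Region Access Point create request."""
import time
from typing import Callable, Dict, List, Set, Tuple

MAX_REGIONS = 17  # limit stated in the restrictions page
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
# Request states treated as "still running". Assumption: these are the
# RequestStatus strings the SDK returns; confirm against your SDK version.
PENDING_STATES = {"NEW", "INPROGRESS"}


def validate_details(details: dict, bucket_regions: Dict[str, str],
                     enabled_regions: Set[str]) -> Tuple[List[str], List[str]]:
    """Check a create-multi-region-access-point --details payload.

    Returns (errors, warnings). Errors describe requests S3 would reject;
    warnings flag choices that cannot be changed after creation.
    bucket_regions maps bucket name -> Region (the request carries only bucket
    names, so the caller looks that up, for example with get-bucket-location);
    enabled_regions is the set of Regions enabled for the account, including
    any opt-in Regions.
    """
    errors: List[str] = []
    warnings: List[str] = []

    if not details.get("Name"):
        errors.append("Name is required; it cannot be changed after creation")

    regions = details.get("Regions", [])
    if not regions:
        errors.append("at least one bucket is required")
    if len(regions) > MAX_REGIONS:
        errors.append(f"{len(regions)} Regions requested; the limit is {MAX_REGIONS}")

    seen: Dict[str, str] = {}  # Region -> bucket already claimed for it
    for entry in regions:
        bucket = entry.get("Bucket", "")
        region = bucket_regions.get(bucket)
        if region is None:
            errors.append(f"bucket {bucket!r}: Region unknown, cannot verify one-bucket-per-Region rule")
            continue
        if region in seen:
            errors.append(f"Region {region}: two buckets ({seen[region]}, {bucket}); only one is allowed")
        seen.setdefault(region, bucket)
        if region not in enabled_regions:
            errors.append(f"Region {region} is not enabled in this account; create would fail with 403 InvalidRegion")

    # All four settings default to enabled and are immutable after creation,
    # so a disabled setting deserves an explicit warning before the request goes out.
    bpa = details.get("PublicAccessBlock", {})
    for key in BPA_KEYS:
        if bpa.get(key, True) is not True:
            warnings.append(f"{key} is disabled; Block Public Access cannot be changed after creation")
    return errors, warnings


def wait_for_operation(describe: Callable[..., dict], account_id: str,
                       request_token_arn: str, max_polls: int = 60,
                       sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll an asynchronous create request until it leaves the pending states.

    describe has the shape of boto3's
    S3Control.describe_multi_region_access_point_operation(AccountId=..., RequestTokenARN=...)
    and returns {"AsyncOperation": {"RequestStatus": ...}}. The final status is returned.
    """
    for _ in range(max_polls):
        resp = describe(AccountId=account_id, RequestTokenARN=request_token_arn)
        status = resp["AsyncOperation"]["RequestStatus"]
        if status not in PENDING_STATES:
            return status
        sleep(5)
    raise TimeoutError(f"create request {request_token_arn} still pending after {max_polls} polls")


# Constructed sample: the payload from the CLI example, plus the
# bucket -> Region mapping and enabled-Region set a caller would supply.
SAMPLE_DETAILS = {
    "Name": "simple-multiregionaccesspoint-with-two-regions",
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "Regions": [{"Bucket": "amzn-s3-demo-bucket1"}, {"Bucket": "amzn-s3-demo-bucket2"}],
}
SAMPLE_BUCKET_REGIONS = {"amzn-s3-demo-bucket1": "us-west-2",
                         "amzn-s3-demo-bucket2": "af-south-1"}  # af-south-1 is an opt-in Region

if __name__ == "__main__":
    # Passes: the opt-in Region af-south-1 has been enabled for the account.
    print(validate_details(SAMPLE_DETAILS, SAMPLE_BUCKET_REGIONS, {"us-west-2", "af-south-1"}))
    # Fails: the opt-in Region was never enabled, so S3 would return 403 InvalidRegion.
    print(validate_details(SAMPLE_DETAILS, SAMPLE_BUCKET_REGIONS, {"us-west-2"}))
```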

# Blocking public access with Amazon S3 Multi-Region Access Points
<a name="multi-region-access-point-block-public-access"></a>

Each Multi-Region Access Point has distinct settings for Amazon S3 Block Public Access. These settings operate in conjunction with the Block Public Access settings for the AWS account that owns the Multi-Region Access Point and the underlying buckets. 

When Amazon S3 authorizes a request, it applies the most restrictive combination of these settings. If the Block Public Access settings for any of these resources (the Multi-Region Access Point owner account, the underlying bucket, or the bucket owner account) block access for the requested action or resource, Amazon S3 rejects the request.

We recommend that you enable all Block Public Access settings unless you have a specific need to disable any of them. By default, all Block Public Access settings are enabled for a Multi-Region Access Point. If Block Public Access is enabled, the Multi-Region Access Point can't accept internet-based requests.

**Important**  
You can't change the Block Public Access settings for a Multi-Region Access Point after it has been created. 

 For more information about Amazon S3 Block Public Access, see [Blocking public access to your Amazon S3 storage](access-control-block-public-access.md). 

# Viewing Amazon S3 Multi-Region Access Points configuration details
<a name="multi-region-access-point-view-examples"></a>

The following example demonstrates how to view Multi-Region Access Point configuration details by using the Amazon S3 console. 

## Using the S3 console
<a name="multi-region-access-point-view-console"></a>

**To view Multi-Region Access Point configuration details**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the name of the Multi-Region Access Point for which you want to view the configuration details.
   + The **Properties** tab lists all of the buckets that are associated with your Multi-Region Access Point, the creation date, the Amazon Resource Name (ARN), and the alias. The AWS account ID column also lists any buckets owned by external accounts that are associated with your Multi-Region Access Point.
   + The **Permissions** tab lists the Block Public Access settings that are applied to the buckets associated with this Multi-Region Access Point. You can also view the Multi-Region Access Point policy for your Multi-Region Access Point, if you’ve created one. The **Info** alert on the **Permissions** page also lists all the buckets (in your account and other accounts) for this Multi-Region Access Point that have the **Public Access is blocked** setting enabled.
   + The **Replication and failover** tab provides a map view of the buckets that are associated with your Multi-Region Access Point and the Regions that the buckets reside in. If there are buckets from another account that you don’t have permission to pull data from, the Region will be marked in red on the **Replication summary** map, indicating that it is an **AWS Region with errors getting replication status**.
**Note**  
To retrieve replication status information from a bucket in an external account, the bucket owner must grant you the `s3:GetBucketReplication` permission in their bucket policy.

     This tab also provides the replication metrics, replication rules, and failover statuses for the Regions that are used with your Multi-Region Access Point.

## Using the AWS CLI
<a name="multi-region-access-point-view-cli"></a>

 You can use the AWS CLI to view the configuration details for a Multi-Region Access Point.

The following AWS CLI example gets your current Multi-Region Access Point configuration. To use this example command, replace the `user input placeholders` with your own information.

```
aws s3control get-multi-region-access-point --account-id 111122223333 --name amzn-s3-demo-bucket
```

# Deleting a Multi-Region Access Point
<a name="multi-region-access-point-delete-examples"></a>

The following procedure explains how to delete a Multi-Region Access Point by using the Amazon S3 console. Be aware that deleting a Multi-Region Access Point doesn't delete the buckets associated with the Multi-Region Access Point. Instead, it only deletes the Multi-Region Access Point itself.

**Note**  
S3 Multi-Region Access Points using buckets in AWS opt-in Regions is currently only supported through AWS SDKs and the AWS CLI. To delete a Multi-Region Access Point using buckets in an opt-in Region, make sure to specify which AWS opt-in Regions your account can use first. Otherwise, if you try to delete a Multi-Region Access Point that uses buckets in disabled AWS opt-in Regions, you'll receive an error.

## Using the S3 console
<a name="multi-region-access-point-delete-console"></a>

**To delete a Multi-Region Access Point**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Select the option button next to the name of your Multi-Region Access Point.

1. Choose **Delete**.

1. In the **Delete Multi-Region Access Point** dialog box, enter the name of the AWS bucket that you want to delete.
**Note**  
Make sure to enter a valid bucket name. Otherwise, the **Delete** button will be disabled.

1. Choose **Delete** to confirm deletion of your Multi-Region Access Point.

## Using the AWS CLI
<a name="multi-region-access-point-delete-cli"></a>

You can use the AWS CLI to delete a Multi-Region Access Point. This action does not delete the buckets associated with the Multi-Region Access Point, only the Multi-Region Access Point itself. To use this example command, replace the `user input placeholders` with your own information.

```
aws s3control delete-multi-region-access-point --account-id 123456789012 --details Name=example-multi-region-access-point-name
```

# Configuring a Multi-Region Access Point for use with AWS PrivateLink
<a name="MultiRegionAccessConfiguration"></a>

You can use Multi-Region Access Points to route Amazon S3 request traffic between AWS Regions. Each Multi-Region Access Point global endpoint routes Amazon S3 data request traffic from multiple sources without your having to build complex networking configurations with separate endpoints. These data-request traffic sources include:
+ Traffic originating in a virtual private cloud (VPC)
+ Traffic from on-premises data centers traveling over AWS PrivateLink 
+ Traffic from the public internet

If you establish an AWS PrivateLink connection to an S3 Multi-Region Access Point, you can route S3 requests into AWS, or across multiple AWS Regions, over a private connection by using a simple network architecture and configuration. When you use AWS PrivateLink, you don't need to configure a VPC peering connection.

**Topics**
+ [Configuring Multi-Region Access Point opt-in Regions](ConfiguringMrapOptInRegions.md)
+ [Configuring a Multi-Region Access Point for use with AWS PrivateLink](MultiRegionAccessPointsPrivateLink.md)
+ [Removing access to a Multi-Region Access Point from a VPC endpoint](RemovingMultiRegionAccessPointAccess.md)

# Configuring Multi-Region Access Point opt-in Regions
<a name="ConfiguringMrapOptInRegions"></a>

An AWS opt-in Region is a Region that isn’t enabled by default in your AWS account. In contrast, Regions that are enabled by default are known as AWS Regions or commercial Regions.

To start using Multi-Region Access Points in AWS opt-in Regions, you must manually enable the opt-in Region for your AWS account before creating your Multi-Region Access Point. After you enable the opt-in Region, you can create Multi-Region Access Points with buckets in the selected opt-in Region. For instructions on how to enable or disable an opt-in Region for your AWS account or AWS Organization, see [Enable or disable a Region for standalone accounts](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-standalone) or [Enable or disable a Region in your organization](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-organization).

**Note**  
Multi-Region Access Point opt-in Regions are currently only supported through AWS SDKs and AWS CLI.

 S3 Multi-Region Access Points supports the following AWS opt-in Regions:
+ `Africa (Cape Town)`
+ `Asia Pacific (Hong Kong)`
+ `Asia Pacific (Jakarta)`
+ `Asia Pacific (Melbourne)`
+ `Asia Pacific (Hyderabad)`
+ `Canada West (Calgary)`
+ `Europe (Zurich)`
+ `Europe (Milan)`
+ `Europe (Spain)`
+ `Israel (Tel Aviv)`
+ `Middle East (Bahrain)`
+ `Middle East (UAE)`

**Note**  
There are no additional costs for enabling an opt-in Region. However, creating or using a resource in a Multi-Region Access Point results in billing charges.

## Using a Multi-Region Access Point in an AWS opt-in Region
<a name="UsingMrapOptInRegions"></a>

To perform a [data plane operation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MrapOperations.html) on your Multi-Region Access Point, all associated AWS accounts must enable the opt-in Regions that are part of the Multi-Region Access Point. This requirement applies to the requester account, the Multi-Region Access Point owner, S3 bucket owners, and the VPC endpoint owner. If any of these accounts don’t enable AWS opt-in Regions, the Multi-Region Access Point requests fail. For more information about the `InvalidToken` or `AllAccessDisabled` errors, see [List of error codes](https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html#ErrorCodeList).

**Note**  
[Control plane operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MrapOperations.html) such as updating your Multi-Region Access Point policy or updating your failover configuration aren’t impacted by the opt-in Region status of any Region that is part of your Multi-Region Access Point. You also don’t need to disable any active opt-in Regions before deleting a Multi-Region Access Point.

## Disabling an active AWS opt-in Region
<a name="DisablingMrapOptInRegions"></a>

If you disable an opt-in Region that is part of your Multi-Region Access Point, requests routed to this Region result in a `403 AllAccessDisabled` error. To safely disable an opt-in Region, we recommend that you first identify an alternate Region in your Multi-Region Access Point configuration to route the traffic to. You can then use Multi-Region Access Point failover controls to mark the alternate Region as active, and mark the Region to be disabled as passive. After changing the failover controls, you can disable the Region you want to opt out of.

## Enabling a previously disabled AWS opt-in Region
<a name="EnablingDisabledMrapOptInRegions"></a>

To enable an opt-in AWS Region that was previously disabled for your Multi-Region Access Point, make sure to update your AWS account settings. After you re-enable the opt-in Region, run the [PutMultiRegionAccessPointPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutMultiRegionAccessPointPolicy.html) API operation to apply the Multi-Region Access Point policy to the opt-in Region.

If your Multi-Region Access Point is accessed through a VPC endpoint, we recommend that you update your VPCE policy and use the [ModifyVpcEndpoint](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcEndpoint.html) API operation to apply the updated VPC endpoint policy to the re-enabled opt-in Region.

## Multi-Region Access Points policy and multiple AWS accounts
<a name="UsingMrapPolicyOptInRegions"></a>

If your Multi-Region Access Points policy grants access to multiple AWS accounts, all requester accounts must also enable the same opt-in Regions in their account settings. If the requester account submits a Multi-Region Access Point request without enabling the opt-in Regions that are part of the Multi-Region Access Point, it’ll result in a `400 InvalidToken` error.

## AWS opt-in Region considerations
<a name="MrapOptInRegionsConsiderations"></a>

When you access a Multi-Region Access Point from an opt-in Region, be aware of the following:
+ When you enable an opt-in Region, it allows you to create a Multi-Region Access Point using the buckets from the opt-in Region. When you disable an opt-in Region, the Multi-Region Access Point is no longer supported in the opt-in Region. If you no longer want an opt-in Region enabled for your Multi-Region Access Point, make sure to [disable the Region for your account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-standalone) first. Then, create a new Multi-Region Access Point with your preferred list of opt-in Regions.
+ If you attempt to create your Multi-Region Access Point with a disabled opt-in Region, you’ll receive a `403 InvalidRegion` error. After you enable the opt-in Region, try creating the Multi-Region Access Point again.
+ The maximum number of supported Regions for a Multi-Region Access Point is 17 Regions. This includes both opt-in Regions and commercial Regions. For more information, see [Multi-Region Access Points restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.html).
+ Control plane requests for Multi-Region Access Points will work, even if you haven't opted in to any Regions.
+ When you're trying to create a Multi-Region Access Point for the first time, you must opt into all Regions that are part of the Multi-Region Access Point.
+ Any AWS accounts that are granted access to an S3 Multi-Region Access Point through the Multi-Region Access Point policy must also enable the same opt-in Regions that are part of the Multi-Region Access Point.

# Configuring a Multi-Region Access Point for use with AWS PrivateLink
<a name="MultiRegionAccessPointsPrivateLink"></a>

 AWS PrivateLink provides you with private connectivity to Amazon S3 using private IP addresses in your virtual private cloud (VPC). You can provision one or more interface endpoints inside your VPC to connect to Amazon S3 Multi-Region Access Points.

 You can create **com.amazonaws.s3-global.accesspoint** endpoints for Multi-Region Access Points through the AWS Management Console, AWS CLI, or AWS SDKs. To learn more about how to configure an interface endpoint for Multi-Region Access Point, see [Interface VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) in the *VPC User Guide*. 

 To make requests to a Multi-Region Access Point via interface endpoints, follow these steps to configure the VPC and the Multi-Region Access Point. 

**To configure a Multi-Region Access Point to use with AWS PrivateLink**

1. Create or have an appropriate VPC endpoint that can connect to Multi-Region Access Points. For more information about creating VPC endpoints, see [Interface VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) in the *VPC User Guide*.
**Important**  
 Make sure to create a **com.amazonaws.s3-global.accesspoint** endpoint. Other endpoint types cannot access Multi-Region Access Points. 

   After this VPC endpoint is created, all Multi-Region Access Point requests in the VPC route through this endpoint if you have private DNS enabled for the endpoint. This is enabled by default. 

1. If the Multi-Region Access Point policy does not support connections from VPC endpoints, you will need to update it.

1. Verify that the individual bucket policies will allow access to the users of the Multi-Region Access Point.

Remember that Multi-Region Access Points work by routing requests to buckets, not by fulfilling requests themselves. The originator of a request must therefore be permitted both by the Multi-Region Access Point and by each individual bucket behind it; otherwise the request might be routed to a bucket where the originator doesn't have permissions, and it fails. The Multi-Region Access Point and its buckets can be owned by the same AWS account or by different accounts, and VPCs in other accounts can use the Multi-Region Access Point if the permissions are configured correctly. 

Because of this, the VPC endpoint policy must allow access both to the Multi-Region Access Point and to each underlying bucket that you want to be able to fulfill requests. For example, suppose that you have a Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`. It is backed by buckets `amzn-s3-demo-bucket1` and `amzn-s3-demo-bucket2`, all owned by AWS account `111122223333`. In this case, the following VPC endpoint policy would allow `GetObject` requests from the VPC made to `mfzwi23gnjvgw.mrap` to be fulfilled by either backing bucket. 

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Read-buckets-and-MRAP-VPCE-policy",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*",
                "arn:aws:s3::111122223333:accesspoint/mfzwi23gnjvgw.mrap/object/*"
            ]
        }
    ]
}
```

------

As mentioned previously, you also must make sure that the Multi-Region Access Point policy is configured to support access through a VPC endpoint. You don't need to specify the VPC endpoint that is requesting access. The following sample policy grants `s3:GetObject` through the Multi-Region Access Point to any requester. Because it names a wildcard principal with no condition, the Block Public Access settings for the Multi-Region Access Point (which are enabled by default) treat it as public and block the request, so narrow the principal or add a condition before using a policy like this outside a test. 

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Open-read-MRAP-policy",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3::111122223333:accesspoint/mfzwi23gnjvgw.mrap/object/*"
        }
    ]
}
```

------

The individual buckets also need a policy that permits requests that arrive through the VPC endpoint. The following example grants `s3:GetObject` on the objects in both buckets to any principal, which includes requests made through the VPC endpoint. Because the statement has no condition, the Block Public Access settings for the Multi-Region Access Point (enabled by default) and, if enabled, for the buckets and their accounts treat it as public and block the request. In production, scope the grant instead, for example by delegating bucket access to the Multi-Region Access Point with the `s3:DataAccessPointArn` condition key shown in [Multi-Region Access Point policy examples](#MultiRegionAccessPointPolicyExamples). 

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Public-read",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
```

------

 For more information about editing a VPC endpoint policy, see [Control access to services with VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the *VPC User Guide*. 

# Removing access to a Multi-Region Access Point from a VPC endpoint
<a name="RemovingMultiRegionAccessPointAccess"></a>

If you own a Multi-Region Access Point and want to remove access to it from an interface endpoint, you must supply a new access policy for the Multi-Region Access Point that prevents access for requests coming through VPC endpoints. However, if the buckets in your Multi-Region Access Point support requests through VPC endpoints, they will continue to support these requests. If you want to prevent that support, you must also update the policies for the buckets. Supplying a new access policy to the Multi-Region Access Point prevents access only to the Multi-Region Access Point, not to the underlying buckets. 

**Note**  
You can't delete an access policy for a Multi-Region Access Point. To remove access to a Multi-Region Access Point, you must provide a new access policy with the modified access that you want. 

Instead of updating the access policy for the Multi-Region Access Point, you can update the bucket policies to prevent requests through VPC endpoints. In this case, users can still access the Multi-Region Access Point through the VPC endpoint. However, if the Multi-Region Access Point request is routed to a bucket where the bucket policy prevents access, the request will generate an error message. 

# Making requests through a Multi-Region Access Point
<a name="MultiRegionAccessPointRequests"></a>

Like other resources, Amazon S3 Multi-Region Access Points have Amazon Resource Names (ARNs). You can use these ARNs to direct requests to Multi-Region Access Points by using the AWS Command Line Interface (AWS CLI), AWS SDKs, or the Amazon S3 API. You can also use these ARNs to identify Multi-Region Access Points in access control policies. A Multi-Region Access Point ARN doesn't include or disclose the name of the Multi-Region Access Point. For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.

**Note**  
The Multi-Region Access Point alias and ARN cannot be used interchangeably.

Multi-Region Access Point ARNs use the following format:

 `arn:aws:s3::account-id:accesspoint/MultiRegionAccessPoint_alias`

The following are a few examples of Multi-Region Access Point ARNs: 
+ `arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap` represents the Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, which is owned by AWS account `123456789012`. 
+ `arn:aws:s3::123456789012:accesspoint/*` represents all Multi-Region Access Points under the account `123456789012`. This ARN matches all Multi-Region Access Points for account `123456789012`, but doesn't match any Regional Amazon S3 Access Points because the ARN doesn’t include an AWS Region. In contrast, the ARN `arn:aws:s3:us-west-2:123456789012:accesspoint/*` matches all Regional Amazon S3 Access Points in the Region `us-west-2` for the account `123456789012`, but doesn't match any Multi-Region Access Points. 

ARNs for objects that are accessed through a Multi-Region Access Point use the following format:

 `arn:aws:s3::account_id:accesspoint/MultiRegionAccessPoint_alias/object/key`

As with Multi-Region Access Point ARNs, the ARNs for objects that are accessed through Multi-Region Access Points don't include an AWS Region. Here are some examples. 
+ `arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/-01` represents the object with key `-01`, accessed through the Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, which is owned by account `123456789012`. 
+ `arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/*` represents all objects that can be accessed through the Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, in account `123456789012`. 
+ `arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/-01/finance/*` represents all objects under the key prefix `-01/finance/` that can be accessed through the Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, in account `123456789012`. 

## Multi-Region Access Point hostnames
<a name="MultiRegionAccessPointHostnames"></a>

You can access data in Amazon S3 through a Multi-Region Access Point by using the hostname of the Multi-Region Access Point. Requests can be directed to this hostname from the public internet. If you have configured one or more internet gateways for the Multi-Region Access Point, requests can also be directed to this hostname from a virtual private cloud (VPC). For more information about creating VPC interface endpoints to use with Multi-Region Access Points, see [Configuring a Multi-Region Access Point for use with AWS PrivateLink](MultiRegionAccessPointsPrivateLink.md). 

To make requests through a Multi-Region Access Point from a VPC by using a VPC endpoint, you can use AWS PrivateLink. When you're making requests to a Multi-Region Access Point by using AWS PrivateLink, you cannot directly use an endpoint-specific Regional DNS name that ends with `region.vpce.amazonaws.com`. This hostname has no TLS certificate associated with it, so it cannot be used directly. You can still use the public DNS name of the VPC endpoint as a `CNAME` or `ALIAS` target. Alternatively, you can enable private DNS on the endpoint and use the standard Multi-Region Access Point DNS name, `MultiRegionAccessPoint_alias.accesspoint.s3-global.amazonaws.com`, as described in this section. 

When you make requests to the API for Amazon S3 data operations (for example, `GetObject`) through a Multi-Region Access Point, the hostname for the request is as follows: 

`MultiRegionAccessPoint_alias.accesspoint.s3-global.amazonaws.com` 

For example, to make a `GetObject` request through the Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, make a request to the hostname `mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com`. The `s3-global` portion of the hostname indicates that this hostname is not for a specific Region.

Making requests through a Multi-Region Access Point is similar to making requests through a single-Region access point. However, it's important to be aware of the following differences: 
+  Multi-Region Access Point ARNs don't include an AWS Region. They follow the format `arn:aws:s3::account-id:accesspoint/MultiRegionAccessPoint_alias`. 
+  For requests made through API operations (these requests don't require the use of an ARN), Multi-Region Access Points use a different endpoint scheme. The scheme is `MultiRegionAccessPoint_alias.accesspoint.s3-global.amazonaws.com`—for example, `mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com`. Note the differences compared to a single-Region access point: 
  + Multi-Region Access Point hostnames use their alias, not the Multi-Region Access Point name. 
  + Multi-Region Access Point hostnames don't include the owner's AWS account ID. 
  + Multi-Region Access Point hostnames don't include an AWS Region. 
  + Multi-Region Access Point hostnames include `s3-global.amazonaws.com` instead of `s3.amazonaws.com`. 
+ Multi-Region Access Point requests must be signed by using Signature Version 4A (SigV4A). When you use a supported AWS SDK, the SDK signs Multi-Region Access Point requests with SigV4A automatically instead of SigV4. Therefore, make sure that your [AWS SDK supports](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html) SigV4A as the signing implementation for requests to the global endpoint. For more information about SigV4A, see [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) in the *AWS General Reference*. 
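
The ARN and hostname rules above, as an added example that is not part of the page or of any AWS SDK: a small Python helper (hypothetical module, not an AWS API) that classifies an S3 ARN as a Multi-Region Access Point, a Regional access point, or a bucket by whether the Region field is empty, and derives the `s3-global` data-plane hostname from an alias. The alias pattern (lowercase letters and digits followed by `.mrap`) and the Region pattern are assumptions based on the forms shown on this page; the sample ARNs are the page's own placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical helper (added example, not AWS code). The regexes encode the ARN
# shapes this page describes: Multi-Region Access Point ARNs leave the Region
# field empty, Regional access point ARNs fill it, and bucket ARNs carry neither
# Region nor account ID. Alias and Region patterns are assumptions.
_MRAP_RE = re.compile(
    r"^arn:aws:s3::(?P<account>\d{12}):accesspoint/"
    r"(?P<alias>[a-z0-9]+\.mrap|\*)(?:/object/(?P<key>.*))?$"
)
_REGIONAL_AP_RE = re.compile(
    r"^arn:aws:s3:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d|\*):(?P<account>\d{12}):accesspoint/"
    r"(?P<name>[a-z0-9-]+|\*)(?:/object/(?P<key>.*))?$"
)
_BUCKET_RE = re.compile(r"^arn:aws:s3:::(?P<bucket>[a-z0-9.*-]+)(?:/(?P<key>.*))?$")


@dataclass
class S3Resource:
    kind: str              # "mrap", "regional_access_point" or "bucket"
    account: Optional[str]
    region: Optional[str]
    name: str              # MRAP alias, access point name or bucket name
    key: Optional[str]     # object key or key pattern when the ARN addresses objects


def parse_s3_arn(arn: str) -> S3Resource:
    """Classify an S3 ARN; raise ValueError for anything else."""
    m = _MRAP_RE.match(arn)
    if m:
        return S3Resource("mrap", m["account"], None, m["alias"], m["key"])
    m = _REGIONAL_AP_RE.match(arn)
    if m:
        return S3Resource("regional_access_point", m["account"], m["region"], m["name"], m["key"])
    m = _BUCKET_RE.match(arn)
    if m:
        return S3Resource("bucket", None, None, m["bucket"], m["key"])
    raise ValueError(f"not a recognised S3 ARN: {arn}")


def mrap_hostname(alias: str) -> str:
    """Data-plane hostname for an alias: no account ID, no Region, s3-global."""
    if not re.fullmatch(r"[a-z0-9]+\.mrap", alias):
        raise ValueError(f"not a Multi-Region Access Point alias: {alias}")
    return f"{alias}.accesspoint.s3-global.amazonaws.com"


def mrap_object_arn(account: str, alias: str, key: str) -> str:
    """ARN for an object reached through the MRAP, in the form policies use."""
    return f"arn:aws:s3::{account}:accesspoint/{alias}/object/{key}"


if __name__ == "__main__":
    for arn in (
        "arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap",
        "arn:aws:s3::123456789012:accesspoint/*",
        "arn:aws:s3:us-west-2:123456789012:accesspoint/*",
        "arn:aws:s3:::amzn-s3-demo-bucket1/*",
    ):
        print(arn, "->", parse_s3_arn(arn).kind)
    print(mrap_hostname("mfzwi23gnjvgw.mrap"))
```

The classifier is the kind of check you would run over IAM and bucket policies when auditing which statements reach Multi-Region Access Points rather than Regional access points: the two wildcard ARNs differ only in whether the Region field between the two colons is empty.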

## Multi-Region Access Points and Amazon S3 Transfer Acceleration
<a name="MultiRegionAccessPointsAndTransferAcceleration"></a>

Amazon S3 Transfer Acceleration is a feature that enables fast transfer of data to buckets. Transfer Acceleration is configured on the individual bucket level. For more information about Transfer Acceleration, see [Configuring fast, secure file transfers using Amazon S3 Transfer Acceleration](transfer-acceleration.md). 

Multi-Region Access Points use a similar accelerated transfer mechanism as Transfer Acceleration for sending large objects over the AWS network. Because of this, you don't need to use Transfer Acceleration when sending requests through a Multi-Region Access Point. This increased transfer performance is automatically incorporated into the Multi-Region Access Point. 

**Topics**
+ [Multi-Region Access Point hostnames](#MultiRegionAccessPointHostnames)
+ [Multi-Region Access Points and Amazon S3 Transfer Acceleration](#MultiRegionAccessPointsAndTransferAcceleration)
+ [Permissions](MultiRegionAccessPointPermissions.md)
+ [Multi-Region Access Point restrictions and limitations](MultiRegionAccessPointRestrictions.md)
+ [Multi-Region Access Point request routing](MultiRegionAccessPointRequestRouting.md)
+ [Amazon S3 Multi-Region Access Points failover controls](MrapFailover.md)
+ [Configuring replication for use with Multi-Region Access Points](MultiRegionAccessPointBucketReplication.md)
+ [Using Multi-Region Access Points with supported API operations](MrapOperations.md)
+ [Monitoring and logging requests made through a Multi-Region Access Point to underlying resources](MultiRegionAccessPointMonitoring.md)

# Permissions
<a name="MultiRegionAccessPointPermissions"></a>

Amazon S3 Multi-Region Access Points can simplify data access for Amazon S3 buckets in multiple AWS Regions. Multi-Region Access Points are named global endpoints that you can use to perform Amazon S3 data-access object operations, such as `GetObject` and `PutObject`. Each Multi-Region Access Point can have distinct permissions and network controls for any request that is made through the global endpoint.

Each Multi-Region Access Point can also enforce a customized access policy that works in conjunction with the bucket policy that is attached to the underlying bucket. For a cross-account request to succeed, the following policies must permit the operation:
+ The Multi-Region Access Point policy
+ The underlying AWS Identity and Access Management (IAM) policy
+ The underlying bucket policy (where the request is routed to)

**Note**  
For same account requests, only the underlying IAM policy, which grants the appropriate access, is required.

You can configure any Multi-Region Access Point policy to accept requests only from specific IAM users or groups. For an example of how to do this, see Example 2 in [Multi-Region Access Point policy examples](#MultiRegionAccessPointPolicyExamples). To restrict Amazon S3 data access to a private network, you can configure the Multi-Region Access Point policy to accept requests only from a virtual private cloud (VPC).

For example, suppose that you make a `GetObject` request through a Multi-Region Access Point by using a user called `AppDataReader` in your AWS account. To help ensure that the request won't be denied, the `AppDataReader` user must be granted the `s3:GetObject` permission by the Multi-Region Access Point and by each bucket underlying the Multi-Region Access Point. `AppDataReader` won't be able to retrieve data from any bucket that doesn't grant this permission.

**Important**  
Delegating access control for a bucket to a Multi-Region Access Point policy doesn't change the bucket's behavior when the bucket is accessed directly through its bucket name or Amazon Resource Name (ARN). All operations made directly against the bucket will continue to work as before. Restrictions that you include in a Multi-Region Access Point policy apply only to requests made through that Multi-Region Access Point.

## Managing public access to a Multi-Region Access Point
<a name="MultiRegionAccessPointPublicAccess"></a>

Multi-Region Access Points support independent Block Public Access settings for each Multi-Region Access Point. When you create a Multi-Region Access Point, you can specify the Block Public Access settings that apply to that Multi-Region Access Point. 

**Note**  
Any Block Public Access settings that are enabled under **Block Public Access settings for this account** (in your own account) or **Block Public Access settings for external buckets** still apply even if the independent Block Public Access settings for your Multi-Region Access Point are disabled.

For any request that is made through a Multi-Region Access Point, Amazon S3 evaluates the Block Public Access settings for:
+ The Multi-Region Access Point
+ The underlying buckets (including external buckets)
+ The account that owns the Multi-Region Access Point
+ The account that owns the underlying buckets (including external accounts)

If any of these settings indicate that the request should be blocked, Amazon S3 rejects the request. For more information about the Amazon S3 Block Public Access feature, see [Blocking public access to your Amazon S3 storage](access-control-block-public-access.md). 

**Important**  
By default, all Block Public Access settings are enabled for Multi-Region Access Points. You must explicitly turn off any settings that you don't want to apply to a Multi-Region Access Point.   
You can't change the Block Public Access settings for a Multi-Region Access Point after it has been created. 

## Viewing Block Public Access settings for a Multi-Region Access Point
<a name="viewing-bpa-mrap-settings"></a>

**To view the Block Public Access settings for a Multi-Region Access Point**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the name of the Multi-Region Access Point that you want to review.

1. Choose the **Permissions** tab.

1. Under **Block Public Access settings for this Multi-Region Access Point**, review the Block Public Access settings for your Multi-Region Access Point.
**Note**  
You can't edit the Block Public Access settings after the Multi-Region Access Point is created. Therefore, if you're going to block public access, make sure that your applications work correctly without public access before you create a Multi-Region Access Point. 

## Using a Multi-Region Access Point policy
<a name="use-mrap-policy"></a>

The following example Multi-Region Access Point policy grants an IAM user access to list and download files from your Multi-Region Access Point. To use this example policy, replace the `user input placeholders` with your own information.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/JohnDoe"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias",
                "arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias/object/*"
            ]
        }
    ]
}
```

------

To associate your Multi-Region Access Point policy with the specified Multi-Region Access Point by using the AWS Command Line Interface (AWS CLI), use the following `put-multi-region-access-point-policy` command. To use this example command, replace the `user input placeholders` with your own information. Multi-Region Access Point control plane commands must be sent to the US West (Oregon) Region, so pass `--region us-west-2` or configure it as your default Region. Each Multi-Region Access Point can have only one policy, so a request made to the `put-multi-region-access-point-policy` action replaces any existing policy that is associated with the specified Multi-Region Access Point. The operation is asynchronous: it returns a request token ARN that you use to check its status.

------
#### [ AWS CLI ]

```
aws s3control put-multi-region-access-point-policy \
    --region us-west-2 \
    --account-id 111122223333 \
    --details '{ "Name": "amzn-s3-demo-bucket-MultiRegionAccessPoint", "Policy": "{ \"Version\": \"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::111122223333:root\" }, \"Action\": [\"s3:ListBucket\", \"s3:GetObject\"], \"Resource\": [ \"arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias\", \"arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias/object/*\" ] } }" }'
```

------

To query your results for the previous operation, use the following command:

------
#### [ AWS CLI ]

```
aws s3control describe-multi-region-access-point-operation \
    --region us-west-2 \
    --account-id 111122223333 \
    --request-token-arn requestArn
```

------

To retrieve your Multi-Region Access Point policy, use the following command:

------
#### [ AWS CLI ]

```
aws s3control get-multi-region-access-point-policy \
    --region us-west-2 \
    --account-id 111122223333 \
    --name amzn-s3-demo-bucket-MultiRegionAccessPoint
```

------

## Editing the Multi-Region Access Point policy
<a name="editing-mrap-policy"></a>

The Multi-Region Access Point policy (written in JSON) provides storage access to the Amazon S3 buckets that are used with this Multi-Region Access Point. You can allow or deny specific principals to perform various actions on your Multi-Region Access Point. When a request is routed to a bucket through the Multi-Region Access Point, both the access policies for the Multi-Region Access Point and the bucket apply. The more restrictive access policy always takes precedence. 

**Note**  
If a bucket contains objects that are owned by other accounts, the Multi-Region Access Point policy doesn't apply to the objects that are owned by other AWS accounts.

After you apply a Multi-Region Access Point policy, the policy cannot be deleted. You can either edit the policy or create a new policy that overwrites the existing one.

**To edit the Multi-Region Access Point policy**



1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the name of the Multi-Region Access Point that you want to edit the policy for.

1. Choose the **Permissions** tab.

1. Scroll down to the **Multi-Region Access Point policy** section. Choose **Edit** to update the policy (in JSON).

1. The **Edit Multi-Region Access Point policy** page appears. You can either enter the policy directly into the text field, or you can choose **Add statement** to select policy elements from a dropdown list.
**Note**  
The console automatically displays the Multi-Region Access Point Amazon Resource Name (ARN), which you can use in the policy. For example Multi-Region Access Point policies, see [Multi-Region Access Point policy examples](#MultiRegionAccessPointPolicyExamples).

## Multi-Region Access Point policy examples
<a name="MultiRegionAccessPointPolicyExamples"></a>

Amazon S3 Multi-Region Access Points support AWS Identity and Access Management (IAM) resource policies. You can use these policies to control the use of the Multi-Region Access Point by resource, user, or other conditions. For an application or user to be able to access objects through a Multi-Region Access Point, both the Multi-Region Access Point and the underlying bucket must allow the same access.

To allow the same access to both the Multi-Region Access Point and the underlying bucket, do one of the following:
+ **(Recommended)** To simplify access controls when using an Amazon S3 Multi-Region Access Point, delegate access control for the Amazon S3 bucket to the Multi-Region Access Point. For an example of how to do this, see Example 1 in this section. 
+ Add the same permissions contained in the Multi-Region Access Point policy to the underlying bucket policy.

**Important**  
Delegating access control for a bucket to a Multi-Region Access Point policy doesn't change the bucket's behavior when the bucket is accessed directly through its bucket name or Amazon Resource Name (ARN). All operations made directly against the bucket will continue to work as before. Restrictions that you include in a Multi-Region Access Point policy apply only to requests made through that Multi-Region Access Point.

**Example 1 – Delegating access to specific Multi-Region Access Points in your bucket policy (for the same account or cross-account)**  
The following example bucket policy grants full bucket access to a specific Multi-Region Access Point. This means that all access to this bucket is controlled by the policies that are attached to the Multi-Region Access Point. We recommend configuring your buckets this way for all use cases that don't require direct access to the bucket. You can use this bucket policy structure for Multi-Region Access Points in either the same account or in another account.    
****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { "AWS": "*" },
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:DataAccessPointArn": "arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias"
                }
            }
        }
    ]
}
```
If there are multiple Multi-Region Access Points that you're granting access to, make sure to list each Multi-Region Access Point.

**Example 2 – Granting an account access to a Multi-Region Access Point in your Multi-Region Access Point policy**  
The following Multi-Region Access Point policy allows the IAM user `JohnDoe` in account `111122223333` to list and read the objects reachable through the Multi-Region Access Point identified by the ARN `arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias`.    
****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:user/JohnDoe"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias",
                "arn:aws:s3::111122223333:accesspoint/MultiRegionAccessPoint_alias/object/*"
            ]
        }
    ]
}
```
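
Added example, not the page's or AWS's code: a reduced policy evaluator that models the rule stated in both [Configuring a Multi-Region Access Point for use with AWS PrivateLink](MultiRegionAccessPointsPrivateLink.md) and the Permissions section above, namely that the VPC endpoint policy (when the request arrives through PrivateLink), the Multi-Region Access Point policy and the bucket policy must each allow the request. The policies are constructed in the shapes of Example 1 and Example 2 with the page's placeholder account ID and alias; the bucket policy additionally carries an explicit Deny on a `secret/` prefix. The evaluator handles only wildcard matching on `Principal`, `Action` and `Resource` and the `StringEquals` operator, which is all these examples use, and it does not model IAM identity policies, Block Public Access, or account-root principal shorthand.

```python
import fnmatch
from typing import Any, Dict, Optional

# Constructed placeholders (added example; not AWS code or a real account).
MRAP_ARN = "arn:aws:s3::111122223333:accesspoint/mfzwi23gnjvgw.mrap"
BUCKET_ARN = "arn:aws:s3:::amzn-s3-demo-bucket"
READER = "arn:aws:iam::111122223333:user/JohnDoe"

# Bucket policy in the Example 1 shape (delegate to one MRAP), plus an explicit
# Deny on a prefix that no MRAP policy can override.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "*",
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"StringEquals": {"s3:DataAccessPointArn": MRAP_ARN}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
     "Resource": BUCKET_ARN + "/secret/*"}]}

# MRAP policy in the Example 2 shape: one IAM user may list and read.
MRAP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": READER},
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": [MRAP_ARN, MRAP_ARN + "/object/*"]}]}

# VPC endpoint policies in the PrivateLink-section shape. The first forgets the
# backing bucket, the mistake that section warns about; the second lists both.
VPCE_POLICY_INCOMPLETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": MRAP_ARN + "/object/*"}]}
VPCE_POLICY_COMPLETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": [MRAP_ARN + "/object/*", BUCKET_ARN + "/*"]}]}


def _as_list(v: Any) -> list:
    return v if isinstance(v, list) else [v]


def _principal_matches(principal: Any, caller: str) -> bool:
    # Exact principal ARNs or "*" only; account-root shorthand is not modelled.
    if isinstance(principal, str):
        return principal in ("*", caller)
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or caller in aws


def _conditions_hold(cond: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    # Only StringEquals is modelled; it is all the page's examples use.
    for op, pairs in cond.items():
        if op != "StringEquals":
            raise NotImplementedError(f"condition operator {op} not modelled")
        for key, expected in pairs.items():
            if ctx.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy: Dict[str, Any], caller: str, action: str,
             resource: str, ctx: Dict[str, str]) -> str:
    """Verdict of one resource policy: 'Allow', 'Deny' or 'ImplicitDeny'."""
    verdict = "ImplicitDeny"
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], caller):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny beats every Allow
        verdict = "Allow"
    return verdict


def request_allowed(caller: str, action: str, key: str,
                    mrap_policy: Dict[str, Any], bucket_policy: Dict[str, Any],
                    vpce_policy: Optional[Dict[str, Any]] = None) -> bool:
    """A request routed through the MRAP succeeds only if every policy on the
    path allows it: the VPC endpoint policy (when present) for both ARNs, the
    MRAP policy for the MRAP ARN, and the bucket policy for the bucket ARN,
    evaluated with s3:DataAccessPointArn set in the request context."""
    ctx = {"s3:DataAccessPointArn": MRAP_ARN}
    listing = action == "s3:ListBucket"
    mrap_res = MRAP_ARN if listing else f"{MRAP_ARN}/object/{key}"
    bucket_res = BUCKET_ARN if listing else f"{BUCKET_ARN}/{key}"
    verdicts = [evaluate(mrap_policy, caller, action, mrap_res, ctx),
                evaluate(bucket_policy, caller, action, bucket_res, ctx)]
    if vpce_policy is not None:
        verdicts += [evaluate(vpce_policy, caller, action, r, ctx)
                     for r in (mrap_res, bucket_res)]
    return all(v == "Allow" for v in verdicts)
```

Two results are worth noting. `request_allowed` returns `False` for the Example 2 reader on `secret/keys.json` even though the Multi-Region Access Point policy allows it, because the explicit Deny in the bucket policy wins, which is the "more restrictive policy takes precedence" rule. Calling `evaluate` on the bucket policy without `s3:DataAccessPointArn` in the context returns `ImplicitDeny`, showing that the delegating statement grants nothing to requests that bypass the Multi-Region Access Point; such requests fall back to whatever the caller's IAM policies allow directly.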

**Example 3 – Multi-Region Access Point policy that allows bucket listing**  
The following Multi-Region Access Point policy allows account `123456789012` permission to list the objects contained in the Multi-Region Access Point defined by the *`MultiRegionAccessPoint_ARN`*.

# Multi-Region Access Point restrictions and limitations
<a name="MultiRegionAccessPointRestrictions"></a>

Multi-Region Access Points in Amazon S3 have the following restrictions and limitations. 

## Names and aliases
<a name="MultiRegionAccessPointRestrictions-Names"></a>

Multi-Region Access Point names must meet the following requirements:
+  Must be unique within a single AWS account.
+  Must begin with a number or lowercase letter.
+  Must be between 3 and 50 characters long.
+ Can't begin or end with a hyphen (`-`).
+ Can't contain underscores (`_`), uppercase letters, or periods (`.`).
+  Can't be edited after they are created.

Multi-Region Access Point aliases (which are different from a Multi-Region Access Point name), are automatically generated by Amazon S3 and can't be edited or reused. For more information about the difference between Multi-Region Access Point aliases and Multi-Region Access Point names and their respective naming rules, see [Rules for naming Amazon S3 Multi-Region Access Points](multi-region-access-point-naming.md).

## Accessing a Multi-Region Access Point
<a name="MultiRegionAccessPointRestrictions-Access"></a>

You can't access data through a Multi-Region Access Point by using gateway endpoints. However, you can access data through a Multi-Region Access Point by using interface endpoints. To use AWS PrivateLink, you must create VPC endpoints. For more information, see [Configuring a Multi-Region Access Point for use with AWS PrivateLink](MultiRegionAccessPointsPrivateLink.md). However, be aware that IPv6 isn't supported.

To use Multi-Region Access Points with Amazon CloudFront, you must configure the Multi-Region Access Point as a `Custom Origin` distribution type. For more information about various origin types, see [Using various origins with CloudFront distributions](https://docs.aws.amazon.com//AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html). For more information about using Multi-Region Access Points with Amazon CloudFront, see [ Building an active-active, proximity-based application across multiple Regions](https://aws.amazon.com/blogs/storage/building-an-active-active-latency-based-application-across-multiple-regions/) on the *AWS Storage Blog*.

**Note**  
S3 on Outposts buckets aren't supported.

## Signing AWS API requests
<a name="MultiRegionAccessPointRestrictions-Signing"></a>

To sign an AWS API request to a Multi-Region Access Point, your client must meet the following minimum requirements:

**Note**  
Multi-Region Access Points don't support anonymous requests.
+ Support for Transport Layer Security (TLS) version 1.2.
+ Support for Signature Version 4A (SigV4A). This extension of SigV4 allows a request to be signed for multiple AWS Regions at once, which a Multi-Region Access Point request needs because it can be served from any of several Regions. When you use a supported AWS SDK, you supply your credentials, and requests to Multi-Region Access Points are signed with SigV4A without additional configuration. Make sure to check your [AWS SDK compatibility](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html) with the SigV4A algorithm. For more information about SigV4A, see [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) in the *AWS General Reference*.
**Note**  
To use SigV4A with temporary security credentials—for example, when using AWS Identity and Access Management (IAM) roles—you can request the temporary credentials from a Regional AWS Security Token Service (AWS STS) endpoint. If you request temporary credentials from the global AWS STS endpoint (`sts.amazonaws.com`), then you must first set the Region compatibility of session tokens for the global endpoint to be valid in all AWS Regions. For more information, see [Managing AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) in the *IAM User Guide*.

## Amazon S3 API operations
<a name="MultiRegionAccessPointRestrictions-API"></a>
+ `CopyObject` is supported as a destination only when using the Multi-Region Access Point ARN.
+ The S3 Batch Operations feature isn't supported.

## AWS SDKs
<a name="MultiRegionAccessPointRestrictions-SDKs"></a>

Certain AWS SDKs aren't supported. To confirm which AWS SDKs are supported for Multi-Region Access Points, see [Compatibility with AWS SDKs](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html#s3-mrap-sdk-compat).

## Service quotas
<a name="MultiRegionAccessPointRestrictions-Quotas"></a>

Be aware of the following service quota limitations:
+ There is a maximum of 100 Multi-Region Access Points per account.
+ There is a limit of 17 Regions for a single Multi-Region Access Point.

## Creating, deleting, or modifying a Multi-Region Access Point
<a name="MultiRegionAccessPointRestrictions-Modifying"></a>

When you create, delete, or modify a Multi-Region Access Point, be aware of the following rules and restrictions:
+ After you create a Multi-Region Access Point, you can’t add, modify, or remove buckets from the Multi-Region Access Point configuration. To change the buckets, you must delete the entire Multi-Region Access Point and create a new one. If a cross-account bucket in your Multi-Region Access Point is deleted, the only way to reconnect this bucket is to recreate the bucket, using the same name and Region in that account.
+ Underlying buckets (in the same account) that are used in a Multi-Region Access Point can be deleted only after a Multi-Region Access Point is deleted.

## Region support
<a name="MultiRegionAccessPointRestrictions-RegionSupport"></a>

**Control plane requests**

All control plane requests to create or maintain Multi-Region Access Points must be routed to the `US West (Oregon)` Region. For Multi-Region Access Point data plane requests, Regions don't need to be specified. 

For the Multi-Region Access Point failover control plane, requests must be routed to one of these five supported Regions:
+ `US East (N. Virginia)`
+ `US West (Oregon)`
+ `Asia Pacific (Sydney)`
+ `Asia Pacific (Tokyo)`
+ `Europe (Ireland)`

**Regions enabled by default**

Your Multi-Region Access Point supports buckets in the following default AWS Regions (which are [enabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) in your AWS account):
+ `US East (N. Virginia)`
+ `US East (Ohio)`
+ `US West (N. California)`
+ `US West (Oregon)`
+ `Asia Pacific (Mumbai)`
+ `Asia Pacific (Osaka)`
+ `Asia Pacific (Seoul)`
+ `Asia Pacific (Singapore)`
+ `Asia Pacific (Sydney)`
+ `Asia Pacific (Tokyo)`
+ `Canada (Central)`
+ `Europe (Frankfurt)`
+ `Europe (Ireland)`
+ `Europe (London)`
+ `Europe (Paris)`
+ `Europe (Stockholm)`
+ `South America (São Paulo)`

**AWS opt-in Regions**

Your Multi-Region Access Point also supports buckets in the following opt-in AWS Regions (which are [disabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) in your AWS account):
+ `Africa (Cape Town)`
+ `Asia Pacific (Hong Kong)`
+ `Asia Pacific (Jakarta)`
+ `Asia Pacific (Melbourne)`
+ `Asia Pacific (Hyderabad)`
+ `Canada West (Calgary)`
+ `Europe (Zurich)`
+ `Europe (Milan)`
+ `Europe (Spain)`
+ `Israel (Tel Aviv)`
+ `Middle East (Bahrain)`
+ `Middle East (UAE)`

**Note**  
There are no additional costs for enabling an opt-in Region. However, creating or using a resource in a Multi-Region Access Point results in billing charges.

An opt-in Region must be manually enabled when configuring or creating your Multi-Region Access Point. For more information about opt-in Region behaviors for Multi-Region Access Points, see [Configuring Multi-Region Access Point opt-in Regions](ConfiguringMrapOptInRegions.md). For information about how to enable an opt-in Region in your AWS account, see [Enable or disable a Region for standalone accounts](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-standalone) in the *AWS Account Management Reference Guide*.

# Multi-Region Access Point request routing
<a name="MultiRegionAccessPointRequestRouting"></a>

When you make a request through a Multi-Region Access Point, Amazon S3 determines which of the buckets that are associated with the Multi-Region Access Point is closest to you. Amazon S3 then directs the request to that bucket, regardless of the AWS Region it is located in.

After the Multi-Region Access Point routes the request to the closest-proximity bucket, Amazon S3 processes the request as if you made it directly to that bucket. Multi-Region Access Points aren't aware of the data contents of an Amazon S3 bucket. Therefore, the bucket that gets the request might not contain the requested data. To create consistent datasets in the Amazon S3 buckets that are associated with a Multi-Region Access Point, you can configure S3 Cross-Region Replication (CRR). Then any bucket can fulfill the request successfully. 

Amazon S3 directs Multi-Region Access Point requests according to the following rules:
+ Amazon S3 optimizes requests to be fulfilled according to proximity. It looks at the buckets supported by the Multi-Region Access Point and relays the request to the bucket that has the closest proximity. 
+ If the request specifies an existing resource (for example, `GetObject`), Amazon S3 does *not* consider the name of the object when fulfilling the request. This means that even if an object exists in one bucket in the Multi-Region Access Point, your request can be routed to a bucket that doesn't contain the object. This situation will result in a 404 error message being returned to the client. 

  To avoid 404 errors, we recommend that you configure S3 Cross-Region Replication (CRR) for your buckets. Replication helps resolve the potential issue when the object that you want is in a bucket in the Multi-Region Access Point, but it's not located in the specific bucket that your request was routed to. For more information about configuring replication, see [Configuring replication for use with Multi-Region Access Points](MultiRegionAccessPointBucketReplication.md). 

  To ensure that your requests are fulfilled by using the specific objects that you want, we also recommend that you turn on bucket versioning and include version IDs in your requests. This approach helps ensure that you have the correct version of the object that you are looking for. Versioning-enabled buckets can also help you recover objects from accidental overwrite. For more information, see [Using S3 Versioning in S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html).
+ If the request is to create a resource (for example, `PutObject` or `CreateMultipartUpload`), Amazon S3 fulfills the request by using the closest-proximity bucket. For example, consider a video company that wants to support video uploads from anywhere in the world. When a user makes a `PUT` request to the Multi-Region Access Point, the object is put into the bucket with the closest proximity. To then make that uploaded video available to others around the world for download with the lowest latency, you can use CRR with bidirectional (two-way) replication. Using CRR with two-way replication keeps the contents of all the buckets that are associated with the Multi-Region Access Point synchronized. For more information about using replication with Multi-Region Access Points, see [Configuring replication for use with Multi-Region Access Points](MultiRegionAccessPointBucketReplication.md).

# Amazon S3 Multi-Region Access Points failover controls
<a name="MrapFailover"></a>

With Amazon S3 Multi-Region Access Point failover controls, you can maintain business continuity during Regional traffic disruptions, while also giving your applications a multi-Region architecture to fulfill compliance and redundancy needs. If your Regional traffic gets disrupted, you can use Multi-Region Access Point failover controls to select which AWS Regions behind an Amazon S3 Multi-Region Access Point will process data-access and storage requests. 

To support failover, you can set up your Multi-Region Access Point in an active-passive configuration, with traffic flowing to the active Region during normal conditions, and a passive Region on standby for failover. 

For example, to perform failover to an AWS Region of your choice, you shift traffic from your primary (active) Region to your secondary (passive) Region. In an active-passive configuration like this, one bucket is active and accepting traffic, while the other bucket is passive and not accepting traffic. The passive bucket is used for disaster recovery. When you initiate failover, all traffic (such as `GET` or `PUT` requests) is directed to the bucket in the active state (in one Region) and away from the bucket in the passive state (in another Region).

If you have S3 Cross-Region Replication (CRR) enabled with two-way replication rules, you can keep your buckets synchronized during a failover. In addition, if you have CRR enabled in an active-active configuration, Amazon S3 Multi-Region Access Points can also fetch data from the bucket location of closest proximity, which improves application performance. 

## AWS Region support
<a name="RegionSupport"></a>

With Amazon S3 Multi-Region Access Points failover controls, your S3 buckets can be in any of the [17 Regions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.html) where Multi-Region Access Points are supported. You can initiate failover across any two Regions at one time.

**Note**  
Although failover is initiated between only two Regions at one time, you can separately update the routing statuses for multiple Regions at the same time in your Multi-Region Access Point.

The following topics demonstrate how to use and manage Amazon S3 Multi-Region Access Point failover controls.

**Topics**
+ [AWS Region support](#RegionSupport)
+ [Amazon S3 Multi-Region Access Points routing states](FailoverConfiguration.md)
+ [Using Amazon S3 Multi-Region Access Point failover controls](UsingFailover.md)
+ [Amazon S3 Multi-Region Access Point failover controls errors](mrap-failover-errors.md)

# Amazon S3 Multi-Region Access Points routing states
<a name="FailoverConfiguration"></a>

Your Amazon S3 Multi-Region Access Points failover configuration determines the routing status of the AWS Regions that are used with the Multi-Region Access Point. You can configure your Amazon S3 Multi-Region Access Point to be in an active-active state or active-passive state.
+ **Active-active** – In an active-active configuration, all requests are automatically sent to the closest proximity AWS Region in your Multi-Region Access Point. After the Multi-Region Access Point has been configured to be in an active-active state, all Regions can receive traffic. If traffic disruption occurs in an active-active configuration, network traffic will automatically be redirected to one of the active Regions.
+ **Active-passive** – In an active-passive configuration, the active Regions in your Multi-Region Access Point receive traffic and the passive ones do not. If you intend to use S3 failover controls to initiate failover in a disaster situation, set up your Multi-Region Access Points in an active-passive configuration while you're testing and performing disaster-recovery planning.

# Using Amazon S3 Multi-Region Access Point failover controls
<a name="UsingFailover"></a>

This section explains how to manage and use your Amazon S3 Multi-Region Access Points failover controls by using the AWS Management Console. 

There are two failover controls in the **Failover configuration** section on your Multi-Region Access Point details page in the AWS Management Console: **Edit routing status** and **Failover**. You can use these controls as follows: 
+ **Edit routing status** – You can manually edit the routing statuses of up to 17 AWS Regions in a single request for your Multi-Region Access Point by choosing **Edit routing status**. You can use **Edit routing status** for the following purposes: 
  + To set or edit the routing statuses of one or more Regions in your Multi-Region Access Point
  + To create a failover configuration for your Multi-Region Access Point by configuring two Regions to be in an active-passive state
  + To manually fail over your Regions
  + To manually switch traffic between Regions
+ **Failover** – When you initiate failover by choosing **Failover**, you are only updating the routing statuses of two Regions that are already configured to be in an active-passive state. During a failover that you initiated by choosing **Failover**, the routing statuses between the two Regions are automatically switched.

## Editing the routing status of the Regions in your Multi-Region Access Point
<a name="editing-mrap-routing-status"></a>

You can manually update the routing statuses of up to 17 AWS Regions in a single request for your Multi-Region Access Point by choosing **Edit routing status** in the **Failover configuration** section on your Multi-Region Access Point details page. However, when you initiate failover by choosing **Failover**, you are only updating the routing statuses of two Regions that are already configured to be in an active-passive state. During a failover that you initiated by choosing **Failover**, the routing statuses between the two Regions are automatically switched.

You can use **Edit routing status** (as described in the following procedure) for the following purposes:
+ To set or edit the routing statuses of one or more Regions in your Multi-Region Access Point
+ To create a failover configuration for your Multi-Region Access Point by configuring two Regions to be in an active-passive state
+ To manually fail over your Regions
+ To manually switch traffic between Regions

### Using the S3 console
<a name="update-mrap-routing-console"></a>

**To update the routing status of the Regions in your Multi-Region Access Point**

1. Sign in to the AWS Management Console.

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the Multi-Region Access Point that you want to update.

1. Choose the **Replication and failover** tab.

1. Select one or more Regions that you want to edit the routing status of.
**Note**  
To initiate failover, at least one AWS Region must be designated as **Active** and one Region must be designated as **Passive** in your Multi-Region Access Point.

1. Choose **Edit routing status**.

1. In the dialog box that appears, select **Active** or **Passive** for the **Routing status** for each Region.

   An active state allows traffic to be routed to the Region. A passive state stops any traffic from being directed to the Region.

   If you are creating a failover configuration for your Multi-Region Access Point or initiating failover, at least one AWS Region must be designated as **Active** and one Region must be designated as **Passive** in your Multi-Region Access Point.

1. Choose **Save routing status**. It takes about 2 minutes for traffic to be redirected.

After you submit the routing status of the AWS Regions for your Multi-Region Access Point, you can verify your routing status changes. To verify these changes, go to Amazon CloudWatch at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/) to monitor the shift of your Amazon S3 data-request traffic (for example, `GET` and `PUT` requests) between active and passive Regions. Any existing connections will not be terminated during failover. Existing connections will continue until they reach a success or failure status.

### Using the AWS CLI
<a name="update-mrap-routing-cli"></a>

**Note**  
You can run Multi-Region Access Point AWS CLI routing commands against any of these five Regions: `ap-southeast-2`, `ap-northeast-1`, `us-east-1`, `us-west-2`, and `eu-west-1`.

The following example command updates your current Multi-Region Access Point route configuration. To update the active or passive status of a bucket, set the `TrafficDialPercentage` value to `100` for active and to `0` for passive. In this example, `amzn-s3-demo-bucket1` is set to active, and `amzn-s3-demo-bucket2` is set to passive. To use this example command, replace the `user input placeholders` with your own information.

```
aws s3control submit-multi-region-access-point-routes \
--region ap-southeast-2 \
--account-id 123456789012 \
--mrap MultiRegionAccessPoint_ARN \
--route-updates Bucket=amzn-s3-demo-bucket1,TrafficDialPercentage=100 Bucket=amzn-s3-demo-bucket2,TrafficDialPercentage=0
```

The following example command gets your updated Multi-Region Access Point routing configuration. To use this example command, replace the `user input placeholders` with your own information.

```
aws s3control get-multi-region-access-point-routes \
--region eu-west-1 \
--account-id 123456789012 \
--mrap MultiRegionAccessPoint_ARN
```
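The same routing update, written as an added example (not code from the AWS documentation) that encodes the rules stated above: active is `TrafficDialPercentage` 100, passive is 0, at most 17 Regions per request, the control-plane call must go to one of the five listed Regions, and the console's **Failover** control is a swap between exactly one active and one passive Region. The `boto3` `s3control` client is injected so the logic can be exercised offline against the constructed `FakeS3Control`; in production you would pass `boto3.client("s3control", region_name="us-west-2")`. The ARN alias character class and the alias value are assumptions, not an AWS specification.

```python
"""Build, validate and submit Multi-Region Access Point route updates.

Added example; not AWS or S3 documentation code. The s3control client is
injected so the logic runs offline against the constructed fake below; in
production pass boto3.client("s3control", region_name="us-west-2").
"""
import re
from types import SimpleNamespace
from typing import Dict, List, Mapping

# The five Regions that accept failover control-plane requests (from the page).
FAILOVER_CONTROL_REGIONS = {
    "us-east-1", "us-west-2", "ap-southeast-2", "ap-northeast-1", "eu-west-1",
}
MAX_REGIONS_PER_REQUEST = 17  # page: up to 17 Regions in a single routing update

# ARN shape from the page: arn:aws:s3::account-id:accesspoint/alias.
# The alias character class is an assumption, not an AWS specification.
MRAP_ARN_RE = re.compile(r"^arn:aws:s3::\d{12}:accesspoint/[a-z0-9.\-]+$")


def validate_mrap_arn(arn: str) -> bool:
    """Reject empty or malformed ARNs before they reach the API."""
    return bool(MRAP_ARN_RE.match(arn))


def build_route_updates(desired: Mapping[str, bool],
                        bucket_regions: Mapping[str, str]) -> List[Dict]:
    """desired maps bucket name -> True (active) / False (passive);
    bucket_regions maps bucket name -> the bucket's Region code.
    Returns the RouteUpdates list in the shape the s3control API expects:
    active = TrafficDialPercentage 100, passive = 0."""
    if not desired:
        raise ValueError("no buckets given")
    if len(desired) > MAX_REGIONS_PER_REQUEST:
        raise ValueError(f"at most {MAX_REGIONS_PER_REQUEST} Regions per request")
    return [
        {"Bucket": bucket,
         "Region": bucket_regions[bucket],
         "TrafficDialPercentage": 100 if active else 0}
        for bucket, active in desired.items()
    ]


def failover(current: Mapping[str, int], bucket_a: str, bucket_b: str) -> Dict[str, int]:
    """Mirror of the console Failover control: swap the routing statuses of
    exactly two buckets that already form an active-passive pair.
    current maps bucket name -> TrafficDialPercentage."""
    if bucket_a == bucket_b:
        raise ValueError("failover needs two distinct Regions")
    if {current[bucket_a], current[bucket_b]} != {0, 100}:
        raise ValueError("the two Regions must be one active (100) and one passive (0)")
    updated = dict(current)
    updated[bucket_a], updated[bucket_b] = current[bucket_b], current[bucket_a]
    return updated


def submit_routes(client, account_id: str, mrap_arn: str,
                  route_updates: List[Dict]) -> List[Dict]:
    """Submit the update through an s3control client, then read the routes back
    so the caller verifies the resulting state instead of trusting the submit."""
    region = client.meta.region_name
    if region not in FAILOVER_CONTROL_REGIONS:
        raise ValueError(f"client Region {region} cannot serve routing control-plane calls")
    if not validate_mrap_arn(mrap_arn):
        raise ValueError("malformed Multi-Region Access Point ARN")
    client.submit_multi_region_access_point_routes(
        AccountId=account_id, Mrap=mrap_arn, RouteUpdates=route_updates)
    return client.get_multi_region_access_point_routes(
        AccountId=account_id, Mrap=mrap_arn)["Routes"]


class FakeS3Control:
    """Constructed stand-in for boto3's s3control client (offline demo only)."""

    def __init__(self, region_name: str):
        self.meta = SimpleNamespace(region_name=region_name)
        self.routes: Dict[str, Dict] = {}

    def submit_multi_region_access_point_routes(self, AccountId, Mrap, RouteUpdates):
        for update in RouteUpdates:
            self.routes[update["Bucket"]] = dict(update)
        return {}

    def get_multi_region_access_point_routes(self, AccountId, Mrap):
        return {"Mrap": Mrap, "Routes": list(self.routes.values())}


if __name__ == "__main__":
    regions = {"amzn-s3-demo-bucket1": "us-west-2", "amzn-s3-demo-bucket2": "eu-west-1"}
    updates = build_route_updates(
        {"amzn-s3-demo-bucket1": True, "amzn-s3-demo-bucket2": False}, regions)
    arn = "arn:aws:s3::123456789012:accesspoint/example-alias.mrap"  # placeholder alias
    print(submit_routes(FakeS3Control("ap-southeast-2"), "123456789012", arn, updates))
```

Reading the routes back after the submit is the programmatic counterpart of the CloudWatch check described above: the routing change is only as good as the state you can observe afterwards.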

## Initiating failover
<a name="InitiatingFailover"></a>

When you initiate failover by choosing **Failover** in the **Failover configuration** section on your Multi-Region Access Point details page, Amazon S3 request traffic automatically gets shifted to an alternate AWS Region. The failover process is completed within 2 minutes. 

You can initiate a failover across any two AWS Regions at one time (of the [17 Regions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.html) where Multi-Region Access Points are supported). Failover events are then logged in AWS CloudTrail. Upon failover completion, you can monitor Amazon S3 traffic and any traffic routing updates to the new active Region in Amazon CloudWatch.

**Important**  
To keep all metadata and objects in sync across buckets during data replication, we recommend that you create two-way replication rules and enable replica modification sync before configuring your failover controls.   
Two-way replication rules help ensure that when data is written to the Amazon S3 bucket that traffic fails over to, that data is then replicated back to the source bucket. Replica modification sync helps ensure that object metadata is also synchronized between buckets during two-way replication.   
For more information about configuring replication to support failover, see [Configuring replication for use with Multi-Region Access Points](MultiRegionAccessPointBucketReplication.md).

**To initiate failover between replicated buckets**

1. Sign in to the AWS Management Console.

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the Multi-Region Access Point that you want to use to initiate failover.

1. Choose the **Replication and failover** tab.

1. Scroll down to the **Failover configuration** section and select two AWS Regions.
**Note**  
To initiate failover, at least one AWS Region must be designated as **Active** and one Region must be designated as **Passive** in your Multi-Region Access Point. An active state allows traffic to be directed to a Region. A passive state stops any traffic from being directed to the Region.

1. Choose **Failover**.

1. In the dialog box, choose **Failover** again to initiate the failover process. During this process, the routing statuses of the two Regions are automatically switched. All new traffic is directed to the Region that becomes active, and traffic stops being directed to the Region that becomes passive. It takes about 2 minutes for traffic to be redirected.

   After you initiate the failover process, you can verify your traffic changes. To verify these changes, go to Amazon CloudWatch at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/) to monitor the shift of your Amazon S3 data-request traffic (for example, `GET` and `PUT` requests) between active and passive Regions. Any existing connections will not be terminated during failover. Existing connections will continue until they reach a success or failure status. 

## Viewing your Amazon S3 Multi-Region Access Point routing controls
<a name="viewing-mrap-routing-controls"></a>

### Using the S3 console
<a name="viewing-mrap-routing-console"></a>

**To view the routing controls for your Amazon S3 Multi-Region Access Point**

1. Sign in to the AWS Management Console.

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the Multi-Region Access Point that you want to review.

1. Choose the **Replication and failover** tab. This page displays the routing configuration details and summary for your Multi-Region Access Point, associated replication rules, and replication metrics. You can see the routing status of your Regions in the **Failover configuration** section.

### Using the AWS CLI
<a name="viewing-mrap-routing-cli"></a>

The following example AWS CLI command gets your current Multi-Region Access Point route configuration for the specified Region. To use this example command, replace the `user input placeholders` with your own information.

```
aws s3control get-multi-region-access-point-routes \
--region eu-west-1 \
--account-id 123456789012 \
--mrap MultiRegionAccessPoint_ARN
```

**Note**  
This command can only be executed against these five Regions: `ap-southeast-2`, `ap-northeast-1`, `us-east-1`, `us-west-2`, and `eu-west-1`.

# Amazon S3 Multi-Region Access Point failover controls errors
<a name="mrap-failover-errors"></a>

When you update the failover configuration for your Multi-Region Access Point, you might encounter one of these errors:
+ HTTP 400 Bad Request: This error can occur if you enter an invalid Multi-Region Access Point ARN while updating your failover configuration. You can confirm your Multi-Region Access Point ARN by reviewing your Multi-Region Access Point policy. To review or update your Multi-Region Access Point policy, see [Editing the Multi-Region Access Point policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingFailover.html#editing-mrap-policy). This error can also occur if you use an empty string or a random string while updating your Amazon S3 Multi-Region Access Point failover controls. Make sure to use the Multi-Region Access Point ARN format: 

  `arn:aws:s3::account-id:accesspoint/MultiRegionAccessPoint_alias` 
+ HTTP 503 Slow Down: This error occurs if you send too many requests in a short period of time. Rejected requests will result in an error.
+ HTTP 409 Conflict: This error occurs when two or more concurrent route configuration update requests are targeting a single Multi-Region Access Point. The first request succeeds, but any other requests fail with an error.
+ HTTP 405 Method Not Allowed: This error occurs when you've selected a Multi-Region Access Point with only one AWS Region when initiating failover. You must select two Regions before you can initiate failover. Otherwise, an error is returned.
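A retry policy that follows the error list above, as an added example (not AWS code): 503 Slow Down is retried with exponential back-off, 409 Conflict means another update won the race so the routes are re-read and accepted if they already match the desired state, and 400 and 405 are input errors that are raised immediately because no retry can fix them. With `boto3` the raised exception is `botocore.exceptions.ClientError`, which carries the `.response` dictionary this code inspects; `FakeClientError` and `FlakyS3Control` are constructed stand-ins so the block runs offline, and the `sleep` parameter exists so tests can skip the waits.

```python
"""Retry policy for Multi-Region Access Point route updates, keyed on the
HTTP statuses the failover controls return. Added example; not AWS code.
The client and the error type are injected so it runs offline; with boto3
the exception is botocore.exceptions.ClientError (same .response shape)."""
import time
from typing import Callable, Dict, List, Tuple


class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""

    def __init__(self, status: int, code: str):
        super().__init__(f"HTTP {status} {code}")
        self.response = {"Error": {"Code": code},
                         "ResponseMetadata": {"HTTPStatusCode": status}}


def http_status(err: Exception) -> int:
    """Pull the HTTP status out of a ClientError-shaped exception (0 if absent)."""
    response = getattr(err, "response", None) or {}
    return response.get("ResponseMetadata", {}).get("HTTPStatusCode", 0)


def routes_match(routes: List[Dict], desired: Dict[str, int]) -> bool:
    """True when the live routes carry exactly the desired dial percentages."""
    return {r["Bucket"]: r["TrafficDialPercentage"] for r in routes} == desired


def submit_with_retry(client, account_id: str, mrap_arn: str, route_updates: List[Dict],
                      max_attempts: int = 5,
                      sleep: Callable[[float], None] = time.sleep) -> List[Dict]:
    """Submit a routing update, retrying only where a retry can help:
    503 -> back off and retry; 409 -> re-read, stop if the competing update
    already produced our state; 400/405 -> input problem, raise at once."""
    desired = {u["Bucket"]: u["TrafficDialPercentage"] for u in route_updates}
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        try:
            client.submit_multi_region_access_point_routes(
                AccountId=account_id, Mrap=mrap_arn, RouteUpdates=route_updates)
            return client.get_multi_region_access_point_routes(
                AccountId=account_id, Mrap=mrap_arn)["Routes"]
        except Exception as err:
            status = http_status(err)
            if status == 409:
                routes = client.get_multi_region_access_point_routes(
                    AccountId=account_id, Mrap=mrap_arn)["Routes"]
                if routes_match(routes, desired):
                    return routes  # someone else already applied this state
            elif status != 503:
                raise  # 400 (bad ARN), 405 (one Region), or anything unexpected
            if attempt == max_attempts:
                raise
            sleep(delay)
            delay = min(delay * 2, 16.0)
    raise RuntimeError("unreachable")


class FlakyS3Control:
    """Constructed fake: fails the first submits with the given statuses, then succeeds."""

    def __init__(self, failures: List[Tuple[int, str]], routes: List[Dict] = None):
        self.failures = list(failures)
        self.routes = list(routes or [])
        self.submit_calls = 0

    def submit_multi_region_access_point_routes(self, AccountId, Mrap, RouteUpdates):
        self.submit_calls += 1
        if self.failures:
            status, code = self.failures.pop(0)
            raise FakeClientError(status, code)
        self.routes = [dict(u) for u in RouteUpdates]
        return {}

    def get_multi_region_access_point_routes(self, AccountId, Mrap):
        return {"Mrap": Mrap, "Routes": list(self.routes)}
```

Treating 409 as "re-read, then decide" rather than a blind retry matters during an incident: two operators or automations racing to fail over should converge on one state, not flip it back and forth.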

# Configuring replication for use with Multi-Region Access Points
<a name="MultiRegionAccessPointBucketReplication"></a>

When you make a request to a Multi-Region Access Point endpoint, Amazon S3 automatically routes the request to the bucket that is closest to you. Amazon S3 doesn't consider the contents of the request when making this decision. If you make a request to `GET` an object, your request might be routed to a bucket that doesn't have a copy of this object. If that happens, you receive an HTTP status code 404 (Not Found) error. For more information about Multi-Region Access Point request routing, see [Multi-Region Access Point request routing](MultiRegionAccessPointRequestRouting.md).

If you want the Multi-Region Access Point to be able to retrieve the object regardless of which bucket receives the request, you must configure Amazon S3 Cross-Region Replication (CRR). 

For example, consider a Multi-Region Access Point with three buckets:
+ A bucket named `amzn-s3-demo-bucket1` in the Region `US West (Oregon)` that contains the object `my-image.jpg` 
+ A bucket named `amzn-s3-demo-bucket2` in the Region `Asia Pacific (Mumbai)` that contains the object `my-image.jpg` 
+ A bucket named `amzn-s3-demo-bucket` in the Region `Europe (Frankfurt)` that doesn't contain the object `my-image.jpg` 

In this situation, if you make a `GetObject` request for the object `my-image.jpg`, the success of that request depends upon which bucket receives your request. Because Amazon S3 doesn't consider the contents of the request, it might route your `GetObject` request to the `amzn-s3-demo-bucket` bucket if that bucket is the closest one to you. Even though your object is in a bucket in the Multi-Region Access Point, you will get an HTTP 404 Not Found error because the individual bucket that received your request didn't have the object.

Enabling Cross-Region Replication (CRR) helps avoid this result. With appropriate replication rules, the `my-image.jpg` object is copied over to the `amzn-s3-demo-bucket` bucket. Therefore, if Amazon S3 routes your request to that bucket, you can now retrieve the object. 

Replication works as normal with buckets that are assigned to a Multi-Region Access Point. Amazon S3 doesn't perform any special replication handling with buckets that are in Multi-Region Access Points. For more information about configuring replication in your buckets, see [Setting up live replication overview](replication-how-setup.md).
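A small model of the routing rules from the request-routing section and of the three-bucket scenario above, as an added example (not AWS code). The latency table and client locations are constructed stand-ins for the proximity decision that Amazon S3 makes for you; Region codes (`us-west-2`, `ap-south-1`, `eu-central-1`) are the codes for the Regions named above. It shows the 404 that a `GET` receives when the closest bucket lacks the object, that a `PUT` lands only in the closest bucket, and how a converged two-way CRR state makes every bucket able to serve the request.

```python
"""Model of Multi-Region Access Point request routing and why CRR is needed.
Added example; not AWS code. Latencies and client locations are constructed
stand-ins for the proximity decision that Amazon S3 makes for you."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple


@dataclass
class Bucket:
    name: str
    region: str                              # Region code of the bucket
    objects: Set[str] = field(default_factory=set)


# Constructed round-trip latencies (ms) from a client location to each Region;
# the smallest value stands in for "closest proximity".
LATENCY_MS: Dict[str, Dict[str, int]] = {
    "paris":   {"us-west-2": 140, "ap-south-1": 110, "eu-central-1": 10},
    "seattle": {"us-west-2": 5,   "ap-south-1": 220, "eu-central-1": 150},
    "mumbai":  {"us-west-2": 230, "ap-south-1": 3,   "eu-central-1": 120},
}


class MultiRegionAccessPoint:
    def __init__(self, buckets: Iterable[Bucket]):
        self.buckets = {b.region: b for b in buckets}

    def route(self, client_location: str) -> Bucket:
        """Routing rule: pick the closest bucket; the object name plays no part."""
        latencies = LATENCY_MS[client_location]
        region = min(self.buckets, key=lambda r: latencies[r])
        return self.buckets[region]

    def get_object(self, client_location: str, key: str) -> Tuple[int, str]:
        """Returns (HTTP status, bucket name): 404 when the chosen bucket
        lacks the key even though another bucket in the set has it."""
        bucket = self.route(client_location)
        return (200 if key in bucket.objects else 404), bucket.name

    def put_object(self, client_location: str, key: str) -> str:
        """PUTs land in the closest bucket only; returns that bucket's name."""
        bucket = self.route(client_location)
        bucket.objects.add(key)
        return bucket.name


def replicate_two_way(mrap: MultiRegionAccessPoint) -> None:
    """Converged state of two-way CRR between all buckets: every bucket ends up
    with the union of keys (real replication is asynchronous, so there is a
    window before this state is reached)."""
    union = set().union(*[b.objects for b in mrap.buckets.values()])
    for bucket in mrap.buckets.values():
        bucket.objects |= union


def build_example() -> MultiRegionAccessPoint:
    """The three-bucket setup described above, with the page's bucket names."""
    return MultiRegionAccessPoint([
        Bucket("amzn-s3-demo-bucket1", "us-west-2", {"my-image.jpg"}),   # US West (Oregon)
        Bucket("amzn-s3-demo-bucket2", "ap-south-1", {"my-image.jpg"}),  # Asia Pacific (Mumbai)
        Bucket("amzn-s3-demo-bucket", "eu-central-1"),                   # Europe (Frankfurt), no copy
    ])


if __name__ == "__main__":
    mrap = build_example()
    print(mrap.get_object("paris", "my-image.jpg"))   # (404, 'amzn-s3-demo-bucket')
    replicate_two_way(mrap)
    print(mrap.get_object("paris", "my-image.jpg"))   # (200, 'amzn-s3-demo-bucket')
```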

**Recommendations for using replication with Multi-Region Access Points**  
For the best replication performance when working with Multi-Region Access Points, we recommend the following: 
+ Configure S3 Replication Time Control (S3 RTC). To replicate your data across different Regions within a predictable time frame, you can use S3 RTC. S3 RTC replicates 99.99 percent of new objects stored in Amazon S3 within 15 minutes (backed by a service-level agreement). For more information, see [Meeting compliance requirements with S3 Replication Time Control](replication-time-control.md). There are additional charges for S3 RTC. For information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).
+ Use two-way (bidirectional) replication to support keeping buckets synchronized when buckets are updated through the Multi-Region Access Point. For more information, see [Create two-way replication rules for your Multi-Region Access Point](mrap-create-two-way-replication-rules.md).
+ Create cross-account Multi-Region Access Points to replicate data to buckets in separate AWS accounts. This approach provides account-level separation, so that data can be accessed from and replicated across different accounts in different Regions other than the source bucket. Setting up cross-account Multi-Region Access Points comes at no additional cost. If you're a bucket owner but don't own the Multi-Region Access Point, you pay only for data transfer and request costs. Multi-Region Access Point owners pay for data routing and internet-acceleration costs. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).
+ Enable replica modification sync for each replication rule to also keep metadata changes to your objects in sync. For more information, see [Enabling replica modification sync](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-for-metadata-changes.html#enabling-replication-for-metadata-changes).
+ Enable Amazon CloudWatch metrics to [monitor replication events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-metrics.html). CloudWatch metrics fees apply. For more information, see [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/).
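The replication configuration that implements these recommendations, built as an added example (not AWS code): one rule per bucket pointing at the other (two-way replication), S3 RTC with the 15-minute window it requires together with replication metrics, replica modification sync, and delete marker replication, with the prefix and tag filter forms the console offers. The output is the `ReplicationConfiguration` document accepted by the `boto3` `s3` client's `put_bucket_replication`; the IAM role ARN and bucket names are placeholders, and `apply_replication` takes an injected client so the builder itself runs offline.

```python
"""Build S3 replication configurations for a Multi-Region Access Point's
buckets. Added example; not AWS code. Produces the ReplicationConfiguration
document for s3.put_bucket_replication; ARNs here are placeholders."""
from typing import Dict, Optional

RTC_MINUTES = 15  # S3 RTC SLA window; metrics must be enabled alongside RTC


def build_filter(prefix: Optional[str] = None,
                 tags: Optional[Dict[str, str]] = None) -> Dict:
    """Filter element: {} for the whole bucket, Prefix or Tag alone,
    And when a prefix is combined with tags or more than one tag is given."""
    tag_list = [{"Key": k, "Value": v} for k, v in (tags or {}).items()]
    if prefix and not tag_list:
        return {"Prefix": prefix}
    if tag_list and not prefix and len(tag_list) == 1:
        return {"Tag": tag_list[0]}
    if prefix or tag_list:
        and_block: Dict = {}
        if prefix:
            and_block["Prefix"] = prefix
        if tag_list:
            and_block["Tags"] = tag_list
        return {"And": and_block}
    return {}


def replication_rule(rule_id: str, destination_bucket_arn: str,
                     prefix: Optional[str] = None,
                     tags: Optional[Dict[str, str]] = None) -> Dict:
    """One rule carrying the recommendations: RTC + metrics, replica
    modification sync, and delete marker replication."""
    return {
        "ID": rule_id,
        "Priority": 1,
        "Status": "Enabled",
        "Filter": build_filter(prefix, tags),
        # Delete markers from S3 delete operations replicate; lifecycle ones do not.
        "DeleteMarkerReplication": {"Status": "Enabled"},
        # Keep metadata changes on replicas in sync (replica modification sync).
        "SourceSelectionCriteria": {"ReplicaModifications": {"Status": "Enabled"}},
        "Destination": {
            "Bucket": destination_bucket_arn,
            "ReplicationTime": {"Status": "Enabled", "Time": {"Minutes": RTC_MINUTES}},
            "Metrics": {"Status": "Enabled", "EventThreshold": {"Minutes": RTC_MINUTES}},
        },
    }


def two_way_replication(bucket_a: str, bucket_b: str, role_arn: str,
                        prefix: Optional[str] = None,
                        tags: Optional[Dict[str, str]] = None) -> Dict[str, Dict]:
    """One configuration per bucket, each replicating to the other, so an
    object written to whichever bucket the Multi-Region Access Point picked
    propagates back to its peer."""
    def config(src: str, dst: str) -> Dict:
        return {"Role": role_arn,
                "Rules": [replication_rule(f"{src}-to-{dst}", f"arn:aws:s3:::{dst}",
                                           prefix, tags)]}
    return {bucket_a: config(bucket_a, bucket_b), bucket_b: config(bucket_b, bucket_a)}


def apply_replication(s3_client, configs: Dict[str, Dict]) -> None:
    """Versioning must be on before a replication configuration is accepted;
    both calls are boto3 s3 client methods."""
    for bucket, configuration in configs.items():
        s3_client.put_bucket_versioning(
            Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
        s3_client.put_bucket_replication(
            Bucket=bucket, ReplicationConfiguration=configuration)


if __name__ == "__main__":
    import json
    configs = two_way_replication(
        "amzn-s3-demo-bucket1", "amzn-s3-demo-bucket2",
        "arn:aws:iam::123456789012:role/replication-role-placeholder",
        prefix="pictures/")
    print(json.dumps(configs, indent=2))
```

Applying the configuration through the API, as the **Important** note in the one-way procedure warns for the console template, replaces whatever replication configuration the bucket already has, so read the existing one back first if the bucket carries rules for other purposes.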

**Topics**
+ [Create one-way replication rules for your Multi-Region Access Point](mrap-create-one-way-replication-rules.md)
+ [Create two-way replication rules for your Multi-Region Access Point](mrap-create-two-way-replication-rules.md)
+ [View the replication rules for your Multi-Region Access Point](mrap-view-replication-rules.md)

# Create one-way replication rules for your Multi-Region Access Point
<a name="mrap-create-one-way-replication-rules"></a>

Replication rules enable automatic and asynchronous copying of objects across buckets. A one-way replication rule helps ensure that data is fully replicated from a source bucket in one AWS Region to a destination bucket in another Region. When one-way replication is set up, a replication rule from the source bucket (for example, `amzn-s3-demo-bucket1`) to the destination bucket (for example, `amzn-s3-demo-bucket2`) is created. Like all replication rules, you can apply the one-way replication rule to the entire Amazon S3 bucket or to a subset of objects that are filtered by a prefix or object tags.

**Important**  
We recommend using one-way replication if your users will only be consuming the objects in your destination buckets. If your users will be uploading or modifying the objects in your destination buckets, use two-way replication to keep all of your buckets in sync. We also recommend two-way replication if you plan to use your Multi-Region Access Point for failover. To set up two-way replication, see [Create two-way replication rules for your Multi-Region Access Point](mrap-create-two-way-replication-rules.md).

**To create a one-way replication rule for your Multi-Region Access Point**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the name of your Multi-Region Access Point.

1. Choose the **Replication and failover** tab.

1. Scroll down to the **Replication rules** section, and then choose **Create replication rules**. Make sure that you have sufficient permissions to create the replication rule, or versioning will be disabled.
**Note**  
You can create replication rules only for buckets in your own account. To create replication rules for external buckets, the bucket owners must create the replication rules for those buckets.

1. On the **Create replication rules** page, choose the **Replicate objects from one or more source buckets to one or more destination buckets** template.
**Important**  
When you create replication rules by using this template, they replace any existing replication rules that are already assigned to the bucket.   
To add to or modify any existing replication rules instead of replacing them, go to each bucket's **Management** tab in the console, and then edit the rules in the **Replication rules** section. You can also add to or modify existing replication rules by using the AWS CLI, SDKs, or REST API. For more information, see [Replication configuration file elements](replication-add-config.md).

1. In the **Source and destination** section, under **Source buckets**, select one or more buckets that you want to replicate objects from. All buckets (source and destination) that are chosen for replication must have S3 Versioning enabled, and each bucket must reside in a different AWS Region. For more information about S3 Versioning, see [Using versioning in Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html).

   Under **Destination buckets**, select one or more buckets that you want to replicate objects to.

1. In the **Replication rule configuration** section, choose whether the replication rule will be **Enabled** or **Disabled** when it's created.
**Note**  
You can't enter a name in the **Replication rule name** box. Replication rule names are generated based on your configuration when you create the replication rule.

1. In the **Scope** section, choose the appropriate scope for your replication.
   + To replicate the whole bucket, choose **Apply to all objects in the bucket**. 
   + To replicate a subset of the objects in the bucket, choose **Limit the scope of this rule using one or more filters**. 

     You can filter your objects by using a prefix, object tags, or a combination of both. 
     + To limit replication to all objects that have names that begin with the same string (for example `pictures`), enter a prefix in the **Prefix** box. 

       If you enter a prefix that is the name of a folder, you must use a delimiter such as a `/` (forward slash) to indicate its level of hierarchy (for example, `pictures/`). For more information about prefixes, see [Organizing objects using prefixes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html).
     + To replicate all objects that have one or more object tags, choose **Add tag** and enter the key-value pair in the boxes. To add another tag, repeat the procedure. For more information about object tags, see [Categorizing your objects using tags](object-tagging.md).

1. Scroll down to the **Additional replication options** section, and select the replication options that you want to apply.
**Note**  
We recommend that you apply the following options:  
**Replication time control (RTC)** – To replicate your data across different Regions within a predictable time frame, you can use S3 Replication Time Control (S3 RTC). S3 RTC replicates 99.99 percent of new objects stored in Amazon S3 within 15 minutes (backed by a service-level agreement). For more information, see [Meeting compliance requirements with S3 Replication Time Control](replication-time-control.md).
**Replication metrics and notifications** – Enable Amazon CloudWatch metrics to monitor replication events.
**Delete marker replication** – Delete markers created by S3 delete operations will be replicated. Delete markers created by lifecycle rules are not replicated. For more information, see [Replicating delete markers between buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html).
There are additional charges for S3 RTC and CloudWatch replication metrics and notifications. For more information, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/) and [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/).

1. If you're writing a new replication rule that replaces an existing one, select **I acknowledge that by choosing Create replication rules, these existing replication rules will be overwritten**.

1. Choose **Create replication rules** to create and save your new one-way replication rule.

# Create two-way replication rules for your Multi-Region Access Point
<a name="mrap-create-two-way-replication-rules"></a>

Replication rules enable automatic and asynchronous copying of objects across buckets. A two-way replication rule (also known as a bidirectional replication rule) ensures that data is fully synchronized between two or more buckets in different AWS Regions. When two-way replication is set up, a replication rule from the source bucket (DOC-EXAMPLE-BUCKET-1) to the bucket containing the replicas (DOC-EXAMPLE-BUCKET-2) is created. Then, a second replication rule from the bucket containing the replicas (DOC-EXAMPLE-BUCKET-2) to the source bucket (DOC-EXAMPLE-BUCKET-1) is created.

Like all replication rules, you can apply the two-way replication rule to the entire Amazon S3 bucket or to a subset of objects filtered by a prefix or object tags. You can also keep metadata changes to your objects in sync by [enabling replica modification sync](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-for-metadata-changes.html#enabling-replication-for-metadata-changes) for each replication rule. You can enable replica modification sync through the Amazon S3 console, the AWS CLI, the AWS SDKs, the Amazon S3 REST API, or AWS CloudFormation.

To monitor the replication progress of objects and object metadata in Amazon CloudWatch, enable S3 Replication metrics and notifications. For more information, see [Monitoring progress with replication metrics and Amazon S3 event notifications](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-metrics.html).

**To create a two-way replication rule for your Multi-Region Access Point**



1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the name of the Multi-Region Access Point that you want to update.

1. Choose the **Replication and failover** tab.

1. Scroll down to the **Replication rules** section, and then choose **Create replication rules**.

1. On the **Create replication rules** page, choose the **Replicate objects among all specified buckets** template. The **Replicate objects among all specified buckets** template sets up two-way replication (with failover capabilities) for your buckets.
**Important**  
When you create replication rules by using this template, they replace any existing replication rules that are already assigned to the bucket.   
To add to or modify any existing replication rules instead of replacing them, go to each bucket's **Management** tab in the console, and then edit the rules in the **Replication rules** section. You can also add to or modify existing replication rules by using the AWS CLI, AWS SDKs, or Amazon S3 REST API. For more information, see [Replication configuration file elements](replication-add-config.md).

1. In the **Buckets** section, select at least two buckets that you want to replicate objects from. All buckets chosen for replication must have S3 Versioning enabled, and each bucket must reside in a different AWS Region. For more information about S3 Versioning, see [Using versioning in Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html).
**Note**  
Make sure that you have the required read and replicate permissions to establish replication, or you will encounter errors. For more information, see [Creating an IAM role](https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html).

1. In the **Replication rule configuration** section, choose whether the replication rule will be **Enabled** or **Disabled** when it's created.
**Note**  
You can't enter a name in the **Replication rule name** box. Replication rule names are generated based on your configuration when you create the replication rule.

1. In the **Scope** section, choose the appropriate scope for your replication.
   + To replicate the whole bucket, choose **Apply to all objects in the bucket**. 
   + To replicate a subset of the objects in the bucket, choose **Limit the scope of this rule using one or more filters**. 

     You can filter your objects by using a prefix, object tags, or a combination of both. 
     + To limit replication to all objects that have names that begin with the same string (for example `pictures`), enter a prefix in the **Prefix** box. 

       If you enter a prefix that is the name of a folder, you must use a `/` (forward slash) as the last character (for example, `pictures/`).
     + To replicate all objects that have one or more object tags, choose **Add tag** and enter the key-value pair in the boxes. To add another tag, repeat the procedure. For more information about object tags, see [Categorizing your objects using tags](object-tagging.md).

1. Scroll down to the **Additional replication options** section, and select the replication options that you want to apply.
**Note**  
We recommend that you apply the following options, especially if you intend to configure your Multi-Region Access Point to support failover:  
**Replication time control (RTC)** – To replicate your data across different Regions within a predictable time frame, you can use S3 Replication Time Control (S3 RTC). S3 RTC replicates 99.99 percent of new objects stored in Amazon S3 within 15 minutes (backed by a service-level agreement). For more information, see [Meeting compliance requirements with S3 Replication Time Control](replication-time-control.md).
**Replication metrics and notifications** – Enable Amazon CloudWatch metrics to monitor replication events.
**Delete marker replication** – Delete markers created by S3 delete operations will be replicated. Delete markers created by lifecycle rules are not replicated. For more information, see [Replicating delete markers between buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html).
**Replica modification sync** – Enable replica modification sync for each replication rule to also keep metadata changes to your objects in sync. For more information, see [Enabling replica modification sync](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-for-metadata-changes.html#enabling-replication-for-metadata-changes).
There are additional charges for S3 RTC and CloudWatch replication metrics and notifications. For more information, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/) and [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/).

1. If you're writing a new replication rule that replaces an existing one, select **I acknowledge that by choosing Create replication rules, these existing replication rules will be overwritten**.

1. Choose **Create replication rules** to create and save your new two-way replication rules. 
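As an added example (not code from this guide), the following Python builds the pair of replication configurations that two-way replication produces, DOC-EXAMPLE-BUCKET-1 to DOC-EXAMPLE-BUCKET-2 and back, in the `ReplicationConfiguration` shape that boto3's `put_bucket_replication` accepts, with the recommended options (S3 RTC, replication metrics, delete marker replication, replica modification sync) enabled. The role ARN is a placeholder you must replace, and `is_mirrored` is a helper added here to catch the common mistake of enabling an option in only one direction.

```python
"""Build mirrored S3 replication configurations for two-way replication.

Added example, not code from the Amazon S3 User Guide. Produces the
ReplicationConfiguration dictionaries that boto3.client("s3")
.put_bucket_replication expects for both directions of a two-way rule.
"""
import json
from typing import Dict, Optional

# Placeholder replication role (assumption): create the role described in the
# guide's "Creating an IAM role" page and substitute its ARN here.
ROLE_ARN = "arn:aws:iam::111122223333:role/REPLICATION-ROLE-PLACEHOLDER"


def build_rule(source_prefix: Optional[str], destination_bucket: str,
               priority: int = 1) -> Dict:
    """One replication rule with the guide's recommended options enabled."""
    return {
        "ID": f"to-{destination_bucket}",
        "Priority": priority,
        "Status": "Enabled",
        # A Filter is required when Priority/DeleteMarkerReplication are set;
        # an empty prefix replicates the whole bucket.
        "Filter": {"Prefix": source_prefix or ""},
        "Destination": {
            "Bucket": f"arn:aws:s3:::{destination_bucket}",
            # S3 Replication Time Control: 15-minute replication SLA
            "ReplicationTime": {"Status": "Enabled", "Time": {"Minutes": 15}},
            # CloudWatch replication metrics and event notifications
            "Metrics": {"Status": "Enabled", "EventThreshold": {"Minutes": 15}},
        },
        # Replicate delete markers from delete operations (lifecycle ones are not)
        "DeleteMarkerReplication": {"Status": "Enabled"},
        # Keep metadata changes on replicas in sync
        "SourceSelectionCriteria": {"ReplicaModifications": {"Status": "Enabled"}},
    }


def build_two_way(bucket_a: str, bucket_b: str,
                  prefix: Optional[str] = None) -> Dict[str, Dict]:
    """Return {source_bucket: ReplicationConfiguration} for both directions."""
    return {
        bucket_a: {"Role": ROLE_ARN, "Rules": [build_rule(prefix, bucket_b)]},
        bucket_b: {"Role": ROLE_ARN, "Rules": [build_rule(prefix, bucket_a)]},
    }


def is_mirrored(configs: Dict[str, Dict]) -> bool:
    """True if each bucket's rule targets the other and all options match.

    Enabling RTC or delete marker replication in one direction only is a
    common two-way misconfiguration; this check catches it before deployment.
    """
    buckets = list(configs)
    if len(buckets) != 2:
        return False
    a, b = buckets
    rule_a = configs[a]["Rules"][0]
    rule_b = configs[b]["Rules"][0]
    if rule_a["Destination"]["Bucket"] != f"arn:aws:s3:::{b}":
        return False
    if rule_b["Destination"]["Bucket"] != f"arn:aws:s3:::{a}":
        return False

    def options(rule: Dict) -> Dict:
        # Everything except the destination bucket name must be identical.
        return {
            "Status": rule["Status"],
            "Filter": rule["Filter"],
            "DeleteMarkerReplication": rule["DeleteMarkerReplication"],
            "SourceSelectionCriteria": rule["SourceSelectionCriteria"],
            "ReplicationTime": rule["Destination"]["ReplicationTime"],
            "Metrics": rule["Destination"]["Metrics"],
        }

    return options(rule_a) == options(rule_b)


if __name__ == "__main__":
    configs = build_two_way("DOC-EXAMPLE-BUCKET-1", "DOC-EXAMPLE-BUCKET-2", "pictures/")
    assert is_mirrored(configs)
    print(json.dumps(configs, indent=2))
```

Each configuration is applied with `put_bucket_replication(Bucket=name, ReplicationConfiguration=cfg)`; like the console template, that call replaces the bucket's whole replication configuration, and S3 Versioning must already be enabled on both buckets.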

# View the replication rules for your Multi-Region Access Point
<a name="mrap-view-replication-rules"></a>

With Multi-Region Access Points, you can either set up one-way replication rules or two-way (bidirectional) replication rules. For information about how to manage your replication rules, see [Managing replication rules by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/disable-replication.html).

**To view the replication rules for your Multi-Region Access Point**



1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Multi-Region Access Points**.

1. Choose the name of your Multi-Region Access Point.

1. Choose the **Replication and failover** tab.

1. Scroll down to the **Replication rules** section. This section lists all of the replication rules that have been created for your Multi-Region Access Point.
**Note**  
If you’ve added a bucket from another account to this Multi-Region Access Point, you must have the `s3:GetBucketReplication` permission from the bucket owner to view the replication rules for that bucket.

# Using Multi-Region Access Points with supported API operations
<a name="MrapOperations"></a>

 Amazon S3 provides a set of operations to manage Multi-Region Access Points. Amazon S3 processes some of these operations synchronously and some asynchronously. When you invoke an asynchronous operation, Amazon S3 first synchronously authorizes the requested operation. If authorization is successful, Amazon S3 returns a token that you can use to track the progress and results of the requested operation. 

**Note**  
Requests that are made through the Amazon S3 console are always synchronous. The console waits until the request is completed before allowing you to submit another request. 

You can view the current status and results of asynchronous operations by using the console, or you can use `DescribeMultiRegionAccessPointOperation` in the AWS CLI, AWS SDKs, or REST API. Amazon S3 provides a tracking token in the response to an asynchronous operation. You include that tracking token as an argument to `DescribeMultiRegionAccessPointOperation`. When you include the tracking token, Amazon S3 then returns the current status and results of the specified operation, including any errors or relevant resource information. Amazon S3 performs `DescribeMultiRegionAccessPointOperation` operations synchronously. 

All control plane requests to create or maintain Multi-Region Access Points must be routed to the `US West (Oregon)` Region. For Multi-Region Access Point data plane requests, Regions don't need to be specified. For the Multi-Region Access Point failover control plane, the request must be routed to one of the five supported Regions. For more information about Multi-Region Access Point supported Regions, see [Multi-Region Access Point restrictions and limitations](MultiRegionAccessPointRestrictions.md).

In addition, you must grant the `s3:ListAllMyBuckets` permission to the user, role, or other AWS Identity and Access Management (IAM) entity that makes a request to manage a Multi-Region Access Point. 

The following examples demonstrate how to use Multi-Region Access Points with compatible operations in Amazon S3.

**Topics**
+ [Multi-Region Access Point compatibility with AWS services and AWS SDKs](#mrap-api-support)
+ [Multi-Region Access Point compatibility with S3 operations](#mrap-operations-support)
+ [View your Multi-Region Access Point routing configuration](#query-mrap-routing-configuration)
+ [Update your underlying Amazon S3 bucket policy](#update-underlying-bucket-policy)
+ [Update a Multi-Region Access Point route configuration](#update-mrap-route-configuration)
+ [Add an object to a bucket in your Multi-Region Access Point](#add-bucket-mrap)
+ [Retrieve objects from your Multi-Region Access Point](#get-object-mrap)
+ [List objects that are stored in a bucket underlying your Multi-Region Access Point](#list-objects-mrap)
+ [Use a presigned URL with Multi-Region Access Points](#use-presigned-url-mrap)
+ [Use a bucket that's configured with Requester Pays with Multi-Region Access Points](#use-requester-pays-mrap)

## Multi-Region Access Point compatibility with AWS services and AWS SDKs
<a name="mrap-api-support"></a>

To use a Multi-Region Access Point with applications that require an Amazon S3 bucket name, use the Amazon Resource Name (ARN) of the Multi-Region Access Point when making requests by using an AWS SDK. To check which AWS SDKs are compatible with Multi-Region Access Points, see [Compatibility with AWS SDKs](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html#s3-mrap-sdk-compat).

## Multi-Region Access Point compatibility with S3 operations
<a name="mrap-operations-support"></a>

You can use the following Amazon S3 data plane API operations to perform actions on objects in buckets that are associated with your Multi-Region Access Point. The following S3 operations can accept Multi-Region Access Point ARNs:
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjectTagging.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjectTagging.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectLegalHold.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectLegalHold.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectRetention.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectRetention.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectTagging.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectTagging.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html)

**Note**  
Multi-Region Access Points support copy operations only as the copy destination: you can specify a Multi-Region Access Point ARN as the destination of a copy, but not as its source.

You can use the following Amazon S3 control plane operations to create and manage your Multi-Region Access Points:
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateMultiRegionAccessPoint.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateMultiRegionAccessPoint.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DescribeMultiRegionAccessPointOperation.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DescribeMultiRegionAccessPointOperation.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPoint.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPoint.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPointPolicy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPointPolicy.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPointPolicyStatus.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPointPolicyStatus.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPointRoutes.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetMultiRegionAccessPointRoutes.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListMultiRegionAccessPoints.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListMultiRegionAccessPoints.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutMultiRegionAccessPointPolicy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutMultiRegionAccessPointPolicy.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_SubmitMultiRegionAccessPointRoutes.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_SubmitMultiRegionAccessPointRoutes.html)

## View your Multi-Region Access Point routing configuration
<a name="query-mrap-routing-configuration"></a>

------
#### [ AWS CLI ]

The following example command retrieves your Multi-Region Access Point route configuration so that you can see the current routing statuses for your buckets. To use this example command, replace the `user input placeholders` with your own information.

```
aws s3control get-multi-region-access-point-routes \
    --region eu-west-1 \
    --account-id 111122223333 \
    --mrap arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap
```

------
#### [ SDK for Java ]

The following SDK for Java code retrieves your Multi-Region Access Point route configuration so that you can see the current routing statuses for your buckets. To use this example syntax, replace the `user input placeholders` with your own information.

```
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.GetMultiRegionAccessPointRoutesRequest;
import software.amazon.awssdk.services.s3control.model.GetMultiRegionAccessPointRoutesResponse;

// Route requests must be sent to one of the five supported Regions (here, us-east-1).
S3ControlClient s3ControlClient = S3ControlClient.builder()
    .region(Region.US_EAST_1)
    .credentialsProvider(DefaultCredentialsProvider.create())
    .build();
 
GetMultiRegionAccessPointRoutesRequest request = GetMultiRegionAccessPointRoutesRequest.builder()
    .accountId("111122223333")
    .mrap("arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap")
    .build();
 
GetMultiRegionAccessPointRoutesResponse response = s3ControlClient.getMultiRegionAccessPointRoutes(request);

// Each route reports the bucket, its Region, and its traffic dial (100 = active, 0 = passive).
response.routes().forEach(route ->
    System.out.println(route.bucket() + " " + route.region() + " " + route.trafficDialPercentage()));
```

------
#### [ SDK for JavaScript ]

The following SDK for JavaScript code retrieves your Multi-Region Access Point route configuration so that you can see the current routing statuses for your buckets. To use this example syntax, replace the `user input placeholders` with your own information.

```
import { S3ControlClient, GetMultiRegionAccessPointRoutesCommand } from '@aws-sdk/client-s3-control'

// Route requests must be sent to one of the five supported Regions (here, us-east-1).
const REGION = 'us-east-1'
 
const s3ControlClient = new S3ControlClient({
  region: REGION
})
 
export const run = async () => {
  try {
    const data = await s3ControlClient.send(
      new GetMultiRegionAccessPointRoutesCommand({
        AccountId: '111122223333',
        Mrap: 'arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap',
      })
    )
    // data.Routes lists each bucket with its Region and TrafficDialPercentage
    console.log('Success', data)
    return data
  } catch (err) {
    console.log('Error', err)
  }
}
 
run()
```

------
#### [ SDK for Python ]

The following SDK for Python code retrieves your Multi-Region Access Point route configuration so that you can see the current routing statuses for your buckets. To use this example syntax, replace the `user input placeholders` with your own information.

```
import boto3

# Route requests must be sent to one of the five supported Regions (here, us-east-1).
s3control = boto3.client('s3control', region_name='us-east-1')

# Each route reports the bucket, its Region, and its traffic dial (100 = active, 0 = passive).
routes = s3control.get_multi_region_access_point_routes(
    AccountId='111122223333',
    Mrap='arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap')['Routes']
for route in routes:
    print(route['Bucket'], route['Region'], route['TrafficDialPercentage'])
```

------

## Update your underlying Amazon S3 bucket policy
<a name="update-underlying-bucket-policy"></a>

To grant proper access, you must also update the underlying Amazon S3 bucket policy. The following examples delegate access control to the Multi-Region Access Point policy. After you delegate access control to the Multi-Region Access Point policy, the bucket policy is no longer used for access control when requests are made through the Multi-Region Access Point.

Here's an example bucket policy that delegates access control to the Multi-Region Access Point policy. To use this example bucket policy, replace the `user input placeholders` with your own information. To apply this policy through the AWS CLI `put-bucket-policy` command, as shown in the next example, save the policy in a file, for example, `policy.json`.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { 
        "AWS": "arn:aws:iam::444455556666:root" 
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:DataAccessPointAccount": "444455556666"
        }
      }
    }
  ]
}
```

------

The following `put-bucket-policy` example command associates the updated S3 bucket policy with your S3 bucket:

```
aws s3api put-bucket-policy \
    --bucket amzn-s3-demo-bucket \
    --policy file:///tmp/policy.json
```
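To see exactly which requests the delegating statement above covers, here is an added Python example (not code from this guide) that models the small subset of IAM policy evaluation the policy needs: an `Allow` effect, an account-root principal, action and resource wildcard matching, and a `StringEquals` condition on `s3:DataAccessPointAccount`. The request contexts are constructed; the account-root principal handling is a simplification of real IAM evaluation, and the policy has no `Deny` statements, so any matching `Allow` is an allow.

```python
"""Evaluate the delegating bucket policy against constructed request contexts.

Added example, not from the Amazon S3 User Guide. A deliberately small
policy evaluator: enough to show that s3:DataAccessPointAccount restricts the
statement to requests arriving through an access point of one account.
"""
import json
import re
from fnmatch import fnmatchcase
from typing import Dict, Optional

# The delegating bucket policy from this page.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:root" },
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*"],
      "Condition": { "StringEquals": { "s3:DataAccessPointAccount": "444455556666" } }
    }
  ]
}
""")

ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match (* and ?) for actions and resources."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def make_request(action: str, resource: str, principal_account: str,
                 access_point_account: Optional[str] = None) -> Dict:
    """Constructed request context. s3:DataAccessPointAccount is present only
    when the request arrives through an access point (a MRAP included)."""
    ctx = {"action": action, "resource": resource,
           "principal_account": principal_account, "keys": {}}
    if access_point_account is not None:
        ctx["keys"]["s3:DataAccessPointAccount"] = access_point_account
    return ctx


def statement_allows(stmt: Dict, req: Dict) -> bool:
    if stmt.get("Effect") != "Allow":
        return False
    # Simplified principal model: an account-root ARN matches any principal
    # in that account; "*" matches everyone.
    principal = stmt["Principal"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    ok_principal = False
    for p in _as_list(aws):
        m = ROOT_ARN.match(p)
        if p == "*" or (m and m.group(1) == req["principal_account"]):
            ok_principal = True
    if not ok_principal:
        return False
    if not _matches(stmt["Action"], req["action"]):
        return False
    if not _matches(stmt["Resource"], req["resource"]):
        return False
    for operator, tests in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in tests.items():
            # A key absent from the request context never satisfies StringEquals,
            # so a request sent directly to the bucket falls outside this statement.
            if req["keys"].get(key) != expected:
                return False
    return True


def bucket_policy_allows(policy: Dict, req: Dict) -> bool:
    """True if any Allow statement matches (this policy has no Deny statements)."""
    return any(statement_allows(s, req) for s in policy["Statement"])


OBJ = "arn:aws:s3:::amzn-s3-demo-bucket/example.txt"
BUCKET = "arn:aws:s3:::amzn-s3-demo-bucket"

# Constructed sample requests
VIA_MRAP = make_request("s3:GetObject", OBJ, "444455556666", access_point_account="444455556666")
DIRECT = make_request("s3:GetObject", OBJ, "444455556666")
FOREIGN_AP = make_request("s3:GetObject", OBJ, "444455556666", access_point_account="999999999999")
LIST_VIA_MRAP = make_request("s3:ListBucket", BUCKET, "444455556666", access_point_account="444455556666")

if __name__ == "__main__":
    for name, req in [("via MRAP", VIA_MRAP), ("direct", DIRECT), ("foreign AP", FOREIGN_AP)]:
        print(f"{name}: {'allowed' if bucket_policy_allows(BUCKET_POLICY, req) else 'not allowed'}")
```

The point to take from the output is that once this policy is in place, direct requests to the bucket and requests through an access point owned by another account are not granted anything by the bucket policy; the Multi-Region Access Point policy becomes the place where access is decided.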

## Update a Multi-Region Access Point route configuration
<a name="update-mrap-route-configuration"></a>

The following example command updates the Multi-Region Access Point route configuration. Multi-Region Access Point route commands can be run against the following five Regions:
+ `ap-southeast-2`
+ `ap-northeast-1`
+ `us-east-1`
+ `us-west-2`
+ `eu-west-1`

In a Multi-Region Access Point routing configuration, you can set buckets to an active or passive routing status. Active buckets receive traffic, whereas passive buckets do not. You can set a bucket's routing status by setting the `TrafficDialPercentage` value for the bucket to `100` for active or `0` for passive. 
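The following Python is an added example (not code from this guide) that assembles the `RouteUpdates` argument for boto3's `submit_multi_region_access_point_routes` and applies the checks a practitioner wants before a failover: the ARN has the Multi-Region Access Point shape shown on this page (empty Region field, alias ending in `.mrap`) and belongs to the stated account, the client Region is one of the five route Regions, and the change would not leave every bucket passive. The `CURRENT_ROUTES` list is a constructed sample in the shape of the `Routes` element returned by `get_multi_region_access_point_routes`.

```python
"""Build and sanity-check a Multi-Region Access Point route update.

Added example, not code from the Amazon S3 User Guide. Returns the keyword
arguments for boto3.client("s3control").submit_multi_region_access_point_routes
only if the planned change passes basic safety checks.
"""
import re
from typing import Dict, List

# MRAP ARNs have an empty Region field and an alias ending in ".mrap"
MRAP_ARN = re.compile(r"^arn:aws:s3::(\d{12}):accesspoint/([a-z0-9]+)\.mrap$")

# Regions that accept Multi-Region Access Point route commands
ROUTE_REGIONS = {"ap-southeast-2", "ap-northeast-1", "us-east-1", "us-west-2", "eu-west-1"}

ACTIVE, PASSIVE = 100, 0


def check_mrap_arn(arn: str, account_id: str) -> str:
    """Return the MRAP alias; raise if the ARN is malformed or not this account's."""
    m = MRAP_ARN.match(arn)
    if not m:
        raise ValueError(f"not a Multi-Region Access Point ARN: {arn}")
    if m.group(1) != account_id:
        raise ValueError("MRAP ARN account does not match AccountId")
    return m.group(2)


def check_route_region(region: str) -> str:
    if region not in ROUTE_REGIONS:
        raise ValueError(f"route commands must target one of {sorted(ROUTE_REGIONS)}")
    return region


def build_route_updates(desired: Dict[str, bool]) -> List[Dict]:
    """desired maps bucket name -> True (active) or False (passive)."""
    return [{"Bucket": bucket, "TrafficDialPercentage": ACTIVE if active else PASSIVE}
            for bucket, active in sorted(desired.items())]


def resulting_routes(current: List[Dict], updates: List[Dict]) -> Dict[str, int]:
    """Apply the updates to the current routes; return bucket -> traffic dial."""
    state = {r["Bucket"]: r["TrafficDialPercentage"] for r in current}
    for u in updates:
        if u["Bucket"] not in state:
            raise ValueError(f"{u['Bucket']} is not a bucket of this Multi-Region Access Point")
        state[u["Bucket"]] = u["TrafficDialPercentage"]
    return state


def validate_failover(current: List[Dict], updates: List[Dict]) -> Dict[str, int]:
    """Refuse a change that would set every bucket passive (a self-inflicted outage)."""
    state = resulting_routes(current, updates)
    if not any(dial > 0 for dial in state.values()):
        raise ValueError("refusing update: no bucket would remain active")
    return state


# Constructed sample of the Routes list from get_multi_region_access_point_routes
CURRENT_ROUTES = [
    {"Bucket": "amzn-s3-demo-bucket1", "Region": "ap-southeast-2", "TrafficDialPercentage": 100},
    {"Bucket": "amzn-s3-demo-bucket2", "Region": "eu-west-1", "TrafficDialPercentage": 100},
]


def plan_failover(account_id: str, mrap_arn: str, region: str,
                  desired: Dict[str, bool], current: List[Dict] = CURRENT_ROUTES) -> Dict:
    """Return the client Region and the request parameters for the route update."""
    check_mrap_arn(mrap_arn, account_id)
    check_route_region(region)
    updates = build_route_updates(desired)
    validate_failover(current, updates)
    return {"region_name": region,
            "params": {"AccountId": account_id, "Mrap": mrap_arn, "RouteUpdates": updates}}


if __name__ == "__main__":
    plan = plan_failover("111122223333",
                         "arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap",
                         "ap-southeast-2",
                         {"amzn-s3-demo-bucket1": True, "amzn-s3-demo-bucket2": False})
    print(plan)
    # With boto3 installed and credentials configured, the call would be:
    # boto3.client("s3control", region_name=plan["region_name"]) \
    #      .submit_multi_region_access_point_routes(**plan["params"])
```

Reading the current routes first and computing the resulting state is what makes the "no active bucket" check possible; submitting an update for only one bucket without that context is how a passive-only configuration gets created by accident.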

------
#### [ AWS CLI ]

The following example command updates your Multi-Region Access Point routing configuration. In this example, `amzn-s3-demo-bucket1` is set to active status and `amzn-s3-demo-bucket2` is set to passive. To use this example command, replace the `user input placeholders` with your own information.

```
aws s3control submit-multi-region-access-point-routes \
    --region ap-southeast-2 \
    --account-id 111122223333 \
    --mrap arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap \
    --route-updates Bucket=amzn-s3-demo-bucket1,TrafficDialPercentage=100 \
                    Bucket=amzn-s3-demo-bucket2,TrafficDialPercentage=0
```

------
#### [ SDK for Java ]

The following SDK for Java code updates your Multi-Region Access Point routing configuration. To use this example syntax, replace the `user input placeholders` with your own information.

```
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.MultiRegionAccessPointRoute;
import software.amazon.awssdk.services.s3control.model.SubmitMultiRegionAccessPointRoutesRequest;
import software.amazon.awssdk.services.s3control.model.SubmitMultiRegionAccessPointRoutesResponse;

// Route requests must be sent to one of the five supported Regions (here, ap-southeast-2).
S3ControlClient s3ControlClient = S3ControlClient.builder()
    .region(Region.AP_SOUTHEAST_2)
    .credentialsProvider(DefaultCredentialsProvider.create())
    .build();
 
// Each route names a bucket, a Region, or both; 100 = active, 0 = passive.
SubmitMultiRegionAccessPointRoutesRequest request = SubmitMultiRegionAccessPointRoutesRequest.builder()
    .accountId("111122223333")
    .mrap("arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap")
    .routeUpdates(
        MultiRegionAccessPointRoute.builder()
            .region("eu-west-1")
            .trafficDialPercentage(100)
            .build(),
        MultiRegionAccessPointRoute.builder()
            .region("ca-central-1")
            .bucket("amzn-s3-demo-bucket1")
            .trafficDialPercentage(0)
            .build()
    )
    .build();
 
SubmitMultiRegionAccessPointRoutesResponse response = s3ControlClient.submitMultiRegionAccessPointRoutes(request);
```

------
#### [ SDK for JavaScript ]

The following SDK for JavaScript code updates your Multi-Region Access Point route configuration. To use this example syntax, replace the `user input placeholders` with your own information.

```
import { S3ControlClient, SubmitMultiRegionAccessPointRoutesCommand } from '@aws-sdk/client-s3-control'

// Route requests must be sent to one of the five supported Regions (here, ap-southeast-2).
const REGION = 'ap-southeast-2'
 
const s3ControlClient = new S3ControlClient({
  region: REGION
})
 
export const run = async () => {
  try {
    const data = await s3ControlClient.send(
      new SubmitMultiRegionAccessPointRoutesCommand({
        AccountId: '111122223333',
        Mrap: 'arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap',
        // Each route names a bucket, a Region, or both; 100 = active, 0 = passive.
        RouteUpdates: [
          {
            Region: 'eu-west-1',
            TrafficDialPercentage: 100,
          },
          {
            Region: 'ca-central-1',
            Bucket: 'amzn-s3-demo-bucket1',
            TrafficDialPercentage: 0,
          },
        ],
      })
    )
    console.log('Success', data)
    return data
  } catch (err) {
    console.log('Error', err)
  }
}
 
run()
```

------
#### [ SDK for Python ]

The following SDK for Python code updates your Multi-Region Access Point route configuration. To use this example syntax, replace the `user input placeholders` with your own information.

```
import boto3

# Route requests must be sent to one of the five supported Regions (here, ap-southeast-2).
s3control = boto3.client('s3control', region_name='ap-southeast-2')

s3control.submit_multi_region_access_point_routes(
    AccountId='111122223333',
    Mrap='arn:aws:s3::111122223333:accesspoint/abcdef0123456.mrap',
    RouteUpdates=[{
        'Bucket': 'amzn-s3-demo-bucket',
        'Region': 'ap-southeast-2',
        # 100 = active (receives traffic), 0 = passive
        'TrafficDialPercentage': 100
    }])
```

------

## Add an object to a bucket in your Multi-Region Access Point
<a name="add-bucket-mrap"></a>

To add an object to the bucket that's associated with the Multi-Region Access Point, you can use the [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) operation. To keep all buckets in the Multi-Region Access Point in sync, enable [Cross-Region Replication](MultiRegionAccessPointBucketReplication.md).

**Note**  
To use this operation, you must have the `s3:PutObject` permission for the Multi-Region Access Point. For more information about Multi-Region Access Point permission requirements, see [Permissions](MultiRegionAccessPointPermissions.md).

------
#### [ AWS CLI ]

The following example data plane request uploads *`example.txt`* to the specified Multi-Region Access Point. To use this example, replace the *`user input placeholders`* with your own information.

```
aws s3api put-object --bucket arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap --key example.txt --body example.txt
```

------
#### [ SDK for Java ]

```
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;

S3Client s3Client = S3Client.builder()
        .build();
        
// The Multi-Region Access Point ARN is passed where a bucket name would normally go.
PutObjectRequest objectRequest = PutObjectRequest.builder()
        .bucket("arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap")
        .key("example.txt")
        .build();

s3Client.putObject(objectRequest, RequestBody.fromString("Hello S3!"));
```

------
#### [ SDK for JavaScript ]

```
import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";

const client = new S3Client({});

async function putObjectExample() {
    // The Multi-Region Access Point ARN is passed where a bucket name would normally go.
    const command = new PutObjectCommand({
        Bucket: "arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap",
        Key: "example.txt",
        Body: "Hello S3!",
    });
    
    try {
        const response = await client.send(command);
        console.log(response);
    } catch (err) {
        console.error(err);
    }
}

putObjectExample();
```

------
#### [ SDK for Python ]

```
import boto3

client = boto3.client('s3')
client.put_object(
    Bucket='arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap',
    Key='example.txt',
    Body='Hello S3!'
)
```

------

## Retrieve objects from your Multi-Region Access Point
<a name="get-object-mrap"></a>

To retrieve objects from the Multi-Region Access Point, you can use the [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) operation.

**Note**  
To use this API operation, you must have the `s3:GetObject` permission for the Multi-Region Access Point. For more information about Multi-Region Access Point permissions requirements, see [Permissions](MultiRegionAccessPointPermissions.md).

------
#### [ AWS CLI ]

The following example data plane request retrieves *`example.txt`* from the specified Multi-Region Access Point and downloads it as *`downloaded_example.txt`*. To use this example, replace the *`user input placeholders`* with your own information.

```
aws s3api get-object --bucket arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap --key example.txt downloaded_example.txt
```

------
#### [ SDK for Java ]

```
import software.amazon.awssdk.core.ResponseBytes;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.GetObjectResponse;

S3Client s3Client = S3Client
   .builder()
   .build();

// The Multi-Region Access Point ARN is passed where a bucket name would normally go.
GetObjectRequest getObjectRequest = GetObjectRequest.builder()
    .bucket("arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap")
    .key("example.txt")
    .build();

// Read the whole object into memory; use getObject() for a streaming response instead.
ResponseBytes<GetObjectResponse> objectBytes = s3Client.getObjectAsBytes(getObjectRequest);
String content = objectBytes.asUtf8String();
```

------
#### [ SDK for JavaScript ]

```
import { S3Client, GetObjectCommand } from "@aws-sdk/client-s3";

const client = new S3Client({})

async function getObjectExample() {
    // The Multi-Region Access Point ARN is passed where a bucket name would normally go.
    const command = new GetObjectCommand({
        Bucket: "arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap",
        Key: "example.txt"
    });
    
    try {
        const response = await client.send(command);
        // response.Body is a stream; transformToString() reads it as UTF-8 text.
        const content = await response.Body.transformToString();
        console.log(content);
    } catch (err) {
        console.error(err);
    }
}

getObjectExample();
```

------
#### [ SDK for Python ]

```
import boto3

client = boto3.client('s3')
client.get_object(
    Bucket='arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap',
    Key='example.txt'
)
```

------

## List objects that are stored in a bucket underlying your Multi-Region Access Point
<a name="list-objects-mrap"></a>

To return a list of objects that are stored in a bucket underlying your Multi-Region Access Point, use the [https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html) operation. In the following example command, all objects for the specified Multi-Region Access Point are listed by using the ARN for the Multi-Region Access Point. In this case, the Multi-Region Access Point ARN is:

`arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap`

**Note**  
To use this API operation, you must have the `s3:ListBucket` permission for the Multi-Region Access Point and the underlying bucket. For more information about Multi-Region Access Point permissions requirements, see [Permissions](MultiRegionAccessPointPermissions.md).

------
#### [ AWS CLI ]

The following example data plane request lists the objects in the bucket that underlies the Multi-Region Access Point that's specified by the ARN. To use this example, replace the *`user input placeholders`* with your own information.

```
aws s3api list-objects-v2 --bucket arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap
```

------
#### [ SDK for Java ]

```
S3Client s3Client = S3Client.builder()
        .build();
        
String bucketName = "arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap";

ListObjectsV2Request listObjectsRequest = ListObjectsV2Request
    .builder()
    .bucket(bucketName)
    .build();

s3Client.listObjectsV2(listObjectsRequest);
```

------
#### [ SDK for JavaScript ]

```
const client = new S3Client({});

async function listObjectsExample() {
    const command = new ListObjectsV2Command({
        Bucket: "arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap",
    });
    
    try {
        const response = await client.send(command);
        console.log(response);
    } catch (err) {
        console.error(err);
    }
}
```

------
#### [ SDK for Python ]

```
import boto3

client = boto3.client('s3')
client.list_objects_v2(
    Bucket='arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap'
)
```

------

## Use a presigned URL with Multi-Region Access Points
<a name="use-presigned-url-mrap"></a>

You can generate a presigned URL that allows others to access objects in your Amazon S3 buckets through an Amazon S3 Multi-Region Access Point. When you create a presigned URL, you associate it with a specific object action, such as an S3 upload (`PutObject`) or an S3 download (`GetObject`). Anyone who has the presigned URL can perform the action embedded in it as if they were the signing user, so treat the URL as a bearer credential and share it only over channels that you trust.

Presigned URLs have an expiration time. When that time is reached, the URL no longer works. Choose the shortest expiration that your workflow allows.

Before you use S3 Multi-Region Access Points with presigned URLs, check the [AWS SDK compatibility](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html#s3-mrap-sdk-compat) with the SigV4A algorithm. Verify that your SDK version supports SigV4A as the signing implementation that is used to sign the global AWS Region requests. For more information about using presigned URLs with Amazon S3, see [Sharing objects by using presigned URLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html).

The following examples show how you can use Multi-Region Access Points with presigned URLs. To use these examples, replace the *`user input placeholders`* with your own information.

------
#### [ AWS CLI ]

```
aws s3 presign arn:aws:s3::123456789012:accesspoint/MultiRegionAccessPoint_alias/example-file.txt
```

------
#### [ SDK for Python ]

```
import boto3

# Credentials come from the default provider chain; never embed access keys in source.
# Requests to the global Multi-Region Access Point endpoint are signed with SigV4A,
# which botocore delegates to the AWS CRT (pip install "boto3[crt]").
s3_client = boto3.client('s3')
url = s3_client.generate_presigned_url(
    ClientMethod='put_object',
    Params={'Bucket': 'arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap',
            'Key': 'example-file'},
    ExpiresIn=600,  # seconds
    HttpMethod='PUT')
print(url)
```

------
#### [ SDK for Java ]

```
// Request temporary credentials from a Regional AWS STS endpoint. Credentials issued
// by the global STS endpoint can't be used for SigV4A signing.
StsClient stsClient = StsClient.builder()
    .region(Region.US_WEST_2)
    .build();

// Replace the role ARN with the role that is allowed to read from the Multi-Region Access Point.
AssumeRoleRequest assumeRole = AssumeRoleRequest.builder()
    .roleArn("arn:aws:iam::123456789012:role/example-presign-role")
    .roleSessionName("mrap-presign")
    .build();

S3Presigner s3Presigner = S3Presigner.builder()
    .credentialsProvider(StsAssumeRoleCredentialsProvider.builder()
        .refreshRequest(assumeRole)
        .stsClient(stsClient)
        .build())
    .build();

GetObjectRequest getObjectRequest = GetObjectRequest.builder()
    .bucket("arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap")
    .key("example-file")
    .build();

GetObjectPresignRequest preSignedReq = GetObjectPresignRequest.builder()
    .getObjectRequest(getObjectRequest)
    .signatureDuration(Duration.ofMinutes(10)) // keep the validity window short
    .build();

PresignedGetObjectRequest presignedGetObjectRequest = s3Presigner.presignGetObject(preSignedReq);
URL presignedUrl = presignedGetObjectRequest.url();
```

------

**Note**  
To use SigV4A with temporary security credentials—for example, when using IAM roles—make sure that you request the temporary credentials from a Regional endpoint in AWS Security Token Service (AWS STS), instead of the global endpoint. Temporary credentials issued by the global AWS STS endpoint (`sts.amazonaws.com`) can't be used for SigV4A signing, so requests signed with them fail with an error. To resolve this issue, use any of the listed [Regional endpoints for AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_region-endpoints).
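Before handing a presigned Multi-Region Access Point URL to a third party, it is worth checking that it was actually produced with SigV4A for the global endpoint and that its validity window matches your policy. The following Python is an added example, not code from the Amazon S3 documentation or an AWS SDK: it parses the query string that a presigned URL carries (`X-Amz-Algorithm`, `X-Amz-Date`, `X-Amz-Expires`, `X-Amz-Region-Set`, `X-Amz-Credential`), rejects URLs that are plain SigV4, expired, or valid for longer than a caller-supplied maximum, and reports the alias, key and remaining lifetime. The sample URL and its signature value are constructed for illustration; the signature itself can't be verified offline because that requires the signer's secret key.

```python
"""Inspect a presigned Multi-Region Access Point URL before handing it to a third party."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Values of the X-Amz-Algorithm query parameter for the two signing schemes.
SIGV4A_ALGORITHM = "AWS4-ECDSA-P256-SHA256"   # SigV4A: required for the global MRAP endpoint
SIGV4_ALGORITHM = "AWS4-HMAC-SHA256"          # SigV4: scoped to a single Region
MRAP_HOST_SUFFIX = ".mrap.accesspoint.s3-global.amazonaws.com"
AMZ_DATE_FORMAT = "%Y%m%dT%H%M%SZ"

# Constructed sample URL (not produced by an SDK); the access key ID is AWS's documented
# example key and the signature value is a placeholder.
SAMPLE_URL = (
    "https://abcdef0123456.mrap.accesspoint.s3-global.amazonaws.com/example-file.txt"
    "?X-Amz-Algorithm=AWS4-ECDSA-P256-SHA256"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240102%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240102T030405Z"
    "&X-Amz-Expires=600"
    "&X-Amz-Region-Set=%2A"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=0123456789abcdef0123456789abcdef"
)


def inspect_presigned_url(url, now_iso=None, max_expires=3600):
    """Describe a presigned MRAP URL and enforce a local policy on it.

    Raises ValueError if the URL cannot work against a Multi-Region Access Point
    (wrong host or not SigV4A-signed), is already expired, or is valid for longer
    than max_expires seconds.  now_iso ("YYYY-MM-DDTHH:MM:SSZ") pins the clock for
    testing; by default the current UTC time is used.
    """
    now = (datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ") if now_iso
           else datetime.now(timezone.utc).replace(tzinfo=None))
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}

    host = parsed.hostname or ""
    if not host.endswith(MRAP_HOST_SUFFIX):
        raise ValueError(f"not a Multi-Region Access Point endpoint: {host}")
    alias = host[: -len(MRAP_HOST_SUFFIX)] + ".mrap"

    algorithm = params.get("X-Amz-Algorithm")
    if algorithm != SIGV4A_ALGORITHM:
        hint = " (plain SigV4; check that the SDK supports SigV4A)" if algorithm == SIGV4_ALGORITHM else ""
        raise ValueError(f"URL is not SigV4A-signed: {algorithm}{hint}")

    for name in ("X-Amz-Date", "X-Amz-Expires", "X-Amz-Credential", "X-Amz-Signature"):
        if name not in params:
            raise ValueError(f"missing query parameter {name}")

    signed_at = datetime.strptime(params["X-Amz-Date"], AMZ_DATE_FORMAT)
    lifetime = int(params["X-Amz-Expires"])
    expires_at = signed_at + timedelta(seconds=lifetime)
    remaining = int((expires_at - now).total_seconds())
    if remaining <= 0:
        raise ValueError(f"URL expired at {expires_at.isoformat()}Z")
    if lifetime > max_expires:
        raise ValueError(f"URL lifetime {lifetime}s exceeds policy maximum of {max_expires}s")

    warnings = []
    # SigV4A scopes the signature to a Region set; '*' is what the global endpoint needs.
    region_set = params.get("X-Amz-Region-Set", "")
    if region_set != "*":
        warnings.append(f"region set is {region_set!r}, not '*'")

    return {
        "mrap_alias": alias,
        "key": parsed.path.lstrip("/"),
        "algorithm": algorithm,
        "access_key_id": params["X-Amz-Credential"].split("/")[0],
        "signed_at": signed_at.isoformat() + "Z",
        "expires_at": expires_at.isoformat() + "Z",
        "seconds_remaining": remaining,
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(inspect_presigned_url(SAMPLE_URL, now_iso="2024-01-02T03:09:05Z"))
```

The access key ID in the report tells you which principal signed the URL, which is the first thing to look up when a URL turns up somewhere it should not be.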

## Use a bucket that's configured with Requester Pays with Multi-Region Access Points
<a name="use-requester-pays-mrap"></a>

If an S3 bucket that is associated with your Multi-Region Access Point is [configured to use Requester Pays](https://docs.aws.amazon.com/AmazonS3/latest/userguide/RequesterPaysExamples.html), the requester pays for the bucket request, the download, and any Multi-Region Access Point-related costs. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).

Here's an example of a data plane request to a Multi-Region Access Point that is connected to a Requester Pays bucket.

------
#### [ AWS CLI ]

To download objects from a Multi-Region Access Point that is connected to a Requester Pays bucket, you must specify `--request-payer requester` as part of your [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-object.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-object.html) request. You must also specify the name of the file in the bucket and the location where the downloaded file should be stored.

```
aws s3api get-object --bucket MultiRegionAccessPoint_ARN --request-payer requester --key example-file-in-bucket.txt example-location-of-downloaded-file.txt 
```

------
#### [ SDK for Java ]

To download objects from a Multi-Region Access Point that is connected to a Requester Pays bucket, you must specify `RequestPayer.REQUESTER` as part of your `GetObject` request, along with the key of the object to download.

```
GetObjectResponse getObjectResponse = s3Client.getObject(GetObjectRequest.builder()
    .key("example-file.txt")
    .bucket("arn:aws:s3::123456789012:accesspoint/abcdef0123456.mrap")
    .requestPayer(RequestPayer.REQUESTER)
    .build()
).response();
```

------

# Monitoring and logging requests made through a Multi-Region Access Point to underlying resources
<a name="MultiRegionAccessPointMonitoring"></a>

Amazon S3 logs requests made through Multi-Region Access Points and requests made to the API operations that manage them, such as `CreateMultiRegionAccessPoint` and `GetMultiRegionAccessPointPolicy`. Requests made to Amazon S3 through a Multi-Region Access Point appear in your Amazon S3 server access logs and AWS CloudTrail logs with the Multi-Region Access Point hostname. A Multi-Region Access Point's hostname takes the form `MRAP_alias.accesspoint.s3-global.amazonaws.com`. For example, suppose that you have the following bucket and Multi-Region Access Point configuration: 
+ A bucket named `my-bucket-usw2` in the Region `us-west-2` that contains the object `my-image.jpg`. 
+ A bucket named `my-bucket-aps1` in the Region `ap-south-1` that contains the object `my-image.jpg`. 
+ A bucket named `my-bucket-euc1` in the Region `eu-central-1` that doesn't contain an object named `my-image.jpg`. 
+ A Multi-Region Access Point named `my-mrap` with the alias `mfzwi23gnjvgw.mrap` that is configured to fulfill requests from all three buckets. 
+ Your AWS account ID is `123456789012`. 

A request made to retrieve `my-image.jpg` directly through any of the buckets appears in your logs with a hostname of `bucket_name.s3.Region.amazonaws.com`. 

If you make the request through the Multi-Region Access Point instead, Amazon S3 first determines which of the buckets in the different Regions is closest. After Amazon S3 determines which bucket to use to fulfill the request, it sends the request to that bucket and logs the operation by using the Multi-Region Access Point hostname. In this example, if Amazon S3 relays the request to `my-bucket-aps1`, your logs will reflect a successful `GET` request for `my-image.jpg` from `my-bucket-aps1`, using a hostname of `mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com`. 

**Important**  
Multi-Region Access Points aren't aware of the data contents of the underlying buckets. Therefore, the bucket that gets the request might not contain the requested data. For example, if Amazon S3 determines that the `my-bucket-euc1` bucket is the closest, your logs will reflect a failed `GET` request for `my-image.jpg` from `my-bucket-euc1`, using a hostname of `mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com`. If the request was routed to `my-bucket-usw2` instead, your logs would indicate a successful `GET` request.

 For more information about Amazon S3 server access logs, see [Logging requests with server access logging](ServerLogs.md). For more information about AWS CloudTrail, see [What is AWS CloudTrail?](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) in the *AWS CloudTrail User Guide*. 

## Monitoring and logging requests made to Multi-Region Access Point management API operations
<a name="MonitoringMultiRegionAccessPointAPIs"></a>

Amazon S3 provides several API operations to manage Multi-Region Access Points, such as `CreateMultiRegionAccessPoint` and `GetMultiRegionAccessPointPolicy`. When you make requests to these API operations by using the AWS Command Line Interface (AWS CLI), AWS SDKs, or Amazon S3 REST API, Amazon S3 processes these requests asynchronously. Provided that you have the appropriate permissions for the request, Amazon S3 returns a token for these requests. You can use this token with `DescribeAsyncOperation` to help you to view the status of ongoing asynchronous operations. Amazon S3 processes `DescribeAsyncOperation` requests synchronously. To view the status of asynchronous requests, you can use the Amazon S3 console, AWS CLI, SDKs, or REST API. 

**Note**  
The console displays only the status of asynchronous requests that were made within the previous 14 days. To view the status of older requests, use the AWS CLI, SDKs, or REST API. 

 Asynchronous management operations can be in one of several states: 

NEW  
 Amazon S3 has received the request and is preparing to perform the operation. 

IN\_PROGRESS  
 Amazon S3 is currently performing the operation. 

SUCCESS  
 The operation succeeded. The response includes relevant information, such as the Multi-Region Access Point alias for a `CreateMultiRegionAccessPoint` request. 

FAILED  
 The operation failed. The response includes an error message that indicates the reason for the request failure. 

## Using AWS CloudTrail with Multi-Region Access Points
<a name="MultiRegionAccessPointCloudTrail"></a>

You can use AWS CloudTrail to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. With Multi-Region Access Points and CloudTrail logging, you can identify the following: 
+ Who or what took which action
+ Which resources were acted upon
+ When the event occurred
+ Other details regarding the event

You can use this logging information to help you analyze and respond to activity that occurred through your Multi-Region Access Points. 

### How to set up AWS CloudTrail for Multi-Region Access Points
<a name="MultiRegionAccessPointCTSetup"></a>

To enable CloudTrail logging for any operations related to creating or maintaining Multi-Region Access Points, you must configure CloudTrail logging to record the events in the US West (Oregon) Region. You must set up your logging configuration this way regardless of which Region you are in when making the request, or which Regions the Multi-Region Access Point supports. All requests to create or maintain a Multi-Region Access Point are routed through the US West (Oregon) Region. We recommend that you either add this Region to an existing trail or create a new trail that contains this Region and all the Regions associated with the Multi-Region Access Point.

Amazon S3 logs all requests made through a Multi-Region Access Point and requests made to the API operations that manage access points, such as `CreateMultiRegionAccessPoint` and `GetMultiRegionAccessPointPolicy`. When you log these requests through a Multi-Region Access Point, they appear in your AWS CloudTrail logs with the hostname of the Multi-Region Access Point. For example, if you make requests to a bucket through a Multi-Region Access Point with the alias `mfzwi23gnjvgw.mrap`, the entries in the CloudTrail log will have a hostname of `mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com`. 

Multi-Region Access Points route requests to the closest bucket. Because of this behavior, when you look at the CloudTrail logs for a Multi-Region Access Point, you will see requests being made to the underlying buckets. Some of those requests might be direct requests to the bucket that were not routed through the Multi-Region Access Point. Keep this fact in mind when reviewing traffic: when a bucket is in a Multi-Region Access Point, requests can still be made to that bucket directly without going through the Multi-Region Access Point, and such direct requests are governed by the bucket's own policy rather than by the Multi-Region Access Point policy. 
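The two things a reviewer of these logs wants to pull out are, first, reads that came through the Multi-Region Access Point but failed on the bucket they were routed to (the `my-bucket-euc1` case above, where the closest bucket doesn't hold the object), and second, requests that reached a member bucket directly and so bypassed the Multi-Region Access Point. The following Python is an added example, not code from the Amazon S3 documentation: it separates CloudTrail S3 data events by whether the request host is the Multi-Region Access Point hostname or a bucket's own hostname, using the example buckets and alias above. The log records are constructed, not real CloudTrail output, and the field layout it reads (`eventName`, `errorCode`, and `requestParameters.Host`, `bucketName`, `key`) is assumed from CloudTrail S3 data events and reduced to those fields.

```python
"""Triage S3 data events for buckets that sit behind a Multi-Region Access Point."""
import json
from collections import Counter

MRAP_HOST_SUFFIX = ".mrap.accesspoint.s3-global.amazonaws.com"

# Buckets that the example Multi-Region Access Point fulfills requests from.
MRAP_MEMBER_BUCKETS = {"my-bucket-usw2", "my-bucket-aps1", "my-bucket-euc1"}

# Constructed CloudTrail-style log file (not real output), reduced to the fields this
# code reads; the layout of eventName, errorCode and requestParameters.Host/bucketName/key
# is assumed from CloudTrail S3 data events.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-02T03:04:05Z", "eventName": "GetObject",
     "requestParameters": {"Host": "mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com",
                           "bucketName": "my-bucket-aps1", "key": "my-image.jpg"}},
    {"eventTime": "2024-01-02T03:04:06Z", "eventName": "GetObject", "errorCode": "NoSuchKey",
     "requestParameters": {"Host": "mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com",
                           "bucketName": "my-bucket-euc1", "key": "my-image.jpg"}},
    {"eventTime": "2024-01-02T03:04:07Z", "eventName": "GetObject",
     "requestParameters": {"Host": "my-bucket-usw2.s3.us-west-2.amazonaws.com",
                           "bucketName": "my-bucket-usw2", "key": "my-image.jpg"}},
    {"eventTime": "2024-01-02T03:04:08Z", "eventName": "PutObject",
     "requestParameters": {"Host": "my-bucket-aps1.s3.ap-south-1.amazonaws.com",
                           "bucketName": "my-bucket-aps1", "key": "notes.txt"}},
    {"eventTime": "2024-01-02T03:04:09Z", "eventName": "GetObject",
     "requestParameters": {"Host": "unrelated-bucket.s3.us-east-1.amazonaws.com",
                           "bucketName": "unrelated-bucket", "key": "a.txt"}},
]})


def classify_event(event):
    """Return which path a request took (via the MRAP or direct) and where it landed."""
    rp = event.get("requestParameters") or {}
    host = (rp.get("Host") or "").lower()
    via_mrap = host.endswith(MRAP_HOST_SUFFIX)
    return {
        "time": event.get("eventTime"),
        "operation": event.get("eventName"),
        "route": "mrap" if via_mrap else "direct",
        "mrap_alias": host[: -len(MRAP_HOST_SUFFIX)] + ".mrap" if via_mrap else None,
        "bucket": rp.get("bucketName"),
        "key": rp.get("key"),
        "error": event.get("errorCode"),
    }


def triage_cloudtrail(log_text, member_buckets=MRAP_MEMBER_BUCKETS):
    """Separate MRAP-routed traffic from direct bucket access and flag two findings.

    mrap_misses: reads through the MRAP that failed on the bucket they were routed to
        (the closest bucket did not hold the object, for example because replication
        has not caught up).
    direct_to_member_bucket: requests that bypassed the MRAP and so were checked only
        against the bucket policy, not the Multi-Region Access Point policy.
    """
    records = json.loads(log_text)["Records"]
    events = [classify_event(r) for r in records]
    counts = Counter(e["route"] for e in events)
    mrap_misses = [e for e in events
                   if e["route"] == "mrap" and e["operation"] == "GetObject" and e["error"]]
    direct = [e for e in events
              if e["route"] == "direct" and e["bucket"] in member_buckets]
    return {"counts": dict(counts), "mrap_misses": mrap_misses,
            "direct_to_member_bucket": direct}


if __name__ == "__main__":
    print(json.dumps(triage_cloudtrail(SAMPLE_LOG), indent=2))
```

A steady stream of `mrap_misses` for the same key from one Region points at replication lag or a missing replication rule for that bucket; entries under `direct_to_member_bucket` are the traffic that the Multi-Region Access Point policy never saw.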

There are asynchronous events involved with creating and managing Multi-Region Access Points. Asynchronous requests don't have completion events in the CloudTrail log. For more information about asynchronous requests, see [Monitoring and logging requests made to Multi-Region Access Point management API operations](#MonitoringMultiRegionAccessPointAPIs). 

 For more information about AWS CloudTrail, see [What is AWS CloudTrail?](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) in the *AWS CloudTrail User Guide*. 