Access points restrictions and limitations - Amazon Simple Storage Service

Access points restrictions and limitations

Amazon S3 access points have the following restrictions and limitations:

  • Each access point is associated with exactly one bucket, which you must specify when you create the access point. After you create an access point, you can't associate it with a different bucket. However, you can delete an access point, and then create another one with the same name and associate that new access point with a different bucket.

  • Access point names must meet certain conditions. For more information about naming access points, see Rules for naming Amazon S3 access points.

  • After you create an access point, you can't change its virtual private cloud (VPC) configuration.

  • Access point policies are limited to 20 KB in size.

  • You can create a maximum of 10,000 access points per AWS account per Region. If you need more than 10,000 access points for a single account in a single Region, you can request a service quota increase. For more information about service quotas and requesting an increase, see AWS service quotas in the AWS General Reference.

  • In AWS Regions where you have more than 1,000 access points, you can't search for an access point by name in the Amazon S3 console.

  • You can't use an access point as a destination for S3 Replication. For more information about replication, see Replicating objects within and across Regions.

  • You can't use S3 access point aliases as the source or destination for Move operations in the Amazon S3 console.

  • You can address access points only by using virtual-host-style URLs. For more information about virtual-host-style addressing, see Accessing an Amazon S3 bucket.

  • API operations that control access point functionality (for example, PutAccessPoint and GetAccessPointPolicy) don't support cross-account calls.

  • You must use AWS Signature Version 4 when making requests to an access point by using the REST APIs. For more information about authenticating requests, see Authenticating Requests (AWS Signature Version 4) in the Amazon Simple Storage Service API Reference.

  • Access points only support requests over HTTPS. Amazon S3 will automatically respond with an HTTP redirect for any requests made via HTTP, to upgrade the request to HTTPS.

  • Access points don't support anonymous access.

  • Cross-account access points don’t grant you access to data until you are granted permissions from the bucket owner. The bucket owner always retains ultimate control over access to the data and must update the bucket policy to authorize requests from the cross-account access point. To view a bucket policy example, see Configuring IAM policies for using access points.

  • When you're viewing a cross-account access point in the Amazon S3 console, the Access column displays Unknown. The Amazon S3 console can't determine if public access is granted for the associated bucket and objects. Unless you require a public configuration for a specific use case, we recommend that you and the bucket owner block all public access to the access point and the bucket. For more information, see Blocking public access to your Amazon S3 storage.