

# Managing access to shared datasets with access points
<a name="access-points"></a>

Amazon S3 access points simplify data access for any AWS service or customer application that stores data in S3. Access points are named network endpoints that are attached to a data source such as a bucket, Amazon FSx for NetApp ONTAP volume, or Amazon FSx for OpenZFS volume. For information about working with buckets, see [General purpose buckets overview](UsingBucket.md). For information about working with FSx for NetApp ONTAP, see [What is Amazon FSx for NetApp ONTAP](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/what-is-fsx-ontap.html) in the *FSx for ONTAP User Guide*. For information about working with FSx for OpenZFS, see [What is Amazon FSx for OpenZFS](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/what-is-fsx.html) in the *FSx for OpenZFS User Guide*.

You can use access points to perform S3 object operations, such as `GetObject` and `PutObject`. Each access point has distinct permissions and network controls that S3 applies to any request made through that access point. Each access point enforces a customized access point policy that allows you to control use by resource, user, or other conditions. If your access point is attached to a bucket, the access point policy works in conjunction with the underlying bucket policy. You can configure any access point to accept requests only from a virtual private cloud (VPC) to restrict Amazon S3 data access to a private network. You can also configure custom block public access settings for each access point.

**Note**  
You can only use access points to perform operations on objects. You can't use access points to perform other Amazon S3 operations, such as deleting buckets or creating S3 Replication configurations. For a complete list of S3 operations that support access points, see [Access point compatibility](access-points-service-api-support.md).

The topics in this section explain how to work with Amazon S3 access points. For topics on using access points with directory buckets, see [Managing access to shared datasets in directory buckets with access points](access-points-directory-buckets.md).

**Topics**
+ [Access points naming rules, restrictions, and limitations](access-points-restrictions-limitations-naming-rules.md)
+ [Referencing access points with ARNs, access point aliases, or virtual-hosted–style URIs](access-points-naming.md)
+ [Access point compatibility](access-points-service-api-support.md)
+ [Configuring IAM policies for using access points](access-points-policies.md)
+ [Monitoring and logging access points](access-points-monitoring-logging.md)
+ [Creating an access point](creating-access-points.md)
+ [Managing your Amazon S3 access points for general purpose buckets](access-points-manage.md)
+ [Using Amazon S3 access points for general purpose buckets](using-access-points.md)
+ [Using tags with S3 Access Points for general purpose buckets](access-points-tagging.md)

# Access points naming rules, restrictions, and limitations
<a name="access-points-restrictions-limitations-naming-rules"></a>

Access points are named network endpoints attached to a bucket or a volume on an Amazon FSx file system that simplify managing data. When you create an access point, you choose a name and the AWS Region to create it in. The following topics describe access point naming rules, restrictions, and limitations.

**Topics**
+ [Naming rules for access points](#access-points-names)
+ [Restrictions and limitations for access points](#access-points-restrictions-limitations)
+ [Restrictions and limitations for access points attached to a volume on an Amazon FSx file system](#access-points-restrictions-limitations-fsx)

## Naming rules for access points
<a name="access-points-names"></a>

When you create an access point, you choose its name and the AWS Region to create it in. Unlike general purpose bucket names, access point names do not need to be unique across AWS accounts or AWS Regions. The same AWS account may create access points with the same name in different AWS Regions, and two different AWS accounts may use the same access point name. However, within a single AWS Region, an AWS account may not have two identically named access points.

**Note**  
If you choose to publicize your access point name, avoid including sensitive information in the access point name. Access point names are published in a publicly accessible database known as the Domain Name System (DNS).

Access point names must be DNS-compliant and must meet the following conditions:
+ Must be unique within a single AWS account and AWS Region
+ Must begin with a number or lowercase letter
+ Must be between 3 and 50 characters long
+ Can't begin or end with a hyphen (`-`)
+ Can't contain underscores (`_`), uppercase letters, spaces, or periods (`.`)
+ Can't end with the suffix `-s3alias` or `-ext-s3alias`. These suffixes are reserved for access point alias names. For more information, see [Access point aliases](access-points-naming.md#access-points-alias).

## Restrictions and limitations for access points
<a name="access-points-restrictions-limitations"></a>

Amazon S3 access points have the following restrictions and limitations:
+ Each access point is associated with exactly one data source (a bucket or a volume on an Amazon FSx file system). You must specify this when you create the access point. After you create an access point, you can't associate it with a different data source. However, you can delete an access point, and then create another one with the same name.
+ After you create an access point, you can't change its virtual private cloud (VPC) configuration.
+ Access point policies are limited to 20 KB in size.
+ You can create a maximum of 10,000 access points per AWS account per AWS Region. If you need more than 10,000 access points for a single account in a single Region, you can request a service quota increase. For more information about service quotas and requesting an increase, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) in the *AWS General Reference*.
+ You can't use an access point as a destination for S3 Replication. For more information about replication, see [Replicating objects within and across Regions](replication.md).
+ You can't use S3 access point aliases as the source or destination for **Move** operations in the Amazon S3 console.
+ You can address access points only by using virtual-host-style URLs. For more information about virtual-host-style addressing, see [Accessing an Amazon S3 general purpose bucket](access-bucket-intro.md).
+ API operations that control access point functionality (for example, `PutAccessPoint` and `GetAccessPointPolicy`) don't support cross-account calls.
+ You must use AWS Signature Version 4 when making requests to an access point by using the REST APIs. For more information about authenticating requests, see [Authenticating Requests (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) in the *Amazon Simple Storage Service API Reference*.
+ Access points only support requests over HTTPS. Amazon S3 will automatically respond with an HTTP redirect for any requests made via HTTP, to upgrade the request to HTTPS.
+ Access points don't support anonymous access.
+ After you create an access point, you can't change its block public access settings.
+ Cross-account access points don’t grant you access to data until you are granted permissions from the bucket owner. The bucket owner always retains ultimate control over access to the data and must update the bucket policy to authorize requests from the cross-account access point. To view a bucket policy example, see [Configuring IAM policies for using access points](access-points-policies.md).
+ In AWS Regions where you have more than 1,000 access points, you can't search for an access point by name in the Amazon S3 console.
+ When you're viewing a cross-account access point in the Amazon S3 console, the **Access** column displays **Unknown**. The Amazon S3 console can't determine if public access is granted for the associated bucket and objects. Unless you require a public configuration for a specific use case, we recommend that you and the bucket owner block all public access to the access point and the bucket. For more information, see [Blocking public access to your Amazon S3 storage](access-control-block-public-access.md).

## Restrictions and limitations for access points attached to a volume on an Amazon FSx file system
<a name="access-points-restrictions-limitations-fsx"></a>

The following are specific limitations when using access points attached to a volume on an Amazon FSx file system:
+ When creating an access point, you can attach it only to a volume on an Amazon FSx file system that you own. You cannot attach it to a volume owned by another AWS account.
+ You cannot use the `CreateAccessPoint` API to create an access point attached to a volume on an Amazon FSx file system. You must use the [CreateAndAttachS3AccessPoint](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateAndAttachS3AccessPoint.html) API.
+ You cannot turn off any block public access settings when creating or using an access point attached to a volume on an Amazon FSx file system.
+ You can't list objects or use **Copy** or **Move** operations in the S3 console with access points attached to a volume on an Amazon FSx file system.
+ `CopyObject` is supported for access points attached to an FSx for NetApp ONTAP or FSx for OpenZFS volume only if the source and destination are the same access point. For more information about access point compatibility, see [Access point compatibility](access-points-service-api-support.md).
+ Multipart uploads are limited to 5 GB.
+ FSx for OpenZFS deployment type and storage class support varies by AWS Region. For more information, see [Availability by AWS Region](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/available-aws-regions.html) in the *FSx for OpenZFS User Guide*.

# Referencing access points with ARNs, access point aliases, or virtual-hosted–style URIs
<a name="access-points-naming"></a>

After you create an access point, you can use it to perform a number of object operations. When referring to an access point, you can use its Amazon Resource Name (ARN), its access point alias, or a virtual-hosted–style URI.

**Topics**
+ [Access point ARNs](#access-points-arns)
+ [Access point aliases](#access-points-alias)
+ [Virtual-hosted–style URI](#accessing-a-bucket-through-s3-access-point)

## Access point ARNs
<a name="access-points-arns"></a>

Access points have Amazon Resource Names (ARNs). Access point ARNs are similar to bucket ARNs, but they are explicitly typed and encode the access point's AWS Region and the AWS account ID of the access point's owner. For more information about ARNs, see [Identify AWS resources with Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) in the *IAM User Guide*.

Access point ARNs use the following format:

```
arn:aws:s3:region:account-id:accesspoint/resource
```
+ `arn:aws:s3:us-west-2:123456789012:accesspoint/test` represents the access point named `test`, owned by account *`123456789012`* in the Region *`us-west-2`*.
+ `arn:aws:s3:us-west-2:123456789012:accesspoint/*` represents all access points under account *`123456789012`* in the Region *`us-west-2`*.

ARNs for objects accessed through an access point use the following format:

```
arn:aws:s3:region:account-id:accesspoint/access-point-name/object/resource
```
+ `arn:aws:s3:us-west-2:123456789012:accesspoint/test/object/unit-01` represents the object *`unit-01`*, accessed through the access point named *`test`*, owned by account *`123456789012`* in the Region *`us-west-2`*.
+ `arn:aws:s3:us-west-2:123456789012:accesspoint/test/object/*` represents all objects for the access point named *`test`*, in account *`123456789012`* in the Region *`us-west-2`*.
+ `arn:aws:s3:us-west-2:123456789012:accesspoint/test/object/unit-01/finance/*` represents all objects under prefix *`unit-01/finance/`* for the access point named *`test`*, in account *`123456789012`* in the Region *`us-west-2`*.

## Access point aliases
<a name="access-points-alias"></a>

When you create an access point, Amazon S3 automatically generates an alias that you can use instead of an Amazon S3 bucket name for data access. You can use this access point alias instead of an Amazon Resource Name (ARN) for access point data plane operations. For a list of these operations, see [Access point compatibility](access-points-service-api-support.md).

An access point alias name is created within the same namespace as an Amazon S3 bucket. This alias name is automatically generated and cannot be changed. An access point alias name meets all the requirements of a valid Amazon S3 bucket name and consists of the following parts:

`ACCESS POINT NAME-METADATA-s3alias` (for access points attached to an Amazon S3 bucket)

`ACCESS POINT NAME-METADATA-ext-s3alias` (for access points attached to a non-S3 data source, such as a volume on an Amazon FSx file system)

**Note**  
The `-s3alias` and `-ext-s3alias` suffixes are reserved for access point alias names and can't be used for bucket or access point names. For more information about Amazon S3 bucket-naming rules, see [General purpose bucket naming rules](bucketnamingrules.md).

### Access points aliases use cases and limitations
<a name="access-points-alias-use-case"></a>

When adopting access points, you can use access point alias names without requiring extensive code changes.

When you create an access point, Amazon S3 automatically generates an access point alias name, as shown in the following example. To run this command, replace the `user input placeholders` with your own information.

```
aws s3control create-access-point --bucket amzn-s3-demo-bucket1 --name my-access-point --account-id 111122223333
{
    "AccessPointArn": "arn:aws:s3:region:111122223333:accesspoint/my-access-point",
    "Alias": "my-access-point-aqfqprnstn7aefdfbarligizwgyfouse1a-s3alias"
}
```

You can use this access point alias name instead of an Amazon S3 bucket name in any data plane operation. For a list of these operations, see [Access point compatibility](access-points-service-api-support.md).

The following AWS CLI example for the `get-object` command uses the access point alias in place of a bucket name to retrieve the specified object. To run this command, replace the `user input placeholders` with your own information.

```
aws s3api get-object --bucket my-access-point-aqfqprnstn7aefdfbarligizwgyfouse1a-s3alias --key dir/my_data.rtf my_data.rtf

{
    "AcceptRanges": "bytes",
    "LastModified": "2020-01-08T22:16:28+00:00",
    "ContentLength": 910,
    "ETag": "\"00751974dc146b76404bb7290f8f51bb\"",
    "VersionId": "null",
    "ContentType": "text/rtf",
    "Metadata": {}
}
```

#### Access point alias limitations
<a name="use-ap-alias-limitations"></a>
+ Aliases are generated by Amazon S3 and cannot be chosen or configured by customers.
+ Aliases cannot be deleted, modified, or disabled on an access point.
+ You can use this access point alias name instead of an Amazon S3 bucket name in some data plane operations. For a list of these operations, see [Access points compatibility with S3 operations](access-points-service-api-support.md#access-points-operations-support).
+ You can't use an access point alias name for Amazon S3 control plane operations. For a list of Amazon S3 control plane operations, see [Amazon S3 Control](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_AWS_S3_Control.html) in the *Amazon Simple Storage Service API Reference*.
+ You can't use S3 access point aliases as the source or destination for **Move** operations in the Amazon S3 console.
+ Aliases cannot be used in AWS Identity and Access Management (IAM) policies.
+ Aliases cannot be used as a logging destination for S3 server access logs.
+ Aliases cannot be used as a logging destination for AWS CloudTrail logs.
+ Amazon SageMaker AI GroundTruth does not support access point aliases.

## Virtual-hosted–style URI
<a name="accessing-a-bucket-through-s3-access-point"></a>

Access points support only virtual-hosted–style addressing. In a virtual-hosted–style URI, the access point name, AWS account ID, and AWS Region are part of the domain name in the URL. For more information about virtual hosting, see [Virtual hosting of general purpose buckets](VirtualHosting.md).

Virtual-hosted–style URI for access points use the following format:

```
https://access-point-name-account-id.s3-accesspoint.region.amazonaws.com
```

**Note**  
If your access point name includes dash (-) characters, include the dashes in the URL and insert another dash between the access point name and the account ID. For example, to use an access point named *`finance-docs`* owned by account *`123456789012`* in the Region *`us-west-2`*, the appropriate URL would be `https://finance-docs-123456789012.s3-accesspoint.us-west-2.amazonaws.com`.
S3 access points don't support access through HTTP. Access points support only secure access through HTTPS.
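
The identifier formats above, together with the rules from [Naming rules for access points](#access-points-names), as an added Python example (not AWS or SDK code): an offline pre-flight check of a candidate access point name, a builder for the access point ARN, the object ARN used in policy `Resource` elements, and the virtual-hosted–style endpoint, plus a parser for the ARN forms. Uniqueness within an account and Region and the alias itself are only knowable from the service, so they are not modelled; `alias_kind` merely recognizes the two reserved suffixes. All function and class names are the example's own.

```python
"""Offline helpers for S3 access point identifiers (added example, not AWS code)."""
import re
import string
from dataclasses import dataclass
from urllib.parse import quote

_ALLOWED_CHARS = set(string.ascii_lowercase + string.digits + "-")
_RESERVED_SUFFIXES = ("-s3alias", "-ext-s3alias")
# arn:aws:s3:<region>:<account-id>:accesspoint/<name>[/object/<key-or-prefix>]
_ARN_RE = re.compile(
    r"^arn:aws:s3:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):accesspoint/"
    r"(?P<name>[a-z0-9-]+)(?:/object/(?P<key>.+))?$"
)


def access_point_name_errors(name: str) -> list[str]:
    """Return every naming rule the candidate breaks (an empty list means acceptable).

    Uniqueness within the account and Region is not checked here; that needs a
    call to the service (for example `aws s3control list-access-points`).
    """
    errors = []
    if not 3 <= len(name) <= 50:
        errors.append("must be between 3 and 50 characters long")
    if name[:1] not in _ALLOWED_CHARS - {"-"}:
        errors.append("must begin with a lowercase letter or a digit")
    if name.endswith("-"):
        errors.append("cannot end with a hyphen")
    bad = sorted(set(name) - _ALLOWED_CHARS)
    if bad:
        errors.append(f"contains disallowed characters {bad} "
                      "(no underscores, uppercase letters, spaces or periods)")
    if name.endswith(_RESERVED_SUFFIXES):
        errors.append("cannot end with -s3alias or -ext-s3alias; "
                      "those suffixes are reserved for access point aliases")
    return errors


def alias_kind(bucket_argument: str):
    """Classify a value passed where a bucket name is expected: 's3' for the alias
    of an access point on a bucket, 'ext' for one on a non-S3 data source, else None."""
    if bucket_argument.endswith("-ext-s3alias"):
        return "ext"
    if bucket_argument.endswith("-s3alias"):
        return "s3"
    return None


@dataclass(frozen=True)
class AccessPointRef:
    region: str
    account: str
    name: str

    @property
    def arn(self) -> str:
        return f"arn:aws:s3:{self.region}:{self.account}:accesspoint/{self.name}"

    def object_arn(self, key_or_prefix: str) -> str:
        """Resource ARN for objects reached through this access point; takes a full
        key, or a prefix ending in '*' for a policy Resource element."""
        return f"{self.arn}/object/{key_or_prefix}"

    @property
    def endpoint(self) -> str:
        # Name and owning account ID are joined with a hyphen in the host name,
        # so hyphens inside the name are kept as they are.
        return f"https://{self.name}-{self.account}.s3-accesspoint.{self.region}.amazonaws.com"

    def object_url(self, key: str) -> str:
        """Virtual-hosted-style URL for one object: the key goes in the path, percent-encoded."""
        return f"{self.endpoint}/{quote(key, safe='/')}"


def parse_arn(arn: str):
    """Split an access point ARN or access point object ARN.

    Returns (AccessPointRef, key); key is None for a bare access point ARN.
    Raises ValueError for anything else, including the wildcard 'accesspoint/*' form.
    """
    m = _ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not an access point ARN: {arn!r}")
    return AccessPointRef(m["region"], m["account"], m["name"]), m["key"]
```

`parse_arn` is the piece worth keeping around: the `Resource` ARNs in access point policies and the `s3:DataAccessPointArn` values in CloudTrail records use the same `accesspoint/<name>/object/<key>` layout, so one parser serves policy linting and log triage.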

# Access point compatibility
<a name="access-points-service-api-support"></a>

You can use access points to access objects using the following subset of Amazon S3 APIs. All the operations listed below can accept either access point ARNs or access point aliases.

For examples of using access points to perform operations on objects, see [Using Amazon S3 access points for general purpose buckets](using-access-points.md).

## Access points compatibility with S3 operations
<a name="access-points-operations-support"></a>

The following table is a partial list of Amazon S3 operations and whether they are compatible with access points. All operations below are supported by access points that use an S3 bucket as their data source; only some are supported by access points that use an FSx for ONTAP or FSx for OpenZFS volume as their data source.

For more information, see the access point compatibility pages in the [FSx for ONTAP User Guide](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/access-points-for-fsxn-object-api-support.html) and the [FSx for OpenZFS User Guide](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/access-points-object-api-support.html).


| S3 operation | Access point attached to an S3 bucket | Access point attached to an FSx for OpenZFS volume | 
| --- | --- | --- | 
|  `[AbortMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html)`  |  Supported  |  Supported  | 
|  `[CompleteMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html)`  |  Supported  |  Supported  | 
|  `[CopyObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html)` (same-Region copies only)  |  Supported  |  Supported, if source and destination are the same access point  | 
|  `[CreateMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html)`  |  Supported  |  Supported  | 
|  `[DeleteObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html)`  |  Supported  |  Supported  | 
|  `[DeleteObjects](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjects.html)`  |  Supported  |  Supported  | 
|  `[DeleteObjectTagging](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjectTagging.html)`  |  Supported  |  Supported  | 
|  `[GetBucketAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html)`  |  Supported  |  Not supported  | 
|  `[GetBucketCors](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketCors.html)`  |  Supported  |  Not supported  | 
|  `[GetBucketLocation](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLocation.html)`  |  Supported  |  Supported  | 
|  `[GetBucketNotificationConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketNotificationConfiguration.html)`  |  Supported  |  Not supported  | 
|  `[GetBucketPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html)`  |  Supported  |  Not supported  | 
|  `[GetObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html)`  |  Supported  |  Supported  | 
|  `[GetObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html)`  |  Supported  |  Not supported  | 
|  `[GetObjectAttributes](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html)`  |  Supported  |  Supported  | 
|  `[GetObjectLegalHold](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html)`  |  Supported  |  Not supported  | 
|  `[GetObjectRetention](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html)`  |  Supported  |  Not supported  | 
|  `[GetObjectTagging](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html)`  |  Supported  |  Supported  | 
|  `[HeadBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html)`  |  Supported  |  Supported  | 
|  `[HeadObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html)`  |  Supported  |  Supported  | 
|  `[ListMultipartUploads](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html)`  |  Supported  |  Supported  | 
|  `[ListObjects](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjects.html)`  |  Supported  |  Supported  | 
|  `[ListObjectsV2](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html)`  |  Supported  |  Supported  | 
|  `[ListObjectVersions](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectVersions.html)`  |  Supported  |  Not supported  | 
|  `[ListParts](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html)`  |  Supported  |  Supported  | 
|  `[Presign](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html)`  |  Supported  |  Supported  | 
|  `[PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html)`  |  Supported  |  Supported  | 
|  `[PutObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl.html)`  |  Supported  |  Not supported  | 
|  `[PutObjectLegalHold](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectLegalHold.html)`  |  Supported  |  Not supported  | 
|  `[PutObjectRetention](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectRetention.html)`  |  Supported  |  Not supported  | 
|  `[PutObjectTagging](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectTagging.html)`  |  Supported  |  Supported  | 
|  `[RestoreObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html)`  |  Supported  |  Not supported  | 
|  `[UploadPart](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html)`  |  Supported  |  Supported  | 
|  `[UploadPartCopy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html)` (same-Region copies only)  |  Supported  |  Supported, if source and destination are the same access point  | 

# Configuring IAM policies for using access points
<a name="access-points-policies"></a>

Amazon S3 access points support AWS Identity and Access Management (IAM) resource policies that allow you to control the use of the access point by resource, user, or other conditions. For an application or user to be able to access objects through an access point, both the access point and the underlying bucket or Amazon FSx file system must permit the request.

**Important**  
Restrictions that you include in an access point policy apply only to requests made through that access point. Attaching an access point to a bucket does not change the underlying resource's behavior. All existing operations against the bucket that are not made through your access point continue to work as before.

When you're using IAM resource policies, make sure to resolve security warnings, errors, general warnings, and suggestions from AWS Identity and Access Management Access Analyzer before you save your policy. IAM Access Analyzer runs policy checks to validate your policy against IAM [policy grammar](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) and [best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). These checks generate findings and provide recommendations to help you author policies that are functional and conform to security best practices. 

To learn more about validating policies by using IAM Access Analyzer, see [IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*. To view a list of the warnings, errors, and suggestions that are returned by IAM Access Analyzer, see [IAM Access Analyzer policy check reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html).

## Policy examples for access points
<a name="access-points-policy-examples"></a>

The following examples demonstrate how to create IAM policies to control requests made through an access point.

**Note**  
Permissions granted in an access point policy are effective only if the underlying bucket also allows the same access. You can accomplish this in two ways:  
**(Recommended)** Delegate access control from the bucket to the access point, as described in [Delegating access control to access points](#access-points-delegating-control).
Add the same permissions contained in the access point policy to the underlying bucket's policy. Example 1 shows how to modify the underlying bucket policy to allow the necessary access.

**Example 1 – Access point policy grant**  
The following access point policy grants IAM user `Jane` in account `123456789012` permissions to `GET` and `PUT` objects with the prefix `Jane/` through the access point *`my-access-point`* in account *`123456789012`*.    

```
{
    "Version":"2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/Jane"
        },
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point/object/Jane/*"
    }]
}
```

**Note**  
For the access point policy to effectively grant access to *`Jane`*, the underlying bucket must also allow the same access to *`Jane`*. You can delegate access control from the bucket to the access point as described in [Delegating access control to access points](#access-points-delegating-control). Or, you can add the following policy to the underlying bucket to grant the necessary permissions to Jane. Note that the `Resource` entry differs between the access point and bucket policies.   


```
{
    "Version":"2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/Jane"
        },
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::amzn-s3-demo-bucket1/Jane/*"
    }]
}
```

**Example 2 – Access point policy with tag condition**  
The following access point policy grants IAM user *`Mateo`* in account *`123456789012`* permissions to `GET` objects through the access point *`my-access-point`* in the account *`123456789012`* that have the tag key *`data`* set with a value of *`finance`*.    

```
{
    "Version":"2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/Mateo"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point/object/*",
        "Condition": {
            "StringEquals": {
                "s3:ExistingObjectTag/data": "finance"
            }
        }
    }]
}
```

**Example 3 – Access point policy that allows bucket listing**  
The following access point policy grants IAM user `Arnav` in the account *`123456789012`* permission to list the objects contained in the bucket underlying the access point *`my-access-point`* in the account *`123456789012`*. Note that the `Resource` is the access point ARN itself, not an object ARN, because `s3:ListBucket` is a bucket-level action.    

```
{
    "Version":"2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/Arnav"
        },
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point"
    }]
}
```

**Example 4 – Service control policy**  
The following service control policy requires all new access points to be created with a virtual private cloud (VPC) network origin. With this policy in place, users in your organization can't create new access points that are accessible from the internet.    

```
{
    "Version":"2012-10-17",
    "Statement": [
    {
        "Effect": "Deny",
        "Action": "s3:CreateAccessPoint",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {
                "s3:AccessPointNetworkOrigin": "VPC"
            }
        }
    }]
}
```

**Example 5 – Bucket policy to limit S3 operations to VPC network origins**  
The following bucket policy limits access to all S3 object operations for the bucket `amzn-s3-demo-bucket` to access points with a VPC network origin.  
Before using a statement like the one shown in this example, make sure that you don't need to use features that aren't supported by access points, such as Cross-Region Replication.  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:BypassGovernanceRetention",
                "s3:DeleteObject",
                "s3:DeleteObjectTagging",
                "s3:DeleteObjectVersion",
                "s3:DeleteObjectVersionTagging",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectLegalHold",
                "s3:GetObjectRetention",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging",
                "s3:RestoreObject"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:AccessPointNetworkOrigin": "VPC"
                }
            }
        }
    ]
}
```

## Condition keys
<a name="access-points-condition-keys"></a>

S3 access points have condition keys that you can use in IAM policies to control access to your resources. The following examples show only the `Condition` element of a policy, not a complete policy. For full policy examples, see [Policy examples for access points](#access-points-policy-examples), [Delegating access control to access points](#access-points-delegating-control), and [Granting permissions for cross-account access points](#access-points-cross-account).

**`s3:DataAccessPointArn`**  
This example shows a string condition that you can use to match on an access point ARN. The following example matches all access points for AWS account *`123456789012`* in Region *`us-west-2`*:  

```
"Condition" : {
    "StringLike": {
        "s3:DataAccessPointArn": "arn:aws:s3:us-west-2:123456789012:accesspoint/*"
    }
}
```

**`s3:DataAccessPointAccount`**  
This example shows a string operator that you can use to match on the account ID of the owner of an access point. The following example matches all access points that are owned by the AWS account *`123456789012`*.  

```
"Condition" : {
    "StringEquals": {
        "s3:DataAccessPointAccount": "123456789012"
    }
}
```

**`s3:AccessPointNetworkOrigin`**  
This example shows a string operator that you can use to match on the network origin, either `Internet` or `VPC`. The following example matches only access points with a VPC origin.  

```
"Condition" : {
    "StringEquals": {
        "s3:AccessPointNetworkOrigin": "VPC"
    }
}
```

For more information about using condition keys with Amazon S3, see [ Actions, resources, and condition keys for Amazon S3](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html) in the *Service Authorization Reference*.

For more information about the permissions to S3 API operations by S3 resource types, see [Required permissions for Amazon S3 API operations](using-with-s3-policy-actions.md).

## Delegating access control to access points
<a name="access-points-delegating-control"></a>

You can delegate access control for a bucket to the bucket's access points. The following example bucket policy allows full access to all access points that are owned by the bucket owner's account. Thus, all access to this bucket is controlled by the policies attached to its access points. We recommend configuring your buckets this way for all use cases that don't require direct access to the bucket.

**Example 6 – Bucket policy that delegates access control to access points**

```
{
    "Version":"2012-10-17",
    "Statement" : [
    {
        "Effect": "Allow",
        "Principal" : { "AWS": "*" },
        "Action" : "*",
        "Resource" : [ "arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*"],
        "Condition": {
            "StringEquals" : { "s3:DataAccessPointAccount" : "111122223333" }
        }
    }]
}
```
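To check how the condition keys above combine before a policy goes live, here is an added example (not from the AWS documentation) that applies the VPC-only deny pattern and the delegating policy from Example 6 to constructed request contexts. The simplified evaluator, the policies and the request contexts are assumptions of the example; it is not an IAM policy simulator.

```python
"""Evaluate policy statements that use the S3 access point condition keys.

Added example, not code from the AWS documentation. It models only the IAM
semantics the examples on this page need: String* operators, the keys
s3:DataAccessPointArn / s3:DataAccessPointAccount / s3:AccessPointNetworkOrigin,
Action and Resource wildcards, and explicit Deny beating Allow. Principal
matching is skipped because every statement on this page uses Principal "*".
"""
import fnmatch


def _string_like(pattern: str, value: str) -> bool:
    # IAM StringLike understands only '*' and '?'; escape '[' so fnmatch
    # does not read it as a character class.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


OPERATORS = {
    "StringEquals": lambda pat, val: pat == val,
    "StringNotEquals": lambda pat, val: pat != val,
    "StringLike": _string_like,
    "StringNotLike": lambda pat, val: not _string_like(pat, val),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition: dict, context: dict) -> bool:
    """True when every operator/key pair in the Condition block is satisfied.

    A key absent from the request context (e.g. s3:AccessPointNetworkOrigin on
    a request sent directly to the bucket) fails positive operators and
    satisfies negated ones, as in IAM.
    """
    for operator, pairs in condition.items():
        match, negated = OPERATORS[operator], operator.startswith("StringNot")
        for key, patterns in pairs.items():
            value = context.get(key)
            if value is None:
                if negated:
                    continue
                return False
            if not any(match(p, value) for p in _as_list(patterns)):  # OR-ed
                return False
    return True


def _any_like(patterns, value: str) -> bool:
    return any(_string_like(p, value) for p in _as_list(patterns))


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_any_like(stmt["Action"], action)
                and _any_like(stmt["Resource"], resource)
                and condition_matches(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny ends evaluation
        decision = "Allow"
    return decision


# Constructed bucket policies modelled on this page's examples.
BUCKET = "arn:aws:s3:::amzn-s3-demo-bucket"
OBJECT = BUCKET + "/my-image.jpg"

# Allow everything, then deny object access that did not arrive through a
# VPC access point (the StringNotEquals pattern shown above).
VPC_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Deny", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:AccessPointNetworkOrigin": "VPC"}}},
]}

# Example 6: delegate all access to access points owned by 111122223333.
DELEGATING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"StringEquals": {"s3:DataAccessPointAccount": "111122223333"}}},
]}

# Request contexts as S3 would populate them (constructed for this example).
VIA_VPC_AP = {"s3:AccessPointNetworkOrigin": "VPC",
              "s3:DataAccessPointAccount": "111122223333"}
VIA_INTERNET_AP = {"s3:AccessPointNetworkOrigin": "Internet",
                   "s3:DataAccessPointAccount": "111122223333"}
DIRECT = {}  # request to the bucket itself: no access point keys at all


def decisions() -> dict:
    """Decisions for the constructed GetObject requests against both policies."""
    return {
        "vpc_only/via_vpc_ap": evaluate(VPC_ONLY_POLICY, "s3:GetObject", OBJECT, VIA_VPC_AP),
        "vpc_only/via_internet_ap": evaluate(VPC_ONLY_POLICY, "s3:GetObject", OBJECT, VIA_INTERNET_AP),
        "vpc_only/direct": evaluate(VPC_ONLY_POLICY, "s3:GetObject", OBJECT, DIRECT),
        "delegating/via_own_ap": evaluate(DELEGATING_POLICY, "s3:GetObject", OBJECT, VIA_VPC_AP),
        "delegating/direct": evaluate(DELEGATING_POLICY, "s3:GetObject", OBJECT, DIRECT),
    }
```

Note that the direct request is denied by the VPC-only policy and merely not allowed by the delegating policy: a negated condition matches when its key is absent, a positive one does not.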

## Granting permissions for cross-account access points
<a name="access-points-cross-account"></a>

To create an access point to a bucket that's owned by another account, you must first create the access point by specifying the bucket name and account owner ID. Then, the bucket owner must update the bucket policy to authorize requests from the access point. Creating an access point is similar to creating a DNS CNAME in that the access point doesn't provide access to the bucket contents. All bucket access is controlled by the bucket policy. The following example bucket policy allows `GET` and `LIST` requests on the bucket from an access point that's owned by a trusted AWS account.

Replace the bucket ARNs in the example with the ARN of your bucket, and replace *Access point owner's account ID* with the ID of the AWS account that owns the access point.

**Example 7 – Bucket policy delegating permissions to another AWS account**

```
{
    "Version":"2012-10-17",
    "Statement" : [
    {
        "Effect": "Allow",
        "Principal" : { "AWS": "*" },
        "Action" : ["s3:GetObject","s3:ListBucket"],
        "Resource" : ["arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*"],
        "Condition": {
            "StringEquals" : { "s3:DataAccessPointAccount" : "Access point owner's account ID" }
        }
    }]
}
```

Cross-account access points are only available for access points attached to S3 buckets. You cannot attach an access point to a volume on an Amazon FSx file system owned by another AWS account.

# Monitoring and logging access points
<a name="access-points-monitoring-logging"></a>

Amazon S3 logs requests made through access points and requests made to the API operations that manage access points, such as `CreateAccessPoint` and `GetAccessPointPolicy`. To monitor and manage usage patterns, you can also configure Amazon CloudWatch Logs request metrics for access points. 

**Topics**
+ [CloudWatch request metrics](#request-metrics-access-points)
+ [AWS CloudTrail logs for requests made through access points](#logging-access-points)

## CloudWatch request metrics
<a name="request-metrics-access-points"></a>

To understand and improve the performance of applications that are using access points, you can use CloudWatch for Amazon S3 request metrics. Request metrics help you monitor Amazon S3 requests to quickly identify and act on operational issues. 

By default, request metrics are available at the bucket level. However, you can define a filter for request metrics using a shared prefix, object tags, or an access point. When you create an access point filter, the request metrics configuration includes requests to the access point that you specify. You can receive metrics, set alarms, and access dashboards to view real-time operations performed through this access point. 

You must opt in to request metrics by configuring them in the console or by using the Amazon S3 API. Request metrics are available at 1-minute intervals after some latency for processing. Request metrics are billed at the same rate as CloudWatch custom metrics. For more information, see [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/).

To create a request metrics configuration that filters by access point, see [Creating a metrics configuration that filters by prefix, object tag, or access point](metrics-configurations-filter.md). 

## AWS CloudTrail logs for requests made through access points
<a name="logging-access-points"></a>

You can log requests made through access points and requests made to the APIs that manage access points, such as `CreateAccessPoint` and `GetAccessPointPolicy`, by using server access logging and AWS CloudTrail.

CloudTrail log entries for requests made through access points include the access point ARN in the `resources` section of the log.

For example, suppose you have the following configuration: 
+ A bucket named *`amzn-s3-demo-bucket1`* in Region *`us-west-2`* that contains an object named *`my-image.jpg`*
+ An access point named *`my-bucket-ap`* that is associated with *`amzn-s3-demo-bucket1`*
+ An AWS account ID of *`123456789012`*

The following example shows the `resources` section of a CloudTrail log entry for the preceding configuration:

```
"resources": [
        {"type": "AWS::S3::Object",
            "ARN": "arn:aws:s3:::amzn-s3-demo-bucket1/my-image.jpg"
        },
        {"accountId": "123456789012",
            "type": "AWS::S3::Bucket",
            "ARN": "arn:aws:s3:::amzn-s3-demo-bucket1"
        },
        {"accountId": "123456789012",
            "type": "AWS::S3::AccessPoint",
            "ARN": "arn:aws:s3:us-west-2:123456789012:accesspoint/my-bucket-ap"
        }
    ]
```

If you are using an access point attached to a volume on an Amazon FSx file system, the `resources` section of a CloudTrail log entry looks different: it identifies the FSx volume instead. For example:

```
"resources": [
        {
            "accountId": "123456789012",
            "type": "AWS::FSx::Volume",
            "ARN": "arn:aws:fsx:us-east-1:123456789012:volume/fs-0123456789abcdef9/fsvol-01234567891112223"
        }
    ]
```
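As an added example (not from the AWS documentation), the following script turns the two `resources` shapes above into a detection: it extracts the access point ARN, or the FSx volume ARN where that is all the record carries, from CloudTrail records and flags requests through access points outside an allowlist or owned by a different account than the bucket. The records, ARNs and allowlist are constructed for the example.

```python
"""Flag S3 data events that reached a data source through an unexpected access point.

Added example, not code from the AWS documentation. It reads CloudTrail
records, pulls the access point ARN (or, for FSx-attached access points, the
volume ARN) out of the `resources` array in the shape shown on this page, and
reports requests that used an access point outside an allowlist or an access
point owned by a different account than the bucket. Records and allowlist
are constructed for the example.
"""
import json

ACCESS_POINT = "AWS::S3::AccessPoint"
BUCKET = "AWS::S3::Bucket"
FSX_VOLUME = "AWS::FSx::Volume"


def load_records(text: str) -> list:
    """Parse a CloudTrail log file body ({"Records": [...]})."""
    return json.loads(text)["Records"]


def resource_of(record: dict, kind: str):
    """Return the first resources[] entry of the given type, or None."""
    for res in record.get("resources", []):
        if res.get("type") == kind:
            return res
    return None


def access_point_arn(record: dict):
    res = resource_of(record, ACCESS_POINT)
    return res["ARN"] if res else None


def account_in_arn(arn: str):
    # arn:aws:s3:<region>:<account>:accesspoint/<name>
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def find_suspicious(records: list, allowlist: set) -> list:
    """Return findings for requests that came through an unexpected access point.

    allowlist holds the access point ARNs and FSx volume ARNs that are expected
    to carry S3 traffic. Requests sent directly to a bucket are out of scope.
    """
    findings = []
    for rec in records:
        ap_arn = access_point_arn(rec)
        bucket = resource_of(rec, BUCKET)
        volume = resource_of(rec, FSX_VOLUME)
        if ap_arn is None and volume is None:
            continue  # direct bucket request, not through an access point
        # FSx records identify only the volume; treat it as the access path.
        path = ap_arn or volume["ARN"]
        reasons = []
        if path not in allowlist:
            reasons.append("not in allowlist")
        if ap_arn and bucket and account_in_arn(ap_arn) != bucket.get("accountId"):
            reasons.append("cross-account access point")
        if reasons:
            findings.append({"eventID": rec["eventID"], "eventName": rec["eventName"],
                             "path": path, "reasons": reasons})
    return findings


# Constructed records: only the fields the detector reads are present.
_BUCKET_RES = {"accountId": "123456789012", "type": BUCKET,
               "ARN": "arn:aws:s3:::amzn-s3-demo-bucket1"}
_OBJECT_RES = {"type": "AWS::S3::Object",
               "ARN": "arn:aws:s3:::amzn-s3-demo-bucket1/my-image.jpg"}
OWN_AP = "arn:aws:s3:us-west-2:123456789012:accesspoint/my-bucket-ap"
PARTNER_AP = "arn:aws:s3:us-west-2:444455556666:accesspoint/partner-ap"
FSX_VOL = ("arn:aws:fsx:us-east-1:123456789012:volume/"
           "fs-0123456789abcdef9/fsvol-01234567891112223")

SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "GetObject", "resources": [
        _OBJECT_RES, _BUCKET_RES,
        {"accountId": "123456789012", "type": ACCESS_POINT, "ARN": OWN_AP}]},
    {"eventID": "e2", "eventName": "PutObject", "resources": [
        _OBJECT_RES, _BUCKET_RES,
        {"accountId": "444455556666", "type": ACCESS_POINT, "ARN": PARTNER_AP}]},
    {"eventID": "e3", "eventName": "GetObject", "resources": [
        {"accountId": "123456789012", "type": FSX_VOLUME, "ARN": FSX_VOL}]},
    {"eventID": "e4", "eventName": "GetObject", "resources": [_OBJECT_RES, _BUCKET_RES]},
]})
ALLOWLIST = {OWN_AP}


def run_sample() -> list:
    return find_suspicious(load_records(SAMPLE_LOG), ALLOWLIST)
```

A cross-account access point is a supported configuration, so that reason marks the event for review against the bucket policy rather than as an intrusion by itself.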

For more information about S3 Server Access Logs, see [Logging requests with server access logging](ServerLogs.md). For more information about AWS CloudTrail, see [What is AWS CloudTrail?](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) in the *AWS CloudTrail User Guide*.

# Creating an access point
<a name="creating-access-points"></a>

You can create S3 access points by using the AWS Management Console, AWS Command Line Interface (AWS CLI), AWS SDKs, or Amazon S3 REST API. Access points are named network endpoints that are attached to a data source such as a bucket, Amazon FSx for ONTAP volume, or Amazon FSx for OpenZFS volume.

By default, you can create up to 10,000 access points per Region for each of your AWS accounts. If you need more than 10,000 access points for a single account in a single Region, you can request a service quota increase. For more information about service quotas and requesting an increase, see [AWS Service Quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) in the *AWS General Reference*.

**Topics**
+ [Creating access points with S3 buckets](#create-access-points)
+ [Creating access points with Amazon FSx](#create-access-points-with-fsx)
+ [Creating access points restricted to a virtual private cloud](access-points-vpc.md)
+ [Managing public access to access points for general purpose buckets](access-points-bpa-settings.md)

## Creating access points with S3 buckets
<a name="create-access-points"></a>

An access point is associated with exactly one Amazon S3 general purpose bucket. If you want to use a bucket in your AWS account, you must first create a bucket. For more information about creating buckets, see [Creating, configuring, and working with Amazon S3 general purpose buckets](creating-buckets-s3.md).

You can also create a cross-account access point that's associated with a bucket in another AWS account, as long as you know the bucket name and the bucket owner's account ID. However, creating cross-account access points doesn't grant you access to data in the bucket until you are granted permissions from the bucket owner. The bucket owner must grant the access point owner's account (your account) access to the bucket through the bucket policy. For more information, see [Granting permissions for cross-account access points](access-points-policies.md#access-points-cross-account).

### Using the S3 console
<a name="access-points-create-ap"></a>

**To create an access point**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region in which you want to create an access point. The access point must be created in the same Region as the associated bucket. 

1. In the left navigation pane, choose **Access Points**.

1. On the **Access Points** page, choose **Create access point**.

1. In the **Access point name** field, enter the name for the access point. For more information about naming access points, see [Naming rules for access points](access-points-restrictions-limitations-naming-rules.md#access-points-names).

1. For **Data source**, specify the S3 bucket that you want to use with the access point.

   To use a bucket in your account, choose **Choose a bucket in this account**, and enter or browse for the bucket name. 

   To use a bucket in a different AWS account, choose **Specify a bucket in another account**, and enter the AWS account ID and name of the bucket. If you're using a bucket in a different AWS account, the bucket owner must update the bucket policy to authorize requests from the access point. For an example bucket policy, see [Granting permissions for cross-account access points](access-points-policies.md#access-points-cross-account).
**Note**  
For information about using an FSx for OpenZFS volume as a data source, see [Creating access points with Amazon FSx](#create-access-points-with-fsx).

1. Choose a **Network origin**, either **Internet** or **virtual private cloud (VPC)**. If you choose **virtual private cloud (VPC)**, enter the **VPC ID** that you want to use with the access point.

   For more information about network origins for access points, see [Creating access points restricted to a virtual private cloud](access-points-vpc.md).

1. Under **Block Public Access settings for this Access Point**, select the block public access settings that you want to apply to the access point. All block public access settings are enabled by default for new access points. We recommend that you keep all settings enabled unless you know that you have a specific need to disable any of them. 
**Note**  
After you create an access point, you can't change its block public access settings.

   For more information about using Amazon S3 Block Public Access with access points, see [Managing public access to access points for general purpose buckets](access-points-bpa-settings.md).

1. (Optional) Under **Access Point policy - *optional***, specify the access point policy. Before you save your policy, make sure to resolve any security warnings, errors, general warnings, and suggestions. For more information about specifying an access point policy, see [Policy examples for access points](access-points-policies.md#access-points-policy-examples).

1. Choose **Create access point**.

### Using the AWS CLI
<a name="creating-access-point-cli"></a>

The following example command creates an access point named *`example-ap`* for the bucket *`amzn-s3-demo-bucket`* in the account *`111122223333`*. To create the access point, you send a request to Amazon S3 that specifies the following:
+ The access point name. For information about naming rules, see [Naming rules for access points](access-points-restrictions-limitations-naming-rules.md#access-points-names).
+ The name of the bucket that you want to associate the access point with.
+ The account ID for the AWS account that owns the access point.

```
aws s3control create-access-point --name example-ap --account-id 111122223333 --bucket amzn-s3-demo-bucket
```

When you're creating an access point by using a bucket in a different AWS account, include the `--bucket-account-id` parameter. The following example command creates an access point in the AWS account *`111122223333`*, using the bucket *`amzn-s3-demo-bucket2`*, which is in the AWS account *`444455556666`*.

```
aws s3control create-access-point --name example-ap --account-id 111122223333 --bucket amzn-s3-demo-bucket2 --bucket-account-id 444455556666
```

### Using the REST API
<a name="creating-access-point-rest-api"></a>

You can use the REST API to create an access point. For more information, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateAccessPoint.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateAccessPoint.html) in the *Amazon Simple Storage Service API Reference*.

## Creating access points with Amazon FSx
<a name="create-access-points-with-fsx"></a>

You can create and attach an access point to an FSx for OpenZFS volume using the Amazon FSx console, AWS CLI, or API. Once attached, you can use the S3 object APIs to access your file data. Your data continues to reside on the Amazon FSx file system and continues to be directly accessible for your existing workloads. You continue to manage your storage using all the FSx for OpenZFS storage management capabilities, including backups, snapshots, user and group quotas, and compression.

For instructions on creating an access point and attaching it to an FSx for OpenZFS volume, see [Creating an access point](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/create-access-points.html) in the *FSx for OpenZFS User Guide*.

# Creating access points restricted to a virtual private cloud
<a name="access-points-vpc"></a>

When you create an access point you can choose to make the access point accessible from the internet, or you can specify that all requests made through that access point must originate from a specific virtual private cloud (VPC). An access point that's accessible from the internet is said to have a network origin of `Internet`. It can be used from anywhere on the internet, subject to any other access restrictions in place for the access point, underlying data source, and related resources, such as the requested objects. An access point that's only accessible from a specified VPC has a network origin of `VPC`, and Amazon S3 rejects any request made to the access point that doesn't originate from that VPC.

**Important**  
You can only specify an access point's network origin when you create the access point. After you create the access point, you can't change its network origin.

To restrict an access point to VPC-only access, you include the `VpcConfiguration` parameter with the request to create the access point. In the `VpcConfiguration` parameter, you specify the VPC ID that you want to be able to use the access point. If a request is made through the access point, the request must originate from the VPC or Amazon S3 will reject it. 

You can retrieve an access point's network origin using the AWS CLI, AWS SDKs, or REST APIs. If an access point has a VPC configuration specified, its network origin is `VPC`. Otherwise, the access point's network origin is `Internet`.

## Example: Create and restrict an access point to a VPC ID
<a name="access-points-vpc-example1"></a>

The following example creates an access point named `example-vpc-ap` for bucket `amzn-s3-demo-bucket` in account `123456789012` that allows access only from the `vpc-1a2b3c` VPC. The example then verifies that the new access point has a network origin of `VPC`.

------
#### [ AWS CLI ]

```
aws s3control create-access-point --name example-vpc-ap --account-id 123456789012 --bucket amzn-s3-demo-bucket --vpc-configuration VpcId=vpc-1a2b3c
```

```
aws s3control get-access-point --name example-vpc-ap --account-id 123456789012

{
    "Name": "example-vpc-ap",
    "Bucket": "amzn-s3-demo-bucket",
    "NetworkOrigin": "VPC",
    "VpcConfiguration": {
        "VpcId": "vpc-1a2b3c"
    },
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    },
    "CreationDate": "2019-11-27T00:00:00Z"
}
```

------

To use an access point with a VPC, you must modify the access policy for your VPC endpoint. VPC endpoints allow traffic to flow from your VPC to Amazon S3. They have access control policies that control how resources within the VPC are allowed to interact with Amazon S3. Requests from your VPC to Amazon S3 only succeed through an access point if the VPC endpoint policy grants access to both the access point and the underlying bucket.

**Note**  
To make resources accessible only within a VPC, make sure to create a [private hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-creating.html) for your VPC endpoint. To use a private hosted zone, [modify your VPC settings](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-updating) so that the [VPC network attributes](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support) `enableDnsHostnames` and `enableDnsSupport` are set to `true`.

The following example policy statement configures a VPC endpoint to allow calls to `GetObject` for a bucket named `awsexamplebucket1` and an access point named `example-vpc-ap`.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
    {
        "Principal": "*",
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::awsexamplebucket1/*",
            "arn:aws:s3:us-west-2:123456789012:accesspoint/example-vpc-ap/object/*"
        ]
    }]
}
```

------

**Note**  
The `"Resource"` declaration in this example uses an Amazon Resource Name (ARN) to specify the access point. For more information about access point ARNs, see [Referencing access points with ARNs, access point aliases, or virtual-hosted–style URIs](access-points-naming.md). 

For more information about VPC endpoint policies, see [Using endpoint policies for Amazon S3](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html#vpc-endpoints-policies-s3) in the *VPC User Guide*.

For a tutorial on creating access points with VPC endpoints, see [Managing Amazon S3 access with VPC endpoints and access points](https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/).

## Example: Create and restrict an access point attached to an FSx for OpenZFS volume to a VPC ID
<a name="access-points-vpc-example2"></a>

You can create an access point that is attached to an FSx for OpenZFS volume by using the Amazon FSx console, AWS CLI, or API. After it is attached, you can use the S3 object APIs to access your file data from the specified VPC.

For instructions on creating and restricting an access point attached to an FSx for OpenZFS volume, see [Creating access points restricted to a virtual private cloud (VPC)](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/create-access-points.html) in the *FSx for OpenZFS User Guide*.

## Example: Create and restrict an access point attached to an FSx for ONTAP volume to a VPC ID
<a name="access-points-vpc-example3"></a>

You can create an access point that is attached to an FSx for ONTAP volume by using the Amazon FSx console, AWS CLI, or API. After it is attached, you can use the S3 object APIs to access your file data from the specified VPC.

For instructions on creating and restricting an access point attached to an FSx for ONTAP volume, see [https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/access-points-for-fsxn-vpc.html](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/access-points-for-fsxn-vpc.html) in the *FSx for ONTAP User Guide*.

# Managing public access to access points for general purpose buckets
<a name="access-points-bpa-settings"></a>

Amazon S3 access points support independent *block public access* settings for each access point. When you create an access point, you can specify block public access settings that apply to that access point. For any request made through an access point, Amazon S3 evaluates the block public access settings for that access point, the underlying bucket, and the bucket owner's account. If any of these settings indicate that the request should be blocked, Amazon S3 rejects the request.

For more information about the S3 Block Public Access feature, see [Blocking public access to your Amazon S3 storage](access-control-block-public-access.md).

**Important**  
All block public access settings are enabled by default for access points. You must explicitly disable any settings that you don't want during access point creation.
You cannot turn off any block public access settings when creating or using an access point attached to an Amazon FSx file system.
After you create an access point, you can't change its block public access settings.

**Example**  
***Example: Create an access point with Custom Block Public Access Settings***  
This example creates an access point named `example-ap` for bucket `amzn-s3-demo-bucket` in account `123456789012` with non-default Block Public Access settings. The example then retrieves the new access point's configuration to verify its Block Public Access settings.  

```
aws s3control create-access-point --name example-ap --account-id 123456789012 --bucket amzn-s3-demo-bucket --public-access-block-configuration BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=true,RestrictPublicBuckets=true
```

```
aws s3control get-access-point --name example-ap --account-id 123456789012

{
    "Name": "example-ap",
    "Bucket": "amzn-s3-demo-bucket",
    "NetworkOrigin": "Internet",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": false,
        "IgnorePublicAcls": false,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    },
    "CreationDate": "2019-11-27T00:00:00Z"
}
```
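The following added example (not from the AWS documentation) audits `get-access-point` output for the two settings this section and the VPC section above describe: network origin and Block Public Access. The three sample descriptions are constructed from the examples on this page; the finding texts and the `exposed` ordering are choices of the example.

```python
"""Audit access point descriptions for internet exposure and relaxed Block Public Access.

Added example, not code from the AWS documentation. It takes the JSON that
`aws s3control get-access-point` returns (in the shape shown on this page)
and reports access points whose network origin is Internet, whose VPC
configuration is inconsistent, or whose Block Public Access settings are
not all enabled. The sample descriptions are constructed.
"""
import json

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_access_point(ap: dict) -> list:
    """Return a list of findings (empty when the access point is locked down)."""
    findings = []
    origin = ap.get("NetworkOrigin")
    vpc_id = ap.get("VpcConfiguration", {}).get("VpcId")
    if origin == "VPC":
        if not vpc_id:
            findings.append("NetworkOrigin is VPC but VpcConfiguration.VpcId is missing")
    else:
        findings.append("NetworkOrigin is Internet: reachable from outside any VPC, "
                        "so the access point and bucket policies are the only gate")
    bpa = ap.get("PublicAccessBlockConfiguration", {})
    disabled = [k for k in BPA_KEYS if bpa.get(k) is not True]
    if disabled:
        findings.append("Block Public Access not enforced at the access point for: "
                        + ", ".join(disabled)
                        + " (bucket and account settings still apply)")
    if ap.get("DataSourceType", "").startswith("FSX") and disabled:
        # The page states these settings cannot be turned off for FSx-attached
        # access points, so this combination should never appear.
        findings.append("FSx-attached access point reports disabled BPA settings")
    return findings


def audit(descriptions: list) -> dict:
    """Map access point name -> findings, for every description given."""
    return {ap["Name"]: audit_access_point(ap) for ap in descriptions}


def exposed(descriptions: list) -> list:
    """Names of access points with at least one finding, most findings first."""
    report = audit(descriptions)
    return sorted((n for n, f in report.items() if f), key=lambda n: -len(report[n]))


# Constructed get-access-point outputs, modelled on the examples on this page.
SAMPLE = [json.loads(s) for s in (
    '{"Name": "example-vpc-ap", "Bucket": "amzn-s3-demo-bucket", "NetworkOrigin": "VPC",'
    ' "VpcConfiguration": {"VpcId": "vpc-1a2b3c"},'
    ' "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true,'
    ' "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}',
    '{"Name": "example-ap", "Bucket": "amzn-s3-demo-bucket", "NetworkOrigin": "Internet",'
    ' "PublicAccessBlockConfiguration": {"BlockPublicAcls": false, "IgnorePublicAcls": false,'
    ' "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}',
    '{"Name": "example-fsx-ap", "Bucket": "", "NetworkOrigin": "Internet",'
    ' "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true,'
    ' "BlockPublicPolicy": true, "RestrictPublicBuckets": true},'
    ' "DataSourceType": "FSX_OPENZFS"}',
)]
```

Because the network origin and the block public access settings cannot be changed after creation, a finding here means recreating the access point, not editing it.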

# Managing your Amazon S3 access points for general purpose buckets
<a name="access-points-manage"></a>

This section explains how to manage your Amazon S3 access points for general purpose buckets using the AWS Management Console, AWS Command Line Interface, or REST API. For information on managing access points attached to an FSx for OpenZFS volume, see [Managing your Amazon S3 access points](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/access-points-manage.html) in the *FSx for OpenZFS User Guide*.

**Note**  
You can only use access points to perform operations on objects. You can't use access points to perform other Amazon S3 operations, such as deleting buckets or creating S3 Replication configurations. For a complete list of S3 operations that support access points, see [Access point compatibility](access-points-service-api-support.md).

**Topics**
+ [List your access points for general purpose buckets](access-points-list.md)
+ [View details for your access point for general purpose buckets](access-points-details.md)
+ [Delete your access point for a general purpose bucket](access-points-delete.md)

# List your access points for general purpose buckets
<a name="access-points-list"></a>

This section explains how to list your access points for general purpose buckets using the AWS Management Console, AWS Command Line Interface, or REST API.

## Using the S3 console
<a name="access-points-list-console"></a>

**To list access points in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region that you want to list access points for. 

1. In the navigation pane on the left side of the console, choose **Access Points**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage or use.

## Using the AWS CLI
<a name="access-points-list-cli"></a>

The following `list-access-points` example commands show how you can use the AWS CLI to list your access points. The first command lists all access points for AWS account *111122223333*.

```
aws s3control list-access-points --account-id 111122223333
```

The following command lists access points for AWS account *111122223333* that are attached to bucket *amzn-s3-demo-bucket*.

```
aws s3control list-access-points --account-id 111122223333 --bucket amzn-s3-demo-bucket
```

For more information and examples, see [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/list-access-points.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/list-access-points.html) in the *AWS CLI Command Reference*.

## Using the REST API
<a name="access-points-list-rest"></a>

You can use the REST API to list your access points. For more information, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListAccessPoints.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListAccessPoints.html) in the *Amazon Simple Storage Service API Reference*.

# View details for your access point for general purpose buckets
<a name="access-points-details"></a>

This section explains how to view details for your access point for a general purpose bucket using the AWS Management Console, AWS Command Line Interface, or REST API.

## Using the S3 console
<a name="access-points-details-console"></a>

**To view details for your access point in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region that you want to list access points for. 

1. In the navigation pane on the left side of the console, choose **Access Points**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage or use.

1. Select the **Properties** tab to view the access point data source, account ID, AWS Region, creation date, network origin, S3 URI, ARN, and access point alias for the selected access point.

1. Select the **Permissions** tab to view the block public access settings and access point policy for the selected access point.
**Note**  
You can't change any block public access settings for an access point after the access point is created.

## Using the AWS CLI
<a name="access-points-details-cli"></a>

The following `get-access-point` example commands show how you can use the AWS CLI to view details for your access point. The first command shows details for the access point *my-access-point* in AWS account *111122223333*, which is attached to S3 bucket *amzn-s3-demo-bucket*.

```
aws s3control get-access-point --name my-access-point --account-id 111122223333
```

Example output:

```
{
    "Name": "my-access-point",
    "Bucket": "amzn-s3-demo-bucket",
    "NetworkOrigin": "Internet",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    },
    "CreationDate": "2016-08-29T22:57:52Z",
    "Alias": "my-access-point-u1ny6bhm7moymqx8cuon8o1g4mwikuse2a-s3alias",
    "AccessPointArn": "arn:aws:s3:AWS Region:111122223333:accesspoint/my-access-point",
    "Endpoints": {
        "ipv4": "s3-accesspoint.AWS Region.amazonaws.com",
        "fips": "s3-accesspoint-fips.AWS Region.amazonaws.com",
        "fips_dualstack": "s3-accesspoint-fips.dualstack.AWS Region.amazonaws.com",
        "dualstack": "s3-accesspoint.dualstack.AWS Region.amazonaws.com"
    },
    "BucketAccountId": "111122223333"
}
```

The following command shows details for the access point *example-fsx-ap* in AWS account *444455556666*. This access point is attached to an Amazon FSx file system.

```
aws s3control get-access-point --name example-fsx-ap --account-id 444455556666
```

Example output:

```
{
    "Name": "example-fsx-ap",
    "Bucket": "",
    "NetworkOrigin": "Internet",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    },
    "CreationDate": "2025-01-19T14:16:12Z",
    "Alias": "example-fsx-ap-qrqbyebjtsxorhhaa5exx6r3q7-ext-s3alias",
    "AccessPointArn": "arn:aws:s3:AWS Region:444455556666:accesspoint/example-fsx-ap",
    "Endpoints": {
        "ipv4": "s3-accesspoint.AWS Region.amazonaws.com",
        "fips": "s3-accesspoint-fips.AWS Region.amazonaws.com",
        "fips_dualstack": "s3-accesspoint-fips.dualstack.AWS Region.amazonaws.com",
        "dualstack": "s3-accesspoint.dualstack.AWS Region.amazonaws.com"
    },
    "DataSourceId": "arn:aws::fsx:AWS Region:444455556666:file-system/fs-5432106789abcdef0/volume/vol-0123456789abcdef0",
    "DataSourceType": "FSX_OPENZFS"
}
```

For more information and examples, see [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/get-access-point.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/get-access-point.html) in the *AWS CLI Command Reference*.

## Using the REST API
<a name="access-points-details-rest"></a>

You can use the REST API to view details for your access point. For more information, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessPoint.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessPoint.html) in the *Amazon Simple Storage Service API Reference*.

# Delete your access point for a general purpose bucket
<a name="access-points-delete"></a>

This section explains how to delete your access point for a general purpose bucket using the AWS Management Console, AWS Command Line Interface, or REST API.

## Using the S3 console
<a name="access-points-delete-console"></a>

**To delete an access point in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region that you want to list access points for. 

1. In the navigation pane on the left side of the console, choose **Access Points**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage or use.

1. From the **Access Point** page, select **Delete** to delete the access point you've selected.

1. To confirm deletion, type the name of the access point and choose **Delete**.

## Using the AWS CLI
<a name="access-points-delete-cli"></a>

The following `delete-access-point` example command shows how you can use the AWS CLI to delete your access point.

The following command deletes the access point *my-access-point* for AWS account *111122223333*.

```
aws s3control delete-access-point --name my-access-point --account-id 111122223333      
```

For more information and examples, see [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/delete-access-point.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/delete-access-point.html) in the *AWS CLI Command Reference*.

## Using the REST API
<a name="access-points-delete-rest"></a>

You can use the REST API to delete your access point. For more information, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteAccessPoint.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteAccessPoint.html) in the *Amazon Simple Storage Service API Reference*.

# Using Amazon S3 access points for general purpose buckets
<a name="using-access-points"></a>

The following examples demonstrate how to use access points for general purpose buckets with compatible operations in Amazon S3.

**Note**  
S3 automatically generates an access point alias for every access point, and these aliases can be used anywhere a bucket name is used to perform object-level operations. For more information, see [Access point aliases](access-points-naming.md#access-points-alias).

You can only use access points for general purpose buckets to perform operations on objects. You can't use access points to perform other Amazon S3 operations, such as modifying or deleting buckets. For a complete list of S3 operations that support access points, see [Access point compatibility](access-points-service-api-support.md).

**Topics**
+ [List objects through an access point for a general purpose bucket](list-object-ap.md)
+ [Download an object through an access point for a general purpose bucket](get-object-ap.md)
+ [Configure access control lists (ACLs) through an access point for a general purpose bucket](put-acl-permissions-ap.md)
+ [Upload an object through an access point for a general purpose bucket](put-object-ap.md)
+ [Add a tag-set through an access point for a general purpose bucket](add-tag-set-ap.md)
+ [Delete an object through an access point for a general purpose bucket](delete-object-ap.md)

# List objects through an access point for a general purpose bucket
<a name="list-object-ap"></a>

This section explains how to list your objects through an access point for a general purpose bucket using the AWS Management Console, AWS Command Line Interface, or REST API.

## Using the S3 console
<a name="list-object-ap-console"></a>

**To list your objects through an access point in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region that you want to list access points for. 

1. In the navigation pane on the left side of the console, choose **Access Points**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage or use.

1. Under the **Objects** tab, you can view the names of the objects that you want to access through the access point. While you're using the access point, you can only perform the object operations that are allowed by the access point permissions.
**Note**  
The console view always shows all objects in the bucket. Using an access point as described in this procedure restricts the operations you can perform on those objects, but not whether you can see that they exist in the bucket.
The AWS Management Console doesn't support using virtual private cloud (VPC) access points to access bucket resources. To access bucket resources from a VPC access point, use the AWS CLI, AWS SDKs, or Amazon S3 REST APIs.

## Using the AWS CLI
<a name="list-object-ap-cli"></a>

The following `list-objects-v2` example command shows how you can use the AWS CLI to list your objects through an access point.

The following command lists objects for AWS account *111122223333* using access point *my-access-point*.

```
aws s3api list-objects-v2 --bucket arn:aws:s3:AWS Region:111122223333:accesspoint/my-access-point      
```

**Note**  
S3 automatically generates an access point alias for every access point, and these aliases can be used anywhere a bucket name is used to perform object-level operations. For more information, see [Access point aliases](access-points-naming.md#access-points-alias).

For more information and examples, see [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/list-objects-v2.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/list-objects-v2.html) in the *AWS CLI Command Reference*.

## Using the REST API
<a name="list-object-ap-rest"></a>

You can use the REST API to list objects through an access point. For more information, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html) in the *Amazon Simple Storage Service API Reference*.

# Download an object through an access point for a general purpose bucket
<a name="get-object-ap"></a>

This section explains how to download an object through an access point for a general purpose bucket using the AWS Management Console, AWS Command Line Interface, or REST API.

## Using the S3 console
<a name="get-object-ap-console"></a>

**To download an object through an access point in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region that you want to list access points for. 

1. In the navigation pane on the left side of the console, choose **Access Points**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage or use.

1. Under the **Objects** tab, select the name of the object that you want to download.

1. Choose **Download**.

## Using the AWS CLI
<a name="get-object-ap-cli"></a>

The following `get-object` example command shows how you can use the AWS CLI to download an object through an access point.

The following command downloads the object `puppy.jpg` for AWS account *111122223333* using access point *my-access-point*. You must include an `outfile`, which is a file name for the downloaded object, such as `my_downloaded_image.jpg`.

```
aws s3api get-object --bucket arn:aws:s3:AWS Region:111122223333:accesspoint/my-access-point --key puppy.jpg my_downloaded_image.jpg      
```

**Note**  
S3 automatically generates an access point alias for every access point, and these aliases can be used anywhere a bucket name is used to perform object-level operations. For more information, see [Access point aliases](access-points-naming.md#access-points-alias).

For more information and examples, see [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-object.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-object.html) in the *AWS CLI Command Reference*.

## Using the REST API
<a name="get-object-ap-rest"></a>

You can use the REST API to download an object through an access point. For more information, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) in the *Amazon Simple Storage Service API Reference*.

## Using the AWS SDKs
<a name="download-object-ap-SDKs"></a>

You can use the AWS SDK for Python to download an object through an access point. 

------
#### [ Python ]

In the following example, the file named `hello.txt` is downloaded for AWS account *111122223333* using the access point named *my-access-point*.

```
import boto3

s3 = boto3.client('s3')
# The access point ARN is accepted wherever a bucket name is expected.
s3.download_file('arn:aws:s3:us-east-1:111122223333:accesspoint/my-access-point', 'hello.txt', '/tmp/hello.txt')
```

------

# Configure access control lists (ACLs) through an access point for a general purpose bucket
<a name="put-acl-permissions-ap"></a>

This section explains how to configure ACLs through an access point for a general purpose bucket using the AWS Management Console, AWS Command Line Interface, or REST API. For more information about ACLs, see [Access control list (ACL) overview](acl-overview.md). 

## Using the S3 console
<a name="put-acl-permissions-ap-console"></a>

**To configure ACLs through an access point in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region that you want to list access points for. 

1. In the navigation pane on the left side of the console, choose **Access Points**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage or use.

1. Under the **Objects** tab, select the name of the object you wish to configure an ACL for.

1. Under the **Permissions** tab, select **Edit** to configure the object ACL.
**Note**  
Amazon S3 currently doesn't support changing an access point's block public access settings after the access point has been created.

## Using the AWS CLI
<a name="put-acl-permissions-ap-cli"></a>

The following `put-object-acl` example command shows how you can use the AWS CLI to configure access permissions through an access point using an ACL.

The following command applies an ACL to an existing object `puppy.jpg` through an access point owned by AWS account *111122223333*.

```
aws s3api put-object-acl --bucket arn:aws:s3:AWS Region:111122223333:accesspoint/my-access-point --key puppy.jpg --acl private      
```

**Note**  
S3 automatically generates an access point alias for every access point, and these aliases can be used anywhere a bucket name is used to perform object-level operations. For more information, see [Access point aliases](access-points-naming.md#access-points-alias).

For more information and examples, see [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-object-acl.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-object-acl.html) in the *AWS CLI Command Reference*.

## Using the REST API
<a name="put-acl-permissions-ap-rest"></a>

You can use the REST API to configure access permissions through an access point using an ACL. For more information, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl.html) in the *Amazon Simple Storage Service API Reference*.

# Upload an object through an access point for a general purpose bucket
<a name="put-object-ap"></a>

This section explains how to upload an object through an access point for a general purpose bucket using the AWS Management Console, AWS Command Line Interface, or REST API.

## Using the S3 console
<a name="put-object-ap-console"></a>

**To upload an object through an access point in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region that you want to list access points for. 

1. In the navigation pane on the left side of the console, choose **Access Points**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage or use.

1. Under the **Objects** tab, select **Upload**.

1. Drag and drop files and folders you want to upload here, or choose **Add files** or **Add folder**.
**Note**  
The maximum size of a file that you can upload by using the Amazon S3 console is 160 GB. To upload a file larger than 160 GB, use the AWS Command Line Interface (AWS CLI), AWS SDKs, or Amazon S3 REST API.

1. To change access control list permissions, choose **Permissions**.

1. Under **Access control list (ACL)**, edit the permissions.

   For information about object access permissions, see [Using the S3 console to set ACL permissions for an object](managing-acls.md#set-object-permissions). You can grant read access to your objects to the public (everyone in the world) for all of the files that you're uploading. However, we recommend not changing the default setting for public read access. Granting public read access is applicable to a small subset of use cases, such as when buckets are used for websites. You can always change the object permissions after you upload the object. 

1. To configure other additional properties, choose **Properties**.

1. Under **Storage class**, choose the storage class for the files that you're uploading.

   For more information about storage classes, see [Understanding and managing Amazon S3 storage classes](storage-class-intro.md).

1. To update the encryption settings for your objects, under **Server-side encryption settings**, do the following.

   1. Choose **Specify an encryption key**.

   1. Under **Encryption settings**, choose **Use bucket settings for default encryption** or **Override bucket settings for default encryption**.

   1. If you chose **Override bucket settings for default encryption**, you must configure the following encryption settings.
      + To encrypt the uploaded files by using keys that are managed by Amazon S3, choose **Amazon S3 managed key (SSE-S3)**.

        For more information, see [Using server-side encryption with Amazon S3 managed keys (SSE-S3)](UsingServerSideEncryption.md).
      + To encrypt the uploaded files by using keys stored in AWS Key Management Service (AWS KMS), choose **AWS Key Management Service key (SSE-KMS)**. Then choose one of the following options for **AWS KMS key**:
        + To choose from a list of available KMS keys, choose **Choose from your AWS KMS keys**, and then choose your **KMS key** from the list of available keys.

          Both the AWS managed key (`aws/s3`) and your customer managed keys appear in this list. For more information about customer managed keys, see [Customer keys and AWS keys](https://docs.aws.amazon.com//kms/latest/developerguide/concepts.html#key-mgmt) in the *AWS Key Management Service Developer Guide*.
        + To enter the KMS key ARN, choose **Enter AWS KMS key ARN**, and then enter your KMS key ARN in the field that appears. 
        + To create a new customer managed key in the AWS KMS console, choose **Create a KMS key**.

          For more information about creating an AWS KMS key, see [Creating keys](https://docs.aws.amazon.com//kms/latest/developerguide/create-keys.html) in the *AWS Key Management Service Developer Guide*.
**Important**  
You can use only KMS keys that are available in the same AWS Region as the bucket. The Amazon S3 console lists only the first 100 KMS keys in the same Region as the bucket. To use a KMS key that is not listed, you must enter your KMS key ARN. If you want to use a KMS key that is owned by a different account, you must first have permission to use the key and then you must enter the KMS key ARN.   
Amazon S3 supports only symmetric encryption KMS keys, and not asymmetric KMS keys. For more information, see [Identifying symmetric and asymmetric KMS keys](https://docs.aws.amazon.com//kms/latest/developerguide/find-symm-asymm.html) in the *AWS Key Management Service Developer Guide*.

1. To use additional checksums, choose **On**. Then for **Checksum function**, choose the function that you would like to use. Amazon S3 calculates and stores the checksum value after it receives the entire object. You can use the **Precalculated value** box to supply a precalculated value. If you do, Amazon S3 compares the value that you provided to the value that it calculates. If the two values do not match, Amazon S3 generates an error.

   Additional checksums enable you to specify the checksum algorithm that you would like to use to verify your data. For more information about additional checksums, see [Checking object integrity in Amazon S3](checking-object-integrity.md).

1. To add tags to all of the objects that you are uploading, choose **Add tag**. Enter a tag name in the **Key** field. Enter a value for the tag.

   Object tagging gives you a way to categorize storage. Each tag is a key-value pair. Key and tag values are case sensitive. You can have up to 10 tags per object. A tag key can be up to 128 Unicode characters in length, and tag values can be up to 255 Unicode characters in length. For more information about object tags, see [Categorizing your objects using tags](object-tagging.md).

1. To add metadata, choose **Add metadata**.

   1. Under **Type**, choose **System defined** or **User defined**.

      For system-defined metadata, you can select common HTTP headers, such as **Content-Type** and **Content-Disposition**. For a list of system-defined metadata and information about whether you can add the value, see [System-defined object metadata](UsingMetadata.md#SysMetadata). Any metadata starting with the prefix `x-amz-meta-` is treated as user-defined metadata. User-defined metadata is stored with the object and is returned when you download the object. Both the keys and their values must conform to US-ASCII standards. User-defined metadata can be as large as 2 KB. For more information about system-defined and user-defined metadata, see [Working with object metadata](UsingMetadata.md).

   1. For **Key**, choose a key.

   1. Type a value for the key. 

1. To upload your objects, choose **Upload**.

   Amazon S3 uploads your object. When the upload completes, you can see a success message on the **Upload: status** page.

## Using the AWS CLI
<a name="put-object-ap-cli"></a>

The following `put-object` example command shows how you can use the AWS CLI to upload an object through an access point.

The following command uploads the object `puppy.jpg` for AWS account *111122223333* using access point *my-access-point*.

```
aws s3api put-object --bucket arn:aws:s3:AWS Region:111122223333:accesspoint/my-access-point --key puppy.jpg --body puppy.jpg      
```

**Note**  
S3 automatically generates an access point alias for every access point, and access point aliases can be used anywhere a bucket name is used to perform object-level operations. For more information, see [Access point aliases](access-points-naming.md#access-points-alias).

For more information and examples, see [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-object.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-object.html) in the *AWS CLI Command Reference*.

## Using the REST API
<a name="put-object-ap-rest"></a>

You can use the REST API to upload an object through an access point. For more information, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) in the *Amazon Simple Storage Service API Reference*.

## Using the AWS SDKs
<a name="put-object-ap-SDKs"></a>

You can use the AWS SDK for Python to upload an object through an access point. 

------
#### [ Python ]

In the following example, the file named `hello.txt` is uploaded for AWS account *111122223333* using the access point named *my-access-point*.

```
import boto3

s3 = boto3.client('s3')
# The access point ARN is accepted wherever a bucket name is expected.
s3.upload_file('/tmp/hello.txt', 'arn:aws:s3:us-east-1:111122223333:accesspoint/my-access-point', 'hello.txt')
```

------
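The console procedure above maps onto parameters of the same `put_object` call that the SDK snippet uses. The following added example (not AWS code) builds that call for an access point ARN and applies the limits the procedure states (10 tags, tag key and value lengths, 2 KB of US-ASCII user-defined metadata) before anything is sent; the ARNs and object contents are constructed placeholders, and the list of checksum functions is an assumption.

```python
from typing import Dict, Optional
from urllib.parse import urlencode

# Limits quoted in the console procedure above.
MAX_TAGS = 10
MAX_TAG_KEY_LEN = 128
MAX_TAG_VALUE_LEN = 255
MAX_USER_METADATA_BYTES = 2 * 1024
# Checksum functions the SDK can compute client-side (assumed list).
CHECKSUM_ALGORITHMS = ("CRC32", "CRC32C", "SHA1", "SHA256")

# Constructed placeholder ARN for the examples below.
EXAMPLE_AP_ARN = "arn:aws:s3:us-east-1:111122223333:accesspoint/my-access-point"


def build_put_object_args(access_point_arn: str, key: str, body: bytes,
                          kms_key_arn: Optional[str] = None,
                          checksum_algorithm: Optional[str] = None,
                          tags: Optional[Dict[str, str]] = None,
                          metadata: Optional[Dict[str, str]] = None) -> dict:
    """Return keyword arguments for boto3's put_object, enforcing the page's limits."""
    args: dict = {"Bucket": access_point_arn, "Key": key, "Body": body}

    if kms_key_arn is not None:
        # Equivalent of "Override bucket settings for default encryption" with SSE-KMS.
        args["ServerSideEncryption"] = "aws:kms"
        args["SSEKMSKeyId"] = kms_key_arn

    if checksum_algorithm is not None:
        if checksum_algorithm not in CHECKSUM_ALGORITHMS:
            raise ValueError(f"unsupported checksum function: {checksum_algorithm}")
        args["ChecksumAlgorithm"] = checksum_algorithm

    if tags:
        if len(tags) > MAX_TAGS:
            raise ValueError(f"at most {MAX_TAGS} tags per object")
        for k, v in tags.items():
            if len(k) > MAX_TAG_KEY_LEN or len(v) > MAX_TAG_VALUE_LEN:
                raise ValueError(f"tag {k!r} exceeds key/value length limits")
        args["Tagging"] = urlencode(tags)  # PutObject takes the tag-set as a query string

    if metadata:
        total = 0
        for k, v in metadata.items():
            try:
                total += len((k + v).encode("ascii"))  # keys and values must be US-ASCII
            except UnicodeEncodeError as exc:
                raise ValueError(f"metadata {k!r} must be US-ASCII") from exc
        if total > MAX_USER_METADATA_BYTES:
            raise ValueError("user-defined metadata exceeds 2 KB")
        args["Metadata"] = metadata  # boto3 adds the x-amz-meta- prefix to each key
    return args


def is_rejected(**kwargs) -> bool:
    """True when build_put_object_args refuses the request (used for checks)."""
    try:
        build_put_object_args(EXAMPLE_AP_ARN, "k", b"", **kwargs)
        return False
    except ValueError:
        return True


def upload_through_access_point(**kwargs) -> dict:
    """Perform the upload. Needs boto3 and AWS credentials, so it is not exercised offline."""
    import boto3  # imported here so the validation above works without the SDK installed
    return boto3.client("s3").put_object(**build_put_object_args(**kwargs))


if __name__ == "__main__":
    print(build_put_object_args(
        EXAMPLE_AP_ARN, "puppy.jpg", b"constructed object contents",
        kms_key_arn="arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",  # placeholder
        checksum_algorithm="SHA256",
        tags={"animal": "true"},
        metadata={"source": "console-equivalent"},
    ))
```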

# Add a tag-set through an access point for a general purpose bucket
<a name="add-tag-set-ap"></a>

This section explains how to add a tag-set through an access point for a general purpose bucket using the AWS Management Console, AWS Command Line Interface, or REST API. For more information, see [Categorizing your objects using tags](object-tagging.md).

## Using the S3 console
<a name="add-tag-set-ap-console"></a>

**To add a tag-set through an access point in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region that you want to list access points for. 

1. In the navigation pane on the left side of the console, choose **Access Points**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage or use.

1. Under the **Objects** tab, select the name of the object you wish to add a tag-set to.

1. Under the **Properties** tab, find the **Tags** sub-header and choose **Edit**.

1. Review the objects listed, and choose **Add tag**.

1. Each object tag is a key-value pair. Enter a **Key** and a **Value**. To add another tag, choose **Add Tag**.

   You can enter up to 10 tags for an object.

1. Choose **Save changes**.

## Using the AWS CLI
<a name="add-tag-set-ap-cli"></a>

The following `put-object-tagging` example command shows how you can use the AWS CLI to add a tag-set through an access point.

The following command adds a tag-set for existing object `puppy.jpg` using access point *my-access-point*.

```
aws s3api put-object-tagging --bucket arn:aws:s3:AWS Region:111122223333:accesspoint/my-access-point --key puppy.jpg --tagging 'TagSet=[{Key=animal,Value=true}]'
```

**Note**  
S3 automatically generates an access point alias for every access point, and access point aliases can be used anywhere a bucket name is used to perform object-level operations. For more information, see [Access point aliases](access-points-naming.md#access-points-alias).

For more information and examples, see [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-object-tagging.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-object-tagging.html) in the *AWS CLI Command Reference*.

## Using the REST API
<a name="add-tag-set-ap-rest"></a>

You can use the REST API to add a tag-set to an object through an access point. For more information, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectTagging.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectTagging.html) in the *Amazon Simple Storage Service API Reference*.

# Delete an object through an access point for a general purpose bucket
<a name="delete-object-ap"></a>

This section explains how to delete an object through an access point for a general purpose bucket using the AWS Management Console, AWS Command Line Interface, or REST API.

## Using the S3 console
<a name="delete-object-ap-console"></a>

**To delete an object or objects through an access point in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region that you want to list access points for. 

1. In the navigation pane on the left side of the console, choose **Access Points**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage or use.

1. Under the **Objects** tab, select the name of the object or objects you wish to delete.

1. Review the objects listed for deletion, and type *delete* in the confirmation box.

1. Choose **Delete objects**.

## Using the AWS CLI
<a name="delete-object-ap-cli"></a>

The following `delete-object` example command shows how you can use the AWS CLI to delete an object through an access point.

The following command deletes the existing object `puppy.jpg` using access point *my-access-point*.

```
aws s3api delete-object --bucket arn:aws:s3:AWS Region:111122223333:accesspoint/my-access-point --key puppy.jpg      
```

**Note**  
S3 automatically generates an access point alias for every access point, and access point aliases can be used anywhere a bucket name is used to perform object-level operations. For more information, see [Access point aliases](access-points-naming.md#access-points-alias).

For more information and examples, see [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-object.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-object.html) in the *AWS CLI Command Reference*.

## Using the REST API
<a name="delete-object-ap-rest"></a>

You can use the REST API to delete an object through an access point. For more information, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html) in the *Amazon Simple Storage Service API Reference*.

# Using tags with S3 Access Points for general purpose buckets
<a name="access-points-tagging"></a>

An AWS tag is a key-value pair that holds metadata about resources, in this case Amazon S3 Access Points. You can tag access points when you create them or manage tags on existing access points. For general information about tags, see [Tagging for cost allocation or attribute-based access control (ABAC)](tagging.md).

**Note**  
There is no additional charge for using tags on access points beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).

## Common ways to use tags with access points
<a name="common-ways-to-use-tags-directory-bucket"></a>

Attribute-based access control (ABAC) allows you to scale access permissions and grant access to access points based on their tags. For more information about ABAC in Amazon S3, see [Using tags for ABAC](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html#).

### ABAC for S3 Access Points
<a name="abac-for-access-points"></a>

Amazon S3 Access Points support attribute-based access control (ABAC) using tags. Use tag-based condition keys in your AWS organizations, IAM, and Access Points policies. For enterprises, ABAC in Amazon S3 supports authorization across multiple AWS accounts. 

In your IAM policies, you can control access to access points based on the access point's tags by using the following [global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys):
+ `aws:ResourceTag/key-name`
**Important**  
The `aws:ResourceTag` condition key can only be used for S3 actions performed via an access point ARN for general purpose buckets and covers the underlying access point tags only.
  + Use this key to compare the tag key-value pair that you specify in the policy with the key-value pair attached to the resource. For example, you could require that access to a resource is allowed only if the resource has the attached tag key `Dept` with the value `Marketing`. For more information, see [Controlling access to AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources).
+ `aws:RequestTag/key-name`
  + Use this key to compare the tag key-value pair that was passed in the request with the tag pair that you specify in the policy. For example, you could check whether the request includes the tag key `Dept` and that it has the value `Accounting`. For more information, see [Controlling access during AWS requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-requests). You can use this condition key to restrict which tag key-value pairs can be passed during the `TagResource` and `CreateAccessPoint` API operations.
+ `aws:TagKeys`
  + Use this key to compare the tag keys in a request with the keys that you specify in the policy. We recommend that when you use policies to control access using tags, use the `aws:TagKeys` condition key to define what tag keys are allowed. For example policies and more information, see [Controlling access based on tag keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-tag-keys). You can create an access point with tags. To allow tagging during the `CreateAccessPoint` API operation, you must create a policy that includes both the `s3:TagResource` and `s3:CreateAccessPoint` actions. You can then use the `aws:TagKeys` condition key to enforce using specific tags in the `CreateAccessPoint` request.
+ `s3:AccessPointTag/tag-key`
  + Use this condition key to grant permissions to specific data via access points using tags. When you use `aws:ResourceTag/tag-key` in an IAM policy, both the access point and the bucket that the access point points to must carry the same tag, because both are considered during authorization. If you want to control access to your data via the access point's tags only, use the `s3:AccessPointTag/tag-key` condition key.

### Example ABAC policies for access points
<a name="example-access-points-abac-policies"></a>

See the following example ABAC policies for Amazon S3 Access Points.

#### 1.1 - IAM policy to create or modify access points with specific tags
<a name="example-access-points-user-policy-request-tag"></a>

In this IAM policy, users or roles with this policy can only create access points if they tag the access points with the tag key `project` and tag value `Trinity` in the access point creation request. They can also add or modify tags on existing access points as long as the `TagResource` request includes the tag key-value pair `project:Trinity`.

```
{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "CreateAccessPointWithTags",
      "Effect": "Allow",
      "Action": [
        "s3:CreateAccessPoint",
        "s3:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/project": [
            "Trinity"
          ]
        }
      }
    }
  ]
}
```

#### 1.2 - Access Point policy to restrict operations on the access point using tags
<a name="example-access-points-user-policy-resource-tag"></a>

In this Access Point policy, IAM principals (users and roles) can perform operations using the `GetObject` action on the access point only if the value of the access point's `project` tag matches the value of the principal's `project` tag.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectOperations",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:region:111122223333:accesspoint/my-access-point",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
        }
      }
    }
  ]
}
```

#### 1.3 - IAM policy to modify tags on existing resources while maintaining tagging governance
<a name="example-access-points-user-policy-tag-keys"></a>

In this IAM policy, IAM principals (users or roles) can modify tags on an access point only if the value of the access point's `project` tag matches the value of the principal's `project` tag. Only the four tags `project`, `environment`, `owner`, and `cost-center` specified in the `aws:TagKeys` condition keys are permitted for these access points. This helps enforce tag governance, prevents unauthorized tag modifications, and keeps the tagging schema consistent across your access points.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTaggingRulesOnModification",
      "Effect": "Allow",
      "Action": [
        "s3:TagResource"
      ],
      "Resource": "arn:aws:s3:region:111122223333:accesspoint/my-access-point",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "project",
            "environment",
            "owner",
            "cost-center"
          ]
        }
      }
    }
  ]
}
```

#### 1.4 - Using the s3:AccessPointTag condition key
<a name="example-access-points-policy-bucket-tag"></a>

In this IAM policy, the condition statement allows access to the bucket's data if the access point has the tag key `Environment` and tag value `Production`. 

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessToSpecificAccessPoint",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "arn:aws:s3:region:111122223333:accesspoint/my-access-point",
      "Condition": {
        "StringEquals": {
          "s3:AccessPointTag/Environment": "Production"
        }
      }
    }
  ]
}
```

#### 1.5 - Using a bucket delegate policy
<a name="example-access-points-policy-delegate"></a>

In Amazon S3, you can delegate access to or control of your S3 bucket policy to another AWS account or to a specific AWS Identity and Access Management (IAM) user or role in the other account. The delegate bucket policy grants this other account, user, or role permission to your bucket and its objects. For more information, see [Permission delegation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html#permission-delegation). 

If using a delegate bucket policy, such as the following: 

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Principal": {"AWS": "*"},
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/*", "arn:aws:s3:::amzn-s3-demo-bucket"],
    "Condition": {
      "StringEquals": {
        "s3:DataAccessPointAccount": "111122223333"
      }
    }
  }
}
```

The delegate bucket policy above grants access only through access points owned by account `111122223333`. In the following IAM policy, attached to a principal in that account, the condition statement narrows this further: it allows access to the bucket's data only if the access point has the tag key `Environment` and tag value `Production`. 

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessToSpecificAccessPoint",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "arn:aws:s3:region:111122223333:accesspoint/my-access-point",
      "Condition": {
        "StringEquals": {
          "s3:AccessPointTag/Environment": "Production"
        }
      }
    }
  ]
}
```
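To see how the condition keys in examples 1.1 through 1.5 combine, the following is an added example (not AWS code and not an IAM implementation): a small Python evaluator that models only the `StringEquals` and `ForAllValues:StringEquals` operators, `${aws:PrincipalTag/...}` variable substitution, and the `aws:RequestTag`, `aws:ResourceTag`, `s3:AccessPointTag`, `aws:TagKeys` and `s3:DataAccessPointAccount` keys used above. The `RequestContext` class and all tag values are constructed for the demonstration; resource ARN matching, `Deny` statements and cross-account evaluation are deliberately left out.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class RequestContext:
    """Constructed stand-in for the request context IAM builds for one call."""
    action: str
    principal_tags: Dict[str, str] = field(default_factory=dict)     # tags on the calling user/role
    request_tags: Dict[str, str] = field(default_factory=dict)       # tags sent in this API call
    resource_tags: Dict[str, str] = field(default_factory=dict)      # tags already on the access point
    access_point_tags: Dict[str, str] = field(default_factory=dict)  # source of s3:AccessPointTag/*
    access_point_account: Optional[str] = None                       # source of s3:DataAccessPointAccount

# condition-key prefix -> context attribute holding the tag map it reads
_TAG_SOURCES = {"aws:RequestTag/": "request_tags", "aws:ResourceTag/": "resource_tags",
                "s3:AccessPointTag/": "access_point_tags"}
_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")

def resolve_key(key, ctx):
    """Value of a condition key for this request; None when the key is absent."""
    for prefix, attr in _TAG_SOURCES.items():
        if key.startswith(prefix):
            return getattr(ctx, attr).get(key[len(prefix):])
    if key == "aws:TagKeys":                       # multi-valued: every tag key in the request
        return list(ctx.request_tags)
    if key == "s3:DataAccessPointAccount":
        return ctx.access_point_account
    return None

def substitute(value, ctx):
    """Expand ${aws:PrincipalTag/key}; None (condition fails) if the principal lacks the tag."""
    if any(name not in ctx.principal_tags for name in _VAR.findall(value)):
        return None
    return _VAR.sub(lambda m: ctx.principal_tags[m.group(1)], value)

def condition_matches(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            allowed = [substitute(e, ctx) for e in (expected if isinstance(expected, list) else [expected])]
            if None in allowed:
                return False
            actual = resolve_key(key, ctx)
            if operator == "StringEquals":
                if isinstance(actual, list):
                    raise ValueError(f"{key} is multi-valued; use ForAllValues/ForAnyValue")
                if actual is None or actual not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # every request value must be in the allowed set; an absent key
                # matches vacuously, which is also how IAM treats it
                values = actual if isinstance(actual, list) else [actual] if actual is not None else []
                if any(v not in allowed for v in values):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True

def _action_matches(pattern, action):
    return pattern == "*" or pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))

def is_allowed(policy, ctx):
    """True when an Allow statement names the action and its Condition holds."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt.get("Effect") == "Allow" and any(_action_matches(a, ctx.action) for a in actions)
                and condition_matches(stmt.get("Condition", {}), ctx)):
            return True
    return False

# Action and Condition blocks of examples 1.1, 1.3, 1.4 and the 1.5 delegate bucket policy
P_CREATE = {"Statement": [{"Effect": "Allow", "Action": ["s3:CreateAccessPoint", "s3:TagResource"],
            "Condition": {"StringEquals": {"aws:RequestTag/project": ["Trinity"]}}}]}
P_MODIFY = {"Statement": [{"Effect": "Allow", "Action": ["s3:TagResource"], "Condition": {
            "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"},
            "ForAllValues:StringEquals": {"aws:TagKeys": ["project", "environment", "owner", "cost-center"]}}}]}
P_APTAG = {"Statement": [{"Effect": "Allow", "Action": "*",
           "Condition": {"StringEquals": {"s3:AccessPointTag/Environment": "Production"}}}]}
P_DELEGATE = {"Statement": [{"Effect": "Allow", "Action": ["s3:*"],
              "Condition": {"StringEquals": {"s3:DataAccessPointAccount": "111122223333"}}}]}

def demo():
    """Each policy against constructed requests; keys name the scenario, values are the decisions."""
    trinity = {"project": "Trinity"}
    return {
        "create_tagged_trinity": is_allowed(P_CREATE, RequestContext("s3:CreateAccessPoint", request_tags=trinity)),
        "create_untagged": is_allowed(P_CREATE, RequestContext("s3:CreateAccessPoint")),
        "retag_same_project": is_allowed(P_MODIFY, RequestContext("s3:TagResource", principal_tags=trinity,
                                         resource_tags=trinity, request_tags={"owner": "alice", "environment": "prod"})),
        "retag_unlisted_key": is_allowed(P_MODIFY, RequestContext("s3:TagResource", principal_tags=trinity,
                                         resource_tags=trinity, request_tags={"team": "blue"})),
        "retag_principal_untagged": is_allowed(P_MODIFY, RequestContext("s3:TagResource", resource_tags=trinity,
                                               request_tags={"owner": "bob"})),
        "get_via_production_ap": is_allowed(P_APTAG, RequestContext("s3:GetObject", access_point_tags={"Environment": "Production"})),
        "get_via_staging_ap": is_allowed(P_APTAG, RequestContext("s3:GetObject", access_point_tags={"Environment": "Staging"})),
        "delegate_own_account_ap": is_allowed(P_DELEGATE, RequestContext("s3:GetObject", access_point_account="111122223333")),
        "delegate_other_account_ap": is_allowed(P_DELEGATE, RequestContext("s3:GetObject", access_point_account="444455556666")),
    }

if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:28s} {'ALLOW' if decision else 'DENY (implicit)'}")
```

Two behaviours are worth noticing in the output. A principal that carries no `project` tag never matches `${aws:PrincipalTag/project}`, so the variable-based policies fail closed rather than matching an empty string. And `ForAllValues:StringEquals` on `aws:TagKeys` passes when the request carries no tags at all, so it constrains which keys may be written but does not by itself require any tag; pair it with an `aws:RequestTag` condition when a tag must be present.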

## Working with tags for access points for general purpose buckets
<a name="working-with-tags-access-points"></a>

You can add or manage tags for access points using the Amazon S3 Console, the AWS Command Line Interface (CLI), the AWS SDKs, or using the S3 APIs: [TagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_TagResource.html), [UntagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_UntagResource.html), and [ListTagsForResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListTagsForResource.html). For more information, see:

**Topics**
+ [Common ways to use tags with access points](#common-ways-to-use-tags-directory-bucket)
+ [Working with tags for access points for general purpose buckets](#working-with-tags-access-points)
+ [Creating access points with tags](access-points-create-tag.md)
+ [Adding a tag to an access point](access-points-tag-add.md)
+ [Viewing access point tags](access-points-tag-view.md)
+ [Deleting a tag from an access point](access-points-tag-delete.md)

# Creating access points with tags
<a name="access-points-create-tag"></a>

You can tag access points when you create them. There is no additional charge for using tags on access points beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://docs.aws.amazon.com/s3/pricing/). For more information about tagging access points, see [Using tags with S3 Access Points for general purpose buckets](access-points-tagging.md).

## Permissions
<a name="access-points-create-tag-permissions"></a>

To create an access point with tags, you must have the following permissions:
+ `s3:CreateAccessPoint`
+ `s3:TagResource`

## Troubleshooting errors
<a name="access-points-create-tag-troubleshooting"></a>

If you encounter an error when attempting to create an access point with tags, you can do the following: 
+ Verify that you have the required [Permissions](#access-points-create-tag-permissions) to create the access point and add a tag to it.
+ Check your IAM user policy for any attribute-based access control (ABAC) conditions. You may be required to label your access points only with specific tag keys and values. For more information, see [Using tags for attribute-based access control (ABAC)](tagging.md#using-tags-for-abac).

## Steps
<a name="access-points-create-tag-steps"></a>

You can create an access point with tags applied by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console
<a name="access-points-create-tag-console"></a>

To create an access point with tags using the Amazon S3 console:

1. Sign in to the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Access Points (General Purpose Buckets)**.

1. Choose **Create access point** to create a new access point.

1. On the **Create access point** page, the **Tags** section lets you tag the new access point as you create it.

1. Enter a name for the access point. For more information, see [Access points naming rules, restrictions, and limitations](access-points-restrictions-limitations-naming-rules.md).

1. Choose **Add new Tag** to open the **Tags** editor and enter a tag key-value pair. The tag key is required, but the value is optional. 

1. To add another tag, select **Add new Tag** again. You can enter up to 50 tag key-value pairs.

1. After you complete specifying the options for your new access point, choose **Create access point**. 

## Using the AWS SDKs
<a name="access-points-create-tag-sdks"></a>

------
#### [ SDK for Java 2.x ]

This example shows you how to create an access point with tags by using the AWS SDK for Java 2.x. To use the example, replace the *user input placeholders* with your own information. 

```
import java.util.Collections;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.CreateAccessPointRequest;
import software.amazon.awssdk.services.s3control.model.Tag;

S3ControlClient awss3Control = S3ControlClient.create();

// Account ID, access point name and bucket name are all passed as strings
CreateAccessPointRequest createAccessPointRequest = CreateAccessPointRequest.builder()
        .accountId("111122223333")
        .name("my-access-point")
        .bucket("amzn-s3-demo-bucket")
        .tags(Collections.singletonList(Tag.builder().key("key1").value("value1").build()))
        .build();
awss3Control.createAccessPoint(createAccessPointRequest);
```

------

## Using the REST API
<a name="access-points-tag-delete-api"></a>

For information about the Amazon S3 REST API support for creating an access point with tags, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [CreateAccessPoint](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateAccessPoint.html)

## Using the AWS CLI
<a name="access-points-create-tag-cli"></a>

To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to create an access point with tags by using the AWS CLI. To use the command, replace the *user input placeholders* with your own information.

**Request:**

```
aws s3control create-access-point --name my-access-point \
--bucket amzn-s3-demo-bucket \
--account-id 111122223333 \
--profile personal \
--tags Key=key1,Value=value1 Key=key2,Value=value2 \
--region region
```

# Adding a tag to an access point
<a name="access-points-tag-add"></a>

You can add tags to Amazon S3 Access Points and modify these tags. There is no additional charge for using tags on access points beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://docs.aws.amazon.com/s3/pricing/). For more information about tagging access points, see [Using tags with S3 Access Points for general purpose buckets](access-points-tagging.md).

## Permissions
<a name="access-points-tag-add-permissions"></a>

To add a tag to an access point, you must have the following permission:
+ `s3:TagResource`

## Troubleshooting errors
<a name="access-points-tag-add-troubleshooting"></a>

If you encounter an error when attempting to add a tag to an access point, you can do the following: 
+ Verify that you have the required [Permissions](#access-points-tag-add-permissions) to add a tag to an access point.
+ If you attempted to add a tag key that starts with the AWS reserved prefix `aws:`, change the tag key and try again. 

## Steps
<a name="access-points-tag-add-steps"></a>

You can add tags to access points by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console
<a name="access-points-tag-add-console"></a>

To add tags to an access point using the Amazon S3 console:

1. Sign in to the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Access Points (General Purpose Buckets)**.

1. Choose the access point name. 

1. Choose the **Properties** tab. 

1. Scroll to the **Tags** section and choose **Add new Tag**. 

1. This opens the **Add Tags** page. You can enter up to 50 tag key-value pairs. 

1. If you add a new tag with the same key name as an existing tag, the value of the new tag overrides the value of the existing tag.

1. You can also edit the values of existing tags on this page.

1. After you have added the tag(s), choose **Save changes**. 
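The rules this section states for tagging an access point (a repeated key overrides the earlier value, keys with the reserved `aws:` prefix are rejected, at most 50 tags) are easy to check before calling `TagResource`, so that a bad request fails locally rather than as a service error. The following is an added example in Python, not AWS or S3 code: `merge_tags` computes the tag set the access point would carry after the call, `to_api_tags` produces the `Tags` list shape the API takes, and the optional `allowed_keys` mirrors the `aws:TagKeys` allow-list of policy 1.3 above. The current tags and the key and value length limits are constructed or assumed for the demonstration, as marked in the code.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

MAX_TAGS_PER_ACCESS_POINT = 50   # limit given in the console steps above
RESERVED_PREFIX = "aws:"         # reserved prefix named in the troubleshooting list above

class TagError(ValueError):
    """A tag set the service, or your own governance rule, would reject."""

def validate_tag(key: str, value: str) -> None:
    """Reject a single key-value pair that TagResource would not accept."""
    if not key:
        raise TagError("tag key must not be empty")
    # compared case-insensitively here as a conservative client-side check
    if key.lower().startswith(RESERVED_PREFIX):
        raise TagError(f"tag key {key!r} uses the reserved {RESERVED_PREFIX} prefix")
    # general AWS tag length limits (assumed here; not stated on this page)
    if len(key) > 128 or len(value) > 256:
        raise TagError(f"tag {key!r} exceeds the key or value length limit")

def merge_tags(existing: Dict[str, str], new: Iterable[Tuple[str, str]],
               allowed_keys: Optional[Set[str]] = None) -> Dict[str, str]:
    """Compute the tag set an access point would carry after TagResource.
    A new tag whose key already exists overrides the old value; the merged
    set must stay within the 50-tag limit; allowed_keys mirrors the
    aws:TagKeys allow-list of policy 1.3 so that a disallowed key fails here
    instead of as an AccessDenied from IAM."""
    merged = dict(existing)
    for key, value in new:
        validate_tag(key, value)
        if allowed_keys is not None and key not in allowed_keys:
            raise TagError(f"tag key {key!r} is outside the governed key set {sorted(allowed_keys)}")
        merged[key] = value          # same key: the new value overrides the old one
    if len(merged) > MAX_TAGS_PER_ACCESS_POINT:
        raise TagError(f"{len(merged)} tags exceed the limit of {MAX_TAGS_PER_ACCESS_POINT}")
    return merged

def to_api_tags(tags: Dict[str, str]) -> List[Dict[str, str]]:
    """The Tags list shape TagResource takes: [{"Key": ..., "Value": ...}, ...]."""
    return [{"Key": k, "Value": v} for k, v in sorted(tags.items())]

GOVERNED_KEYS = {"project", "environment", "owner", "cost-center"}   # from policy 1.3

def demo() -> List[Dict[str, str]]:
    """Constructed current tags plus a request that overrides one tag and adds one."""
    current = {"project": "Trinity", "environment": "dev"}
    merged = merge_tags(current, [("environment", "prod"), ("owner", "alice")], GOVERNED_KEYS)
    return to_api_tags(merged)

if __name__ == "__main__":
    print(demo())
    for bad in ([("aws:createdBy", "x")], [("team", "blue")]):
        try:
            merge_tags({}, bad, GOVERNED_KEYS)
        except TagError as err:
            print("rejected:", err)
```

Because `TagResource` adds to or overwrites the tags already on the resource without removing the others, the merged dictionary is what you should compare against your tagging policy, not just the tags in the request; a request that looks harmless on its own can still push the resource past the limit or leave an override in place that you did not intend.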

## Using the AWS SDKs
<a name="access-points-tag-add-sdks"></a>

------
#### [ SDK for Java 2.x ]

This example shows you how to add tags to an access point by using the AWS SDK for Java 2.x. To use the example, replace the *user input placeholders* with your own information. 

```
import java.util.List;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.Tag;
import software.amazon.awssdk.services.s3control.model.TagResourceRequest;

S3ControlClient awss3Control = S3ControlClient.create();

// The resource ARN is the access point ARN; tags with an existing key overwrite that key's value
TagResourceRequest tagResourceRequest = TagResourceRequest.builder()
        .resourceArn("arn:aws:s3:region:111122223333:accesspoint/my-access-point")
        .accountId("111122223333")
        .tags(List.of(Tag.builder().key("key1").value("value1").build(),
                      Tag.builder().key("key2").value("value2").build()))
        .build();
awss3Control.tagResource(tagResourceRequest);
```

------

## Using the REST API
<a name="access-points-tag-add-api"></a>

For information about the Amazon S3 REST API support for adding tags to an access point, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [TagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_TagResource.html)

## Using the AWS CLI
<a name="access-points-tag-add-cli"></a>

To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to add tags to an access point by using the AWS CLI. To use the command, replace the *user input placeholders* with your own information.

**Request:**

```
aws s3control tag-resource \
--account-id 111122223333 \
--resource-arn arn:aws:s3:region:111122223333:accesspoint/my-access-point \
--tags "Key=key1,Value=value1"
```

**Response:**

```
{
  "ResponseMetadata": {
      "RequestId": "EXAMPLE123456789",
      "HTTPStatusCode": 200,
      "HTTPHeaders": {
          "date": "Wed, 19 Jun 2025 10:30:00 GMT",
          "content-length": "0"
      },
      "RetryAttempts": 0
  }
}
```

# Viewing access point tags
<a name="access-points-tag-view"></a>

You can view or list tags applied to access points. For more information about tags, see [Using tags with S3 Access Points for general purpose buckets](access-points-tagging.md).

## Permissions
<a name="access-points-tag-view-permissions"></a>

To view tags applied to an access point, you must have the following permission: 
+ `s3:ListTagsForResource`

## Troubleshooting errors
<a name="access-points-tag-view-troubleshooting"></a>

If you encounter an error when attempting to list or view the tags of an access point, you can do the following: 
+ Verify that you have the required [Permissions](#access-points-tag-view-permissions) to view or list the tags of the access point.

## Steps
<a name="access-points-tag-view-steps"></a>

You can view tags applied to access points by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console
<a name="access-points-tag-view-console"></a>

To view tags applied to an access point using the Amazon S3 console:

1. Sign in to the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Access Points (General Purpose Buckets)**.

1. Choose the access point name. 

1. Choose the **Properties** tab. 

1. Scroll to the **Tags** section to view all of the tags applied to the access point. 

1. The **Tags** section shows the **User-defined tags** by default. You can select the **AWS-generated tags** tab to view tags applied to your access point by AWS services.

## Using the AWS SDKs
<a name="access-points-tag-view-sdks"></a>

This section provides an example of how to view tags applied to an access point by using the AWS SDKs.

------
#### [ SDK for Java 2.x ]

This example shows you how to view tags applied to an access point by using the AWS SDK for Java 2.x. 

```
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.ListTagsForResourceRequest;
import software.amazon.awssdk.services.s3control.model.ListTagsForResourceResponse;

S3ControlClient awss3Control = S3ControlClient.create();
ListTagsForResourceRequest listTagsForResourceRequest = ListTagsForResourceRequest.builder()
        .resourceArn("arn:aws:s3:region:111122223333:accesspoint/my-access-point")
        .accountId("111122223333").build();
ListTagsForResourceResponse response = awss3Control.listTagsForResource(listTagsForResourceRequest);
response.tags().forEach(tag -> System.out.println(tag.key() + "=" + tag.value()));
```

------

## Using the REST API
<a name="access-points-tag-view-api"></a>

For information about the Amazon S3 REST API support for viewing the tags applied to an access point, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [ListTagsForResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListTagsForResource.html)

## Using the AWS CLI
<a name="access-points-tag-view-cli"></a>

To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to view tags applied to an access point. To use the command, replace the *user input placeholders* with your own information.

**Request:**

```
aws s3control list-tags-for-resource \
--account-id 111122223333 \
--resource-arn arn:aws:s3:region:111122223333:accesspoint/my-access-point
```

**Response - tags present:**

```
{
  "Tags": [
      {
          "Key": "MyKey1",
          "Value": "MyValue1"
      },
      {
          "Key": "MyKey2",
          "Value": "MyValue2"
      },
      {
          "Key": "MyKey3",
          "Value": "MyValue3"
      }
  ]
}
```

**Response - no tags present:**

```
{
  "Tags": []
}
```

# Deleting a tag from an access point
<a name="access-points-tag-delete"></a>

You can remove tags from Amazon S3 Access Points. An AWS tag is a key-value pair that holds metadata about resources, in this case Access Points. For more information about tags, see [Using tags with S3 Access Points for general purpose buckets](access-points-tagging.md).

**Note**  
If you delete a tag and later learn that it was being used to track costs or for access control, you can add the tag back to the access point. 

## Permissions
<a name="access-points-tag-delete-permissions"></a>

To delete a tag from an access point, you must have the following permission: 
+ `s3:UntagResource`

## Troubleshooting errors
<a name="access-points-tag-delete-troubleshooting"></a>

If you encounter an error when attempting to delete a tag from an access point, you can do the following: 
+ Verify that you have the required [Permissions](#access-points-tag-delete-permissions) to delete a tag from an access point.

## Steps
<a name="access-points-tag-delete-steps"></a>

You can delete tags from access points by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console
<a name="access-points-tag-delete-console"></a>

To delete tags from an access point using the Amazon S3 console:

1. Sign in to the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Access Points (General Purpose Buckets)**.

1. Choose the access point name. 

1. Choose the **Properties** tab. 

1. Scroll to the **Tags** section and select the checkbox next to the tag or tags that you would like to delete. 

1. Choose **Delete**. 

1. The **Delete user-defined tags** pop-up appears and asks you to confirm the deletion of the tag or tags you selected. 

1. Choose **Delete** to confirm.

## Using the AWS SDKs
<a name="access-points-tag-delete-sdks"></a>

------
#### [ SDK for Java 2.x ]

This example shows you how to delete tags from an access point by using the AWS SDK for Java 2.x. To use the example, replace the *user input placeholders* with your own information. 

```
import java.util.List;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.UntagResourceRequest;

S3ControlClient awss3Control = S3ControlClient.create();

// Only the keys are needed to remove tags
UntagResourceRequest untagResourceRequest = UntagResourceRequest.builder()
        .resourceArn("arn:aws:s3:region:111122223333:accesspoint/my-access-point")
        .accountId("111122223333")
        .tagKeys(List.of("key1", "key2")).build();
awss3Control.untagResource(untagResourceRequest);
```

------

## Using the REST API
<a name="access-points-tag-delete-api"></a>

For information about the Amazon S3 REST API support for deleting tags from an access point, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [UntagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_UntagResource.html)

## Using the AWS CLI
<a name="access-points-tag-delete-cli"></a>

To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to delete tags from an access point by using the AWS CLI. To use the command, replace the *user input placeholders* with your own information.

**Request:**

```
aws s3control untag-resource \
--account-id 111122223333 \
--resource-arn arn:aws:s3:region:111122223333:accesspoint/my-access-point \
--tag-keys "key1" "key2"
```

**Response:**

```
{
  "ResponseMetadata": {
    "RequestId": "EXAMPLE123456789",
    "HTTPStatusCode": 204,
    "HTTPHeaders": {
        "date": "Wed, 19 Jun 2025 10:30:00 GMT",
        "content-length": "0"
    },
    "RetryAttempts": 0
  }
}
```