As our application scales and many services are accessing a multitude of data points for each workload needed, it is difficult to ensure each part of the system has the right set of data access permissions.

In today’s world, one of the worse nightmares of a software business is data leaking and data privacy issues. Not only it affects the brand reputation, but could also expose the company to heavy fines and other regulatory sanctions.

Thankfully, AWS has just announced at re:Invent a new feature to help in solving this problem: S3 Access Points.

An Access Point is a network hostname tied to a particular S3 Bucket. This hostname carries permissions indicating which operations requesters are allowed to perform and to which objects within the bucket.

Access Points allows to customize permissions based on object tags and prefixes, making it flexible enough to cover our use cases. Through an Access Point, requesters can only perform object-related operations, not any other S3-related operation.

This feature makes it much easier to control application data access permissions in comparison to a single bucket policy, especially for systems that have complex permission rules and policies. All requests to Access Points are logged and traced in CloudWatch and CloudTrail, which provides auditing capacity.

Each Access Point has a unique ARN, which can be used to request operations on objects.

In the AWS CLI, for example, this is how we get a report.pdf document object using an Access Point:

aws s3api get-object --key report.pdf --bucket arn:aws:s3:us-east-1:

#serverless