AWS S3 Access Points in 2025 using CLI


Originally published at korla.hashnode.dev · 6 min read

Hello, Machas!

Today, I’m here to demystify S3 Access Points. No promises of turning you into a superhero, but by the end of this blog you’ll at least upgrade from curious bystander to protagonist of your own AWS journey. Let’s dive in and make you the star of this S3 saga!

I hope you already know what bucket policies are. If not, here is a quick recap: a bucket policy is a resource-based policy attached to a bucket that allows or denies users, groups and roles access to the bucket and its objects.

Use of Access Points

Let’s consider a scenario. Today you want to give a user read permission on some objects, so you simply add a statement to the bucket policy.

Tomorrow you want to give a role some other permissions, and you add to the same bucket policy again.

Another day you want to grant permissions to a group. If you keep doing this, the bucket policy grows and becomes hard to read.

That’s where access points come to the rescue: instead of granting everyone’s permissions in one bucket policy, you create an individual access point for each consumer, grant the permissions on that access point, and attach all of the access points to the bucket.


This way the bucket policy stays small.

Now it’s time to get our hands dirty.


Let’s consider a scenario where you need to allow access to the objects in your bucket only through access points, and also grant access to a specific user in another account. Sounds simple, right?

THE NAME IS SMALL BUT THE SOUND IS BIG

1. First, let’s create the access point.

```bash
aws s3control create-access-point --account-id 9848032919 --name my-access-point \
  --bucket my-bucket
```

This creates an access point whose network origin is the Internet. If you instead specify a VPC as the network origin, the access point has no Internet access and only accepts requests made from within that VPC. Either way, the access point is created and attached to the bucket.

Grab the access point ARN from the output.

2. Next, let’s grant permissions on this access point

I will now grant the user KGF access to the bucket and its objects. It’s simple, if you already know how to write a bucket policy, so have a quick glance at my blog linked above.

An access point policy is similar to a bucket policy.

Let’s grant the KGF user GetObject and ListBucket permissions. In an access point policy, the Resource is the ARN of the access point (and of the objects reached through it).
`access-policy.json`:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::9848032919:user/KGF" },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:ap-south-1:9848032919:accesspoint/my-access-point",
        "arn:aws:s3:ap-south-1:9848032919:accesspoint/my-access-point/object/*"
      ]
    }
  ]
}
```
The KGF user now has GetObject and ListBucket permissions on the bucket to which this access point is attached.

3. Attach the policy to the access point

Now attach this access point policy to the access point.

```bash
aws s3control put-access-point-policy --account-id 9848032919 --name my-access-point \
  --policy file://access-policy.json
```

Now if the KGF user tries to access the bucket using …

```bash
aws s3 ls my-bucket
```

You get an error, because KGF is a fresh user with no IAM permissions to access the bucket or its objects.


If KGF had IAM permissions, this request would succeed. But we are interested in accessing the objects in the bucket through the access point.


Here too we get the same error.

4. Access Point-Based Bucket Permissions

Now we have to configure the bucket policy so that the bucket and its objects accept the permissions granted in the access point policy.
`bucket-policy.json`:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:DataAccessPointArn": "arn:aws:s3:ap-south-1:9848032919:accesspoint/my-access-point"
        }
      }
    }
  ]
}
```
The condition key `s3:DataAccessPointArn` identifies which access point a request came through.

This policy therefore allows requests that arrive via the access point.

Upload this bucket policy:
```bash
aws s3api put-bucket-policy --bucket my-bucket --policy file://bucket-policy.json
```
Now if I try to access the objects again as the KGF user …

I get the result.

Now that we have allowed the KGF user through the access point, our next mini goal is to allow access to the bucket and its objects only via the access point.

5. Allowing traffic only through the access point

As you guessed, we have to change the bucket policy to do that.
`bucket-policy.json`:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3:DataAccessPointArn": "arn:aws:s3:ap-south-1:9848032919:accesspoint/my-access-point"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:DataAccessPointArn": "arn:aws:s3:ap-south-1:9848032919:accesspoint/my-access-point"
        }
      }
    }
  ]
}
```
Don’t panic, I am here to explain this.

The 1st statement denies all traffic unless it is made through the access point.

The 2nd statement allows traffic that comes through the access point.

Seems confusing, right? Deny statements take precedence over Allow statements, so the Deny in the bucket policy blocks every request that did not come through the access point, whatever the access point policy says; the Allow then lets permissions flow from the access point.
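As an added illustration (not code from the post), here is a small Python model of the evaluation just described, run against the step 4 and step 5 bucket policies. The object key and the second access point ARN are constructed, and it models only the IAM rules the post relies on.

```python
"""Tiny model of how S3 evaluates the bucket policies from steps 4 and 5.
Covers only what the post relies on (Principal "*", Action "s3:*", the
s3:DataAccessPointArn key, explicit Deny beating Allow); illustration only."""
from fnmatch import fnmatchcase

AP_ARN = "arn:aws:s3:ap-south-1:9848032919:accesspoint/my-access-point"
BUCKET = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]

def statement(effect, operator):
    # One statement in exactly the shape the post's bucket policies use.
    return {"Effect": effect, "Principal": "*", "Action": "s3:*", "Resource": BUCKET,
            "Condition": {operator: {"s3:DataAccessPointArn": AP_ARN}}}

# Step 4: only an Allow for requests arriving through the access point.
STEP4_POLICY = {"Statement": [statement("Allow", "StringEquals")]}
# Step 5: explicit Deny for anything else, then the same Allow.
STEP5_POLICY = {"Statement": [statement("Deny", "StringNotEquals"),
                              statement("Allow", "StringEquals")]}

def condition_matches(condition, context):
    # A direct bucket request carries no s3:DataAccessPointArn; as in IAM, a
    # missing key makes StringEquals false and StringNotEquals true.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            equal = context.get(key) == wanted
            if operator == "StringEquals" and not equal:
                return False
            if operator == "StringNotEquals" and equal:
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'Allow', 'explicit Deny' or 'implicit Deny' for one request."""
    allowed = False
    for s in policy["Statement"]:
        applies = (fnmatchcase(action, s["Action"])
                   and any(fnmatchcase(resource, r) for r in s["Resource"])
                   and condition_matches(s.get("Condition", {}), context))
        if applies and s["Effect"] == "Deny":
            return "explicit Deny"  # a matching Deny ends evaluation
        allowed = allowed or applies
    return "Allow" if allowed else "implicit Deny"

def demo(obj="arn:aws:s3:::my-bucket/report.csv"):  # constructed object ARN
    via_ap = {"s3:DataAccessPointArn": AP_ARN}
    other_ap = {"s3:DataAccessPointArn": AP_ARN + "-other"}  # constructed
    return {name: evaluate(pol, "s3:GetObject", obj, ctx) for name, pol, ctx in [
        ("step4 via access point", STEP4_POLICY, via_ap), ("step4 direct", STEP4_POLICY, {}),
        ("step5 via access point", STEP5_POLICY, via_ap), ("step5 direct", STEP5_POLICY, {}),
        ("step5 other access point", STEP5_POLICY, other_ap)]}
```

With the step 4 policy a direct request is only implicitly denied (an identity policy could still allow it); with the step 5 policy the same request hits the explicit Deny, which is the error the post shows.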

Upload this bucket policy:
```bash
aws s3api put-bucket-policy --bucket my-bucket --policy file://bucket-policy.json
```
When I access as the KGF user …

This worked.

OK, but let’s try accessing the objects in the bucket using the normal S3 URI instead of the access point.

I get an explicit deny error, and that’s exactly what we wanted. Hurray!!!

6. Cross-Account Access

We have almost completed our requirement. The next step is to allow a user from another account to access the objects in the bucket in our account.

Putting the ARN of the user in the other account as a Principal in the access point policy is not enough on its own. The user in the other account must also have IAM permissions to access the S3 bucket as well as the access point in our account.

IAM policy to access the S3 bucket in the other account:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
```
Bucket names are globally unique, which is why the bucket ARN contains no account ID.

IAM policy to access the access point:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:ap-south-1:9848032919:accesspoint/my-access-point",
        "arn:aws:s3:ap-south-1:9848032919:accesspoint/my-access-point/object/*"
      ]
    }
  ]
}
```
Once the user has these two IAM policies, add the user’s ARN as a Principal in the access point policy.

I created a user named Ali in the other account and attached both IAM policies to Ali. The updated access point policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::9848032919:user/KGF",
          "arn:aws:iam::9848022338:user/Ali"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:ap-south-1:9848032919:accesspoint/my-access-point",
        "arn:aws:s3:ap-south-1:9848032919:accesspoint/my-access-point/object/*"
      ]
    }
  ]
}
```
When I try to access the bucket as the Ali user …

I named the Ali user Goutham-Ali in my CLI profile. This works!!!

OK, and if I try to access using the normal S3 URI …

This does not work, as intended.

This brings us to the end of this article.

That’s it: we have allowed access to the bucket and its objects only through the access point, and also allowed cross-account access through the access point.

Thanks for reading my blog, leave a like and comment if you read something useful, have a great day.

Great post! But I'm curious—how would you approach scenarios where access points need to scale across hundreds of buckets in an enterprise setup? Would maintaining individual access points still be practical, or do you recommend a hybrid approach with centralized policies for some cases?

Also, love the mix of humor and technical depth in your writing—it keeps things lively! Anyone else here tried implementing access points? Would love to hear about your experiences or challenges!
Hi James,

First of all, thank you for asking such a wonderful question! I’m still learning, so please feel free to correct me if I’m wrong.

One access point can be attached to multiple buckets. If you want to grant similar permissions to users, roles, etc., on those buckets/objects, you can use a single access point. However, if you need to grant different permissions to different users/roles on buckets/objects, it’s better to have multiple access points.

The main goal of access points is to reduce the size and complexity of bucket policies. If we use access points for different users to grant different permissions, it somewhat defeats that purpose, don’t you think?

I hope I’ve answered your question correctly. If not, feel free to ask further!
One thing I can conclude is that AWS CLI is a unified tool that allows AWS customers to manage AWS services from the command line shell, as well as automate those services using scripts. And you really did justice to it in this article.
