Introduction to Amazon S3 Access Points
Simplifying S3 Access Management with Access Points
Every year, millions of records are stolen or compromised because of improper access to S3 buckets. Amazon S3 Access Points is an S3 feature that addresses this problem and simplifies access to shared data sets. This means no more complicated bucket policies. With S3 Access Points, you can create application-specific access points that permit access to shared data sets with policies tailored to the specific application. According to AWS, the main features of and use cases for S3 Access Points include:
- Large shared data sets
- Restrict access to VPC
- Test new access policies
- Limited access to specific account IDs
- Provide a unique name
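
To make the split between bucket policy and access point policy concrete, here is an added example (not from the original page or from AWS) that builds a bucket policy delegating access control to the owner's access points, builds one application-scoped access point policy, and audits access point policies for over-broad grants. The account ID, region, bucket, role and access point names are constructed placeholders.

```python
import json

ACCOUNT, REGION = "111122223333", "us-east-1"  # constructed account ID, assumed region

def delegating_bucket_policy(bucket, account):
    """Simple bucket policy: defer decisions to access points in `account`."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringEquals": {"s3:DataAccessPointAccount": account}},
    }]}

def access_point_policy(name, principal_arn, prefix, actions):
    """Per-application policy: one principal, one prefix, explicit actions."""
    ap_arn = f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{name}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": sorted(actions),
        "Resource": f"{ap_arn}/object/{prefix}/*",
    }]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(name, policy):
    """Flag Allow statements broader than this access point should grant."""
    scope = f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{name}"
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in as_list(aws):
            findings.append(f"statement {i}: wildcard principal")
        if any(a in ("*", "s3:*") for a in as_list(st["Action"])):
            findings.append(f"statement {i}: wildcard action")
        if any(r != scope and not r.startswith(scope + "/object/")
               for r in as_list(st["Resource"])):
            findings.append(f"statement {i}: resource outside {name}")
    return findings

if __name__ == "__main__":
    role = f"arn:aws:iam::{ACCOUNT}:role/analytics"  # hypothetical role
    ap = access_point_policy("analytics-ap", role, "reports", ["s3:GetObject"])
    print(json.dumps([delegating_bucket_policy("shared-data-example", ACCOUNT), ap], indent=2))
```

The wildcard principal in the bucket policy is bounded by the `s3:DataAccessPointAccount` condition, so requests are allowed only when they arrive through an access point owned by that account; the access point policy then decides who gets what.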
Transcription
You’ll see frequently in the news that there was an S3 bucket that had improper permissions on it and there was sensitive data that was available publicly. Sometimes we criticize that and say, “How could they do that? It’s so simple.” But really, it’s not simple managing buckets. A lot of times, we’ll say that complexity is the enemy of security. The more complex something is, the more difficult it is to implement security standards and practices to protect the thing that we’re designing in a complex way. That is true of S3 buckets. You can have a single bucket that’s being used by hundreds of people, hundreds of applications, and to manage a single bucket policy for dozens of permission levels becomes very complex very quickly. I don’t fault people who make these mistakes when permission changes occur because a lot of the time, people hesitate to make changes to the bucket policy because they’re afraid if they make one change, it’s going to affect all these other permissions. Therefore, they’ll just allow this larger set of permissions that maybe isn’t a good idea. That’s exactly why mistakes occur when you’re managing S3 bucket policies.
So now, AWS has come out with S3 Access Points. I think this is a great solution to this problem. The access points are customized permissions for an application or a team who need to access the bucket and the data that’s within the bucket. If you just think about the name that they chose for this, Access Points, you might think in terms of wireless access points that people access in order to get access to the same thing, which is the main network behind it. But you might have different permissions and different groups that are connecting to each access point. That’s what an S3 Access Point is doing. Each access point is named with an access point name followed by the Amazon ID, and this naming convention can keep permissions separated from the bucket policy itself. Really, the goal is to keep the bucket policy simple so you can focus on security and having a strong bucket policy. But now you can manage permissions and network controls through the access point in order to give unique permissions for an application or a team through this new capability with AWS. Check out S3 Access Points, I think you’ll find that it will greatly simplify your life and allow you to manage those permissions a little bit more adeptly.