This chapter covers S3 Access Points, a powerful feature for managing access to shared S3 buckets in large-scale applications. For the DVA-C02 exam, this topic appears in roughly 5-8% of questions, often integrated with questions on S3 security, networking, and multi-account architectures. Understanding Access Points is critical because they simplify bucket policy management, enable per-application network controls, and are a key component of secure, scalable S3 designs.
Jump to a section
Imagine a large corporate office building with a central mailroom that receives all packages. The mailroom has a single loading dock (the bucket policy) that must be shared by all departments. If the loading dock is too permissive, any department can receive any package; if too restrictive, every new department requires updating the dock's rules. This is unwieldy and risky. Now imagine each department gets its own dedicated mailroom entrance, with its own door policy. The shipping company (the user or application) specifies which entrance to use by addressing the package to 'Department A Entrance' instead of the main building. Each entrance has its own access rules (who can send packages, what sizes are allowed, and whether packages must be inspected for sensitive materials). The main building's overall security policy still applies, but each entrance can further restrict or customize access. This is exactly how S3 Access Points work: each access point is a separate entry point into the bucket with its own policies, network controls, and block public access settings, while still respecting the bucket's overarching policies. The main building and its central mailroom still exist, but most traffic uses the dedicated entrances, simplifying management and improving security.
What Are S3 Access Points?
Amazon S3 Access Points are named network endpoints attached to an S3 bucket that simplify managing data access at scale. Each Access Point has its own DNS name, access point policy, and network controls. Instead of writing a single, complex bucket policy that must accommodate every use case, you create separate Access Points for each application, team, or environment. Each Access Point enforces its own permissions and network restrictions, while still operating within the bucket's overall policy.
Why Access Points Exist
Before Access Points, managing access to a shared S3 bucket required a monolithic bucket policy. For example, a bucket used by analytics, backups, and a web application needed policy statements for each, often leading to overly permissive policies or complex condition keys. Any change risked affecting other users. Access Points solve this by allowing each consumer to have its own policy, network VPC endpoint, and block public access settings. The bucket policy becomes a simple guardrail (e.g., enforcing encryption), while detailed access control is delegated to Access Points.
How Access Points Work Internally
When you create an Access Point, S3 generates a unique DNS name in the format {access-point-name}-{hash}.s3-accesspoint.{region}.amazonaws.com. This DNS name resolves to an S3 endpoint that is specific to that Access Point. When a request is made to this endpoint, S3 evaluates the Access Point policy, the bucket policy, and IAM user/role policies. All three must allow the action for the request to succeed. The Access Point policy can use IAM policy conditions such as aws:SourceVpce or aws:SourceIp to restrict network access. Additionally, each Access Point has its own Block Public Access settings, independent of the bucket's settings.
Key Components and Values
Access Point Policy: A JSON policy document similar to a bucket policy but scoped to the Access Point. It can grant permissions to IAM users, roles, or AWS services. Maximum policy size is 20 KB.
Network Origin: Can be Internet (public endpoint) or VPC. If VPC, the Access Point only accepts requests from the specified VPC endpoint (VPC Endpoint or AWS PrivateLink).
Block Public Access: Four settings identical to bucket-level Block Public Access, but applied per Access Point. These settings override bucket-level settings for requests through this Access Point.
Bucket Policy: Still exists and must allow the Access Point to perform actions. A common pattern is to use a condition key s3:AccessPointNetworkOrigin in the bucket policy to restrict actions to VPC-based Access Points.
ARN Format: arn:aws:s3:region:account-id:accesspoint/access-point-name
Configuration and CLI Commands
To create an Access Point with the AWS CLI:
aws s3control create-access-point --account-id 123456789012 --bucket my-bucket --name my-app-access-pointTo attach a policy:
aws s3control put-access-point-policy --account-id 123456789012 --name my-app-access-point --policy file://policy.jsonExample policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::123456789012:role/MyAppRole" },
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:us-east-1:123456789012:accesspoint/my-app-access-point/object/*"
}
]
}To use an Access Point in an S3 operation, you reference the Access Point ARN instead of the bucket name. For example, to list objects:
aws s3api list-objects-v2 --bucket arn:aws:s3:us-east-1:123456789012:accesspoint/my-app-access-pointInteraction with Related Technologies
VPC Endpoints: Access Points can be restricted to a specific VPC Endpoint by setting NetworkOrigin to VPC and specifying the VPC Endpoint ID. This ensures traffic never leaves the AWS network.
AWS PrivateLink: You can create a VPC Endpoint service for an Access Point, allowing on-premises or other VPCs to connect privately.
S3 Object Lambda: Access Points can be used with S3 Object Lambda to transform data on the fly. The Object Lambda Access Point sits in front of a supporting Access Point.
Multi-Region Access Points: For global applications, Multi-Region Access Points provide a single global endpoint that routes requests to the nearest bucket replica.
CloudFront: You can use an Access Point as the origin for a CloudFront distribution, combining CDN caching with fine-grained access control.
Defaults and Limits
Each bucket can have up to 1,000 Access Points (soft limit, can be increased).
Each Access Point can have one policy document.
Access Points cannot be used to grant anonymous access; the principal must always be specified.
When using Access Points, the Resource in IAM policies must reference the Access Point ARN, not the bucket ARN.
The bucket policy must include a statement that allows the Access Point's principal to access the bucket via the Access Point. A common bucket policy statement is:
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
"Condition": {
"StringEquals": {
"s3:AccessPointNetworkOrigin": "VPC"
}
}
}This allows all actions through any Access Point with VPC origin, while blocking direct bucket access.
How It Works in Practice
When an application makes a request to an Access Point, S3 performs the following checks: 1. Is the request reaching the correct Access Point endpoint? (DNS resolution) 2. Does the Access Point policy allow the action for the requesting IAM principal? 3. Does the bucket policy allow the action when accessed via this Access Point? 4. Do the IAM policies allow the action on the Access Point resource? 5. Are the Block Public Access settings satisfied? 6. Are network restrictions (VPC, IP) met?
All conditions must pass. This layered approach provides defense in depth.
Exam-Relevant Details
The DVA-C02 exam tests whether you know that Access Points have their own policies and network controls, and that they are used to simplify bucket policies.
You must understand that Access Point ARNs are used in IAM policies and S3 operations instead of bucket names.
The condition key s3:AccessPointNetworkOrigin is frequently tested to restrict access to VPC-only.
Know that Block Public Access can be set at both bucket and Access Point levels, with Access Point settings overriding for requests through that Access Point.
Be aware that Access Points cannot be used for cross-account access without additional bucket policy configuration.
The maximum number of Access Points per bucket is 1,000 (soft limit).
Create the S3 Bucket
First, you need an S3 bucket to attach the Access Point to. The bucket can be in any region and can have its own bucket policy and Block Public Access settings. The bucket policy should be minimal, often just allowing access from any Access Point with a specific network origin. For example, a bucket policy that allows all actions via VPC-based Access Points. The bucket must exist before creating an Access Point.
Create the Access Point
Use the AWS Management Console, CLI, or SDK to create an Access Point. You specify the bucket name, a unique name for the Access Point (within the account and region), and optionally the network origin (Internet or VPC). If VPC, you must provide the VPC ID. The Access Point is assigned a unique ARN and DNS name. No policy is attached yet.
Attach Access Point Policy
Write an IAM policy document that defines who can perform which actions on objects through this Access Point. The policy uses the Access Point ARN as the resource. You can use conditions like `aws:SourceIp` or `aws:SourceVpce` to restrict network access. Attach this policy using the CLI or console. The policy must be valid JSON and under 20 KB.
Update Bucket Policy (if needed)
The bucket policy must explicitly allow the Access Point to perform actions. Without this, the Access Point policy alone is insufficient. A common bucket policy uses the condition `s3:AccessPointNetworkOrigin` to allow all Access Points with VPC origin. Alternatively, you can list specific Access Point ARNs in the bucket policy. This step ensures the bucket trusts the Access Point.
Configure IAM Permissions for Users
IAM users or roles that will access the Access Point need permissions to perform S3 actions on the Access Point resource. For example, an IAM policy allowing `s3:GetObject` on the Access Point ARN. The IAM policy must use the Access Point ARN, not the bucket ARN. Additionally, the user must have `s3:ListBucket` permission on the Access Point to list objects.
Test Access via Access Point
Use the Access Point's DNS name or ARN in S3 operations. For example, to download an object: `aws s3api get-object --bucket arn:aws:s3:us-east-1:123456789012:accesspoint/my-app-access-point --key myfile.txt output.txt`. Verify that access is granted only as per the Access Point policy and network restrictions. If using VPC origin, ensure the request originates from the specified VPC.
Enterprise Scenario 1: Multi-Tenant Data Lake
A large enterprise runs a shared data lake in a single S3 bucket used by multiple teams: analytics, data science, and machine learning. Each team has different compliance requirements. Analytics data is public-facing, data science data is internal, and ML data must be restricted to a specific VPC. Without Access Points, the bucket policy becomes a tangled mess of conditions and principal ARNs. With Access Points, the team creates three Access Points: analytics-ap (Internet origin, public read), datascience-ap (VPC origin, read-write for specific IAM roles), and ml-ap (VPC origin, restricted to a specific VPC endpoint). Each team uses its own Access Point, and the bucket policy simply allows all actions from any Access Point with VPC origin, plus a separate statement for the analytics Access Point. This simplifies auditing and reduces risk of misconfiguration. In production, the bucket serves 10 TB of data daily; Access Points add negligible latency. A common mistake is forgetting to update the bucket policy to allow the Access Point, resulting in 'Access Denied' errors.
Enterprise Scenario 2: Cross-Account Data Sharing with Network Controls
A SaaS company ingests data from customers into an S3 bucket in the company's account. Each customer gets a separate Access Point restricted to their VPC or IP range. The company creates an Access Point per customer with a policy that allows only that customer's IAM role to write objects. The bucket policy includes a statement that allows access from any Access Point, but only if the request comes via a VPC endpoint (using s3:AccessPointNetworkOrigin). This ensures data never traverses the public internet. The company uses AWS PrivateLink to expose the Access Point to customer VPCs. Misconfiguring the VPC endpoint ID or forgetting to attach the VPC endpoint policy can break connectivity. At scale, the company manages hundreds of Access Points; the 1,000-per-bucket limit is a consideration, and they monitor usage to request limit increases.
Enterprise Scenario 3: S3 Object Lambda Integration
A financial services firm needs to redact sensitive data (e.g., credit card numbers) before serving objects to certain applications. They create an Object Lambda Access Point that uses a supporting Access Point. The supporting Access Point has a policy that allows only the Object Lambda function to access the bucket. The Object Lambda Access Point is used by the application. This pattern centralizes data transformation without modifying the application code. The firm must ensure the Lambda function has permissions to invoke and access the supporting Access Point. A common pitfall is misconfiguring the Lambda function's IAM role, leading to timeouts or access errors.
DVA-C02 Objective Coverage
This topic maps to Domain 1 (Development) with Objective 1.4: 'Implement access controls for S3 buckets.' The exam specifically tests your ability to use Access Points to simplify bucket policies and enforce network restrictions. Questions often combine Access Points with VPC endpoints, IAM policies, and bucket policies.
Common Wrong Answers and Why
'Access Points replace bucket policies entirely.' This is false. The bucket policy still exists and must allow the Access Point. Access Points add granularity but do not replace the bucket policy.
'Access Points can be used to grant anonymous access.' False. Access Points require a principal in the policy; they do not support anonymous access.
'You can use the bucket name in S3 operations when using an Access Point.' False. You must use the Access Point ARN or DNS name. Using the bucket name bypasses the Access Point.
'Access Points can be shared across AWS accounts without additional configuration.' False. The bucket policy must explicitly allow cross-account access, and the Access Point policy must grant access to the external principal.
Specific Numbers and Terms
Maximum Access Points per bucket: 1,000 (soft limit).
Access Point policy size limit: 20 KB.
Condition key: s3:AccessPointNetworkOrigin – values are Internet or VPC.
ARN format: arn:aws:s3:region:account-id:accesspoint/name.
DNS format: {name}-{hash}.s3-accesspoint.{region}.amazonaws.com.
Edge Cases and Exceptions
When using an Access Point with VPC origin, the request must originate from the specified VPC. If the VPC endpoint is in a different region, the request fails.
Access Points cannot be used with S3 Batch Operations directly; you must use bucket ARN.
Cross-region replication works with Access Points, but you must use the bucket ARN in the replication configuration.
Object Lambda Access Points require a supporting Access Point; you cannot use a regular Access Point directly with Object Lambda.
How to Eliminate Wrong Answers
If a question asks for a way to simplify bucket policies for multiple applications, look for 'Access Points' as the answer.
If network restriction is mentioned (e.g., 'only allow access from a specific VPC'), the answer likely involves setting Network Origin to VPC on the Access Point.
If the question involves cross-account access, ensure both bucket policy and Access Point policy are configured correctly.
Remember that IAM policies must reference the Access Point ARN, not the bucket ARN, when granting permissions through an Access Point.
S3 Access Points provide per-application access control with separate policies and network restrictions.
Each Access Point has its own DNS name and ARN; use the ARN in S3 operations, not the bucket name.
Access Point policies are evaluated together with bucket policies and IAM policies; all must allow the action.
Use the condition key 's3:AccessPointNetworkOrigin' in bucket policies to restrict access to VPC-based Access Points.
Maximum 1,000 Access Points per bucket (soft limit).
Access Points cannot grant anonymous access; a principal must always be specified.
Block Public Access settings at the Access Point level override bucket settings for requests through that Access Point.
For cross-account access, both bucket policy and Access Point policy must grant permissions.
These come up on the exam all the time. Here's how to tell them apart.
S3 Access Points
Per-application granularity with separate policies.
Can restrict network origin to VPC or Internet.
Each Access Point has its own Block Public Access settings.
Simplifies management by delegating access control.
Maximum 1,000 Access Points per bucket.
Bucket Policies
Single policy for entire bucket.
Network restrictions via condition keys (e.g., aws:SourceIp).
Single set of Block Public Access settings.
Becomes complex and error-prone with many consumers.
Only one bucket policy per bucket (20 KB limit).
Mistake
Access Points replace the need for a bucket policy entirely.
Correct
The bucket policy still exists and must allow the Access Point to perform actions. Access Points add granularity but do not remove the bucket policy.
Mistake
You can use an Access Point to grant anonymous public access to objects.
Correct
Access Point policies require a specified principal (IAM user, role, or AWS service). They do not support anonymous access.
Mistake
When using an Access Point, you can still use the bucket name in S3 operations.
Correct
You must use the Access Point ARN or DNS name. Using the bucket name bypasses the Access Point and its policies.
Mistake
Access Points automatically work across AWS accounts without additional setup.
Correct
Cross-account access requires the bucket policy to explicitly allow the external account, and the Access Point policy must grant permissions to the external principal.
Mistake
Block Public Access settings on an Access Point override the bucket settings for all requests.
Correct
Access Point Block Public Access settings only apply to requests made through that Access Point. Direct requests to the bucket use the bucket's settings.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
An S3 Access Point is a separate endpoint attached to a bucket with its own policy and network controls. A bucket policy is a single policy attached directly to the bucket. Access Points allow you to delegate access control to individual applications or teams, simplifying the bucket policy. Both must allow an action for it to succeed. Access Points also support VPC origin restrictions and independent Block Public Access settings.
When creating the Access Point, set NetworkOrigin to 'VPC' and specify the VPC ID. Additionally, in the Access Point policy, you can use the condition key 'aws:SourceVpce' to restrict to a specific VPC endpoint. The bucket policy should also include a condition like 's3:AccessPointNetworkOrigin': 'VPC' to ensure only VPC-based Access Points are used.
Yes, but you must configure both the bucket policy and the Access Point policy. The bucket policy must grant permissions to the external account's IAM principal (or the Access Point itself). The Access Point policy must also grant permissions to that external principal. Additionally, the external user must have IAM permissions to use the Access Point ARN.
If you use the bucket name, the request goes directly to the bucket and is evaluated against the bucket policy and IAM policies only. The Access Point policy and its network restrictions are bypassed. This is a common mistake that can lead to unintended access. Always use the Access Point ARN or DNS name to enforce Access Point policies.
The default maximum is 1,000 Access Points per bucket. This is a soft limit that can be increased by requesting a quota increase via AWS Support.
Yes, S3 Object Lambda uses a special type of Access Point called an Object Lambda Access Point. This Access Point sits in front of a supporting Access Point and invokes a Lambda function to transform data on the fly. The supporting Access Point must allow the Lambda function to access the bucket.
Yes, you can use an S3 Access Point as the origin for a CloudFront distribution. This allows you to combine CloudFront's caching and edge delivery with the fine-grained access control of Access Points. You must use the Access Point's DNS name or ARN as the origin domain name.
You've just covered S3 Access Points for Large Applications — now see how well it sticks with free DVA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?