s3-credentials
Research potential for an access points feature
Suggestion from Reddit.
https://aws.amazon.com/s3/features/access-points/
Could provide CLI commands for creating an access point that enforces a specific policy.
From https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points.html :
Access points are named network endpoints that are attached to buckets that you can use to perform S3 object operations, such as GetObject and PutObject. Each access point has distinct permissions and network controls that S3 applies for any request that is made through that access point. Each access point enforces a customized access point policy that works in conjunction with the bucket policy that is attached to the underlying bucket.
This sounds like it could be the most interesting feature:
You can configure any access point to accept requests only from a virtual private cloud (VPC) to restrict Amazon S3 data access to a private network.
Useful note:
You can only use access points to perform operations on objects. You can't use access points to perform other Amazon S3 operations, such as modifying or deleting buckets.
It looks like each access point gets an alias which can be used in place of a bucket name by other tools: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-alias.html
Examples here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-usage-examples.html
To create an access point: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3control.html#S3Control.Client.list_access_points
```python
import boto3

access_point_name = "my-access-point"
bucket_name = "my-existing-bucket"

client = boto3.client("s3control")  # Not "s3": access points live in the S3 Control API

# The account ID is a required field, so look it up from STS
sts = boto3.client("sts")
identity = sts.get_caller_identity()
account_id = identity["Account"]

response = client.create_access_point(
    AccountId=account_id,
    Name=access_point_name,
    Bucket=bucket_name,
    # VpcConfiguration={  # Use this to limit access to a specific VPC (takes the VPC ID)
    #     "VpcId": vpc_id
    # },
    # PublicAccessBlockConfiguration={
    #     "BlockPublicAcls": True|False,
    #     "IgnorePublicAcls": True|False,
    #     "BlockPublicPolicy": True|False,
    #     "RestrictPublicBuckets": True|False
    # }
)
# response now has "AccessPointArn" and "Alias" keys
```
Documentation here: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3control.html#S3Control.Client.create_access_point - including details of the PublicAccessBlockConfiguration options which I have to admit I find very difficult to absorb.
Once created, it looks like you call put_access_point_policy to attach a policy to it: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3control.html#S3Control.Client.put_access_point_policy
Each access point can have only one policy, so a request made to this API replaces any existing policy associated with the specified access point.
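As an added worked example (not s3-credentials code and not from the AWS docs), here is the full create-then-attach-policy flow from the notes above, with the two request bodies built by small functions so they can be inspected before anything is sent. The region, principal ARN, key prefix, VPC ID and the FakeS3Control client are all constructed for illustration; for real use pass boto3.client("s3control") instead of the fake. The policy builder only grants object-level actions plus a prefix-scoped ListBucket, since access points cannot be used for bucket-level operations anyway, and the create call turns on all four PublicAccessBlockConfiguration settings so a later policy edit cannot make the access point public.

```python
import json

# Added example for this issue; not code from s3-credentials or from the AWS docs.
# Assumed/constructed: region, principal ARN, prefix, VPC ID and FakeS3Control.

PUBLIC_ACCESS_BLOCK_ALL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def validate_account_id(account_id):
    """create_access_point requires the 12-digit account ID; fail early on anything else."""
    if not (isinstance(account_id, str) and account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account_id must be a 12-digit string, got {account_id!r}")
    return account_id


def create_access_point_params(account_id, name, bucket, vpc_id=None, block_public=True):
    """Keyword arguments for s3control.create_access_point().

    vpc_id, when given, makes the access point accept requests only from that VPC.
    block_public=True enables all four PublicAccessBlockConfiguration settings.
    """
    params = {"AccountId": validate_account_id(account_id), "Name": name, "Bucket": bucket}
    if vpc_id:
        params["VpcConfiguration"] = {"VpcId": vpc_id}
    if block_public:
        params["PublicAccessBlockConfiguration"] = dict(PUBLIC_ACCESS_BLOCK_ALL)
    return params


def access_point_arn(region, account_id, name):
    return f"arn:aws:s3:{region}:{account_id}:accesspoint/{name}"


def build_access_point_policy(region, account_id, name, principal_arn, prefix="", read_only=True):
    """Policy document for put_access_point_policy().

    Objects reached through an access point are addressed as <ap_arn>/object/<key>,
    so the object statement is scoped to a key prefix that way; ListBucket is limited
    to the same prefix. No bucket-level actions are granted.
    """
    ap_arn = access_point_arn(region, account_id, name)
    actions = ["s3:GetObject"] if read_only else ["s3:GetObject", "s3:PutObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ObjectAccess",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": actions,
                "Resource": f"{ap_arn}/object/{prefix}*",
            },
            {
                "Sid": "ListPrefix",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "s3:ListBucket",
                "Resource": ap_arn,
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def create_restricted_access_point(client, region, account_id, name, bucket,
                                   principal_arn, vpc_id=None, prefix="", read_only=True):
    """Create the access point, then attach its single policy; returns (arn, alias)."""
    resp = client.create_access_point(
        **create_access_point_params(account_id, name, bucket, vpc_id=vpc_id)
    )
    policy = build_access_point_policy(region, account_id, name, principal_arn, prefix, read_only)
    # put_access_point_policy replaces any existing policy on this access point
    client.put_access_point_policy(AccountId=account_id, Name=name, Policy=json.dumps(policy))
    return resp["AccessPointArn"], resp.get("Alias")


class FakeS3Control:
    """Constructed stand-in for boto3.client("s3control") so the flow runs offline."""

    def __init__(self):
        self.calls = []

    def create_access_point(self, **kwargs):
        self.calls.append(("create_access_point", kwargs))
        arn = access_point_arn("us-east-1", kwargs["AccountId"], kwargs["Name"])
        return {"AccessPointArn": arn, "Alias": f"{kwargs['Name']}-example-s3alias"}  # constructed alias

    def put_access_point_policy(self, **kwargs):
        self.calls.append(("put_access_point_policy", kwargs))
        return {}


if __name__ == "__main__":
    fake = FakeS3Control()  # replace with boto3.client("s3control") for real use
    arn, alias = create_restricted_access_point(
        fake, "us-east-1", "123456789012", "my-access-point", "my-existing-bucket",
        principal_arn="arn:aws:iam::123456789012:user/reader",
        vpc_id="vpc-0123456789abcdef0", prefix="reports/",
    )
    print(arn, alias)
    print(json.dumps(fake.calls[1][1], indent=2))
```

Running it prints the constructed ARN and alias followed by the exact put_access_point_policy request, which is the cheapest way to review a policy before it overwrites whatever is already attached to the access point.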
I just noticed that according to the documentation Bucket is not a required field for list_access_points - so maybe if you omit bucket it returns every access point in your account? https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3control.html#S3Control.Client.list_access_points