Amazon S3 Access Points are a powerful feature that simplify how organizations control and manage access to their data. Instead of relying solely on complex bucket policies, Access Points allow you to create dedicated entry points with tailored permissions. This provides more flexibility, especially when working with teams, applications, or VPCs that require different levels of access.
In today's world where secure and efficient data handling is critical, mastering S3 Access Points sets you apart as someone who understands not just storage, but also governance and access control in the cloud.
In this Cloud Lab, we'll explore:
- Creating an S3 bucket for sensitive data
- Configuring a VPC-bound S3 Access Point
- Testing access from both an allowed VPC and a default VPC using AWS Lambda
- Understanding how these controls enforce network-level security
By the end, you'll have hands-on experience with S3 Access Points and the skills to design secure data access patterns for real-world cloud applications.
Step 1: Create an S3 Bucket
The first step is to provision an Amazon S3 bucket that will act as the primary storage location for sensitive documents. We'll later use S3 Access Points to control how this data is accessed and processed.
Creating the S3 Bucket
- Navigate to the AWS Management Console and search for S3.
- Select the S3 service from the results.
- Click Create bucket.
- Enter a globally unique name in the format `s3-bucket-<random_text>`, replacing `<random_text>` with any string that ensures uniqueness across AWS accounts.
- Under Block Public Access settings, make sure Block all public access is selected.
- Scroll down and click Create bucket to finalize.
At this point, your S3 bucket is ready to securely store documents.
Uploading the Document
- Create a simple text file called `sampledata.txt` on your local machine (e.g., with content like "This is sensitive organizational data.").
- In the S3 Dashboard, select the newly created bucket (`s3-bucket-<random_text>`).
- Click Upload → Add files, and choose the `sampledata.txt` file.
- Click Upload to complete the process.
Outcome: You now have a secure S3 bucket with a sensitive file in place, ready to be accessed and controlled using Amazon S3 Access Points.
Step 2: Create a VPC-Bound Access Point
Amazon S3 Access Points make it easier to define fine-grained permissions, ensuring that specific applications, users, or roles get only the access they need. This is particularly useful in environments where multiple teams or services share the same dataset.
In this step, we'll create an S3 Access Point bound to a specific VPC. This ensures that sensitive data stored in our bucket is accessible only through that VPC.
Step 2.1: Create the VPC
- In the AWS Management Console, search for VPC and open the service.
- From the left menu, select Your VPCs → Create VPC.
- Under Resources to create, choose VPC and more.
- In the Name tag auto-generation field, replace the default value with `org` (the wizard then names the VPC `org-vpc`).
- Configure the following:
- Number of public subnets → 0
- Number of private subnets → 2
- VPC endpoints → Select S3 Gateway (the private subnets have no internet or NAT route, so this gateway endpoint is the only path from the VPC to S3, and it is what stamps `aws:SourceVpc` onto requests)
- Click Create VPC.
- Once provisioned, click View VPC and copy the VPC ID for later use.
Step 2.2: Create the Access Point
- Open the S3 service in the AWS Console.
- From the left menu, select Access Points for general purpose buckets.
- Click Create access point.
- Name it `vpc-bound-access-point`.
- Under Bucket name, select the S3 bucket created earlier.
- Under Network origin, choose Virtual private cloud (VPC).
- Paste the VPC ID of `org-vpc`.
- Ensure Block all public access is enabled.
- Add the following policy (replace `<Account ID>` with your AWS account ID and `<VPC ID>` with the ID you copied in the previous step; the ARN assumes the us-east-1 region used throughout this lab, so adjust it if your bucket is elsewhere):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:us-east-1:<Account ID>:accesspoint/vpc-bound-access-point/object/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "<VPC ID>"
        }
      }
    }
  ]
}
```

Two things worth noting about this policy. First, the VPC network origin chosen above already makes S3 reject any request to this access point that does not arrive from `<VPC ID>`; the `aws:SourceVpc` condition repeats that restriction inside the policy so the grant stays scoped even if the network origin is later changed. Second, `"Principal": "*"` does not make the data public: AWS does not treat a grant limited by an `aws:SourceVpc` condition as public, which is why Block all public access accepts it, and callers in your account are still subject to their own IAM policies and the bucket policy.

- Click Create access point.
Outcome: The Access Point now enforces that objects in the bucket can only be retrieved from `org-vpc`.
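To see how the policy above decides a request without touching AWS, here is an added example (it is not part of the lab) that models, in Python, the slice of IAM's evaluation logic the policy relies on: wildcard matching of Action and Resource, `StringEquals` on `aws:SourceVpc`, and explicit-deny-wins. The account ID and VPC IDs are placeholders. It reproduces what Step 3 tests live, and a little more: allow from `org-vpc`, implicit deny from any other VPC, implicit deny for a request that never traversed a VPC endpoint (no `aws:SourceVpc` key in the request context), and implicit deny for an action the policy does not grant.

```python
"""Offline model of how the Step 2.2 access point policy is evaluated.

Added example, not code from the lab: it re-implements only the part of
IAM's evaluation logic this policy needs, so the Step 3 outcomes can be
reproduced without an AWS account. Account and VPC IDs are placeholders.
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"           # assumed placeholder
REGION = "us-east-1"                  # region used throughout the lab
ORG_VPC_ID = "vpc-0123456789abcdef0"  # assumed placeholder for org-vpc
ACCESS_POINT = "vpc-bound-access-point"
OBJECT_ARN = (f"arn:aws:s3:{REGION}:{ACCOUNT_ID}:accesspoint/{ACCESS_POINT}"
              "/object/sampledata.txt")


def access_point_policy(account_id, vpc_id, region=REGION, name=ACCESS_POINT):
    """Render the lab's access point policy with real IDs substituted."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:{region}:{account_id}:accesspoint/{name}/object/*",
            "Condition": {"StringEquals": {"aws:SourceVpc": vpc_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM treats '*' and '?' in Action/Resource as wildcards, case-sensitively
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the operators this policy needs. A key that is absent from the
    request context makes StringEquals false: a request that reaches S3 from
    the internet carries no aws:SourceVpc at all, so it can never match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny'. Principal matching is skipped
    because the lab's policy uses Principal "*"; a real evaluation also
    consults the caller's IAM policies and the bucket policy."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def decide(source_vpc=None, action="s3:GetObject", resource=OBJECT_ARN):
    """Decision for one request to the access point. source_vpc=None models a
    request that did not come through a VPC endpoint."""
    context = {} if source_vpc is None else {"aws:SourceVpc": source_vpc}
    return evaluate(access_point_policy(ACCOUNT_ID, ORG_VPC_ID), action, resource, context)


if __name__ == "__main__":
    print(json.dumps(access_point_policy(ACCOUNT_ID, ORG_VPC_ID), indent=2))
    cases = [("Lambda in org-vpc", {"source_vpc": ORG_VPC_ID}),
             ("Lambda in default VPC", {"source_vpc": "vpc-0default0000000000"}),
             ("Request from the internet", {}),
             ("PutObject from org-vpc", {"source_vpc": ORG_VPC_ID, "action": "s3:PutObject"})]
    for label, kwargs in cases:
        print(f"{label:26s} -> {decide(**kwargs)}")
```

Run it with `python3` to print the rendered policy and the four decisions. `access_point_policy()` is also handy on its own: render it with your real IDs and pass the JSON to the console or CLI instead of hand-editing the placeholders.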
Step 3: Test the VPC-Bound Access Point
To validate the policy behavior, we'll create an AWS Lambda function. First, we'll deploy it inside `org-vpc` and confirm access. Then, we'll move it to the default VPC to ensure access is denied.
Note: This step assumes you have an IAM role (e.g., `LambdaExecutionRole`) that Lambda can assume, carrying the `AWSLambdaVPCAccessExecutionRole` managed policy (a VPC-attached function needs it to create its network interfaces) plus `s3:GetObject` on the bucket. The access point policy alone does not replace these IAM permissions. Create this role first if it doesn't exist.
Step 3.1: Create a Lambda Function in org-vpc
- In the AWS Console, search for Lambda.
- Go to Functions → Create function → Author from scratch.
- Configure:
  - Function name: `accesspoint_function`
  - Runtime: Python 3.11
  - Execution role: Use an existing role → `LambdaExecutionRole`
- Expand Advanced settings → Enable VPC → Select:
  - VPC: `org-vpc`
  - Subnets: Select the two private subnets (e.g., `org-subnet-private1-us-east-1a`, `org-subnet-private2-us-east-1b`)
  - Security group: Default
- Click Create function.
Step 3.2: Add the Lambda Code
Replace the default code in the Lambda function editor with the following Python code. (Remember to replace `<Account ID>` with your actual AWS account ID.)

```python
import boto3
from botocore.client import Config

# Initialize the S3 client. The Lambda runtime sets AWS_REGION, so the client
# is created in the function's region; that must match the region in the
# access point ARN below (us-east-1 in this lab).
s3 = boto3.client('s3', config=Config(signature_version='s3v4'))


def get_object(bucket, key):
    # `bucket` may be a bucket name or, as here, an access point ARN
    response = s3.get_object(Bucket=bucket, Key=key)
    data = response['Body'].read().decode('utf-8')
    print(data)
    return data


def lambda_handler(event, context):
    return get_object(
        "arn:aws:s3:us-east-1:<Account ID>:accesspoint/vpc-bound-access-point",
        "sampledata.txt"
    )
```
Step 3.3: Test from org-vpc
- Click Deploy to save your code changes.
- Click Test to configure a test event. Use the default "Hello World" template and give it a name.
- Click Test to run the function.
Result: The execution should succeed. The file contents appear in the function's logs (and in its return value) because the function runs inside the allowed VPC and reaches S3 through the gateway endpoint created in Step 2.1.
Step 3.4: Test from Default VPC
- In the Lambda function, go to the Configuration tab and select the VPC section.
- Click Edit.
- Switch the VPC to the default VPC and select two of its subnets.
- Select the default security group.
- Click Save.
- Wait for the network changes to apply, then click Test again to run the function.
Result: The function no longer retrieves the file. If the request reaches S3, the access point rejects it with `AccessDenied` (HTTP 403), because both the VPC network origin and the policy condition admit requests only from `org-vpc`. Be aware that a VPC-attached Lambda function has no public IP, so if the default VPC has no S3 gateway endpoint and no NAT route the request cannot reach S3 at all and the invocation simply times out. That still proves no data was retrieved, but it is a routing gap rather than the access control firing; add an S3 gateway endpoint to the default VPC if you want to observe the 403 itself.
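Step 3.4 only shows that the invocation failed; when verifying a control you want to know whether S3 rejected the request (the access point fired) or the request never reached S3 (a routing gap). The following added example, not the lab's own code, is a variant of the Step 3.2 handler that classifies the outcome. The S3 client is a parameter so the three outcomes can be exercised offline with constructed stand-in clients; boto3 is imported only when no client is supplied, i.e. inside Lambda. The access point ARN carries a placeholder account ID.

```python
"""Variant of the Step 3.2 handler that reports *why* a fetch failed.

Added example, not the lab's code. The S3 client is injectable so the
failure paths can be exercised without AWS access; boto3 is imported only
when no client is passed. ACCESS_POINT_ARN uses a placeholder account ID.
"""
import io
import os

ACCESS_POINT_ARN = os.environ.get(
    "ACCESS_POINT_ARN",
    "arn:aws:s3:us-east-1:111122223333:accesspoint/vpc-bound-access-point",  # placeholder
)
OBJECT_KEY = "sampledata.txt"

# botocore exception class names raised when no HTTP response comes back at all
_NO_RESPONSE = {"EndpointConnectionError", "ConnectTimeoutError", "ReadTimeoutError"}


def _default_client():
    import boto3
    from botocore.client import Config
    # Short timeouts and a single attempt so an unreachable endpoint surfaces
    # as an exception before Lambda's own timeout (3 s by default) kills the
    # invocation with an uninformative "Task timed out".
    return boto3.client("s3", config=Config(
        signature_version="s3v4", connect_timeout=2, read_timeout=2,
        retries={"max_attempts": 1}))


def fetch_via_access_point(s3, arn=ACCESS_POINT_ARN, key=OBJECT_KEY):
    """Return {"outcome": "allowed" | "denied" | "unreachable", ...}.

    "denied": S3 answered AccessDenied, so the request reached S3 and the
    access point rejected it (what the VPC restriction should produce).
    "unreachable": no response at all, so the subnet has no route to S3
    (no S3 gateway endpoint and no NAT); a network gap, not proof that the
    access control fired. Any other error is re-raised unchanged.
    """
    try:
        body = s3.get_object(Bucket=arn, Key=key)["Body"].read()
        return {"outcome": "allowed", "data": body.decode("utf-8")}
    except Exception as exc:
        # botocore.exceptions.ClientError exposes the S3 error code here
        code = (getattr(exc, "response", None) or {}).get("Error", {}).get("Code")
        if code == "AccessDenied":
            return {"outcome": "denied", "error": code}
        if type(exc).__name__ in _NO_RESPONSE:
            return {"outcome": "unreachable", "error": type(exc).__name__}
        raise


def lambda_handler(event, context, s3=None):
    result = fetch_via_access_point(s3 if s3 is not None else _default_client())
    print(result)  # lands in CloudWatch Logs, like the original handler's output
    return result


# --- constructed stand-ins, so the three paths can be seen without AWS -------
class _StubClient:
    """Minimal stand-in for a boto3 S3 client: returns data or raises."""
    def __init__(self, exc=None, data=b"This is sensitive organizational data."):
        self._exc, self._data = exc, data

    def get_object(self, Bucket, Key):
        if self._exc is not None:
            raise self._exc
        return {"Body": io.BytesIO(self._data)}


class _StubClientError(Exception):
    """Shaped like botocore.exceptions.ClientError (carries .response)."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class EndpointConnectionError(Exception):
    """Same class name botocore raises when the endpoint cannot be reached."""


def demo():
    """Outcomes for: Lambda in org-vpc; request rejected by the access point;
    Lambda in a VPC with no path to S3. Inputs are constructed, not from AWS."""
    return {
        "org-vpc": fetch_via_access_point(_StubClient())["outcome"],
        "rejected": fetch_via_access_point(_StubClient(_StubClientError("AccessDenied")))["outcome"],
        "no-route": fetch_via_access_point(_StubClient(EndpointConnectionError("timed out")))["outcome"],
    }


if __name__ == "__main__":
    print(demo())
```

Inside Lambda, `lambda_handler(event, context)` behaves like the original handler except that it returns a dict instead of raising; offline, `python3` on the file prints the three classified outcomes. When you repeat Step 3.4 with this handler, `"denied"` confirms the access point rejected the request, while `"unreachable"` tells you to add an S3 gateway endpoint to the default VPC before drawing any conclusion about the policy.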
Conclusion
Amazon S3 Access Points provide a powerful mechanism for implementing fine-grained access control to your S3 data. By binding access points to specific VPCs, you can enforce network-level security that complements traditional IAM policies. This approach is particularly valuable in multi-tenant environments, compliance scenarios, or when you need to isolate data access to specific network segments.
This hands-on exercise demonstrated how to:
- Create a secure S3 bucket with sensitive data.
- Configure a VPC-bound access point with appropriate policies.
- Test access patterns from both allowed and restricted networks.
This knowledge empowers you to design more secure and manageable data access patterns in your AWS environments, ensuring that your sensitive data remains protected while still being accessible to authorized services and applications.