S3 Access Points: What It Is and When to Use It
Definition
Amazon S3 Access Points are unique network endpoints, each with its own dedicated access policy and DNS name, that simplify managing data access at scale for shared datasets in S3 buckets. They solve the problem of large, complex bucket policies by allowing you to create many fine-grained access policies tailored to specific applications or teams, all fronting a single shared bucket.
How It Works
An S3 Access Point acts as a distinct entry point to an S3 bucket. When you create an access point, you associate it with exactly one bucket. This access point gets its own unique DNS hostname, which applications use to perform S3 object operations like GetObject and PutObject.
The core of an access point's power lies in its dedicated access policy. This policy works in conjunction with the underlying bucket policy. For a request made through an access point to succeed, the user's IAM policy, the access point policy, AND the bucket policy must all permit the action. This layered approach allows a bucket owner to delegate more specific permission management to teams who can control their own access point policies without modifying the central bucket policy.
Furthermore, an access point can be configured with network origin controls, restricting access to traffic originating from a specific Virtual Private Cloud (VPC). This creates a private network path to your S3 data, effectively firewalling it from the public internet. Each access point also has its own Block Public Access settings, which can be configured independently of the bucket's settings.
Key Features and Limits
- Unique Hostnames: Each access point has a unique DNS name, allowing applications to connect to a dedicated endpoint instead of the standard bucket name.
- Delegated Access Control: You can create separate, discrete access point policies for each application, breaking down what could be one large, complex bucket policy.
- VPC Restriction: Access Points can be configured to only allow access from a specified VPC, enhancing security by ensuring data does not traverse the public internet.
- Cross-Account Access: S3 Access Points can be created to securely grant access to buckets in other AWS accounts, simplifying cross-account data sharing without complex IAM roles or bucket policies.
- Service Integration: Access Points are supported by a growing number of AWS services, including Amazon EMR, Amazon Redshift, Amazon SageMaker, and Amazon CloudFront, which can use access point aliases instead of bucket names.
- Service Quotas: As of 2026, you can create up to 10,000 S3 Access Points per AWS account per Region.
- Policy Size Limit: Access point policies are limited to 20 KB in size.
- Security: Access points only support access over HTTPS and do not support anonymous access.
Common Use Cases
- Managing Shared Datasets (Data Lakes): For a central data lake bucket, you can provide different teams (e.g., data science, analytics, engineering) with their own access points. Each access point's policy grants permissions only to the specific prefixes (folders) and actions that team needs, implementing the principle of least privilege without a monolithic bucket policy.
- Securing VPC-Only Application Access: An application running on EC2 instances within a VPC can be forced to access S3 data through a VPC-restricted access point. This ensures that all data access stays within your private network, a common requirement for high-security and compliance workloads.
- Simplifying Cross-Account Data Sharing: When sharing a dataset with another AWS account, you can create a cross-account access point. The bucket owner sets a high-level permission boundary, and the consuming account can then self-serve more detailed permissions for its own users and roles via the access point policy, reducing management overhead for the bucket owner.
- Testing New Access Policies: You can create a new access point to test a new, restrictive access policy for an application without impacting existing users who are accessing the bucket through other means or other access points.
- Multi-Tenant Applications: Each tenant of a SaaS application can be assigned a unique access point that restricts their access to a specific prefix within a shared S3 bucket, providing strong data isolation between tenants.
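The data lake and multi-tenant use cases above both come down to the same pattern: one access point per team or tenant, each with a policy that reaches no further than that party's prefix, and a bucket policy that hands access decisions to those access points. The following is an added example (not AWS sample code or part of this article) that generates such a policy pair and checks a policy for drift outside its prefix. The account ID, Region, bucket name, role ARN and access point names are constructed placeholders; the s3:DataAccessPointAccount condition key used for the delegation is the one AWS documents for this purpose.

```python
"""Per-tenant access point policies that confine each tenant to one prefix
in a shared bucket, the bucket policy that delegates to those access
points, and a check that a policy has not drifted outside its prefix.

Added example, not AWS or project code. Account ID, Region, bucket and
access point names are constructed placeholders.
"""
import json

ACCOUNT_ID = "111122223333"          # constructed placeholder
REGION = "us-east-1"
BUCKET = "example-shared-data"       # constructed placeholder


def access_point_arn(name):
    return f"arn:aws:s3:{REGION}:{ACCOUNT_ID}:accesspoint/{name}"


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def tenant_access_point_policy(ap_name, role_arn, prefix):
    """Scope one tenant role to one prefix through its own access point.
    Object resources use the access point form .../accesspoint/<name>/object/<key>;
    ListBucket is granted on the access point and narrowed with s3:prefix."""
    prefix = prefix.strip("/") + "/"
    ap_arn = access_point_arn(ap_name)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "TenantObjectAccess", "Effect": "Allow",
             "Principal": {"AWS": role_arn},
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"{ap_arn}/object/{prefix}*"},
            {"Sid": "TenantListOwnPrefix", "Effect": "Allow",
             "Principal": {"AWS": role_arn},
             "Action": "s3:ListBucket",
             "Resource": ap_arn,
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
        ],
    }


def delegating_bucket_policy():
    """Bucket policy that lets access points owned by this account decide
    access (s3:DataAccessPointAccount is the AWS-documented condition key for
    this), so the per-tenant rules live only in the access point policies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateToAccessPoints", "Effect": "Allow",
            "Principal": {"AWS": "*"}, "Action": "*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT_ID}},
        }],
    }


def prefix_violations(policy, ap_name, allowed_prefix):
    """Sids of Allow statements that reach outside allowed_prefix: object
    resources under another key prefix, ListBucket without a matching
    s3:prefix condition, or any resource that is not this access point."""
    allowed = allowed_prefix.strip("/") + "/"
    ap_arn = access_point_arn(ap_name)
    object_root = f"{ap_arn}/object/"
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for res in _as_list(stmt["Resource"]):
            if res.startswith(object_root):
                ok = res[len(object_root):].startswith(allowed)
            elif res == ap_arn:
                conds = _as_list(stmt.get("Condition", {})
                                 .get("StringLike", {}).get("s3:prefix", []))
                ok = bool(conds) and all(c.startswith(allowed) for c in conds)
            else:
                ok = False   # bucket ARN, "*", or some other access point
            if not ok:
                bad.append(sid)
                break
    return bad


if __name__ == "__main__":
    role = f"arn:aws:iam::{ACCOUNT_ID}:role/tenant-a-app"   # constructed
    policy = tenant_access_point_policy("tenant-a-ap", role, "tenant-a")
    print(json.dumps(policy, indent=2))
    print(json.dumps(delegating_bucket_policy(), indent=2))
    print("violations:", prefix_violations(policy, "tenant-a-ap", "tenant-a"))
```

The check is worth running in CI against every access point policy before deployment: a tenant policy that names a sibling prefix, grants ListBucket without an s3:prefix condition, or uses a bare "*" resource is exactly the drift that turns prefix isolation back into shared-bucket exposure.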
Pricing Model
There is no additional charge for creating or using Amazon S3 Access Points. You continue to pay the standard Amazon S3 prices for requests, storage, and data transfer. For example, a GetObject request made through an access point is billed at the same rate as a GetObject request made directly to the bucket.
It is important to note that while the feature itself is free, related charges for data transfer still apply. For Multi-Region Access Points, there is an additional data routing fee.
Pros and Cons
Pros
- Simplified Policy Management: Drastically simplifies access control for shared buckets by avoiding large, hard-to-manage bucket policies.
- Improved Security: Enables fine-grained permissions and network-level isolation (VPC-only access), making it easier to enforce the principle of least privilege.
- Scalability: Easily scale access management for thousands of users and applications by creating dedicated access points for each use case.
- Clear Auditing: Access logs show which access point was used for a request, simplifying auditing and accountability.
Cons
- Added Complexity: Introduces another layer of policy evaluation (IAM User -> Access Point -> Bucket), which can make troubleshooting permission issues more complex.
- Single Bucket Association: An access point is tied to a single bucket; it cannot be re-pointed to another bucket or span multiple buckets.
- Management Overhead: While simplifying policies, it creates more resources (the access points themselves) that need to be managed via Infrastructure as Code or other means.
Comparison with Alternatives
- S3 Access Points vs. Bucket Policies + IAM Policies: The traditional method involves managing access through a combination of a central bucket policy and IAM user/role policies. This can become extremely complex for shared buckets with many distinct access patterns, leading to a single, monolithic policy that is difficult to audit and maintain. Access Points decompose this problem, allowing for smaller, targeted policies that are easier to manage and reason about.
- S3 Access Points vs. Separate S3 Buckets: Another alternative is to create a separate S3 bucket for each application or team. While this provides strong isolation, it can lead to data duplication and increased management overhead if the underlying dataset is largely shared. Access Points provide a way to get the logical isolation benefits of separate buckets while still using a single, shared dataset.
Exam Relevance
S3 Access Points are a key topic for several AWS certifications, particularly those focused on architecture and security.
- AWS Certified Solutions Architect - Associate (SAA-C03): Candidates should understand the primary use case for Access Points—simplifying access management for shared datasets—and when to use them over a complex bucket policy. The concept of VPC-only access is also a common scenario.
- AWS Certified Solutions Architect - Professional (SAP-C02): Expect more in-depth questions about complex access scenarios, including cross-account access patterns and how access point policies interact with bucket policies and Service Control Policies (SCPs) in AWS Organizations.
- AWS Certified Security - Specialty (SCS-C02): This exam will likely test your understanding of using Access Points to enforce network boundaries (VPC restrictions) and implement a defense-in-depth security posture for data in S3.
For all exams, knowing that an access point policy is evaluated in addition to the bucket policy and user policy is a critical detail.
Frequently Asked Questions
Q: How does an S3 Access Point policy interact with the bucket policy?
A: For a request made through an access point to be allowed, the access must be permitted by the IAM user/role policy, the access point policy, AND the S3 bucket policy. A deny in any of these policies will result in the request being denied. This creates a logical "AND" across all applicable policies, allowing for layered security.
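The layered evaluation described in "How It Works" and in this answer (IAM policy AND access point policy AND bucket policy, with any explicit deny winning) is easy to state and easy to get wrong when troubleshooting. The following added example (not AWS code or part of this article) models that evaluation over three constructed policies, including a VPC-only access point policy expressed with the s3:AccessPointNetworkOrigin condition key, and reports the per-layer result so that an implicit denial can be traced to the layer that granted nothing. It is a deliberately reduced model: Allow, Deny and implicit outcomes only, glob matching for actions and resources, StringEquals conditions only, no SCPs or permission boundaries, and the request is matched against both its access point object ARN and its bucket object ARN (a simplification of this model, not a statement about which form each AWS layer requires). All identifiers are constructed placeholders.

```python
"""Model of how a request made through an S3 Access Point is authorized:
the IAM identity policy, the access point policy and the bucket policy
must each allow it, and an explicit Deny in any one of them wins.

Added example, not AWS code. Reduced model of AWS policy evaluation:
Allow/Deny/Implicit only, glob matching for Action and Resource,
StringEquals conditions only, no SCPs or permission boundaries. The request
is tested against both its access point object ARN and its bucket object
ARN (a simplification of this model). All identifiers are constructed.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                                   # constructed
ROLE = f"arn:aws:iam::{ACCOUNT}:role/analytics"           # constructed
AP_ARN = f"arn:aws:s3:us-east-1:{ACCOUNT}:accesspoint/analytics-ap"
BUCKET_ARN = "arn:aws:s3:::example-shared-data"            # constructed


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def statement_matches(stmt, principal, action, resources, context):
    """Principal (if present), Action, Resource and StringEquals conditions
    must all match for a statement to apply to the request."""
    if "Principal" in stmt:
        p = stmt["Principal"]
        allowed = _as_list(p["AWS"]) if isinstance(p, dict) else _as_list(p)
        if "*" not in allowed and principal not in allowed:
            return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(r, pat)
               for r in resources for pat in _as_list(stmt["Resource"])):
        return False
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != want:
            return False
    return True


def evaluate_policy(policy, principal, action, resources, context):
    """'Deny' if any matching statement denies, else 'Allow' if one allows,
    else 'Implicit' (no statement applies)."""
    outcome = "Implicit"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, principal, action, resources, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            outcome = "Allow"
    return outcome


def authorize(policies, principal, action, key, network_origin):
    """Per-layer results plus the final decision for one object request."""
    resources = [f"{AP_ARN}/object/{key}", f"{BUCKET_ARN}/{key}"]
    context = {
        "s3:AccessPointNetworkOrigin": network_origin,   # "VPC" or "Internet"
        "s3:DataAccessPointAccount": ACCOUNT,
    }
    layers = {name: evaluate_policy(pol, principal, action, resources, context)
              for name, pol in policies.items()}
    if "Deny" in layers.values():
        decision = "Deny"                 # explicit deny in any layer wins
    elif all(v == "Allow" for v in layers.values()):
        decision = "Allow"                # every layer granted the action
    else:
        decision = "Deny"                 # implicit deny: a layer granted nothing
    layers["decision"] = decision
    return layers


# Constructed sample policies for the three layers.
POLICIES = {
    "iam": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{AP_ARN}/object/*"},
    ]},
    "access_point": {"Statement": [
        # VPC-only: requests arriving from the internet match nothing here.
        {"Effect": "Allow", "Principal": {"AWS": ROLE},
         "Action": "s3:*Object", "Resource": f"{AP_ARN}/object/analytics/*",
         "Condition": {"StringEquals": {"s3:AccessPointNetworkOrigin": "VPC"}}},
    ]},
    "bucket": {"Statement": [
        # Delegate to access points owned by this account (AWS-documented pattern).
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "*",
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}}},
        # Guardrail kept by the bucket owner: nothing may overwrite locked/.
        {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:PutObject",
         "Resource": f"{BUCKET_ARN}/analytics/locked/*"},
    ]},
}

if __name__ == "__main__":
    for action, key, origin in [
        ("s3:GetObject", "analytics/report.csv", "VPC"),        # allowed
        ("s3:GetObject", "analytics/report.csv", "Internet"),   # AP layer: implicit
        ("s3:GetObject", "raw/secret.csv", "VPC"),              # AP layer: implicit
        ("s3:DeleteObject", "analytics/report.csv", "VPC"),     # IAM layer: implicit
        ("s3:PutObject", "analytics/locked/baseline.csv", "VPC"),  # bucket: Deny
    ]:
        print(action, key, origin, authorize(POLICIES, ROLE, action, key, origin))
```

The per-layer output is the point of the model: when a request is refused, the layer that returned Implicit or Deny is the one to look at, which is what the "Added Complexity" con above refers to. It also shows why the bucket owner can safely delegate: the bucket policy's own Deny on the locked/ prefix is honoured even though the access point and IAM layers both allow the write.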
Q: Can an S3 Access Point be used to make a bucket public?
A: While an access point can be configured for internet access, it has its own Block Public Access (BPA) settings that are independent of the bucket's BPA settings. Best practice is to keep both the bucket and the access point BPA settings enabled unless you have a specific, validated use case for public access, such as hosting a public website.
Q: Can I use an Access Point to access data in a different AWS account?
A: Yes, Amazon S3 supports cross-account access points. This feature is designed to simplify and scale data sharing between accounts. The bucket owner creates the access point and delegates permission management to the trusted account, which can then define granular policies for its own IAM principals to access the shared data.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.