Access Points and Object Lambda

Learn how to provide access to the users or user groups using S3 access points.

We'll cover the following

Access Points
Object Lambda Access Points
Use case: Remove sensitive information

We have already discussed that by default, S3 only allows the bucket owner to read and write to a bucket. We have to explicitly grant permissions to other accounts and users to access a bucket. The S3 access points are one such way to grant access.

Access Points

S3 Access Points are HTTP endpoints attached to the bucket, which allow us to create multiple access configurations to a single bucket. These endpoints allow us to perform basic operations such as GetObject and PutObject on the entire objects or a subset of objects in the bucket. To manage access, each access point has its own access policy attached. Furthermore, we can control network access and allow the entire internet or a specific VPC to access the bucket.

Press + to interact

Access policy for access points

The access policy of an endpoint works in conjunction with the access policy of the bucket. For example, if the access point’s policy allows a user to write to a bucket, the bucket policy should allow it as well. Otherwise the user might not be able to write objects to the bucket. However, managing access at multiple places can be difficult, especially with multiple users and access points. To simplify it, we can configure a bucket policy to delegate access to Access Points. This would grant access to the user based on the access policy of the Access Point only. It is ideal for use cases where we do not allow direct access to the bucket.

Press + to interact

In addition, each Access Point has its own Block Public Access setting. Thus, when a request arrives at the endpoint, S3 allows access only after checking the Block Public Access setting of the access point, underlying bucket, and bucket owner.

Network access control

To control the bucket’s network access, we can restrict the access point to a single VPC. An Access Point that accepts requests from anywhere on the internet is said to have a network origin of Internet. Similarly, the access point that allows requests from a specific VPC is said to have a network origin of a VPC. To allow requests from a specific VPC, we specify the VPC ID while configuring the access point. This setting can not be modified once the access point is created.

Multi-Region Access Points

Amazon S3 allows us to create global access points available in multiple regions. These access points route the requests through the AWS global network to the closest S3. While creating a Multi-Region Access Point, we can define the regions where we want the data to be served. To replicate and synchronize data between these regions, we can use Cross Region Replication (CRR) in S3 buckets.

Press + to interact

Use case: Remove sensitive information

S3 Object Lambda Access Points are used for various purposes, such as masking sensitive data for security and compliance, compressing objects, changing data formats for compatibility, and filtering data to deliver specific information.

Consider one such application where a healthcare organization stores patient records in S3 buckets. These records contain sensitive information such as medical history, treatment plans, and test results. To comply with regulations, the organization must ensure that only authorized personnel can access patient data and that sensitive information is protected from unauthorized disclosure.

The application consists of two main dashboards to list user information: the administrator and the health care provider. Both dashboards fetch information from the same data store; however, the healthcare provider shall receive a masked version of the object, removing the sensitive information. Meanwhile, the administrator requires the entire object.

Press + to interact

In this scenario, the organization can use the Lambda function to dynamically redact sensitive information from patient records before authorized users retrieve them. For example, when a healthcare provider requests a patient’s medical record from the S3 bucket, the Object Lambda Access Point intercepts the request and applies redaction logic to mask or remove sensitive details such as the patient’s name, address, and social security number. The redacted record is then returned to the requester, ensuring that only necessary information is disclosed and patient privacy is maintained.

Get hands-on with 1300+ tech skills courses.

Introduction

AWS Fundamentals

Understanding Cloud Computing Essentials— From Zero to Hero

Identity and Access Management

Securing AWS Resources: Managing Access with IAM

AWS IAM Permission Boundaries

Using AWS IAM Access Analyzer

Compute Services

Understanding AWS Compute Services — From Zero to Hero

Amazon EC2: Elastic Compute Cloud

Working with Instances: An Amazon EC2 Walkthrough

Managing Instance Volumes Using EBS

Networking

Understanding Networking Services in AWS—From Zero to Hero

Controlling VPC Traffic Using Network ACLs

Managing Peer Connections between Amazon Virtual Private Clouds

Accessing AWS Services over AWS PrivateLink Using VPC Endpoints

Monitoring IP Traffic Using VPC Flow Logs

Route 53

Serverless Computing

Getting to Know AWS Lambda

Building and Deploying Serverless Applications with AWS SAM

Developing RESTful Microservices with API Gateway and DynamoDB

Building a WebSocket-Based Chat Application Using API Gateway

Mastering AWS AppSync Lambda Resolvers

Application Integration

Getting Started with Amazon Simple Queue Service (SQS)

Handling Amazon SNS Notifications with AWS Lambda

Build a Fanout Serverless Architecture using SNS, SQS, and Lambda

Decoupling Serverless Applications with Amazon EventBridge

Getting Started with AWS Step Functions

Containers

Getting Started with Amazon ECS

Create an EKS Cluster and Deploy an Application

High Availability and Scalability

Managing Application Traffic Using Elastic Load Balancers

Understanding Auto Scaling Group (ASG) in AWS

Mastering Amazon EC2 Dynamic Scaling Policies

Storage

Understanding AWS Storage Options—From Zero to Hero

Simple Storage Service (S3)

Working with AWS S3 Cross-Region Replication

Resizing Images with S3 Batch Operations and AWS Lambda

Managing Data Access with Amazon S3 Access Points

File Storage and Transfer

Getting Started with Amazon FSx for Windows File Server

Databases

Working with Relational Databases: A Beginner's Guide to AWS RDS

Getting Started with Amazon Aurora Database Engine

Working with NoSQL Databases: A Beginner's Guide to AWS DynamoDB

Exploring Graphs with Amazon Neptune

Getting Started with Amazon Keyspaces

Achieving Ultra-Fast Performance Using Amazon MemoryDB for Redis

Improving Database Performance with Amazon ElastiCache for Redis

Migration and Transfer

Use of AWS Database Migration Service from Aurora MySQL to S3

Security and Compliance

Getting Started with AWS Key Management Service (KMS)

Encrypting S3 Buckets and EBS Volumes Using KMS

Protecting Web Applications Using AWS WAF

Managing Aurora DB Credentials and API Keys Using Secrets Manager

Finding Vulnerabilities on EC2 Instances Using AWS Inspector

Deployment Services

Mastering AWS Deployment Services—From Zero to Hero

CloudFormation

Getting to Know AWS CloudFormation

AWS CloudFormation Updates: Change Sets and Stack Policies

Mastering AWS CloudFormation Helper Scripts

Machine Learning

Understanding Machine Learning Services on AWS—From Zero to Hero

Deploying a Machine Learning Model with Amazon SageMaker

Getting Started with Amazon Fraud Detector

Build an Educative Chatbot with Conversational AI Using AWS Lex

Content Delivery and Optimization

Analytics

Analyzing S3 Data and CloudTrail Logs Using Amazon Athena

Getting Started with Amazon EMR

Getting Started with Amazon Redshift

Building ETL Pipelines on AWS

Create a Data Lake with Lake Formation and Analyze It with Athena