# Working with Amazon S3 on Outposts access points Working with access points To access your Amazon S3 on Outposts bucket, you must create and configure an access point. Access points simplify managing data access at scale for shared datasets in Amazon S3. Access points are named network endpoints that are attached to buckets that you can use to perform Amazon S3 object operations, such as `GetObject` and `PutObject`. With S3 on Outposts, you must use access points to access any object in an Outposts bucket. Access points support only virtual-host-style addressing. **Note** The AWS account that creates the Outposts bucket owns it and is the only one that can assign access points to it. The following sections describe how to create and manage access points for S3 on Outposts buckets. **Topics** + [ # Creating an S3 on Outposts access point ](S3OutpostsCreateAccessPoint.md) + [ # Using a bucket-style alias for your S3 on Outposts bucket access point ](s3-outposts-access-points-alias.md) + [ # Viewing information about an access point configuration ](S3OutpostsAccessPointGet.md) + [ # View a list of your Amazon S3 on Outposts access points ](S3OutpostsAccessPointList.md) + [ # Deleting an access point ](S3OutpostsAccessPointsDelete.md) + [ # Adding or editing an access point policy ](S3OutpostsAccessPointEditPolicy.md) + [ # Viewing an access point policy for an S3 on Outposts access point ](S3OutpostsAccessPointGetPolicy.md) # Creating an S3 on Outposts access point Creating an access point To access your Amazon S3 on Outposts bucket, you must create and configure an access point. Access points simplify managing data access at scale for shared datasets in Amazon S3. Access points are named network endpoints that are attached to buckets that you can use to perform Amazon S3 object operations, such as `GetObject` and `PutObject`. With S3 on Outposts, you must use access points to access any object in an Outposts bucket. Access points support only virtual-host-style addressing. The following examples show you how to create an S3 on Outposts access point by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. **Note** The AWS account that creates the Outposts bucket owns it and is the only one that can assign access points to it. ## Using the S3 console 1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Outposts buckets**. 1. Choose the Outposts bucket that you want to create an Outposts access point for. 1. Choose the **Outposts access points** tab. 1. In the **Outposts access points** section, choose **Create Outposts access point**. 1. In **Outposts access point settings**, enter a name for the access point, and then choose the virtual private cloud (VPC) for the access point. 1. If you want to add a policy for your access point, enter it in the **Outposts access point policy** section. For more information, see [Setting up IAM with S3 on Outposts](S3OutpostsIAM.md). ## Using the AWS CLI **Example** The following AWS CLI example creates an access point for an Outposts bucket. To run this command, replace the `user input placeholders` with your own information. ``` aws s3control create-access-point --account-id 123456789012 --name example-outposts-access-point --bucket "arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket" --vpc-configuration VpcId=example-vpc-12345 ``` ## Using the AWS SDK for Java **Example** For examples of how to create an access point for an S3 Outposts bucket with the AWS SDK for Java, see [CreateOutpostsAccessPoint.java](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javav2/example_code/s3/src/main/java/com/example/s3/outposts/CreateOutpostsAccessPoint.java) in the *AWS SDK for Java 2.x Code Examples*. # Using a bucket-style alias for your S3 on Outposts bucket access point Using a bucket-style alias for your access point With S3 on Outposts, you must use access points to access any object in an Outposts bucket. Every time you create an access point for a bucket, S3 on Outposts automatically generates an access point alias. You can use this access point alias instead of an access point ARN for any data plane operation. For example, you can use an access point alias to perform object-level operations such as PUT, GET, LIST, and more. For a list of these operations, see [Amazon S3 API operations for managing objects](S3OutpostsAPI.md#S3OutpostsAPIsObject). The following examples show an ARN and access point alias for an access point named `my-access-point`. + **Access point ARN** – `arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/my-access-point` + **Access point alias** – `my-access-po-o01ac5d28a6a232904e8xz5w8ijx1qzlbp3i3kuse10--op-s3` For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*. For more information about access point aliases, see the following topics. **Topics** + [ ## Access point aliases ](#access-points-alias-name-s3-outposts) + [ ## Using an access point alias in an S3 on Outposts object operation ](#access-points-alias-use-case-s3-outposts) + [ ## Limitations ](#access-points-alias-limitations-s3-outposts) ## Access point aliases Access point aliases An access point alias is created within the same namespace as an S3 on Outposts bucket. When you create an access point, S3 on Outposts automatically generates an access point alias that cannot be changed. An access point alias meets all the requirements of a valid S3 on Outposts bucket name and consists of the following parts: `access point name prefix-metadata--op-s3` **Note** The `--op-s3` suffix is reserved for access point aliases, we recommend that you don't use it for bucket or access point names. For more information about S3 on Outposts bucket-naming rules, see [Working with S3 on Outposts buckets](S3OutpostsWorkingBuckets.md). ### Finding the access point alias The following examples show you how to find an access point alias by using the Amazon S3 console and the AWS CLI. **Example : Find and copy an access point alias in the Amazon S3 console** After you create an access point in the console, you can get the access point alias from the **Access Point alias** column in the **Access Points** list. **To copy an access point alias** 1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Outposts access points**. 1. To copy the access point alias, do one of the following: + In the **Access Points** list, select the option button next to the access point name, and then choose **Copy Access Point alias**. + Choose the access point name. Then, under **Outposts access point overview**, copy the access point alias. **Example : Create an access point by using the AWS CLI and find the access point alias in the response** The following AWS CLI example for the `create-access-point` command creates the access point and returns the automatically generated access point alias. To run this command, replace the `user input placeholders` with your own information. ``` aws s3control create-access-point --bucket example-outposts-bucket --name example-outposts-access-point --account-id 123456789012 { "AccessPointArn": "arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point", "Alias": "example-outp-o01ac5d28a6a232904e8xz5w8ijx1qzlbp3i3kuse10--op-s3" } ``` **Example : Get an access point alias by using the AWS CLI** The following AWS CLI example for the `get-access-point` command returns information about the specified access point. This information includes the access point alias. To run this command, replace the `user input placeholders` with your own information. ``` aws s3control get-access-point --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket --name example-outposts-access-point --account-id 123456789012 { "Name": "example-outposts-access-point", "Bucket": "example-outposts-bucket", "NetworkOrigin": "Vpc", "VpcConfiguration": { "VpcId": "vpc-01234567890abcdef" }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true }, "CreationDate": "2022-09-18T17:49:15.584000+00:00", "Alias": "example-outp-o0b1d075431d83bebde8xz5w8ijx1qzlbp3i3kuse10--op-s3" } ``` **Example : List access points to find an access point alias by using the AWS CLI** The following AWS CLI example for the `list-access-points` command lists information about the specified access point. This information includes the access point alias. To run this command, replace the `user input placeholders` with your own information. ``` aws s3control list-access-points --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket { "AccessPointList": [ { "Name": "example-outposts-access-point", "NetworkOrigin": "Vpc", "VpcConfiguration": { "VpcId": "vpc-01234567890abcdef" }, "Bucket": "example-outposts-bucket", "AccessPointArn": "arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point", "Alias": "example-outp-o0b1d075431d83bebde8xz5w8ijx1qzlbp3i3kuse10--op-s3" } ] } ``` ## Using an access point alias in an S3 on Outposts object operation When adopting access points, you can use access point alias without requiring extensive code changes. This AWS CLI example shows a `get-object` operation for an S3 on Outposts bucket. This example uses the access point alias as the value for `--bucket` instead of the full access point ARN. ``` aws s3api get-object --bucket my-access-po-o0b1d075431d83bebde8xz5w8ijx1qzlbp3i3kuse10--op-s3 --key testkey sample-object.rtf { "AcceptRanges": "bytes", "LastModified": "2020-01-08T22:16:28+00:00", "ContentLength": 910, "ETag": "\"00751974dc146b76404bb7290f8f51bb\"", "VersionId": "null", "ContentType": "text/rtf", "Metadata": {} } ``` ## Limitations + Aliases cannot be configured by customers. + Aliases cannot be deleted or modified or disabled on an access point. + You can't use an access point alias for S3 on Outposts control plane operations. For a list of S3 on Outposts control plane operations, see [Amazon S3 Control API operations for managing buckets](S3OutpostsAPI.md#S3OutpostsAPIsBucket). + Aliases cannot be used in AWS Identity and Access Management (IAM) policies. # Viewing information about an access point configuration Viewing access point configuration Access points simplify managing data access at scale for shared datasets in Amazon S3. Access points are named network endpoints that are attached to buckets that you can use to perform Amazon S3 object operations, such as `GetObject` and `PutObject`. With S3 on Outposts, you must use access points to access any object in an Outposts bucket. Access points support only virtual-host-style addressing. The following topics show you how to return configuration information for an S3 on Outposts access point by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console 1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Outposts access points**. 1. Choose the Outposts access point that you want to view configuration details for. 1. Under **Outposts access point overview**, review the access point configuration details. ## Using the AWS CLI The following AWS CLI example gets an access point for an Outposts bucket. Replace the `user input placeholders` with your own information. ``` aws s3control get-access-point --account-id 123456789012 --name arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point ``` ## Using the AWS SDK for Java The following SDK for Java example gets an access point for an Outposts bucket. ``` import com.amazonaws.services.s3control.model.*; public void getAccessPoint(String accessPointArn) { GetAccessPointRequest reqGetAP = new GetAccessPointRequest() .withAccountId(AccountId) .withName(accessPointArn); GetAccessPointResult respGetAP = s3ControlClient.getAccessPoint(reqGetAP); System.out.printf("GetAccessPoint Response: %s%n", respGetAP.toString()); } ``` # View a list of your Amazon S3 on Outposts access points Listing access points Access points simplify managing data access at scale for shared datasets in Amazon S3. Access points are named network endpoints that are attached to buckets that you can use to perform Amazon S3 object operations, such as `GetObject` and `PutObject`. With S3 on Outposts, you must use access points to access any object in an Outposts bucket. Access points support only virtual-host-style addressing. The following topics show you how to return a list of your S3 on Outposts access points by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console 1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Outposts access points**. 1. Under **Outposts access points**, review your list of S3 on Outposts access points. ## Using the AWS CLI The following AWS CLI example lists the access points for an Outposts bucket. To run this command, replace the `user input placeholders` with your own information. ``` aws s3control list-access-points --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket ``` ## Using the AWS SDK for Java The following SDK for Java example lists the access points for an Outposts bucket. ``` import com.amazonaws.services.s3control.model.*; public void listAccessPoints(String bucketArn) { ListAccessPointsRequest reqListAPs = new ListAccessPointsRequest() .withAccountId(AccountId) .withBucket(bucketArn); ListAccessPointsResult respListAPs = s3ControlClient.listAccessPoints(reqListAPs); System.out.printf("ListAccessPoints Response: %s%n", respListAPs.toString()); } ``` # Deleting an access point Access points simplify managing data access at scale for shared datasets in Amazon S3. Access points are named network endpoints that are attached to buckets that you can use to perform Amazon S3 object operations, such as `GetObject` and `PutObject`. With S3 on Outposts, you must use access points to access any object in an Outposts bucket. Access points support only virtual-host-style addressing. The following examples show you how to delete an access point by using the AWS Management Console and the AWS Command Line Interface (AWS CLI). ## Using the S3 console 1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Outposts access points**. 1. In the **Outposts access points** section, choose the Outposts access point that you want to delete. 1. Choose **Delete**. 1. Confirm the deletion. ## Using the AWS CLI The following AWS CLI example deletes an Outposts access point. To run this command, replace the `user input placeholders` with your own information. ``` aws s3control delete-access-point --account-id 123456789012 --name arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point ``` # Adding or editing an access point policy Adding an access point policy Access points have distinct permissions and network controls that Amazon S3 on Outposts applies for any request that is made through that access point. Each access point enforces a customized access point policy that works in conjunction with the bucket policy that is attached to the underlying bucket. For more information, see [Access points](S3OutpostsWorkingBuckets.md#S3OutpostsAP). The following topics show you how to add or edit the access point policy for your S3 on Outposts access point by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console 1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Outposts buckets**. 1. Choose the Outposts bucket that you want to edit the access point policy for. 1. Choose the **Outposts access points** tab. 1. In the **Outposts access points** section, choose the access point whose policy you want to edit, and choose **Edit policy**. 1. Add or edit the policy in the **Outposts access point policy** section. For more information, see [Setting up IAM with S3 on Outposts](S3OutpostsIAM.md). ## Using the AWS CLI The following AWS CLI example puts a policy on an Outposts access point. 1. Save the following access point policy to a JSON file. In this example, the file is named `appolicy1.json`. Replace the `user input placeholders` with your own information. ``` { "Version":"2012-10-17", "Id":"exampleAccessPointPolicy", "Statement":[ { "Sid":"st1", "Effect":"Allow", "Principal":{ "AWS":"123456789012" }, "Action":"s3-outposts:*", "Resource":"arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point } ] } ``` 1. Submit the JSON file as part of the `put-access-point-policy` CLI command. Replace the `user input placeholders` with your own information. ``` aws s3control put-access-point-policy --account-id 123456789012 --name arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point --policy file://appolicy1.json ``` ## Using the AWS SDK for Java The following SDK for Java example puts a policy on an Outposts access point. ``` import com.amazonaws.services.s3control.model.*; public void putAccessPointPolicy(String accessPointArn) { String policy = "{\"Version\":\"2012-10-17\",\"Id\":\"testAccessPointPolicy\",\"Statement\":[{\"Sid\":\"st1\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"" + AccountId + "\"},\"Action\":\"s3-outposts:*\",\"Resource\":\"" + accessPointArn + "\"}]}"; PutAccessPointPolicyRequest reqPutAccessPointPolicy = new PutAccessPointPolicyRequest() .withAccountId(AccountId) .withName(accessPointArn) .withPolicy(policy); PutAccessPointPolicyResult respPutAccessPointPolicy = s3ControlClient.putAccessPointPolicy(reqPutAccessPointPolicy); System.out.printf("PutAccessPointPolicy Response: %s%n", respPutAccessPointPolicy.toString()); printWriter.printf("PutAccessPointPolicy Response: %s%n", respPutAccessPointPolicy.toString()); } ``` # Viewing an access point policy for an S3 on Outposts access point Viewing an access point policy Access points have distinct permissions and network controls that Amazon S3 on Outposts applies for any request that is made through that access point. Each access point enforces a customized access point policy that works in conjunction with the bucket policy that is attached to the underlying bucket. For more information, see [Access points](S3OutpostsWorkingBuckets.md#S3OutpostsAP). For more information about working with access points in S3 on Outposts, see [Working with S3 on Outposts buckets](S3OutpostsWorkingBuckets.md). The following topics show you how to view your S3 on Outposts access point policy by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console 1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Outposts access points**. 1. Choose the Outposts access point that you want to view the policy for. 1. On the **Permissions** tab, review the S3 on Outposts access point policy. 1. To edit the access point policy, see [Adding or editing an access point policy](S3OutpostsAccessPointEditPolicy.md). ## Using the AWS CLI The following AWS CLI example gets a policy for an Outposts access point. To run this command, replace the `user input placeholders` with your own information. ``` aws s3control get-access-point-policy --account-id 123456789012 --name arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point ``` ## Using the AWS SDK for Java The following SDK for Java example gets a policy for an Outposts access point. ``` import com.amazonaws.services.s3control.model.*; public void getAccessPointPolicy(String accessPointArn) { GetAccessPointPolicyRequest reqGetAccessPointPolicy = new GetAccessPointPolicyRequest() .withAccountId(AccountId) .withName(accessPointArn); GetAccessPointPolicyResult respGetAccessPointPolicy = s3ControlClient.getAccessPointPolicy(reqGetAccessPointPolicy); System.out.printf("GetAccessPointPolicy Response: %s%n", respGetAccessPointPolicy.toString()); printWriter.printf("GetAccessPointPolicy Response: %s%n", respGetAccessPointPolicy.toString()); } ```