

# Working with S3 on Outposts buckets

With Amazon S3 on Outposts, you can create S3 buckets on your AWS Outposts and easily store and retrieve objects on premises for applications that require local data access, local data processing, and data residency. S3 on Outposts provides a new storage class, S3 Outposts (`OUTPOSTS`), which uses the Amazon S3 APIs, and is designed to store data durably and redundantly across multiple devices and servers on your AWS Outposts. You can use the same APIs and features on Outpost buckets as you do on Amazon S3, including access policies, encryption, and tagging. For more information, see [What is Amazon S3 on Outposts?](S3onOutposts.md)

You communicate with your Outpost buckets by using an access point and endpoint connection over a virtual private cloud (VPC). To access your S3 on Outposts buckets and objects, you must have an access point for the VPC and an endpoint for the same VPC. For more information, see [Networking for S3 on Outposts](S3OutpostsNetworking.md).

## Buckets


In S3 on Outposts, bucket names are unique to an Outpost and require the AWS Region code for the Region the Outpost is homed to, AWS account ID, Outpost ID, and the bucket name to identify them.

```
arn:aws:s3-outposts:region:account-id:outpost/outpost-id/bucket/bucket-name
```

For more information, see [Resource ARNs for S3 on Outposts](S3OutpostsIAM.md#S3OutpostsARN).

## Access points


Amazon S3 on Outposts supports virtual private cloud (VPC)-only access points as the only means to access your Outposts buckets. 

Access points simplify managing data access at scale for shared datasets in Amazon S3. Access points are named network endpoints that are attached to buckets that you can use to perform Amazon S3 object operations, such as `GetObject` and `PutObject`. With S3 on Outposts, you must use access points to access any object in an Outposts bucket. Access points support only virtual-host-style addressing.

The following example shows the ARN format that you use for S3 on Outposts access points. The access point ARN includes the AWS Region code for the Region the Outpost is homed to, AWS account ID, Outpost ID, and access point name.

```
arn:aws:s3-outposts:region:account-id:outpost/outpost-id/accesspoint/accesspoint-name
```

## Endpoints


To route requests to an S3 on Outposts access point, you must create and configure an S3 on Outposts endpoint. With S3 on Outposts endpoints, you can privately connect your VPC to your Outpost bucket. S3 on Outposts endpoints are virtual uniform resource identifiers (URIs) of the entry point to your S3 on Outposts bucket. They are horizontally scaled, redundant, and highly available VPC components.

Each virtual private cloud (VPC) on your Outpost can have one associated endpoint, and you can have up to 100 endpoints per Outpost. You must create these endpoints to be able to access your Outpost buckets and perform object operations. Creating these endpoints also enables the API model and behaviors to be the same by allowing the same operations to work in S3 and S3 on Outposts. 

## API operations on S3 on Outposts


To manage Outpost bucket API operations, S3 on Outposts hosts a separate endpoint that is distinct from the Amazon S3 endpoint. This endpoint is `s3-outposts.region.amazonaws.com`. 

To use Amazon S3 API operations, you must sign the bucket and objects using the correct ARN format. You must pass ARNs to API operations so that Amazon S3 can determine whether the request is for Amazon S3 (`s3-control.region.amazonaws.com`) or for S3 on Outposts (`s3-outposts.region.amazonaws.com`). Based on the ARN format, S3 can then sign and route the request appropriately. 

Whenever a request is sent to the Amazon S3 control plane, the SDK extracts the components from the ARN and includes the additional header `x-amz-outpost-id`, with the `outpost-id` value extracted from the ARN. The service name from the ARN is used to sign the request before it is routed to the S3 on Outposts endpoint. This behavior applies to all API operations handled by the `s3control` client. 

The following table lists the extended API operations for Amazon S3 on Outposts and their changes relative to Amazon S3.


|  API |  S3 on Outposts parameter value | 
| --- | --- | 
|  `CreateBucket`  |  Bucket name as ARN, Outpost ID  | 
|  `ListRegionalBuckets`  |  Outpost ID  | 
|  `DeleteBucket`  |  Bucket name as ARN  | 
|  `DeleteBucketLifecycleConfiguration`  |  Bucket name as ARN  | 
|  `GetBucketLifecycleConfiguration`  |  Bucket name as ARN  | 
|  `PutBucketLifecycleConfiguration`  |  Bucket name as ARN  | 
|  `GetBucketPolicy`  |  Bucket name as ARN  | 
|  `PutBucketPolicy`  |  Bucket name as ARN  | 
|  `DeleteBucketPolicy`  |  Bucket name as ARN  | 
|  `GetBucketTagging`  |  Bucket name as ARN  | 
|  `PutBucketTagging`  |  Bucket name as ARN  | 
|  `DeleteBucketTagging`  |  Bucket name as ARN  | 
|  `CreateAccessPoint`  |  Access point name as ARN  | 
|  `DeleteAccessPoint`  |  Access point name as ARN  | 
|  `GetAccessPoint`  |  Access point name as ARN  | 
|  `ListAccessPoints`  |  Access point name as ARN  | 
|  `PutAccessPointPolicy`  |  Access point name as ARN  | 
|  `GetAccessPointPolicy`  |  Access point name as ARN  | 
|  `DeleteAccessPointPolicy`  |  Access point name as ARN  | 
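
The ARN handling described in this section, written out as an added Python example (not AWS SDK code and not part of the original page). It parses the two ARN shapes shown above, rejects malformed or unfilled ARNs, and derives the endpoint host, signing service name, and `x-amz-outpost-id` header that the page says the SDK produces. The function and class names, the Region and Outpost ID patterns, and the `Route` structure are assumptions made for illustration.

```python
import re
import string
from dataclasses import dataclass, field
from typing import Optional

OUTPOSTS_SERVICE = "s3-outposts"


@dataclass(frozen=True)
class OutpostsArn:
    region: str
    account_id: str
    outpost_id: str
    kind: str  # "bucket" or "accesspoint"
    name: str


@dataclass(frozen=True)
class Route:
    host: str
    signing_name: Optional[str]  # None: regular Amazon S3 request, signing not modelled here
    headers: dict = field(default_factory=dict)


def valid_bucket_name(name: str) -> bool:
    """Bucket name rules listed on this page: 3-63 chars, no uppercase,
    starts with a lowercase letter or a number."""
    first_ok = name[:1] in set(string.ascii_lowercase + string.digits)
    return 3 <= len(name) <= 63 and name == name.lower() and first_ok


def parse_outposts_arn(arn: str) -> OutpostsArn:
    """Parse arn:aws:s3-outposts:region:account-id:outpost/outpost-id/{bucket|accesspoint}/name.
    Raises ValueError for anything else."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, _partition, service, region, account_id, resource = parts
    if service != OUTPOSTS_SERVICE:
        raise ValueError(f"service field is {service!r}, expected {OUTPOSTS_SERVICE!r}")
    # Assumption: Region codes look like us-east-1; this also catches an
    # unreplaced "region" placeholder.
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d+", region):
        raise ValueError(f"bad or unreplaced Region code: {region!r}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")
    segs = resource.split("/")
    if len(segs) != 4 or segs[0] != "outpost" or segs[2] not in ("bucket", "accesspoint"):
        raise ValueError(f"bad resource part: {resource!r}")
    outpost_id, kind, name = segs[1], segs[2], segs[3]
    # Assumption, taken from the page's sample ID (op-01ac5d28a6a232904):
    # "op-" followed by lowercase hex digits.
    if not re.fullmatch(r"op-[0-9a-f]+", outpost_id):
        raise ValueError(f"bad or unreplaced Outpost ID: {outpost_id!r}")
    if not name or (kind == "bucket" and not valid_bucket_name(name)):
        raise ValueError(f"bad {kind} name: {name!r}")
    return OutpostsArn(region, account_id, outpost_id, kind, name)


def route_control_request(bucket_param: str, client_region: str) -> Route:
    """Decide where a control-plane request goes, based on the bucket parameter.

    A plain bucket name is treated as a regular Amazon S3 request. An ARN must
    be a valid S3 on Outposts ARN; its Region, service name, and Outpost ID
    drive the endpoint, the signing name, and the extra header.
    """
    if not bucket_param.startswith("arn:"):
        return Route(host=f"s3-control.{client_region}.amazonaws.com", signing_name=None)
    arn = parse_outposts_arn(bucket_param)
    return Route(
        host=f"{OUTPOSTS_SERVICE}.{arn.region}.amazonaws.com",
        signing_name=OUTPOSTS_SERVICE,
        headers={"x-amz-outpost-id": arn.outpost_id},
    )


if __name__ == "__main__":
    # Constructed sample input using the page's example account and Outpost IDs.
    sample = ("arn:aws:s3-outposts:us-east-1:123456789012:"
              "outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket")
    print(route_control_request(sample, client_region="us-west-2"))
```

Running the parser over ARNs before they reach `put-bucket-policy` or a policy `Resource` element catches unfilled placeholders and doubled fields early, instead of as a rejected request or a policy that matches nothing.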

## Creating and managing S3 on Outposts buckets


For more information about creating and managing S3 on Outposts buckets, see the following topics.


# Creating an S3 on Outposts bucket

With Amazon S3 on Outposts, you can create S3 buckets on your AWS Outposts and easily store and retrieve objects on premises for applications that require local data access, local data processing, and data residency. S3 on Outposts provides a new storage class, S3 Outposts (`OUTPOSTS`), which uses the Amazon S3 APIs, and is designed to store data durably and redundantly across multiple devices and servers on your AWS Outposts. You communicate with your Outpost bucket by using an access point and endpoint connection over a virtual private cloud (VPC). You can use the same APIs and features on Outpost buckets as you do on Amazon S3 buckets, including access policies, encryption, and tagging. You can use S3 on Outposts through the AWS Management Console, AWS Command Line Interface (AWS CLI), AWS SDKs, or REST API. For more information, see [What is Amazon S3 on Outposts?](S3onOutposts.md)

**Note**  
The AWS account that creates the bucket owns it and is the only one that can commit actions to it. Buckets have configuration properties, such as Outpost, tag, default encryption, and access point settings. The access point settings include the virtual private cloud (VPC), the access point policy for accessing the objects in the bucket, and other metadata. For more information, see [S3 on Outposts specifications](S3OnOutpostsRestrictionsLimitations.md#S3OnOutpostsSpecifications).  
If you want to create a bucket that uses AWS PrivateLink to provide bucket and endpoint management access through *interface VPC endpoints* in your virtual private cloud (VPC), see [AWS PrivateLink for S3 on Outposts](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-outposts-privatelink-interface-endpoints.html).

The following examples show you how to create an S3 on Outposts bucket by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java.

## Using the S3 console


1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Choose **Create Outposts bucket**.

1. For **Bucket name**, enter a Domain Name System (DNS)-compliant name for your bucket.

   The bucket name must:
   + Be unique within the AWS account, the Outpost, and the AWS Region that the Outpost is homed to.
   + Be 3–63 characters long.
   + Not contain uppercase characters.
   + Start with a lowercase letter or number.

   After you create the bucket, you can't change its name. For information about naming buckets, see [General purpose bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html) in the *Amazon S3 User Guide*.

   **Important**  
   Avoid including sensitive information such as account numbers in the bucket name. The bucket name is visible in the URLs that point to the objects in the bucket.

1. For **Outpost**, choose the Outpost where you want the bucket to reside. 

1. Under **Bucket Versioning**, set the S3 Versioning state for your S3 on Outposts bucket to one of the following options:
   + **Disable** (default) – The bucket remains unversioned.
   + **Enable** – Enables S3 Versioning for the objects in the bucket. All objects added to the bucket receive a unique version ID.

   For more information about S3 Versioning, see [Managing S3 Versioning for your S3 on Outposts bucket](S3OutpostsManagingVersioning.md).

1. (Optional) Add any **optional tags** that you would like to associate with the Outposts bucket. You can use tags to track criteria for individual projects or groups of projects, or to label your buckets by using cost-allocation tags.

   By default, all objects stored in your Outposts bucket are stored by using server-side encryption with Amazon S3 managed encryption keys (SSE-S3). You can also explicitly choose to store objects by using server-side encryption with customer-provided encryption keys (SSE-C). To change the encryption type, you must use the REST API, AWS Command Line Interface (AWS CLI), or AWS SDKs.

1. In the **Outposts access point settings** section, enter the access point name.

   S3 on Outposts access points simplify managing data access at scale for shared datasets in S3 on Outposts. Access points are named network endpoints that are attached to Outposts buckets that you can use to perform S3 object operations. For more information, see [Access points](S3OutpostsWorkingBuckets.md#S3OutpostsAP). 

   Access point names must be unique within the account for this Region and Outpost, and comply with the [access point restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-restrictions-limitations.html).

1. Choose the **VPC** for this Amazon S3 on Outposts access point. 

   If you don't have a VPC, choose **Create VPC**. For more information, see [Creating access points restricted to a virtual private cloud (VPC)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-vpc.html) in the *Amazon S3 User Guide*.

   A virtual private cloud (VPC) enables you to launch AWS resources into a virtual network that you define. This virtual network closely resembles a traditional network that you would operate in your own data center, with the benefits of using the scalable infrastructure of AWS. 

1. (Optional for an existing VPC) Choose an **Endpoint subnet** for your endpoint. 

   A subnet is a range of IP addresses in your VPC. If you don't have the subnet that you want, choose **Create subnet**. For more information, see [Networking for S3 on Outposts](S3OutpostsNetworking.md). 

1. (Optional for an existing VPC) Choose an **Endpoint security group** for your endpoint.

   A [security group](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html) acts as a virtual firewall to control inbound and outbound traffic.

1. (Optional for an existing VPC) Choose the **Endpoint access type**:
   + **Private** – To be used with the VPC.
   + **Customer owned IP** – To be used with a customer-owned IP address pool (CoIP pool) from within your on-premises network.

1. (Optional) Specify the **Outpost access point policy**. The console automatically displays the **Amazon Resource Name (ARN)** for the access point, which you can use in the policy.

1. Choose **Create Outposts bucket**.

   **Note**  
   It can take up to 5 minutes for your Outpost endpoint to be created and your bucket to be ready to use. To configure additional bucket settings, choose **View details**.

## Using the AWS CLI


**Example**  
The following example creates an S3 on Outposts bucket (`s3-outposts:CreateBucket`) by using the AWS CLI. To run this command, replace the `user input placeholders` with your own information.  

```
aws s3control create-bucket --bucket example-outposts-bucket --outpost-id op-01ac5d28a6a232904
```

## Using the AWS SDK for Java


**Example**  
For examples of how to create an S3 Outposts bucket with the AWS SDK for Java, see [CreateOutpostsBucket.java](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javav2/example_code/s3/src/main/java/com/example/s3/outposts/CreateOutpostsBucket.java) in the *AWS SDK for Java 2.x Code Examples*.

# Adding tags for S3 on Outposts buckets

You can add tags for your Amazon S3 on Outposts buckets to track storage costs and other criteria for individual projects or groups of projects.

**Note**  
The AWS account that creates the bucket owns it and is the only one that can change its tags.

## Using the S3 console


1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Choose the Outposts bucket whose tags you want to edit.

1. Choose the **Properties** tab.

1. Under **Tags**, choose **Edit**.

1. Choose **Add new tag**, and enter the **Key** and optional **Value**.

   Add any tags that you would like to associate with an Outposts bucket to track other criteria for individual projects or groups of projects.

1. Choose **Save changes**.

## Using the AWS CLI


The following AWS CLI example applies a tagging configuration to an S3 on Outposts bucket by using a JSON document in the current folder that specifies tags (`tagging.json`). To use this example, replace each `user input placeholder` with your own information.

```
aws s3control put-bucket-tagging --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket --tagging file://tagging.json

tagging.json

{
   "TagSet": [
     {
       "Key": "organization",
       "Value": "marketing"
     }
   ]
}
```

The following AWS CLI example applies a tagging configuration to an S3 on Outposts bucket directly from the command line.

```
aws s3control put-bucket-tagging --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket --tagging 'TagSet=[{Key=organization,Value=marketing}]'
```

For more information about this command, see [put-bucket-tagging](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/put-bucket-tagging.html) in the *AWS CLI Reference*.

# Managing access to an Amazon S3 on Outposts bucket using a bucket policy

A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy that you can use to grant access permissions to your bucket and the objects in it. Only the bucket owner can associate a policy with a bucket. The permissions attached to the bucket apply to all of the objects in the bucket that are owned by the bucket owner. Bucket policies are limited to 20 KB in size. For more information, see [Bucket policy](S3onOutposts.md#S3OutpostsBucketPolicies).

You can update your bucket policy to manage access to your Amazon S3 on Outposts bucket. For more information, see the following topics.

**Topics**
+ [Adding or editing a bucket policy for an Amazon S3 on Outposts bucket](S3OutpostsBucketPolicyEdit.md)
+ [Viewing the bucket policy for your Amazon S3 on Outposts bucket](S3OutpostsBucketPolicyGet.md)
+ [Deleting the bucket policy for your Amazon S3 on Outposts bucket](S3OutpostsBucketPolicyDelete.md)
+ [Bucket policy examples](S3Outposts-example-bucket-policies.md)

# Adding or editing a bucket policy for an Amazon S3 on Outposts bucket

A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy that you can use to grant access permissions to your bucket and the objects in it. Only the bucket owner can associate a policy with a bucket. The permissions attached to the bucket apply to all of the objects in the bucket that are owned by the bucket owner. Bucket policies are limited to 20 KB in size. For more information, see [Bucket policy](S3onOutposts.md#S3OutpostsBucketPolicies).

The following topics show you how to update your Amazon S3 on Outposts bucket policy by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS SDK for Java. 

## Using the S3 console


**To create or edit a bucket policy**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Choose the Outposts bucket whose bucket policy you want to edit.

1. Choose the **Permissions** tab.

1. In the **Outposts bucket policy** section, to create or edit a policy, choose **Edit**.

   You can now add or edit the S3 on Outposts bucket policy. For more information, see [Setting up IAM with S3 on Outposts](S3OutpostsIAM.md).

## Using the AWS CLI


The following AWS CLI example puts a policy on an Outposts bucket.

1. Save the following bucket policy to a JSON file. In this example, the file is named `policy1.json`. Replace the `user input placeholders` with your own information.

   ```
   {
      "Version":"2012-10-17",
      "Id":"testBucketPolicy",
      "Statement":[
         {
            "Sid":"st1",
            "Effect":"Allow",
            "Principal":{
               "AWS":"arn:aws:iam::123456789012:root"
            },
            "Action":[
               "s3-outposts:GetObject",
               "s3-outposts:PutObject",
               "s3-outposts:DeleteObject",
               "s3-outposts:ListBucket"
            ],
            "Resource":"arn:aws:s3-outposts:us-east-1:123456789012:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket"
         }
      ]
   }
   ```


1. Submit the JSON file as part of the `put-bucket-policy` CLI command. To run this command, replace the `user input placeholders` with your own information.

   ```
   aws s3control put-bucket-policy --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket --policy file://policy1.json
   ```

## Using the AWS SDK for Java


The following SDK for Java example puts a policy on an Outposts bucket.

```
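import com.amazonaws.services.s3control.model.*;

// Fragment: AccountId (String) and s3ControlClient (the S3 Control client) are
// assumed to be fields of the enclosing class, which is not shown here.
public void putBucketPolicy(String bucketArn) {

    // The policy is passed as a JSON string. This one allows every
    // s3-outposts action on the bucket ARN for the given principal.
    String policy = "{\"Version\":\"2012-10-17\",\"Id\":\"testBucketPolicy\",\"Statement\":[{\"Sid\":\"st1\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"" + AccountId + "\"},\"Action\":\"s3-outposts:*\",\"Resource\":\"" + bucketArn + "\"}]}";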

    PutBucketPolicyRequest reqPutBucketPolicy = new PutBucketPolicyRequest()
            .withAccountId(AccountId)
            .withBucket(bucketArn)
            .withPolicy(policy);

    PutBucketPolicyResult respPutBucketPolicy = s3ControlClient.putBucketPolicy(reqPutBucketPolicy);
    System.out.printf("PutBucketPolicy Response: %s%n", respPutBucketPolicy.toString());

}
```

# Viewing the bucket policy for your Amazon S3 on Outposts bucket

A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy that you can use to grant access permissions to your bucket and the objects in it. Only the bucket owner can associate a policy with a bucket. The permissions attached to the bucket apply to all of the objects in the bucket that are owned by the bucket owner. Bucket policies are limited to 20 KB in size. For more information, see [Bucket policy](S3onOutposts.md#S3OutpostsBucketPolicies).

The following topics show you how to view your Amazon S3 on Outposts bucket policy by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS SDK for Java. 

## Using the S3 console


**To view a bucket policy**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Choose the Outposts bucket whose permission you want to edit.

1. Choose the **Permissions** tab.

1. In the **Outposts bucket policy** section, you can review your existing bucket policy. For more information, see [Setting up IAM with S3 on Outposts](S3OutpostsIAM.md).

## Using the AWS CLI


The following AWS CLI example gets a policy for an Outposts bucket. To run this command, replace the `user input placeholders` with your own information.

```
aws s3control get-bucket-policy --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket
```

## Using the AWS SDK for Java


The following SDK for Java example gets a policy for an Outposts bucket.

```
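import com.amazonaws.services.s3control.model.*;

// Fragment: AccountId (String) and s3ControlClient (the S3 Control client) are
// assumed to be fields of the enclosing class, which is not shown here.
public void getBucketPolicy(String bucketArn) {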

    GetBucketPolicyRequest reqGetBucketPolicy = new GetBucketPolicyRequest()
            .withAccountId(AccountId)
            .withBucket(bucketArn);

    GetBucketPolicyResult respGetBucketPolicy = s3ControlClient.getBucketPolicy(reqGetBucketPolicy);
    System.out.printf("GetBucketPolicy Response: %s%n", respGetBucketPolicy.toString());

}
```

# Deleting the bucket policy for your Amazon S3 on Outposts bucket

A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy that you can use to grant access permissions to your bucket and the objects in it. Only the bucket owner can associate a policy with a bucket. The permissions attached to the bucket apply to all of the objects in the bucket that are owned by the bucket owner. Bucket policies are limited to 20 KB in size. For more information, see [Bucket policy](S3onOutposts.md#S3OutpostsBucketPolicies).

The following topics show you how to delete your Amazon S3 on Outposts bucket policy by using the AWS Management Console or AWS Command Line Interface (AWS CLI). 

## Using the S3 console


**To delete a bucket policy**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Choose the Outposts bucket whose permission you want to edit.

1. Choose the **Permissions** tab.

1. In the **Outposts bucket policy** section, choose **Delete**.

1. Confirm the deletion.

## Using the AWS CLI


The following example deletes the bucket policy for an S3 on Outposts bucket (`s3-outposts:DeleteBucketPolicy`) by using the AWS CLI. To run this command, replace the `user input placeholders` with your own information.

```
aws s3control delete-bucket-policy --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket
```

# Bucket policy examples


With S3 on Outposts bucket policies, you can secure access to objects in your S3 on Outposts buckets, so that only users with the appropriate permissions can access them. You can even prevent authenticated users without the appropriate permissions from accessing your S3 on Outposts resources.

This section presents examples of typical use cases for S3 on Outposts bucket policies. To test these policies, replace the `user input placeholders` with your own information (such as your bucket name). 

To grant or deny permissions to a set of objects, you can use wildcard characters (`*`) in Amazon Resource Names (ARNs) and other values. For example, you can control access to groups of objects that begin with a common [prefix](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#keyprefix) or end with a given extension, such as `.html`. 

For more information about AWS Identity and Access Management (IAM) policy language, see [Setting up IAM with S3 on Outposts](S3OutpostsIAM.md).

**Note**  
When testing [`s3outposts`](https://docs.aws.amazon.com/cli/latest/reference/s3outposts/) permissions by using the Amazon S3 console, you must grant additional permissions that the console requires, such as `s3outposts:createendpoint`, `s3outposts:listendpoints`, and so on.

**Additional resources for creating bucket policies**
+ For a list of the IAM policy actions, resources, and condition keys you can use when creating an S3 on Outposts bucket policy, see [Actions, resources, and condition keys for Amazon S3 on Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html).
+ For guidance on creating your S3 on Outposts policy, see [Adding or editing a bucket policy for an Amazon S3 on Outposts bucket](S3OutpostsBucketPolicyEdit.md).

**Topics**
+ [Managing access to an Amazon S3 on Outposts bucket based on specific IP addresses](#S3OutpostsBucketPolicyManageIPaccess)

## Managing access to an Amazon S3 on Outposts bucket based on specific IP addresses

A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy that you can use to grant access permissions to your bucket and the objects in it. Only the bucket owner can associate a policy with a bucket. The permissions attached to the bucket apply to all of the objects in the bucket that are owned by the bucket owner. Bucket policies are limited to 20 KB in size. For more information, see [Bucket policy](S3onOutposts.md#S3OutpostsBucketPolicies).

### Restrict access to specific IP addresses


The following example denies all users from performing any [S3 on Outposts operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/S3OutpostsWorkingBuckets.html) on objects in the specified buckets unless the request originates from the specified range of IP addresses. 

**Note**  
When restricting access to a specific IP address, make sure that you also specify which VPC endpoints, VPC source IP addresses, or external IP addresses can access the S3 on Outposts bucket. Otherwise, you might lose access to the bucket if your policy denies all users from performing any [`s3outposts`](https://docs.aws.amazon.com/cli/latest/reference/s3outposts/) operations on objects in your S3 on Outposts bucket without the proper permissions already in place.

This policy's `Condition` statement identifies *`192.0.2.0/24`* as the range of allowed IP version 4 (IPv4) IP addresses. 

The `Condition` block uses the `NotIpAddress` condition and the `aws:SourceIp` condition key, which is an AWS-wide condition key. The `aws:SourceIp` condition key can only be used for public IP address ranges. For more information about these condition keys, see [Actions, resources, and condition keys for S3 on Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html). The `aws:SourceIp` IPv4 values use standard CIDR notation. For more information, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Conditions_IPAddress) in the *IAM User Guide*. 

**Warning**  
Before using this S3 on Outposts policy, replace the *`192.0.2.0/24`* IP address range in this example with an appropriate value for your use case. Otherwise, you'll lose the ability to access your bucket.

```
{
    "Version": "2012-10-17",
    "Id": "S3OutpostsPolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3-outposts:*",
            "Resource": [
                "arn:aws:s3-outposts:region:111122223333:outpost/OUTPOSTS-ID/accesspoint/EXAMPLE-ACCESS-POINT-NAME",
                "arn:aws:s3-outposts:region:111122223333:outpost/OUTPOSTS-ID/bucket/amzn-s3-demo-bucket"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        }
    ]
}
```

### Allow both IPv4 and IPv6 addresses


When you start using IPv6 addresses, we recommend that you update all of your organization's policies with your IPv6 address ranges in addition to your existing IPv4 ranges. Doing this will help to make sure that the policies continue to work as you make the transition to IPv6.

The following S3 on Outposts example bucket policy shows how to mix IPv4 and IPv6 address ranges to cover all of your organization's valid IP addresses. The example policy allows access to the example IP addresses *`192.0.2.1`* and *`2001:DB8:1234:5678::1`* and denies access to the addresses *`203.0.113.1`* and *`2001:DB8:1234:5678:ABCD::1`*.

The `aws:SourceIp` condition key can only be used for public IP address ranges. The IPv6 values for `aws:SourceIp` must be in standard CIDR format. For IPv6, we support using `::` to represent a range of 0s (for example, `2001:DB8:1234:5678::/64`). For more information, see [IP address condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_IPAddress) in the *IAM User Guide*.

**Warning**  
Replace the IP address ranges in this example with appropriate values for your use case before using this S3 on Outposts policy. Otherwise, you might lose the ability to access your bucket.

```
{
    "Id": "S3OutpostsPolicyId2",
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "AllowIPmix",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "s3-outposts:GetObject",
                "s3-outposts:PutObject",
                "s3-outposts:ListBucket"
            ],
            "Resource": [            
                "arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket",
                "arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "192.0.2.0/24",
                        "2001:DB8:1234:5678::/64"
                    ]
                },
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "203.0.113.0/24",
                        "2001:DB8:1234:5678:ABCD::/80"
                    ]
                }
            }
        }
    ]
}
```
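
A pre-flight check for the two IP-based policies in this section, as an added Python example (not AWS code and not part of the original page). It evaluates only the `IpAddress` and `NotIpAddress` operators on `aws:SourceIp` and ignores `Principal`, `Action`, and `Resource`, so it answers one question: which source addresses would match each statement before you apply the policy. The function names and the trimmed policy dictionaries are assumptions made for illustration.

```python
import ipaddress

# Trimmed copies of the two example policies above: only the fields this
# check reads (Sid, Effect, Condition) are kept.
DENY_OUTSIDE_RANGE = {
    "Statement": [{
        "Sid": "IPAllow",
        "Effect": "Deny",
        "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}},
    }]
}
ALLOW_IP_MIX = {
    "Statement": [{
        "Sid": "AllowIPmix",
        "Effect": "Allow",
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "2001:DB8:1234:5678::/64"]},
            "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24", "2001:DB8:1234:5678:ABCD::/80"]},
        },
    }]
}


def in_any_range(source_ip: str, cidrs) -> bool:
    """True if source_ip falls inside at least one CIDR range (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(source_ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects ranges with host bits set
        if net.version == addr.version and addr in net:
            return True
    return False


def condition_matches(condition: dict, source_ip: str) -> bool:
    """All operators must hold (AND); values listed under one key are alternatives (OR)."""
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator not handled by this check: {operator}")
        for key, values in keys.items():
            if key != "aws:SourceIp":
                raise ValueError(f"condition key not handled by this check: {key}")
            if isinstance(values, str):
                values = [values]
            hit = in_any_range(source_ip, values)
            if operator == "IpAddress" and not hit:
                return False
            if operator == "NotIpAddress" and hit:
                return False
    return True


def decision(policy: dict, source_ip: str) -> str:
    """Return "Deny", "Allow", or "ImplicitDeny" for this policy alone.

    An explicit Deny wins over any Allow. "ImplicitDeny" means this policy
    grants nothing to the address; another policy may still grant access.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if condition_matches(stmt.get("Condition", {}), source_ip):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def explicitly_denied(policy: dict, source_ips) -> list:
    """Addresses that would hit an explicit Deny, for example your own admin hosts."""
    return [ip for ip in source_ips if decision(policy, ip) == "Deny"]


if __name__ == "__main__":
    # Constructed sample addresses: the four named on this page plus one
    # address outside every listed range.
    for ip in ("192.0.2.1", "2001:DB8:1234:5678::1",
               "203.0.113.1", "2001:DB8:1234:5678:ABCD::1"):
        print(ip, decision(ALLOW_IP_MIX, ip))
    print(explicitly_denied(DENY_OUTSIDE_RANGE, ["192.0.2.10", "198.51.100.7"]))
```

Run `explicitly_denied` with the addresses you administer the bucket from before submitting a Deny policy: any address it returns would be locked out once the policy is in place.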


# Listing Amazon S3 on Outposts buckets

With Amazon S3 on Outposts, you can create S3 buckets on your AWS Outposts and easily store and retrieve objects on premises for applications that require local data access, local data processing, and data residency. S3 on Outposts provides a new storage class, S3 Outposts (`OUTPOSTS`), which uses the Amazon S3 APIs, and is designed to store data durably and redundantly across multiple devices and servers on your AWS Outposts. You communicate with your Outpost bucket by using an access point and endpoint connection over a virtual private cloud (VPC). You can use the same APIs and features on Outpost buckets as you do on Amazon S3 buckets, including access policies, encryption, and tagging. You can use S3 on Outposts through the AWS Management Console, AWS Command Line Interface (AWS CLI), AWS SDKs, or REST API. For more information, see [What is Amazon S3 on Outposts?](S3onOutposts.md)

For more information about working with buckets in S3 on Outposts, see [Working with S3 on Outposts buckets](S3OutpostsWorkingBuckets.md).

The following examples show you how to return a list of your S3 on Outposts buckets by using the AWS Management Console, AWS CLI, and AWS SDK for Java.

## Using the S3 console


1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Under **Outposts buckets**, review your list of S3 on Outposts buckets.

## Using the AWS CLI


The following AWS CLI example gets a list of buckets in an Outpost. To use this command, replace each `user input placeholder` with your own information. For more information about this command, see [list-regional-buckets](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/list-regional-buckets.html) in the *AWS CLI Reference*.

```
aws s3control list-regional-buckets --account-id 123456789012 --outpost-id op-01ac5d28a6a232904
```

## Using the AWS SDK for Java


The following SDK for Java example gets a list of buckets in an Outpost. For more information, see [ListRegionalBuckets](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListRegionalBuckets.html) in the *Amazon Simple Storage Service API Reference*.

```
import com.amazonaws.services.s3control.model.*;

public void listRegionalBuckets() {

    ListRegionalBucketsRequest reqListBuckets = new ListRegionalBucketsRequest()
            .withAccountId(AccountId)
            .withOutpostId(OutpostId);

    ListRegionalBucketsResult respListBuckets = s3ControlClient.listRegionalBuckets(reqListBuckets);
    System.out.printf("ListRegionalBuckets Response: %s%n", respListBuckets.toString());

}
```

# Getting an S3 on Outposts bucket by using the AWS CLI and the SDK for Java

The following examples show you how to get an S3 on Outposts bucket by using the AWS CLI and AWS SDK for Java.

**Note**  
When you're working with Amazon S3 on Outposts through the AWS CLI or AWS SDKs, you provide the access point ARN for the Outpost in place of the bucket name. The access point ARN takes the following form, where `region` is the AWS Region code for the Region that the Outpost is homed to:   
`arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point`   
For more information about S3 on Outposts ARNs, see [Resource ARNs for S3 on Outposts](S3OutpostsIAM.md#S3OutpostsARN).

## Using the AWS CLI


The following S3 on Outposts example gets a bucket by using the AWS CLI. To use this command, replace each `user input placeholder` with your own information. For more information about this command, see [get-bucket](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/get-bucket.html) in the *AWS CLI Reference*.

```
aws s3control get-bucket --account-id 123456789012 --bucket "arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket"
```

## Using the AWS SDK for Java


The following S3 on Outposts example gets a bucket by using the SDK for Java. For more information, see [GetBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetBucket.html) in the *Amazon Simple Storage Service API Reference*.

```
import com.amazonaws.services.s3control.model.*;

public void getBucket(String bucketArn) {

    GetBucketRequest reqGetBucket = new GetBucketRequest()
            .withBucket(bucketArn)
            .withAccountId(AccountId);

    GetBucketResult respGetBucket = s3ControlClient.getBucket(reqGetBucket);
    System.out.printf("GetBucket Response: %s%n", respGetBucket.toString());

}
```

# Deleting your Amazon S3 on Outposts bucket

For more information about working with buckets in S3 on Outposts, see [Working with S3 on Outposts buckets](S3OutpostsWorkingBuckets.md).

The AWS account that creates the bucket owns it and is the only one that can delete it.

**Note**  
Outposts buckets must be empty before they can be deleted.  
The Amazon S3 console doesn't support S3 on Outposts object actions. To delete objects in an S3 on Outposts bucket, you must use the REST API, AWS CLI, or AWS SDKs.  
Before you can delete an Outposts bucket, you must delete any Outposts access points for the bucket. For more information, see [Deleting an access point](S3OutpostsAccessPointsDelete.md).  
You cannot recover a bucket after it has been deleted.

The following examples show you how to delete an S3 on Outposts bucket by using the AWS Management Console and AWS Command Line Interface (AWS CLI).

## Using the S3 console


1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Choose the bucket that you want to delete, and choose **Delete**.

1. Confirm the deletion.

## Using the AWS CLI


The following example deletes an S3 on Outposts bucket (`s3-outposts:DeleteBucket`) by using the AWS CLI. To run this command, replace the `user input placeholders` with your own information.

```
aws s3control delete-bucket --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket
```

# Working with Amazon S3 on Outposts access points

To access your Amazon S3 on Outposts bucket, you must create and configure an access point.

Access points simplify managing data access at scale for shared datasets in Amazon S3. Access points are named network endpoints that are attached to buckets that you can use to perform Amazon S3 object operations, such as `GetObject` and `PutObject`. With S3 on Outposts, you must use access points to access any object in an Outposts bucket. Access points support only virtual-host-style addressing.

**Note**  
The AWS account that creates the Outposts bucket owns it and is the only one that can assign access points to it.

The following sections describe how to create and manage access points for S3 on Outposts buckets.

**Topics**
+ [Creating an S3 on Outposts access point](S3OutpostsCreateAccessPoint.md)
+ [Using a bucket-style alias for your S3 on Outposts bucket access point](s3-outposts-access-points-alias.md)
+ [Viewing information about an access point configuration](S3OutpostsAccessPointGet.md)
+ [View a list of your Amazon S3 on Outposts access points](S3OutpostsAccessPointList.md)
+ [Deleting an access point](S3OutpostsAccessPointsDelete.md)
+ [Adding or editing an access point policy](S3OutpostsAccessPointEditPolicy.md)
+ [Viewing an access point policy for an S3 on Outposts access point](S3OutpostsAccessPointGetPolicy.md)

# Creating an S3 on Outposts access point

To access your Amazon S3 on Outposts bucket, you must create and configure an access point.

The following examples show you how to create an S3 on Outposts access point by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java.

**Note**  
The AWS account that creates the Outposts bucket owns it and is the only one that can assign access points to it.

## Using the S3 console


1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Choose the Outposts bucket that you want to create an Outposts access point for.

1. Choose the **Outposts access points** tab.

1. In the **Outposts access points** section, choose **Create Outposts access point**.

1. In **Outposts access point settings**, enter a name for the access point, and then choose the virtual private cloud (VPC) for the access point.

1. If you want to add a policy for your access point, enter it in the **Outposts access point policy** section.

   For more information, see [Setting up IAM with S3 on Outposts](S3OutpostsIAM.md).

## Using the AWS CLI


**Example**  
The following AWS CLI example creates an access point for an Outposts bucket. To run this command, replace the `user input placeholders` with your own information.  

```
aws s3control create-access-point --account-id 123456789012 --name example-outposts-access-point --bucket "arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket" --vpc-configuration VpcId=example-vpc-12345
```

## Using the AWS SDK for Java


**Example**  
For examples of how to create an access point for an S3 Outposts bucket with the AWS SDK for Java, see [CreateOutpostsAccessPoint.java](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javav2/example_code/s3/src/main/java/com/example/s3/outposts/CreateOutpostsAccessPoint.java) in the *AWS SDK for Java 2.x Code Examples*.

# Using a bucket-style alias for your S3 on Outposts bucket access point

With S3 on Outposts, you must use access points to access any object in an Outposts bucket. Every time you create an access point for a bucket, S3 on Outposts automatically generates an access point alias. You can use this access point alias instead of an access point ARN for any data plane operation. For example, you can use an access point alias to perform object-level operations such as PUT, GET, LIST, and more. For a list of these operations, see [Amazon S3 API operations for managing objects](S3OutpostsAPI.md#S3OutpostsAPIsObject).

The following examples show an ARN and access point alias for an access point named `my-access-point`.
+ **Access point ARN** – `arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/my-access-point`
+ **Access point alias** – `my-access-po-o01ac5d28a6a232904e8xz5w8ijx1qzlbp3i3kuse10--op-s3`

For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.

For more information about access point aliases, see the following topics.

**Topics**
+ [Access point aliases](#access-points-alias-name-s3-outposts)
+ [Using an access point alias in an S3 on Outposts object operation](#access-points-alias-use-case-s3-outposts)
+ [Limitations](#access-points-alias-limitations-s3-outposts)

## Access point aliases

An access point alias is created within the same namespace as an S3 on Outposts bucket. When you create an access point, S3 on Outposts automatically generates an access point alias that cannot be changed. An access point alias meets all the requirements of a valid S3 on Outposts bucket name and consists of the following parts:

`access point name prefix-metadata--op-s3`

**Note**  
The `--op-s3` suffix is reserved for access point aliases. We recommend that you don't use it for bucket or access point names. For more information about S3 on Outposts bucket-naming rules, see [Working with S3 on Outposts buckets](S3OutpostsWorkingBuckets.md).

### Finding the access point alias


The following examples show you how to find an access point alias by using the Amazon S3 console and the AWS CLI.

**Example: Find and copy an access point alias in the Amazon S3 console**  
After you create an access point in the console, you can get the access point alias from the **Access Point alias** column in the **Access Points** list.   

**To copy an access point alias**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts access points**.

1. To copy the access point alias, do one of the following:
   + In the **Access Points** list, select the option button next to the access point name, and then choose **Copy Access Point alias**.
   + Choose the access point name. Then, under **Outposts access point overview**, copy the access point alias.

**Example: Create an access point by using the AWS CLI and find the access point alias in the response**  
The following AWS CLI example for the `create-access-point` command creates the access point and returns the automatically generated access point alias. To run this command, replace the `user input placeholders` with your own information.  

```
aws s3control create-access-point --bucket example-outposts-bucket --name example-outposts-access-point --account-id 123456789012

{
    "AccessPointArn":
    "arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point",
    "Alias": "example-outp-o01ac5d28a6a232904e8xz5w8ijx1qzlbp3i3kuse10--op-s3"
}
```

**Example: Get an access point alias by using the AWS CLI**  
The following AWS CLI example for the `get-access-point` command returns information about the specified access point. This information includes the access point alias. To run this command, replace the `user input placeholders` with your own information.  

```
aws s3control get-access-point --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket --name example-outposts-access-point --account-id 123456789012

{
    "Name": "example-outposts-access-point",
    "Bucket": "example-outposts-bucket",
    "NetworkOrigin": "Vpc",
    "VpcConfiguration": {
        "VpcId": "vpc-01234567890abcdef"
    },
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    },
    "CreationDate": "2022-09-18T17:49:15.584000+00:00",
    "Alias": "example-outp-o0b1d075431d83bebde8xz5w8ijx1qzlbp3i3kuse10--op-s3"
}
```

**Example: List access points to find an access point alias by using the AWS CLI**  
The following AWS CLI example for the `list-access-points` command lists the access points for the specified bucket. The information returned for each access point includes the access point alias. To run this command, replace the `user input placeholders` with your own information.  

```
aws s3control list-access-points --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket

{
    "AccessPointList": [
        {
            "Name": "example-outposts-access-point",
            "NetworkOrigin": "Vpc",
            "VpcConfiguration": {
                "VpcId": "vpc-01234567890abcdef"
            },
            "Bucket": "example-outposts-bucket",
            "AccessPointArn": "arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point",
            "Alias": "example-outp-o0b1d075431d83bebde8xz5w8ijx1qzlbp3i3kuse10--op-s3"
        }
    ]
}
```

## Using an access point alias in an S3 on Outposts object operation


When adopting access points, you can use an access point alias without requiring extensive code changes.

This AWS CLI example shows a `get-object` operation for an S3 on Outposts bucket. This example uses the access point alias as the value for `--bucket` instead of the full access point ARN.

```
aws s3api get-object --bucket my-access-po-o0b1d075431d83bebde8xz5w8ijx1qzlbp3i3kuse10--op-s3 --key testkey sample-object.rtf

{
    "AcceptRanges": "bytes",
    "LastModified": "2020-01-08T22:16:28+00:00",
    "ContentLength": 910,
    "ETag": "\"00751974dc146b76404bb7290f8f51bb\"",
    "VersionId": "null",
    "ContentType": "text/rtf",
    "Metadata": {}
}
```

## Limitations

+ Aliases cannot be configured by customers.
+ Aliases cannot be deleted, modified, or disabled on an access point.
+ You can't use an access point alias for S3 on Outposts control plane operations. For a list of S3 on Outposts control plane operations, see [Amazon S3 Control API operations for managing buckets](S3OutpostsAPI.md#S3OutpostsAPIsBucket).
+ Aliases cannot be used in AWS Identity and Access Management (IAM) policies.
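The alias rules above (reserved `--op-s3` suffix, data plane only, not usable in IAM policies) can be checked before a command or policy is deployed. The following Python is an added example, not AWS code; the function names, the alias character rule, and the sample policies are assumptions constructed for illustration.

```python
import json
import re

ALIAS_SUFFIX = "--op-s3"  # suffix reserved for access point aliases, per this page

# ARN layout shown on this page:
#   arn:aws:s3-outposts:region:account-id:outpost/outpost-id/{bucket|accesspoint}/name
ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:s3-outposts:[a-z0-9-]+:\d{12}:"
    r"outpost/op-[0-9a-f]+/(?P<kind>bucket|accesspoint)/(?P<name>[^/]+)(?P<sub>/.*)?$"
)
# Assumption: an alias is 3-63 characters of lowercase letters, digits and
# hyphens (the page only says it meets the bucket-naming requirements).
ALIAS_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def classify(identifier):
    """Return 'access-point-arn', 'bucket-arn', 'alias' or 'other'."""
    match = ARN_RE.match(identifier)
    if match:
        return "access-point-arn" if match.group("kind") == "accesspoint" else "bucket-arn"
    if identifier.endswith(ALIAS_SUFFIX) and ALIAS_RE.match(identifier):
        return "alias"
    return "other"


def allowed_for(identifier, plane):
    """Check an identifier against the plane it is about to be used on.

    'data'    : object operations go through an access point (ARN or alias).
    'control' : s3control operations; an alias is never accepted.
    """
    kind = classify(identifier)
    if plane == "data":
        return kind in ("alias", "access-point-arn")
    if plane == "control":
        return kind != "alias"
    raise ValueError("plane must be 'data' or 'control'")


def lint_policy(policy_text):
    """Return a list of findings for the Resource elements of a policy document."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg} (line {exc.lineno})"]

    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]

    findings = []
    for index, stmt in enumerate(statements):
        label = stmt.get("Sid", f"statement #{index}")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            kind = classify(res)
            if kind == "alias":
                findings.append(f"{label}: alias in Resource, use the access point ARN: {res}")
            elif kind == "other":
                findings.append(f"{label}: Resource is not an S3 on Outposts ARN: {res}")
    return findings


# Constructed sample values, reusing the placeholder identifiers from this page.
AP_ARN = ("arn:aws:s3-outposts:region:123456789012:"
          "outpost/op-01ac5d28a6a232904/accesspoint/my-access-point")
BUCKET_ARN = ("arn:aws:s3-outposts:region:123456789012:"
              "outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket")
ALIAS = "my-access-po-o01ac5d28a6a232904e8xz5w8ijx1qzlbp3i3kuse10--op-s3"


def sample_policy(resource):
    """Build a constructed access point policy around one Resource value."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "st1",
            "Effect": "Allow",
            "Principal": {"AWS": "123456789012"},
            "Action": ["s3-outposts:GetObject", "s3-outposts:PutObject"],
            "Resource": resource,
        }],
    })


GOOD_POLICY = sample_policy(AP_ARN)
ALIAS_POLICY = sample_policy(ALIAS)
TRUNCATED_POLICY = '{"Version": "2012-10-17", "Statement": ['

if __name__ == "__main__":
    for name, value in (("ARN", AP_ARN), ("bucket ARN", BUCKET_ARN), ("alias", ALIAS)):
        print(f"{name}: kind={classify(value)} data={allowed_for(value, 'data')} "
              f"control={allowed_for(value, 'control')}")
    for name, text in (("good", GOOD_POLICY), ("alias", ALIAS_POLICY),
                       ("truncated", TRUNCATED_POLICY)):
        print(name, lint_policy(text) or "no findings")
```

Running the linter on a policy file before `put-access-point-policy` catches a malformed document or an alias in `Resource` locally instead of at request time.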

# Viewing information about an access point configuration

The following topics show you how to return configuration information for an S3 on Outposts access point by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java.

## Using the S3 console


1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts access points**.

1. Choose the Outposts access point that you want to view configuration details for.

1. Under **Outposts access point overview**, review the access point configuration details.

## Using the AWS CLI


The following AWS CLI example gets an access point for an Outposts bucket. Replace the `user input placeholders` with your own information.

```
aws s3control get-access-point --account-id 123456789012 --name arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point
```

## Using the AWS SDK for Java


The following SDK for Java example gets an access point for an Outposts bucket.

```
import com.amazonaws.services.s3control.model.*;

public void getAccessPoint(String accessPointArn) {

    GetAccessPointRequest reqGetAP = new GetAccessPointRequest()
            .withAccountId(AccountId)
            .withName(accessPointArn);

    GetAccessPointResult respGetAP = s3ControlClient.getAccessPoint(reqGetAP);
    System.out.printf("GetAccessPoint Response: %s%n", respGetAP.toString());

}
```

# View a list of your Amazon S3 on Outposts access points

The following topics show you how to return a list of your S3 on Outposts access points by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java.

## Using the S3 console


1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts access points**.

1. Under **Outposts access points**, review your list of S3 on Outposts access points.

## Using the AWS CLI


The following AWS CLI example lists the access points for an Outposts bucket. To run this command, replace the `user input placeholders` with your own information.

```
aws s3control list-access-points --account-id 123456789012 --bucket arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/bucket/example-outposts-bucket
```

## Using the AWS SDK for Java


The following SDK for Java example lists the access points for an Outposts bucket.

```
import com.amazonaws.services.s3control.model.*;

public void listAccessPoints(String bucketArn) {

    ListAccessPointsRequest reqListAPs = new ListAccessPointsRequest()
            .withAccountId(AccountId)
            .withBucket(bucketArn);

    ListAccessPointsResult respListAPs = s3ControlClient.listAccessPoints(reqListAPs);
    System.out.printf("ListAccessPoints Response: %s%n", respListAPs.toString());

}
```

# Deleting an access point


The following examples show you how to delete an access point by using the AWS Management Console and the AWS Command Line Interface (AWS CLI).

## Using the S3 console


1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts access points**.

1. In the **Outposts access points** section, choose the Outposts access point that you want to delete.

1. Choose **Delete**.

1. Confirm the deletion.

## Using the AWS CLI


The following AWS CLI example deletes an Outposts access point. To run this command, replace the `user input placeholders` with your own information.

```
aws s3control delete-access-point --account-id 123456789012 --name arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point
```

# Adding or editing an access point policy

Access points have distinct permissions and network controls that Amazon S3 on Outposts applies for any request that is made through that access point. Each access point enforces a customized access point policy that works in conjunction with the bucket policy that is attached to the underlying bucket. For more information, see [Access points](S3OutpostsWorkingBuckets.md#S3OutpostsAP).

The following topics show you how to add or edit the access point policy for your S3 on Outposts access point by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java.

## Using the S3 console


1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts buckets**.

1. Choose the Outposts bucket that you want to edit the access point policy for.

1. Choose the **Outposts access points** tab.

1. In the **Outposts access points** section, choose the access point whose policy you want to edit, and choose **Edit policy**.

1. Add or edit the policy in the **Outposts access point policy** section. For more information, see [Setting up IAM with S3 on Outposts](S3OutpostsIAM.md).

## Using the AWS CLI


The following AWS CLI example puts a policy on an Outposts access point.

1. Save the following access point policy to a JSON file. In this example, the file is named `appolicy1.json`. Replace the `user input placeholders` with your own information.

   ```
   {
      "Version":"2012-10-17",
      "Id":"exampleAccessPointPolicy",
      "Statement":[
         {
            "Sid":"st1",
            "Effect":"Allow",
            "Principal":{
               "AWS":"123456789012"
            },
            "Action":"s3-outposts:*",
            "Resource":"arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point"
         }
      ]
   }
   ```

1. Submit the JSON file as part of the `put-access-point-policy` CLI command. Replace the `user input placeholders` with your own information.

   ```
   aws s3control put-access-point-policy --account-id 123456789012 --name arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point --policy file://appolicy1.json
   ```

## Using the AWS SDK for Java


The following SDK for Java example puts a policy on an Outposts access point.

```
import com.amazonaws.services.s3control.model.*;

// Assumes s3ControlClient (an AWSS3Control client) and AccountId are fields of the enclosing class.
public void putAccessPointPolicy(String accessPointArn) {

    // "s3-outposts:*" allows every S3 on Outposts action through this access point;
    // list only the actions the principal needs when adapting this policy.
    String policy = "{\"Version\":\"2012-10-17\",\"Id\":\"testAccessPointPolicy\",\"Statement\":[{\"Sid\":\"st1\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"" + AccountId + "\"},\"Action\":\"s3-outposts:*\",\"Resource\":\"" + accessPointArn + "\"}]}";

    PutAccessPointPolicyRequest reqPutAccessPointPolicy = new PutAccessPointPolicyRequest()
            .withAccountId(AccountId)
            .withName(accessPointArn)
            .withPolicy(policy);

    PutAccessPointPolicyResult respPutAccessPointPolicy = s3ControlClient.putAccessPointPolicy(reqPutAccessPointPolicy);
    System.out.printf("PutAccessPointPolicy Response: %s%n", respPutAccessPointPolicy.toString());

}
```

# Viewing an access point policy for an S3 on Outposts access point

Access points have distinct permissions and network controls that Amazon S3 on Outposts applies for any request that is made through that access point. Each access point enforces a customized access point policy that works in conjunction with the bucket policy that is attached to the underlying bucket. For more information, see [Access points](S3OutpostsWorkingBuckets.md#S3OutpostsAP).

For more information about working with access points in S3 on Outposts, see [Working with S3 on Outposts buckets](S3OutpostsWorkingBuckets.md).

The following topics show you how to view your S3 on Outposts access point policy by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java.

## Using the S3 console


1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts access points**.

1. Choose the Outposts access point that you want to view the policy for.

1. On the **Permissions** tab, review the S3 on Outposts access point policy.

1. To edit the access point policy, see [Adding or editing an access point policy](S3OutpostsAccessPointEditPolicy.md).

## Using the AWS CLI


The following AWS CLI example gets a policy for an Outposts access point. To run this command, replace the `user input placeholders` with your own information.

```
aws s3control get-access-point-policy --account-id 123456789012 --name arn:aws:s3-outposts:region:123456789012:outpost/op-01ac5d28a6a232904/accesspoint/example-outposts-access-point
```

## Using the AWS SDK for Java


The following SDK for Java example gets a policy for an Outposts access point.

```
import com.amazonaws.services.s3control.model.*;

// Assumes s3ControlClient (an AWSS3Control client) and AccountId are fields of the enclosing class.
public void getAccessPointPolicy(String accessPointArn) {

    GetAccessPointPolicyRequest reqGetAccessPointPolicy = new GetAccessPointPolicyRequest()
            .withAccountId(AccountId)
            .withName(accessPointArn);

    GetAccessPointPolicyResult respGetAccessPointPolicy = s3ControlClient.getAccessPointPolicy(reqGetAccessPointPolicy);
    System.out.printf("GetAccessPointPolicy Response: %s%n", respGetAccessPointPolicy.toString());

}
```

# Working with Amazon S3 on Outposts endpoints

To route requests to an Amazon S3 on Outposts access point, you must create and configure an S3 on Outposts endpoint. To create an endpoint, you need an active service link connection to your Outposts home Region. Each virtual private cloud (VPC) on your Outpost can have one associated endpoint. For more information about endpoint quotas, see [S3 on Outposts network requirements](S3OnOutpostsRestrictionsLimitations.md#S3OnOutpostsConnectivityRestrictions). You must create an endpoint to be able to access your Outposts buckets and perform object operations. For more information, see [Endpoints](S3OutpostsWorkingBuckets.md#S3OutpostsEP).

After you create an endpoint, you can use the `Status` field to understand the state of the endpoint. If your Outpost is offline, the field returns `CREATE_FAILED`. You can check your service link connection, delete the endpoint, and retry the create operation after your connection has resumed. For a list of additional error codes, see the following table. For more information, see [Endpoints](S3OutpostsWorkingBuckets.md#S3OutpostsEP).


| API | Status | Failed Reason Error Code | Message - Failed Reason |
| --- | --- | --- | --- |
| CreateEndpoint | Create_Failed | OutpostNotReachable | Endpoint could not be created as the service link connection to your Outposts home Region is down. Check your connection, delete the endpoint, and try again. |
| CreateEndpoint | Create_Failed | InternalError | Endpoint could not be created due to Internal Error. Please delete the endpoint and create again. |
| DeleteEndpoint | Delete_Failed | OutpostNotReachable | Endpoint could not be deleted as the service link connection to your Outposts home Region is down. Check your connection and please try again. |
| DeleteEndpoint | Delete_Failed | InternalError | Endpoint could not be deleted due to Internal Error. Please try again. |

For more information about working with buckets on S3 on Outposts, see [Working with S3 on Outposts buckets](S3OutpostsWorkingBuckets.md).

The following sections describe how to create and manage endpoints for S3 on Outposts.

**Topics**
+ [Creating an endpoint on an Outpost](S3OutpostsCreateEndpoint.md)
+ [Viewing a list of your Amazon S3 on Outposts endpoints](S3OutpostsListEndpoints.md)
+ [Deleting an Amazon S3 on Outposts endpoint](S3OutpostsDeleteEndpoints.md)

# Creating an endpoint on an Outpost

To route requests to an Amazon S3 on Outposts access point, you must create and configure an S3 on Outposts endpoint. To create an endpoint, you need an active service link connection to your Outposts home Region. Each virtual private cloud (VPC) on your Outpost can have one associated endpoint. For more information about endpoint quotas, see [S3 on Outposts network requirements](S3OnOutpostsRestrictionsLimitations.md#S3OnOutpostsConnectivityRestrictions). You must create an endpoint to be able to access your Outposts buckets and perform object operations. For more information, see [Endpoints](S3OutpostsWorkingBuckets.md#S3OutpostsEP).

**Permissions**  
For more information about the permissions that are required to create an endpoint, see [Permissions for S3 on Outposts endpoints](S3OutpostsIAM.md#S3OutpostsEndpointPermissions).

When you create an endpoint, S3 on Outposts also creates a service-linked role in your AWS account. For more information, see [Using service-linked roles for Amazon S3 on Outposts](S3OutpostsServiceLinkedRoles.md).

The following examples show you how to create an S3 on Outposts endpoint by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. 

## Using the S3 console


1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts access points**.

1. Choose the **Outposts endpoints** tab.

1. Choose **Create Outposts endpoint**.

1. Under **Outpost**, choose the Outpost to create this endpoint on.

1. Under **VPC**, choose a VPC that does not yet have an endpoint and that also complies with the rules for Outposts endpoints.

   A virtual private cloud (VPC) enables you to launch AWS resources into a virtual network that you define. This virtual network closely resembles a traditional network that you would operate in your own data center, with the benefits of using the scalable infrastructure of AWS. 

   If you don’t have a VPC, choose **Create VPC**. For more information, see [Creating access points restricted to a virtual private cloud (VPC)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-vpc.html) in the *Amazon S3 User Guide*.

1. Choose **Create Outposts endpoint**.

## Using the AWS CLI


**Example**  
The following AWS CLI example creates an endpoint for an Outpost by using the VPC resource access type. The VPC is derived from the subnet. To run this command, replace the `user input placeholders` with your own information.  

```
aws s3outposts create-endpoint --outpost-id op-01ac5d28a6a232904 --subnet-id subnet-8c7a57c5 --security-group-id sg-ab19e0d1
```
The following AWS CLI example creates an endpoint for an Outpost by using the customer-owned IP address pool (CoIP pool) access type. To run this command, replace the `user input placeholders` with your own information.  

```
aws s3outposts create-endpoint --outpost-id op-01ac5d28a6a232904 --subnet-id subnet-8c7a57c5 --security-group-id sg-ab19e0d1 --access-type CustomerOwnedIp --customer-owned-ipv4-pool ipv4pool-coip-12345678901234567
```

## Using the AWS SDK for Java


**Example**  
For examples of how to create an endpoint for an S3 Outpost with the AWS SDK for Java, see [CreateOutpostsEndPoint.java](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javav2/example_code/s3/src/main/java/com/example/s3/outposts/CreateOutpostsEndPoint.java) in the *AWS SDK for Java 2.x Code Examples*.

# Viewing a list of your Amazon S3 on Outposts endpoints

The following examples show you how to return a list of your S3 on Outposts endpoints by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java.

## Using the S3 console


1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts access points**.

1. On the **Outposts access points** page, choose the **Outposts endpoints** tab.

1. Under **Outposts endpoints**, you can view a list of your S3 on Outposts endpoints.

## Using the AWS CLI


The following AWS CLI example lists the endpoints for the AWS Outposts resources that are associated with your account. For more information about this command, see [list-endpoints](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3outposts/list-endpoints.html) in the *AWS CLI Reference*.

```
aws s3outposts list-endpoints
```
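The following Python sketch is an added example, not part of the AWS documentation or SDK samples. It triages `list-endpoints` output for endpoints in the `Create_Failed` or `Delete_Failed` status and pairs each with the next step from the failure table and the matching `delete-endpoint` command. The sample listing, the endpoint ARN layout, and the ID character sets are assumptions.

```python
import re

# Constructed sample shaped like `aws s3outposts list-endpoints` output; all IDs are placeholders.
ARN_BASE = "arn:aws:s3-outposts:us-west-2:111122223333:outpost/op-01ac5d28a6a232904/endpoint/"
SAMPLE = {"Endpoints": [
    {"EndpointArn": ARN_BASE + "example-endpoint-id-1", "Status": "Available"},
    {"EndpointArn": ARN_BASE + "example-endpoint-id-2", "Status": "Create_Failed",
     "FailedReason": {"ErrorCode": "OutpostNotReachable", "Message": "(constructed)"}},
    {"EndpointArn": ARN_BASE + "example-endpoint-id-3", "Status": "Delete_Failed",
     "FailedReason": {"ErrorCode": "InternalError", "Message": "(constructed)"}},
]}

# Next step per (status, error code), taken from the failure table on this page.
NEXT_STEP = {
    ("Create_Failed", "OutpostNotReachable"): "check the service link, delete the endpoint, create it again",
    ("Create_Failed", "InternalError"): "delete the endpoint, create it again",
    ("Delete_Failed", "OutpostNotReachable"): "check the service link, retry the delete",
    ("Delete_Failed", "InternalError"): "retry the delete",
}

# Assumed layout: arn:aws:s3-outposts:region:account-id:outpost/outpost-id/endpoint/endpoint-id
ARN_RE = re.compile(
    r"arn:[a-z-]+:s3-outposts:[a-z0-9-]+:\d{12}:outpost/(op-[0-9a-f]+)/endpoint/([A-Za-z0-9-]+)")

def parse_endpoint_arn(arn):
    """Return (outpost_id, endpoint_id); reject anything that is not a strict match."""
    m = ARN_RE.fullmatch(arn)
    if m is None:
        raise ValueError(f"unexpected endpoint ARN: {arn!r}")
    return m.group(1), m.group(2)

def triage(listing):
    """Return one finding per failed endpoint; IDs are regex-validated before use in a command."""
    findings = []
    for ep in listing.get("Endpoints", []):
        status = ep.get("Status")
        if status not in ("Create_Failed", "Delete_Failed"):
            continue
        code = (ep.get("FailedReason") or {}).get("ErrorCode", "unknown")
        outpost_id, endpoint_id = parse_endpoint_arn(ep["EndpointArn"])
        findings.append({
            "endpoint_id": endpoint_id, "status": status, "error_code": code,
            "next_step": NEXT_STEP.get((status, code), "unlisted code; read FailedReason.Message"),
            "command": f"aws s3outposts delete-endpoint --endpoint-id {endpoint_id} --outpost-id {outpost_id}",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

To use it with real data, load the JSON that `aws s3outposts list-endpoints` prints and pass the resulting dictionary to `triage` in place of `SAMPLE`.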

## Using the AWS SDK for Java


The following SDK for Java example lists the endpoints for an Outpost. For more information, see [ListEndpoints](https://docs.aws.amazon.com/AmazonS3/latest/API/API_s3outposts_ListEndpoints.html) in the *Amazon Simple Storage Service API Reference*.

```
import com.amazonaws.services.s3outposts.AmazonS3Outposts;
import com.amazonaws.services.s3outposts.AmazonS3OutpostsClientBuilder;
import com.amazonaws.services.s3outposts.model.ListEndpointsRequest;
import com.amazonaws.services.s3outposts.model.ListEndpointsResult;

public class ListOutpostsEndpoints {

    public void listEndpoints() {
        // Build a client with the default credentials and Region configuration.
        AmazonS3Outposts s3OutpostsClient = AmazonS3OutpostsClientBuilder
                .standard().build();

        // Request the endpoints and print the raw result.
        ListEndpointsRequest listEndpointsRequest = new ListEndpointsRequest();
        ListEndpointsResult listEndpointsResult = s3OutpostsClient.listEndpoints(listEndpointsRequest);
        System.out.println("List endpoints result is " + listEndpointsResult);
    }
}
```

# Deleting an Amazon S3 on Outposts endpoint

The following examples show you how to delete your S3 on Outposts endpoints by using the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java.

## Using the S3 console


1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Outposts access points**.

1. On the **Outposts access points** page, choose the **Outposts endpoints** tab.

1. Under **Outposts endpoints**, choose the endpoint that you want to delete, and choose **Delete**.

## Using the AWS CLI


The following AWS CLI example deletes an endpoint for an Outpost. To run this command, replace the `user input placeholders` with your own information.

```
aws s3outposts delete-endpoint --endpoint-id example-endpoint-id --outpost-id op-01ac5d28a6a232904
```

## Using the AWS SDK for Java


The following SDK for Java example deletes an endpoint for an Outpost. To use this example, replace the `user input placeholders` with your own information.

```
import com.amazonaws.arn.Arn;
import com.amazonaws.services.s3outposts.AmazonS3Outposts;
import com.amazonaws.services.s3outposts.AmazonS3OutpostsClientBuilder;
import com.amazonaws.services.s3outposts.model.DeleteEndpointRequest;

public class DeleteOutpostsEndpoint {

    public void deleteEndpoint(String endpointArnInput) {
        String outpostId = "op-01ac5d28a6a232904";
        // Build a client with the default credentials and Region configuration.
        AmazonS3Outposts s3OutpostsClient = AmazonS3OutpostsClientBuilder
                .standard().build();

        // The endpoint ID is the last path segment of the endpoint ARN.
        Arn endpointArn = Arn.fromString(endpointArnInput);
        String[] resourceParts = endpointArn.getResource().getResource().split("/");
        String endpointId = resourceParts[resourceParts.length - 1];
        DeleteEndpointRequest deleteEndpointRequest = new DeleteEndpointRequest()
                .withEndpointId(endpointId)
                .withOutpostId(outpostId);
        s3OutpostsClient.deleteEndpoint(deleteEndpointRequest);
        System.out.println("Endpoint with id " + endpointId + " is deleted.");
    }
}
```