Tightening S3 access with Access Points
Why a single fat bucket policy is a liability, and how Access Points let you scope access per workload.
If a bucket is shared by more than one workload, the bucket policy slowly turns into an unreadable wall of Condition blocks that nobody dares to touch. S3 Access Points exist to break that up.
Each access point is its own named entry to the bucket, with its own policy and its own network controls. Point each app or team at its own access point and the per-workload rules live there — the bucket policy stays small.
A VPC-only access point is the quick win. It refuses any request that doesn't arrive through your VPC endpoint, so data can't be pulled from the public internet even if a credential leaks:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideVpce",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:eu-central-1:123456789012:accesspoint/reports/*",
      "Condition": { "StringNotEquals": { "aws:SourceVpce": "vpce-0abc123" } }
    }
  ]
}
```
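To show how the per-workload scoping and the VPC-only deny fit together, here is an added example (not code from the post): it builds one access point policy that grants a single role one prefix and denies everything that does not arrive through the given VPC endpoint, then checks that the deny fires both for a wrong endpoint and for a request with no endpoint at all. The role ARN, prefix and `vpce_deny_fires` helper are assumptions; the helper is a simplified local model of IAM's negated-operator rule, not a full policy evaluator.

```python
import json

ACCOUNT = "123456789012"   # account id from the policy above
REGION = "eu-central-1"


def access_point_policy(ap_name, role_arn, prefix, vpce_id):
    """One access point per workload: the role may read/write only its own
    prefix, and every request outside the named VPC endpoint is denied."""
    ap_arn = f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{ap_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WorkloadPrefixOnly",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:GetObject", "s3:PutObject"],
                # Object ARNs through an access point carry the /object/ segment.
                "Resource": f"{ap_arn}/object/{prefix}/*",
            },
            {
                "Sid": "DenyRequestsOutsideVpce",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [ap_arn, f"{ap_arn}/object/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
        ],
    }


def vpce_deny_fires(policy, request_vpce):
    """Simplified model of the Deny statement only (assumption, not IAM itself).
    IAM's negated operators such as StringNotEquals match when the condition
    key is absent, so a request with no VPC endpoint at all is also denied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        expected = stmt["Condition"]["StringNotEquals"]["aws:SourceVpce"]
        if request_vpce is None or request_vpce != expected:
            return True
    return False


if __name__ == "__main__":
    # Hypothetical workload role and prefix, constructed for the example.
    p = access_point_policy("reports", f"arn:aws:iam::{ACCOUNT}:role/finance-etl",
                            "finance", "vpce-0abc123")
    print(json.dumps(p, indent=2))
```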
This week's move: find your most-shared bucket, list who actually reads and writes it, and give each one a scoped access point. Keep Block Public Access on at the account level regardless.