1 00:00:00,000 --> 00:00:02,760 ‫So now let's talk about S3 access points. 2 00:00:02,760 --> 00:00:03,660 ‫So let's take an example 3 00:00:03,660 --> 00:00:05,580 ‫of an S3 bucket that has a lot of data. 4 00:00:05,580 --> 00:00:07,817 ‫We have finance data, we have sales data, 5 00:00:07,817 --> 00:00:09,390 ‫and we have different users 6 00:00:09,390 --> 00:00:12,960 ‫or groups that want to access their data. 7 00:00:12,960 --> 00:00:16,590 ‫We could create a very complicated S3 bucket policy 8 00:00:16,590 --> 00:00:18,330 ‫and make it grow over time. 9 00:00:18,330 --> 00:00:20,340 ‫The more users, the more data you have, 10 00:00:20,340 --> 00:00:23,400 ‫the more unmanageable this may become. 11 00:00:23,400 --> 00:00:24,690 ‫So what is the solution? 12 00:00:24,690 --> 00:00:27,600 ‫Well, we can create what's called S3 access points. 13 00:00:27,600 --> 00:00:28,500 ‫So we can, for example, 14 00:00:28,500 --> 00:00:31,170 ‫create a finance access point that is going 15 00:00:31,170 --> 00:00:33,630 ‫to be connected to the finance data. 16 00:00:33,630 --> 00:00:35,640 ‫How is it connected to the finance data? 17 00:00:35,640 --> 00:00:38,426 ‫Well, we're going to define an access point policy 18 00:00:38,426 --> 00:00:42,600 ‫and this policy looks just like an S3 bucket policy 19 00:00:42,600 --> 00:00:45,930 ‫and is going to grant read write access 20 00:00:45,930 --> 00:00:48,540 ‫to the finance prefix. 21 00:00:48,540 --> 00:00:51,510 ‫Then we can define a sales access point. 22 00:00:51,510 --> 00:00:54,360 ‫And, again, this will be connected to the sales data 23 00:00:54,360 --> 00:00:56,010 ‫thanks to an access point policy, 24 00:00:56,010 --> 00:00:58,350 ‫a different one attached to this access point, 25 00:00:58,350 --> 00:01:00,870 ‫which is going to grant read and write access 26 00:01:00,870 --> 00:01:01,860 ‫to the sales prefix. 27 00:01:01,860 --> 00:01:03,986 ‫As you can see, I now have two policy 28 00:01:03,986 --> 00:01:07,080 ‫and if I want to have an analytics access point, 29 00:01:07,080 --> 00:01:10,350 ‫well, we can create it so that it points to finance 30 00:01:10,350 --> 00:01:12,420 ‫and sales, but in read only access. 31 00:01:12,420 --> 00:01:15,600 ‫So we're going to create our own read only policy 32 00:01:15,600 --> 00:01:17,760 ‫on the analytics access point. 33 00:01:17,760 --> 00:01:22,230 ‫So you can see here we have pushed the security management 34 00:01:22,230 --> 00:01:25,800 ‫from the S3 bucket policy into the access points 35 00:01:25,800 --> 00:01:29,190 ‫and each access point will have its own security. 36 00:01:29,190 --> 00:01:32,310 ‫Therefore, with the proper IAM permissions 37 00:01:32,310 --> 00:01:35,490 ‫then our users can access the finance access points 38 00:01:35,490 --> 00:01:39,210 ‫and connect only to the finance part of our bucket. 39 00:01:39,210 --> 00:01:42,750 ‫The users as well for sales can only access the sales 40 00:01:42,750 --> 00:01:45,600 ‫and the analytics group can access finance 41 00:01:45,600 --> 00:01:47,340 ‫and sales at the same time. 42 00:01:47,340 --> 00:01:50,070 ‫So by using access points, we define different ways 43 00:01:50,070 --> 00:01:51,810 ‫to access our S3 bucket. 44 00:01:51,810 --> 00:01:53,520 ‫And the result of that is that we have 45 00:01:53,520 --> 00:01:55,950 ‫a very simple way to manage security. 46 00:01:55,950 --> 00:01:58,950 ‫We have policies attached to each access point 47 00:01:58,950 --> 00:02:03,780 ‫and also we have a very simple bucket policy on Amazon S3. 48 00:02:03,780 --> 00:02:07,110 ‫Therefore, we can really scale access to our S3 buckets. 49 00:02:07,110 --> 00:02:10,080 ‫So to summarize access points, simplify security managements 50 00:02:10,080 --> 00:02:13,050 ‫for S3 buckets, and each access point will have 51 00:02:13,050 --> 00:02:14,100 ‫its own DNS name. 52 00:02:14,100 --> 00:02:16,470 ‫That's how you connect to the access point. 53 00:02:16,470 --> 00:02:19,170 ‫You can choose it to be connected to the internet 54 00:02:19,170 --> 00:02:22,080 ‫as an origin or a VPC for private traffic. 55 00:02:22,080 --> 00:02:24,600 ‫And then you attach again an access point policy 56 00:02:24,600 --> 00:02:26,940 ‫which is very similar to bucket policy. 57 00:02:26,940 --> 00:02:29,703 ‫And this allows you to manage security at scale. 58 00:02:30,570 --> 00:02:33,420 ‫Regarding the VPC origin of S3 access points, 59 00:02:33,420 --> 00:02:36,240 ‫we can define them to be privately accessible. 60 00:02:36,240 --> 00:02:38,280 ‫So that's, for example, an EC2 instance 61 00:02:38,280 --> 00:02:42,360 ‫in a VPC access says without going through the internet 62 00:02:42,360 --> 00:02:45,780 ‫our S3 bucket through the VPC access point 63 00:02:45,780 --> 00:02:47,550 ‫through a VPC origin. 64 00:02:47,550 --> 00:02:50,790 ‫So to do so, to get access to this VPC origin, 65 00:02:50,790 --> 00:02:53,490 ‫we must create what's called a VPC endpoint 66 00:02:53,490 --> 00:02:55,050 ‫to access the access point. 67 00:02:55,050 --> 00:02:58,530 ‫So it's something in our VPC that will allow us to connect 68 00:02:58,530 --> 00:03:03,510 ‫privately into the access point through our VPC origin. 69 00:03:03,510 --> 00:03:05,989 ‫And then the VPC endpoint has a policy, 70 00:03:05,989 --> 00:03:08,190 ‫and this policy must allow access 71 00:03:08,190 --> 00:03:10,920 ‫to the target buckets and the access points. 72 00:03:10,920 --> 00:03:14,670 ‫So the VPC endpoint policy will allow our EC2 instance 73 00:03:14,670 --> 00:03:18,090 ‫to connect to both the VPC, the access points 74 00:03:18,090 --> 00:03:20,610 ‫on Amazon S3 and the S3 buckets. 75 00:03:20,610 --> 00:03:23,730 ‫So in this case, we have VPC endpoint for security. 76 00:03:23,730 --> 00:03:26,250 ‫We also have security for the access point policy 77 00:03:26,250 --> 00:03:29,610 ‫and security at the S3 bucket level. 78 00:03:29,610 --> 00:03:30,960 ‫All right. That's it for access points. 79 00:03:30,960 --> 00:03:33,933 ‫I hope you liked it and I will see you in the next lecture.