As organisations grow, managing access to multiple S3 buckets becomes increasingly complex. Bucket policies work well for an individual bucket, but they become hard to operate at scale: each bucket carries its own policy, and S3 authorises IAM principals, so mapping identity-provider users and groups onto S3 data is awkward. AWS S3 Access Grants address this by providing centralised access management across multiple buckets. In this post, we’ll explore how S3 Access Grants address the limitations of bucket policies and simplify access control for S3 deployments.
The Challenge of S3 Access Management at Scale
As businesses expand their AWS cloud infrastructure, access control becomes harder to get right. Organisations often manage hundreds or thousands of S3 buckets. This growth presents several challenges:
- Policy Complexity: Managing individual bucket policies becomes time-consuming and error-prone.
- Size Limitations: A bucket policy is limited to 20 KB, which is quickly exhausted when many principals, prefixes and conditions have to be expressed in one document.
- Governance: With traditional methods, enforcing least-privilege access and seeing who can reach which data across many buckets is challenging.
Enter AWS S3 Access Grants
S3 Access Grants provide a centralised solution for managing access across multiple S3 buckets. Key benefits include:
- Centralised Management: Define access permissions once and apply them to multiple buckets.
- Scalability: Easily manage access for a large number of buckets.
- Flexibility: Implement fine-grained control over access permissions.
- Overcoming Policy Size Limitations: Address the size constraints of bucket policies.
Implementing S3 Access Grants: A Practical Example
Let’s walk through implementing S3 Access Grants using AWS CloudFormation:
Step 1: Create an S3 Access Grants Instance
The Access Grants instance is the container for your locations and grants. You can have one instance per AWS Region per account, and all grants for buckets in that Region live in it.
S3AccessInstance:
  Type: AWS::S3::AccessGrantsInstance
  Properties:
    Tags:
      - Key: Name
        Value: !Sub ${ProjectName}-${EnvironmentSuffix}
Step 2: Define the Access Grants Location
This configuration registers an S3 Access Grants location and associates it with an IAM role (AccessRole). That role is what S3 Access Grants assumes to mint the temporary credentials it hands out, so it must trust the access-grants.s3.amazonaws.com service principal and must itself be allowed the S3 actions on the bucket; every grant on the location is a scoped-down subset of that role's permissions. The LocationScope property defines the data the location covers: a bucket (as here), a prefix within a bucket, or the default location s3:// covering every bucket in the account.
S3AccessGrantLocation:
  Type: AWS::S3::AccessGrantsLocation
  # Nothing in the location references the instance, so make the ordering explicit:
  # CloudFormation would otherwise be free to create the location before the instance exists.
  DependsOn: S3AccessInstance
  Properties:
    IamRoleArn: !GetAtt AccessRole.Arn
    LocationScope: s3://example-bucket
Step 3: Create the Access Grant
This configuration creates an access grant that gives the specified grantee (in this case, the LambdaExecutionRole) READ permission to the S3 data under the location; Permission can be READ, WRITE or READWRITE, and S3SubPrefix narrows the grant to a prefix within the location ('*' here means the whole bucket). The grantee is identified by its ARN with GranteeType IAM. When the instance is associated with IAM Identity Center, the grantee can instead be a corporate directory user or group (GranteeType DIRECTORY_USER or DIRECTORY_GROUP, identified by the Identity Center user or group ID). Note that the grant alone is not enough for an IAM grantee: the role must also be allowed the s3:GetDataAccess action on the Access Grants instance, otherwise its request for credentials is denied before any grant is consulted.
S3AccessGrant:
  Type: AWS::S3::AccessGrant
  Properties:
    AccessGrantsLocationId: !Ref S3AccessGrantLocation
    AccessGrantsLocationConfiguration:
      S3SubPrefix: '*'
    Grantee:
      GranteeIdentifier: !GetAtt LambdaExecutionRole.Arn
      GranteeType: IAM
    Permission: READ
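The snippets above reference two roles, AccessRole and LambdaExecutionRole, without defining them, and those definitions are where Access Grants deployments usually go wrong. The following resources are an added example, not part of the original post or the AWS documentation, and they reuse the placeholder names and bucket (example-bucket) from the steps above. They show the trust relationship the location role needs, the permission ceiling it sets, and the single s3:GetDataAccess permission the grantee needs.

```yaml
# Added example: the two roles referenced by Step 2 and Step 3.
# AccessRole, LambdaExecutionRole and example-bucket are placeholders carried
# over from the snippets above.
AccessRole:
  Type: AWS::IAM::Role
  Properties:
    # S3 Access Grants assumes this role to mint the scoped-down credentials
    # returned by GetDataAccess. The conditions pin the trust to this
    # account's own Access Grants instance.
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: access-grants.s3.amazonaws.com
          Action:
            - sts:AssumeRole
            - sts:SetSourceIdentity
            - sts:SetContext   # used for IAM Identity Center grantees
          Condition:
            StringEquals:
              aws:SourceAccount: !Ref AWS::AccountId
            ArnEquals:
              aws:SourceArn: !Sub arn:aws:s3:${AWS::Region}:${AWS::AccountId}:access-grants/default
    Policies:
      - PolicyName: access-grants-location
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # Ceiling for what any grant on this location can hand out; each
            # grant (READ / WRITE / READWRITE plus a prefix) narrows it further.
            - Effect: Allow
              Action:
                - s3:GetObject
                - s3:GetObjectVersion
                - s3:PutObject
                - s3:DeleteObject
                - s3:ListBucket
                - s3:ListBucketVersions
              Resource:
                - arn:aws:s3:::example-bucket
                - arn:aws:s3:::example-bucket/*

LambdaExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Policies:
      - PolicyName: request-access-grants-credentials
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # The grantee only needs the right to ask Access Grants for
            # credentials; it gets no direct permission on the bucket.
            - Effect: Allow
              Action: s3:GetDataAccess
              Resource: !Sub arn:aws:s3:${AWS::Region}:${AWS::AccountId}:access-grants/default
```

The important asymmetry is that the Lambda role never touches example-bucket directly: it can only call GetDataAccess, and the data permissions it ends up with are whatever the matching grant allows, capped by AccessRole's policy. Widening AccessRole therefore widens the ceiling for every grant on the location, so keep it scoped to the buckets the location actually covers.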
Step 4: Using Access Grants in Your Application
Here’s an example of how to use the access grant in a Lambda function:
import boto3

# Placeholder; use the ID of the account that owns the Access Grants instance.
ACCOUNT_ID = '123456789012'


def lambda_handler(event, context):
    # The s3control call must target the Region that holds the Access Grants
    # instance; the function's default Region (AWS_REGION) is used here.
    control_client = boto3.client('s3control')

    # Ask Access Grants for temporary credentials. The caller (the Lambda
    # execution role) needs s3:GetDataAccess on the instance, and a grant
    # covering the Target with at least the requested Permission must exist.
    response = control_client.get_data_access(
        AccountId=ACCOUNT_ID,
        Target='s3://example-bucket/*',
        Permission='READ',
        DurationSeconds=900  # 900 seconds is the minimum session length
    )
    credentials = response['Credentials']

    # Talk to S3 with the vended credentials, not with the function's own role.
    s3_client = boto3.client(
        's3',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken']
    )
    objects = s3_client.list_objects_v2(Bucket='example-bucket')
    print(objects)
    # Return only the keys: the raw response contains datetimes that Lambda
    # cannot serialise to JSON.
    return [obj['Key'] for obj in objects.get('Contents', [])]
Conclusion
AWS S3 Access Grants offer a powerful solution for managing S3 access at scale. Centralising access management and overcoming the limitations of traditional bucket policies enables organisations to implement more efficient and secure access controls for their S3 resources.
As demonstrated in our example, implementing this is straightforward and can significantly simplify your S3 access management processes.
Explore S3 Access Grants today and see how it can transform your S3 access management.