

# Managing access to shared datasets in directory buckets with access points
<a name="access-points-directory-buckets"></a>

Amazon S3 Access Points simplify managing data access at scale for shared datasets in Amazon S3. Access points are unique hostnames you create to enforce distinct permissions and network controls for all requests made through an access point. You can create hundreds of access points per bucket, each with a distinct name and permissions customized for each application. Each access point works in conjunction with the bucket policy that is attached to the underlying bucket.

In directory buckets, an access point name consists of a base name you provide, followed by the Zone ID (AWS Availability Zone or Local Zone) of your directory bucket location, and then `--xa-s3`. For example, `accesspointname--zoneID--xa-s3`. After you create an access point, you can't change the name or the Zone ID.

With access points for directory buckets, you can use the access point scope to restrict access to specific prefixes or API operations. You can specify any number of prefixes, but the combined length of all prefixes must be less than 256 bytes.

You can configure any access point to accept requests only from a virtual private cloud (VPC). This restricts Amazon S3 data access to a private network.

In this section, the topics explain how to use access points for directory buckets. For information about directory buckets, see [Working with directory buckets](directory-buckets-overview.md).

**Topics**
+ [Access points for directory buckets naming rules, restrictions, and limitations](access-points-directory-buckets-restrictions-limitations-naming-rules.md)
+ [Referencing access points for directory buckets](access-points-directory-buckets-naming.md)
+ [Object operations for access points for directory buckets](access-points-directory-buckets-service-api-support.md)
+ [Configuring IAM policies for using access points for directory buckets](access-points-directory-buckets-policies.md)
+ [Monitoring and logging access points for directory buckets](access-points-directory-buckets-monitoring-logging.md)
+ [Creating access points for directory buckets](creating-access-points-directory-buckets.md)
+ [Managing your access points for directory buckets](access-points-directory-buckets-manage.md)
+ [Using tags with S3 Access Points for directory buckets](access-points-db-tagging.md)

# Access points for directory buckets naming rules, restrictions, and limitations
<a name="access-points-directory-buckets-restrictions-limitations-naming-rules"></a>

Access points simplify managing data access at scale for shared datasets in Amazon S3. The following topics provide information about access point naming rules and restrictions and limitations.

**Topics**
+ [Naming rules for access points for directory buckets](#access-points-directory-buckets-names)
+ [Restrictions and limitations for access points for directory buckets](#access-points-directory-buckets-restrictions-limitations)

## Naming rules for access points for directory buckets
<a name="access-points-directory-buckets-names"></a>

An access point must be created in the same zone that the bucket is in. An access point name must be unique within the zone.

Access point names must be DNS-compliant and must meet the following conditions:
+ Must begin with a number or lowercase letter
+ The base name you provide must be between 3 and 50 characters long
+ Can't begin or end with a hyphen (`-`)
+ Can't contain underscores (`_`), uppercase letters, spaces, or periods (`.`)
+ Must end with `--zoneID--xa-s3`; the zone ID and suffix are appended to the base name you provide (for example, `myaccesspoint--usw2-az1--xa-s3`).

## Restrictions and limitations for access points for directory buckets
<a name="access-points-directory-buckets-restrictions-limitations"></a>

Access points for directory buckets have the following restrictions and limitations:
+ Each access point is associated with one directory bucket. After you create an access point, you can't associate it with a different bucket. However, you can delete an access point, and then create a new one with the same name and associate it with a different bucket.
+ After you create an access point, you can't change its virtual private cloud (VPC) configuration.
+ Access point policies are limited to 20 KB in size.
+ Access point scope prefixes are limited to 256 bytes in total size.
+ You can create a maximum of 10,000 access points per AWS account per AWS Region. If you need more than 10,000 access points for a single account in a single Region, you can request a service quota increase. For more information about service quotas and requesting an increase, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) in the *AWS General Reference*.
+ You can only use access points to perform operations on objects. You can't use access points to perform Amazon S3 bucket operations, such as modifying or deleting buckets. For a complete list of supported operations, see [Object operations for access points for directory buckets](access-points-directory-buckets-service-api-support.md).
+ You can refer to access points by name, access point alias, or virtual-hosted-style URI. You cannot address access points by ARN. For more information, see [Referencing access points for directory buckets](access-points-directory-buckets-naming.md).
+ API operations that control access point functionality (for example, `PutAccessPointPolicy` and `GetAccessPointPolicy`) must specify the AWS account that owns the access point.
+ You must use AWS Signature Version 4 when making requests to an access point by using the REST API. For more information about authenticating requests, see [Authenticating Requests (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) in the *Amazon Simple Storage Service API Reference*.
+ Access points only support requests over HTTPS. Amazon S3 will automatically respond with an HTTP redirect for any requests made through HTTP, to upgrade the request to HTTPS.
+ Access points don't support anonymous access.
+ If you create an access point to a bucket that's owned by another account (a cross-account access point), the cross-account access point doesn't grant you access to data until the bucket owner grants you permission to access the bucket. The bucket owner always retains ultimate control over access to the data and must update the bucket policy to authorize requests from the cross-account access point. To view a bucket policy example, see [Configuring IAM policies for using access points for directory buckets](access-points-directory-buckets-policies.md).
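The naming rules and the scope prefix limit above, applied in code. This is an added example, not AWS or page code: `validate_base_name`, `full_name`, `parse_name` and `check_scope_prefixes` are names chosen here, the zone ID `usw2-az1` is a sample value, and the prefix limit is taken as 256 bytes inclusive, which you should confirm against the current quota.

```python
"""Added example, not AWS code: apply the naming rules above to a base name, build
and parse the full access point name, and check a scope's prefixes against the
combined 256-byte limit from the restrictions list. The zone ID and prefixes in the
comments are constructed; take the real zone ID from your directory bucket."""
import re

SUFFIX = "--xa-s3"
SCOPE_PREFIX_BYTES = 256  # combined size of all scope prefixes, from the restrictions list
# base name, then a zone ID such as usw2-az1 (hyphen-separated tokens), then the suffix
FULL_NAME_RE = re.compile(r"(.+?)--([a-z0-9]+(?:-[a-z0-9]+)*)" + re.escape(SUFFIX))


def validate_base_name(base):
    """Return the naming-rule violations for a base name (empty when it is valid)."""
    problems = []
    if not 3 <= len(base) <= 50:
        problems.append("base name must be 3 to 50 characters")
    if not re.fullmatch(r"[a-z0-9-]*", base):
        problems.append("only lowercase letters, digits and hyphens (no '_', '.', spaces, uppercase)")
    if not re.match(r"[a-z0-9]", base):
        problems.append("must begin with a lowercase letter or digit (not a hyphen)")
    if base.endswith("-"):
        problems.append("must not end with a hyphen")
    if base.endswith(SUFFIX):
        problems.append("pass the base name only; the zone ID and suffix are appended")
    return problems


def full_name(base, zone_id):
    """Assemble base--zoneID--xa-s3, refusing a base name that breaks the rules."""
    problems = validate_base_name(base)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{base}--{zone_id}{SUFFIX}"


def parse_name(name):
    """Split a full access point name into (base, zone_id); None if it is not one
    (a directory bucket name ending in --x-s3, for instance, does not parse)."""
    m = FULL_NAME_RE.fullmatch(name)
    return (m.group(1), m.group(2)) if m else None


def check_scope_prefixes(prefixes):
    """Return (total_bytes, within_limit) for a scope's prefix list. The limit is
    stated in bytes, so non-ASCII prefixes are measured as UTF-8."""
    total = sum(len(p.encode("utf-8")) for p in prefixes)
    return total, total <= SCOPE_PREFIX_BYTES
```

`parse_name` is the useful half when you read names back out of CloudTrail or a listing: it refuses a directory bucket name, so a check that a value really is an access point name does not pass a `--x-s3` bucket name by accident.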

# Referencing access points for directory buckets
<a name="access-points-directory-buckets-naming"></a>

After you create an access point, you can use it as an endpoint to perform object operations. For access points for directory buckets, the access point alias is the same as the access point name. You can use the access point name instead of a bucket name for all data operations. For a list of these supported operations, see [Object operations for access points for directory buckets](access-points-directory-buckets-service-api-support.md).

## Referring to access points by virtual-hosted-style URIs
<a name="accessing-directory-bucket-through-s3-access-point"></a>

Access points only support virtual-host-style addressing. Access points use the same format as directory bucket endpoints. For more information, see [Regional and Zonal endpoints for directory buckets](s3-express-Regions-and-Zones.md).

S3 access points don't support access through HTTP. Access points support only secure access through HTTPS.

# Object operations for access points for directory buckets
<a name="access-points-directory-buckets-service-api-support"></a>

You can use access points to access an object using the following S3 data operations.
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjects.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjects.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html)
+ [https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html)

# Configuring IAM policies for using access points for directory buckets
<a name="access-points-directory-buckets-policies"></a>

Access points support AWS Identity and Access Management (IAM) resource policies that allow you to control the use of the access point by resource, user, or other conditions. For an application or user to access objects through an access point, both the access point and the underlying bucket policy must permit the request.

**Important**  
Adding an access point to a directory bucket doesn't change the bucket's behavior when the bucket is accessed directly through the bucket's name. All existing operations against the bucket will continue to work as before. Restrictions that you include in an access point policy or access point scope apply only to requests made through that access point. 

When using IAM resource policies, make sure to resolve security warnings, errors, general warnings, and suggestions from AWS Identity and Access Management Access Analyzer before you save your policy. IAM Access Analyzer runs policy checks to validate your policy against IAM [policy grammar](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) and [best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). These checks generate findings and provide recommendations to help you author policies that are functional and conform to security best practices. 

To learn more about validating policies by using IAM Access Analyzer, see [IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*. To view a list of the warnings, errors, and suggestions that are returned by IAM Access Analyzer, see [IAM Access Analyzer policy check reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html).

## Access points for directory buckets policy examples
<a name="access-points-directory-buckets-policy-examples"></a>

The following access point policies demonstrate how to control requests to a directory bucket. Access point policies require bucket ARNs or access point ARNs. Access point aliases are not supported in policies. Following is an example of an access point ARN:

```
arn:aws:s3express:region:account-id:accesspoint/myaccesspoint--zoneID--xa-s3
```

You can view the access point ARN in the details of an access point. For more information, see [View details for your access points for directory buckets](access-points-directory-buckets-details.md).

**Note**  
Permissions granted in an access point policy are effective only if the underlying bucket also allows the same access. You can accomplish this in two ways:  
**(Recommended)** Delegate access control from the bucket to the access point, as described in [Delegating access control to access points](#access-points-directory-buckets-delegating-control).
Add the same permissions contained in the access point policy to the underlying bucket's policy. 

**Example 1 – Service control policy to limit access points to VPC network origins**  
The following service control policy requires that all new access points be created with a virtual private cloud (VPC) network origin. With this policy in place, users in your organization can't create any access point that is accessible from the internet.

```
{
    "Version":"2012-10-17",
    "Statement": [
    {
        "Effect": "Deny",
        "Action": "s3express:CreateAccessPoint",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {
                "s3express:AccessPointNetworkOrigin": "VPC"
            }
        }
    }
  ]
}
```

**Example 2 – Bucket policy to limit bucket access to access points with VPC network origin**  
The following bucket policy denies `CreateSession` on the bucket *amzn-s3-demo-bucket--usw2-az1--x-s3* unless the request arrives through an access point with a VPC network origin. Because `StringNotEquals` also matches when the condition key is absent from the request, requests made directly to the bucket name (which carry no `s3express:AccessPointNetworkOrigin` key) are denied as well, so only VPC access points can reach the data.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCreateSessionFromNonVPC",
            "Principal": "*",
            "Action": "s3express:CreateSession",
            "Effect": "Deny",
            "Resource": "arn:aws:s3express:us-west-2:111122223333:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3",
            "Condition": {
                "StringNotEquals": {
                    "s3express:AccessPointNetworkOrigin": "VPC"
                }
            }
        }
    ]
}
```

## Condition keys
<a name="access-points-directory-buckets-condition-keys"></a>

Access points for directory buckets have condition keys that you can use in IAM policies to control access to your resources. The following condition keys represent only part of an IAM policy. For full policy examples, see [Access points for directory buckets policy examples](#access-points-directory-buckets-policy-examples), [Delegating access control to access points](#access-points-directory-buckets-delegating-control), and [Granting permissions for cross-account access points](#access-points-directory-buckets-cross-account). 

**`s3express:DataAccessPointArn`**  
This example shows how to filter access by the Amazon resource name (ARN) of an access point and matches all access points for AWS account *111122223333* in Region *region*:  

```
"Condition" : {
    "StringLike": {
        "s3express:DataAccessPointArn": "arn:aws:s3express:region:111122223333:accesspoint/*"
    }
}
```

**`s3express:DataAccessPointAccount`**  
This example shows a string operator that you can use to match on the account ID of the owner of an access point. The following example matches all access points that are owned by the AWS account *`111122223333`*.  

```
"Condition" : {
    "StringEquals": {
        "s3express:DataAccessPointAccount": "111122223333"
    }
}
```

**`s3express:AccessPointNetworkOrigin`**  
This example shows a string operator that you can use to match on the network origin, either `Internet` or `VPC`. The following example matches only access points with a VPC origin.  

```
"Condition" : {
    "StringEquals": {
        "s3express:AccessPointNetworkOrigin": "VPC"
    }
}
```

**`s3express:Permissions`**  
You can use `s3express:Permissions` to restrict access to specific API operations in access point scope. The following API operations are supported:  
+ `PutObject`
+ `GetObject`
+ `DeleteObject`
+ `ListBucket` (required for `ListObjectsV2`)
+ `GetObjectAttributes`
+ `AbortMultipartUpload`
+ `ListBucketMultipartUploads`
+ `ListMultipartUploadParts`

When using multi-value condition keys, we recommend you use `ForAllValues` with `Allow` statements and `ForAnyValue` with `Deny` statements. For more information, see [Multivalued context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-keys) in the IAM User Guide.

For more information about using condition keys with Amazon S3, see [ Actions, resources, and condition keys for Amazon S3](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html) in the *Service Authorization Reference*.

For more information about the required permissions to S3 API operations by S3 resource types, see [Required permissions for Amazon S3 API operations](using-with-s3-policy-actions.md).

## Delegating access control to access points
<a name="access-points-directory-buckets-delegating-control"></a>

You can delegate access control from the bucket policy to the access point policy. The following example bucket policy allows full access to all access points that are owned by the bucket owner's account. After applying the policy, all access to this bucket is controlled by access point policies. We recommend configuring your buckets this way for all use cases that don't require direct access to the bucket.

**Example bucket policy that delegates access control to access points**  

```
{
    "Version": "2012-10-17",
    "Statement" : [
    {
        "Effect": "Allow",
        "Principal" : { "AWS": "*" },
        "Action" : "*",
        "Resource" : [ "Bucket ARN" ],
        "Condition": {
            "StringEquals" : { "s3express:DataAccessPointAccount" : "Bucket owner's account ID" }
        }
    }]
}
```

## Granting permissions for cross-account access points
<a name="access-points-directory-buckets-cross-account"></a>

To create an access point to a bucket that's owned by another account, you first create the access point by specifying the bucket name and the bucket owner's account ID. Then the bucket owner must update the bucket policy to authorize requests from the access point. Creating an access point is similar to creating a DNS CNAME in that the access point itself doesn't grant access to the bucket contents; all bucket access is controlled by the bucket policy. The following example bucket policy allows `GET` and `LIST` requests (`s3express:CreateSession` with only the `GetObject` and `ListBucket` permissions) on the bucket from access points owned by one trusted AWS account, identified with the `s3express:DataAccessPointAccount` condition key. Without that key the statement would accept access points from any AWS account, because the `Principal` is `*`.

Replace the bucket ARN and *Trusted account ID* with your own values.

**Example of bucket policy delegating permissions to another AWS account**  

```
{
    "Version":"2012-10-17",
    "Statement" : [
    {
        "Sid": "AllowCreateSessionForDirectoryBucket",
        "Effect": "Allow",
        "Principal" : { "AWS": "*" },
        "Action" : "s3express:CreateSession",
        "Resource" : [ "arn:aws:s3express:us-west-2:111122223333:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3" ],
        "Condition": {
            "StringEquals": {
                "s3express:DataAccessPointAccount": "Trusted account ID"
            },
            "ForAllValues:StringEquals": {
                "s3express:Permissions": [
                    "GetObject",
                    "ListBucket"
                ]
            }
        }
    }]
}
```
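To see what the policies in this section decide, here is an added example (not AWS code and not part of the page) that evaluates the subset of the IAM policy grammar they use: Example 1's SCP, the VPC-only bucket policy, the delegating bucket policy, and a `ForAllValues` scope on `s3express:Permissions` such as the cross-account policy uses. `evaluate`, `authorize`, `request` and `via_access_point` are names chosen here; the access point ARN, the app role and the read-only access point policy are constructed; and the model implements only the two rules the page states (both the access point policy and the bucket policy must allow, and an explicit Deny always wins), not IAM's full evaluation logic.

```python
"""Added example, not AWS code: an evaluator for the policy subset this page's
examples use (Effect, Action, Resource, Principal; StringEquals, StringNotEquals,
StringLike; ForAllValues/ForAnyValue), to check what the SCP, the VPC-only
bucket policy, the delegating bucket policy and a permissions scope decide.
It models only the two rules the page states (both policies must Allow, an explicit
Deny wins) and ignores identity policies, boundaries and the rest of IAM. The
access point policy, the app role and the ARNs below are constructed."""
import re

BUCKET = "arn:aws:s3express:us-west-2:111122223333:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3"
AP = "arn:aws:s3express:us-west-2:111122223333:accesspoint/myaccesspoint--usw2-az1--xa-s3"
APP_ROLE = "arn:aws:iam::111122223333:role/app"  # constructed principal

def as_list(v):
    return v if isinstance(v, list) else [v]

def glob(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def condition_matches(operator, policy_values, request_values):
    """One operator for one key. request_values is [] when the key is absent from the
    request context, e.g. a request made directly to the bucket name carries no
    s3express:DataAccessPoint* or s3express:AccessPointNetworkOrigin keys."""
    qualifier, _, base = operator.rpartition(":")
    policy_values = as_list(policy_values)

    def one(value):
        if base == "StringEquals":
            return value in policy_values
        if base == "StringNotEquals":
            return value not in policy_values
        if base == "StringLike":
            return any(glob(p, value) for p in policy_values)
        raise ValueError(f"unsupported operator {operator}")

    if qualifier == "ForAllValues":  # vacuously true when the key is absent
        return all(one(v) for v in request_values)
    if qualifier == "ForAnyValue":
        return any(one(v) for v in request_values)
    if not request_values:  # absent key: only negated operators match
        return base.startswith("StringNot")
    return one(request_values[0])

def statement_applies(stmt, ctx):
    principal = stmt.get("Principal", "*")
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if not any(p in ("*", ctx["principal"]) for p in as_list(principal)):
        return False
    if not any(glob(a, ctx["action"]) for a in as_list(stmt["Action"])):
        return False
    if not any(glob(r, ctx["resource"]) for r in as_list(stmt["Resource"])):
        return False
    return all(condition_matches(op, pv, ctx["keys"].get(key, []))
               for op, keys in stmt.get("Condition", {}).items() for key, pv in keys.items())

def evaluate(policy, ctx):
    """'Deny', 'Allow' or 'NoMatch' for one policy document against one request."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "NoMatch"

def request(action, resource, keys=None, principal=APP_ROLE):
    """Request context; key values are lists because s3express:Permissions is multi-valued."""
    return {"action": action, "resource": resource, "principal": principal,
            "keys": {k: as_list(v) for k, v in (keys or {}).items()}}

def via_access_point(permissions, origin="VPC", ap_account="111122223333"):
    """CreateSession on BUCKET made through AP, with the keys such a request carries."""
    return request("s3express:CreateSession", BUCKET, {
        "s3express:DataAccessPointArn": AP, "s3express:DataAccessPointAccount": ap_account,
        "s3express:AccessPointNetworkOrigin": origin, "s3express:Permissions": permissions})

def authorize(ctx, bucket_policy, access_point_policy=None):
    """Through an access point BOTH policies must Allow and any Deny wins; a direct
    request consults only the bucket policy. The access point policy is evaluated
    against the access point ARN from the request (modelling assumption)."""
    results = [evaluate(bucket_policy, ctx)]
    if access_point_policy is not None:
        ap_ctx = dict(ctx, resource=ctx["keys"]["s3express:DataAccessPointArn"][0])
        results.append(evaluate(access_point_policy, ap_ctx))
    return "Deny" not in results and all(r == "Allow" for r in results)

# Example 1 (SCP), the delegating bucket policy and Example 2 from this page, placeholders filled in.
SCP_VPC_ORIGIN_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3express:CreateAccessPoint", "Resource": "*",
    "Condition": {"StringNotEquals": {"s3express:AccessPointNetworkOrigin": "VPC"}}}]}
DELEGATING_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "*", "Resource": [BUCKET],
    "Condition": {"StringEquals": {"s3express:DataAccessPointAccount": "111122223333"}}}]}
VPC_ONLY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyCreateSessionFromNonVPC", "Effect": "Deny", "Principal": "*",
    "Action": "s3express:CreateSession", "Resource": BUCKET,
    "Condition": {"StringNotEquals": {"s3express:AccessPointNetworkOrigin": "VPC"}}}]}
# Constructed access point policy (not from the page): read and list only, for the app role.
READ_ONLY_AP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": APP_ROLE}, "Action": "s3express:CreateSession",
    "Resource": AP, "Condition": {"ForAllValues:StringEquals": {
        "s3express:Permissions": ["GetObject", "ListBucket"]}}}]}
```

Two results are worth checking by hand: the VPC-only bucket policy denies a request made directly to the bucket name because `StringNotEquals` matches an absent key, and `ForAllValues:StringEquals` matches a request that carries no `s3express:Permissions` values at all, which is why the page pairs it with `Allow` rather than using it as the only guard in a `Deny`.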

# Monitoring and logging access points for directory buckets
<a name="access-points-directory-buckets-monitoring-logging"></a>

You can log requests made through access points and requests made to the APIs that manage access points, such as `CreateAccessPoint` and `GetAccessPointPolicy`, by using AWS CloudTrail. CloudTrail log entries for requests made through access points include the access point ARN (which includes the access point name) in the `resources` section of the log.

For example, suppose you have the following configuration: 
+ A bucket named `amzn-s3-demo-bucket--zone-id--x-s3` in Region `region` that contains an object named `my-image.jpg`.
+ An access point named `my-bucket-ap--zoneID--xa-s3` that is associated with `amzn-s3-demo-bucket--zone-id--x-s3`
+ An AWS account ID of `123456789012`

The following example shows the `resources` section of a CloudTrail log entry for the preceding configuration:

```
"resources": [
        {"type": "AWS::S3Express::Object",
        
            "ARN": "arn:aws:s3express-region:123456789012:bucket/amzn-s3-demo-bucket--zone-id--x-s3/my-image.jpg"
        },
        {"accountId": "c",
            "type": "AWS::S3Express::DirectoryBucket",
            "ARN": "arn:aws::s3express:region:123456789012:bucket/amzn-s3-demo-bucket--zone-id--x-s3"
        },
        {"accountId": "123456789012",
            "type": "AWS::S3::AccessPoint",
            "ARN": "arn:aws:s3express:region:123456789012:accesspoint/my-bucket-ap--zoneID--xa-s3"
        }
    ]
```

For more information about AWS CloudTrail, see [What is AWS CloudTrail?](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) in the *AWS CloudTrail User Guide*.
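Since the access point ARN appears in `resources` for requests made through an access point and not for requests made directly to the bucket name, the two routes can be told apart in CloudTrail. The following added example (not AWS code) does that over a handful of constructed, abbreviated records in the shape shown above; `triage` and `access_point_of` are names chosen here, and `eventName`, `readOnly` and `eventID` are standard CloudTrail record fields. It flags direct access to a bucket that is meant to be reached only through access points (recall that adding an access point does not change direct access to the bucket) and mutating access point control-plane calls.

```python
"""Added example, not AWS code: triage CloudTrail records for a directory bucket by
the route each request took, using the `resources` array shown above. It reads only
`eventName`, `readOnly`, `eventID` and `resources` (standard CloudTrail fields); the
records below are constructed and abbreviated, not real log output."""
from collections import Counter

BUCKET_ARN = "arn:aws:s3express:region:123456789012:bucket/amzn-s3-demo-bucket--zone-id--x-s3"
AP_ARN = "arn:aws:s3express:region:123456789012:accesspoint/my-bucket-ap--zoneID--xa-s3"
BUCKET_RES = {"type": "AWS::S3Express::DirectoryBucket", "ARN": BUCKET_ARN}
AP_RES = {"type": "AWS::S3::AccessPoint", "ARN": AP_ARN}

# Constructed sample: two data requests through the access point, one directly to the
# bucket name, one policy change on the access point and one read of its policy.
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventName": "GetObject", "readOnly": True, "resources": [
        {"type": "AWS::S3Express::Object", "ARN": BUCKET_ARN + "/my-image.jpg"}, BUCKET_RES, AP_RES]},
    {"eventID": "e2", "eventName": "PutObject", "readOnly": False, "resources": [
        {"type": "AWS::S3Express::Object", "ARN": BUCKET_ARN + "/upload.bin"}, BUCKET_RES, AP_RES]},
    {"eventID": "e3", "eventName": "GetObject", "readOnly": True, "resources": [
        {"type": "AWS::S3Express::Object", "ARN": BUCKET_ARN + "/my-image.jpg"}, BUCKET_RES]},
    {"eventID": "e4", "eventName": "PutAccessPointPolicy", "readOnly": False, "resources": [AP_RES]},
    {"eventID": "e5", "eventName": "GetAccessPointPolicy", "readOnly": True, "resources": [AP_RES]},
]


def access_point_of(record):
    """Name of the access point a request went through, or None when the request
    went to the bucket name directly (no accesspoint ARN in `resources`)."""
    for res in record.get("resources", []):
        arn = res.get("ARN", "")
        if ":accesspoint/" in arn:
            return arn.rsplit("/", 1)[1]
    return None


def triage(records, bucket_arn):
    """Count the bucket's data events per route and collect two things worth a look:
    direct access to a bucket meant to be reached only through access points, and
    mutating control-plane calls on access points (CreateAccessPoint,
    PutAccessPointPolicy and the like, recognised by name and readOnly=false)."""
    by_route, direct_access, control_changes = Counter(), [], []
    for rec in records:
        name = rec["eventName"]
        if "AccessPoint" in name:
            if not rec.get("readOnly", True):
                control_changes.append((rec["eventID"], name, access_point_of(rec)))
            continue
        if not any(r.get("ARN") == bucket_arn for r in rec.get("resources", [])):
            continue  # data event on some other bucket
        ap = access_point_of(rec)
        by_route[ap or "direct"] += 1
        if ap is None:
            direct_access.append((rec["eventID"], name))
    return {"by_route": dict(by_route), "direct_access": direct_access,
            "control_plane_changes": control_changes}
```

Point `triage` at the `Records` array of a real CloudTrail file and a bucket ARN; a non-empty `direct_access` list on a bucket whose policy delegates to access points means an identity policy is still granting direct access, and `control_plane_changes` is where to start when an access point's policy or scope turns out wider than expected.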

# Creating access points for directory buckets
<a name="creating-access-points-directory-buckets"></a>

Like directory buckets, access points can be created in Availability Zones or in Dedicated Local Zones. The access point must be created in the same zone as the directory bucket it is associated with.

An access point is associated with exactly one Amazon S3 directory bucket, so you must create the directory bucket before you create an access point for it. For more information about creating directory buckets, see [Creating directory buckets in an Availability Zone](directory-bucket-create.md) or [Creating a directory bucket in a Local Zone](create-directory-bucket-LZ.md).

You can also create a cross-account access point that's associated with a bucket in another AWS account, as long as you know the bucket name and the bucket owner's account ID. However, creating a cross-account access point doesn't grant you access to data in the bucket until the bucket owner grants you permissions. The bucket owner must grant the access point owner's account (your account) access to the bucket through the bucket policy. For more information, see [Granting permissions for cross-account access points](access-points-directory-buckets-policies.md#access-points-directory-buckets-cross-account).

You can create an access point for any directory bucket with the AWS Management Console, AWS CLI, REST API, or AWS SDKs. Each access point is associated with a single directory bucket, and you can create hundreds of access points per bucket. When creating an access point, you choose the base name of the access point and the directory bucket to associate it with. The access point name consists of the base name that you provide and a suffix that includes the Zone ID of your bucket location, followed by `--xa-s3`. For example, `myaccesspoint--zoneID--xa-s3`. You can also restrict access to the access point to a virtual private cloud (VPC). Then, you can immediately begin reading and writing data through your access point by using its name, just like you use a directory bucket name.

You can use the access point scope to restrict access to the directory bucket through the access point to specific prefixes or API operations. If you don't add a scope to the access point, all prefixes in the directory bucket and all API operations can be performed on objects in the bucket when accessed through the access point. After you create the access point, you can add, modify, or delete scope using the AWS CLI, AWS SDKs, or REST API. For more information, see [Manage the scope of your access points for directory buckets](access-points-directory-buckets-manage-scope.md).

After you create the access point, you can configure your access point IAM resource policy. For more information, see [Viewing, editing or deleting access point policies](access-points-directory-buckets-policy.md).

## Using the S3 console
<a name="access-points-directory-buckets-create-ap"></a>

**Note**  
You can also create an access point for a directory bucket from the directory bucket screen. When you do this, the directory bucket name is provided and you don't need to choose a bucket when creating the access point. For more information, see [Listing directory buckets](directory-buckets-objects-ListExamples.md).

**To create an access point for directory buckets**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region in which you want to create an access point. The access point must be created in the same Region as the associated bucket. 

1. In the left navigation pane, choose **Access points for directory buckets**.

1. On the **Access Points** page, choose **Create access point**.

1. You can create an access point for a directory bucket in your account or in another account. To create an access point for a directory bucket in another account:
**Note**  
If you're using a bucket in a different AWS account, the bucket owner must update the bucket policy to authorize requests from the access point. For an example bucket policy, see [Granting permissions for cross-account access points](access-points-directory-buckets-policies.md#access-points-directory-buckets-cross-account).

   1. In the **Directory bucket** field, choose **Specify a bucket in another account**.

   1. In the **Bucket owner account ID** field, enter the AWS account ID that owns the bucket.

   1. In the **Bucket name** field, enter the name of the bucket, including the base name and the zone ID. For example, ***bucket-base-name*--*zone-id*--x-s3**.

1. To create an access point for a directory bucket in your account:

   1. In the **Directory bucket** field, choose **Choose a bucket in this account**.

   1. In the **Bucket name** field, enter the name of the bucket, including the base name and the zone ID. For example, ***bucket-base-name*--*zone-id*--x-s3**. To choose the bucket from a list, choose **Browse S3** and choose the directory bucket.

1. In **Access point name**, in the **Base name** field, enter the base name for the access point. The zone ID and full access point name appear. For more information about naming access points, see [Naming rules for access points for directory buckets](access-points-directory-buckets-restrictions-limitations-naming-rules.md#access-points-directory-buckets-names).

1. In **Network origin**, choose either **virtual private cloud (VPC)** or **Internet**. If you choose **virtual private cloud (VPC)**, in the **VPC ID** field, enter the ID of the VPC that you want to use with the access point.

1. (Optional) In **Access point scope**, to apply a scope to this access point, choose **Limit the scope of this access point using prefixes or permissions**. 

   1. To limit access to prefixes in the directory bucket, in **Prefixes**, enter one or more prefixes. To add another prefix, choose **Add prefix**. To remove a prefix, choose **Remove**.
**Note**  
An access point scope has a character limit of 512 total characters for all prefixes. You can see the quantity of characters remaining below **Add prefix**.

   1. In **Permissions**, choose one or more API operations that the access point will allow. To remove a data operation, choose the **X** next to the data operation name.

1. To not apply a scope to the access point and allow access to all prefixes in the directory bucket and all API operations through the access point, in **Access point scope**, choose **Apply access to the entire bucket**.

1. Choose **Create access point for directory bucket**. The access point name and other information about it appear in the **Access points for directory buckets** list.

## Using the AWS CLI
<a name="creating-access-point-cli-directory-bucket"></a>

The following example command creates an access point named *example-ap* for the bucket *amzn-s3-demo-bucket--zone-id--x-s3* in the account *111122223333*. 

```
aws s3control create-access-point --name example-ap--zoneID--xa-s3 --account-id 111122223333 --bucket amzn-s3-demo-bucket--zone-id--x-s3
```

To restrict access to the access point through a VPC, include the `--vpc` parameter and the VPC ID.

```
aws s3control create-access-point --name example-ap--zoneID--xa-s3 --account-id 111122223333 --bucket amzn-s3-demo-bucket--zone-id--x-s3 --vpc vpc-id
```

When you create an access point for a cross-account bucket, include the `--bucket-account-id` parameter. The following example command creates an access point in the AWS account *111122223333*, for the bucket *amzn-s3-demo-bucket--zone-id--x-s3*, owned by the AWS account *444455556666*.

```
aws s3control create-access-point --name example-ap--zoneID--xa-s3 --account-id 111122223333 --bucket amzn-s3-demo-bucket--zone-id--x-s3 --bucket-account-id 444455556666
```

For more information and examples, see [create-access-point](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/create-access-point.html) in the AWS CLI Command Reference.

## Using the REST API
<a name="creating-access-point-directory-bucket-rest-api"></a>

The following example request creates an access point named *example-ap* for the bucket *amzn-s3-demo-bucket--zone-id--x-s3* in the account *111122223333*, with access restricted to the VPC *vpc-id* (the `VpcConfiguration` element is optional). 

```
PUT /v20180820/accesspoint/example-ap--zoneID--xa-s3 HTTP/1.1
Host: s3express-control.region.amazonaws.com
x-amz-account-id: 111122223333

<?xml version="1.0" encoding="UTF-8"?>
<CreateAccessPointRequest>
   <Bucket>amzn-s3-demo-bucket--zone-id--x-s3</Bucket>
   <BucketAccountId>111122223333</BucketAccountId>
   <VpcConfiguration>
       <VpcId>vpc-id</VpcId>
   </VpcConfiguration>
</CreateAccessPointRequest>
```

Response:

```
HTTP/1.1 200

<?xml version="1.0" encoding="UTF-8"?>
<CreateAccessPointResult>
   <AccessPointArn>arn:aws:s3express:region:111122223333:accesspoint/example-ap--zoneID--xa-s3</AccessPointArn>
   <Alias>example-ap--zoneID--xa-s3</Alias>
</CreateAccessPointResult>
```

## Using the AWS SDKs
<a name="creating-access-point-directory-bucket-sdk"></a>

You can use the AWS SDKs to create an access point. For more information, see [list of supported SDKs](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateAccessPoint.html#API_control_CreateAccessPoint_SeeAlso) in the Amazon Simple Storage Service API Reference.

# Managing your access points for directory buckets
<a name="access-points-directory-buckets-manage"></a>

This section explains how to manage your access points for directory buckets using the AWS Command Line Interface, Amazon S3 REST API, or AWS SDK.

**Topics**
+ [List your access points for directory buckets](access-points-directory-buckets-list.md)
+ [View details for your access points for directory buckets](access-points-directory-buckets-details.md)
+ [Viewing, editing or deleting access point policies](access-points-directory-buckets-policy.md)
+ [Manage the scope of your access points for directory buckets](access-points-directory-buckets-manage-scope.md)
+ [Delete your access point for directory buckets](access-points-directory-buckets-delete.md)

# List your access points for directory buckets
<a name="access-points-directory-buckets-list"></a>

This section explains how to list access points for a directory bucket using the AWS Management Console, AWS Command Line Interface (AWS CLI), REST API, or AWS SDKs.

## Using the S3 console
<a name="access-points-directory-buckets-list-console"></a>

**To list access points in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, choose the name of the currently displayed AWS Region, and then choose the Region that you want to list access points for.

1. In the navigation pane on the left side of the console, choose **Access points for directory buckets**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage.

## Using the AWS CLI
<a name="access-points-directory-buckets-list-cli"></a>

The following `list-access-points-for-directory-buckets` example command shows how you can use the AWS CLI to list the access points owned by an AWS account and associated with a directory bucket.

The following command lists access points for AWS account `111122223333` that are attached to the bucket `amzn-s3-demo-bucket--zone-id--x-s3`.

```
aws s3control list-access-points-for-directory-buckets --account-id 111122223333 --directory-bucket amzn-s3-demo-bucket--zone-id--x-s3
```

For more information and examples, see [list-access-points-for-directory-buckets](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/list-access-points-for-directory-buckets.html) in the AWS CLI Command Reference.

## Using the REST API
<a name="access-points-directory-buckets-list-rest"></a>

The following example shows how you can use the REST API to list your access points.

```
GET /v20180820/directoryaccesspoint?directoryBucket=amzn-s3-demo-bucket--zone-id--x-s3
&maxResults=maxResults HTTP/1.1
Host: s3express-control.region.amazonaws.com 
x-amz-account-id: 111122223333
```

**Example of `ListAccessPointsForDirectoryBuckets` response**  

```
HTTP/1.1 200
<?xml version="1.0" encoding="UTF-8"?>
<ListDirectoryAccessPointsResult>
    <AccessPointList>
        <AccessPoint>
            <AccessPointArn>arn:aws:s3express:region:111122223333:accesspoint/example-access-point--zoneID--xa-s3</AccessPointArn>
            <Alias>example-access-point--zoneID--xa-s3</Alias>
            <Bucket>amzn-s3-demo-bucket--zone-id--x-s3</Bucket>
            <BucketAccountId>111122223333</BucketAccountId>
            <Name>example-access-point--zoneID--xa-s3</Name>
            <NetworkOrigin>VPC</NetworkOrigin>
            <VpcConfiguration>
                <VpcId>VPC-1</VpcId>
            </VpcConfiguration>
        </AccessPoint>    
    </AccessPointList>  
</ListDirectoryAccessPointsResult>
```

## Using the AWS SDKs
<a name="access-points-directory-buckets-list-sdk"></a>

You can use the AWS SDKs to list your access points. For more information, see [list of supported SDKs](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListAccessPointsForDirectoryBuckets.html#API_control_ListAccessPointsForDirectoryBuckets_SeeAlso) in the Amazon Simple Storage Service API Reference.
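
To turn the listing above into a check, the following Python script is an added example; it is not code from the Amazon S3 documentation or from AWS. It audits every access point attached to a directory bucket for three things a reviewer wants to know: whether its network origin is `VPC`, whether the bucket it points to is owned by the same account, and whether it has a scope at all (an access point without a scope is limited only by the access point policy and the bucket policy). The sample records are constructed to mirror the fields in the `ListAccessPointsForDirectoryBuckets` response shown above; the zone ID, VPC ID and names are placeholders, and the boto3 method names are assumed to match the `ListAccessPointsForDirectoryBuckets` and `GetAccessPointScope` operations.

```python
"""Audit the access points attached to a directory bucket.

Added example; not code from the Amazon S3 documentation. The sample records
below are constructed to mirror the fields in the ListAccessPointsForDirectoryBuckets
response; names, the VPC ID and the zone ID are placeholders.
"""

ACCOUNT_ID = "111122223333"

# Constructed sample: two access points on the same directory bucket.
SAMPLE_ACCESS_POINTS = [
    {
        "Name": "example-access-point--usw2-az1--xa-s3",
        "Bucket": "amzn-s3-demo-bucket--usw2-az1--x-s3",
        "BucketAccountId": "111122223333",
        "NetworkOrigin": "VPC",
        "VpcConfiguration": {"VpcId": "vpc-0123456789abcdef0"},
    },
    {
        "Name": "legacy-ap--usw2-az1--xa-s3",
        "Bucket": "amzn-s3-demo-bucket--usw2-az1--x-s3",
        "BucketAccountId": "111122223333",
        "NetworkOrigin": "Internet",
    },
]

# Constructed sample: scope per access point (None when no scope is configured).
SAMPLE_SCOPES = {
    "example-access-point--usw2-az1--xa-s3": {
        "Prefixes": ["MyPrefix1*"],
        "Permissions": ["ListBucket", "PutObject"],
    },
    "legacy-ap--usw2-az1--xa-s3": None,
}


def audit_access_points(account_id, access_points, scopes):
    """Return (access point name, finding) pairs for configurations worth a second look."""
    findings = []
    for ap in access_points:
        name = ap["Name"]
        if ap.get("NetworkOrigin") != "VPC":
            findings.append((name, "NetworkOrigin is not VPC: requests are not limited to a private network"))
        if ap.get("BucketAccountId") != account_id:
            findings.append((name, f"bucket is owned by another account ({ap.get('BucketAccountId')})"))
        scope = scopes.get(name) or {}
        if not scope.get("Prefixes") and not scope.get("Permissions"):
            findings.append((name, "no scope: access is limited only by the access point and bucket policies"))
    return findings


def fetch_access_points_and_scopes(account_id, directory_bucket, region):
    """Collect the same data from the live API, following NextToken until the list is exhausted."""
    import boto3  # imported here so the offline audit above runs without the SDK installed

    client = boto3.client("s3control", region_name=region)
    access_points, kwargs = [], {}
    while True:
        resp = client.list_access_points_for_directory_buckets(
            AccountId=account_id, DirectoryBucket=directory_bucket, **kwargs
        )
        access_points.extend(resp.get("AccessPointList", []))
        if not resp.get("NextToken"):
            break
        kwargs = {"NextToken": resp["NextToken"]}
    # Assumption: GetAccessPointScope returns an empty Scope when none is configured.
    scopes = {
        ap["Name"]: client.get_access_point_scope(AccountId=account_id, Name=ap["Name"]).get("Scope")
        for ap in access_points
    }
    return access_points, scopes


if __name__ == "__main__":
    for name, finding in audit_access_points(ACCOUNT_ID, SAMPLE_ACCESS_POINTS, SAMPLE_SCOPES):
        print(f"{name}: {finding}")
```

Run it as a script to audit the constructed sample, or feed `audit_access_points` the output of `fetch_access_points_and_scopes` to audit a live account. Treat each finding as a prompt to look rather than a verdict: an `Internet` network origin may be intentional, but it should be a deliberate choice.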

# View details for your access points for directory buckets
<a name="access-points-directory-buckets-details"></a>

This section explains how to view details for your access point for directory buckets using the AWS Management Console, AWS CLI, AWS SDKs, or REST API.

## Using the S3 console
<a name="access-points-details-console"></a>

View details of an access point for directory buckets to see the following information about the access point and the associated directory bucket:
+ Properties:
  + Directory bucket name
  + Directory bucket owner account ID
  + AWS Region
  + Directory bucket location type
  + Directory bucket location name
  + Creation date of access point
  + Network origin
  + VPC ID
  + S3 URI
  + Access point ARN
  + Access point alias
+ Permissions:
  + IAM external access analyzer findings
  + Access point scope
  + Access point policy

**To view details for your access point in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, choose the name of the currently displayed AWS Region, and then choose the Region that you want to list access points for.

1. In the navigation pane on the left side of the console, choose **Access points for directory buckets**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage.

1. Choose the **Properties** tab or the **Permissions** tab.

## Using the AWS CLI
<a name="access-points-directory-buckets-details-cli"></a>

The following `get-access-point` example command shows how you can use the AWS CLI to view details for your access point.

The following command returns the details of the access point `my-access-point--zoneID--xa-s3` for AWS account `111122223333`.

```
aws s3control get-access-point --name my-access-point--zoneID--xa-s3 --account-id 111122223333
```

**Example of output of `get-access-point` command**  

```
{
    "Name": "my-access-point--zoneID--xa-s3",
    "Bucket": "amzn-s3-demo-bucket--zone-id--x-s3",
    "NetworkOrigin": "Internet",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    },
    "CreationDate": "2025-04-23T18:26:22.146000+00:00",
    "Alias": "my-access-point--zoneID--xa-s3",
    "AccessPointArn": "arn:aws:s3express:region:111122223333:accesspoint/my-access-point--zoneID--xa-s3",
    "BucketAccountId": "111122223333"
}
```

For more information and examples, see [get-access-point](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/get-access-point.html) in the *AWS CLI Command Reference*.

## Using the REST API
<a name="access-points-directory-buckets-details-rest"></a>

You can use the REST API `GetAccessPoint` operation to view details for your access point. For more information, see [GetAccessPoint](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessPoint.html) in the *Amazon Simple Storage Service API Reference*.

## Using the AWS SDKs
<a name="access-points-directory-buckets-details-sdk"></a>

You can use the AWS SDKs to view details of your access points. For more information, see [list of supported SDKs](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessPoint.html#API_control_GetAccessPoint_SeeAlso) in the Amazon Simple Storage Service API Reference.

# Viewing, editing or deleting access point policies
<a name="access-points-directory-buckets-policy"></a>

An access point policy is a resource-based policy that controls which principals can use the access point and which resources they can reach through it. The access point scope, by contrast, controls which prefixes and API operations are allowed through the access point. You can view, create, edit, and delete an access point policy using the S3 console, AWS Command Line Interface (AWS CLI), REST API, or AWS SDKs. For more information about access point scope, see [Manage the scope of your access points for directory buckets](access-points-directory-buckets-manage-scope.md).

**Note**  
Because directory buckets use session-based authorization, your access point policy must always include the `s3express:CreateSession` action.

## Using the S3 console
<a name="access-point-directory-bucket-edit-policy-console"></a>

**To view, edit, or delete an access point policy**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, choose the name of the currently displayed AWS Region, and then choose the Region that you want to list access points for.

1. In the navigation pane on the left side of the console, choose **Access points for directory buckets**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage.

1. Choose the **Permissions** tab.

1. To create or edit the access point policy, in **Access point policy**, choose **Edit**. Edit the policy. Choose **Save**.

1. To delete the access point policy, in **Access point policy**, choose **Delete**. In the **Delete access point policy** window, type **confirm** and choose **Delete**.

## Using the AWS CLI
<a name="access-points-directory-buckets-edit-policy-cli"></a>

You can use the `get-access-point-policy`, `put-access-point-policy`, and `delete-access-point-policy` commands to view, edit, or delete an access point policy. For more information, see [get-access-point-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/get-access-point-policy.html#get-access-point-policy), [put-access-point-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/put-access-point-policy.html#put-access-point-policy), or [delete-access-point-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/delete-access-point-policy.html#delete-access-point-policy) in the AWS CLI Command Reference.

## Using the REST API
<a name="access-points-directory-buckets-edit-policy-rest"></a>

You can use the REST API `GetAccessPointPolicy`, `DeleteAccessPointPolicy`, and `PutAccessPointPolicy` operations to view, delete, or edit an access point policy. For more information, see [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutAccessPointPolicy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutAccessPointPolicy.html), [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessPointPolicy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessPointPolicy.html), or [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteAccessPointPolicy.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteAccessPointPolicy.html) in the Amazon Simple Storage Service API Reference.

## Using the AWS SDKs
<a name="access-points-directory-buckets-edit-policy-sdk"></a>

You can use the AWS SDKs to view, delete, or edit an access point policy. For more information, see the list of supported SDKs for [GetAccessPointPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessPointPolicy.html#API_control_GetAccessPointPolicy_SeeAlso), [DeleteAccessPointPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteAccessPointPolicy.html#API_control_DeleteAccessPointPolicy_SeeAlso), and [PutAccessPointPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutAccessPointPolicy.html#API_control_PutAccessPointPolicy_SeeAlso) in the Amazon Simple Storage Service API Reference.
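
The following Python script is an added example; it is not code from the Amazon S3 documentation or from AWS. It builds a minimal access point policy that grants `s3express:CreateSession` to a named role, lints it for the mistakes most likely to widen access (no `Allow` for `CreateSession`, an `Allow` for a wildcard principal with no `Condition`, or a `Resource` that is not an access point ARN in the `name--zoneID--xa-s3` form used on this page), and can write it with `PutAccessPointPolicy` and read it back with `GetAccessPointPolicy` through boto3. The account ID, Region, zone ID, role name and access point name are placeholders, and the boto3 method names are assumed to match the API operations named above.

```python
"""Build, lint and apply an access point policy for a directory bucket.

Added example; not code from the Amazon S3 documentation. The ARNs used when
run as a script are placeholders (account 111122223333, Region us-west-2,
zone usw2-az1).
"""
import json
import re

# Access point ARN format for directory buckets, as shown on this page:
# arn:aws:s3express:<region>:<account>:accesspoint/<name>--<zone-id>--xa-s3
AP_ARN_RE = re.compile(
    r"^arn:aws:s3express:[a-z0-9-]+:\d{12}:accesspoint/"
    r"[a-z0-9-]+--[a-z0-9-]+--xa-s3(/.*)?$"
)


def build_access_point_policy(access_point_arn: str, principal_arns: list) -> dict:
    """Allow the listed principals to open sessions through the access point.

    s3express:CreateSession is the action the policy must grant; which prefixes and
    operations a session may use is then limited by the access point scope.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSessionsThroughAccessPoint",
                "Effect": "Allow",
                "Principal": {"AWS": list(principal_arns)},
                "Action": "s3express:CreateSession",
                "Resource": access_point_arn,
            }
        ],
    }


def _as_list(value):
    """Policy elements may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_access_point_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy passed."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17 (older versions do not support policy variables)")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    grants_session = False
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        allow = stmt.get("Effect") == "Allow"
        actions = _as_list(stmt.get("Action"))
        if allow and any(a in ("s3express:CreateSession", "s3express:*") for a in actions):
            grants_session = True
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        )
        if allow and wildcard and "Condition" not in stmt:
            findings.append(f"{sid}: Allow for a wildcard principal with no Condition")
        for resource in _as_list(stmt.get("Resource")):
            if not AP_ARN_RE.match(resource):
                findings.append(f"{sid}: Resource {resource!r} is not a directory-bucket access point ARN")
    if not grants_session:
        findings.append("no Allow statement grants s3express:CreateSession, which directory buckets require")
    return findings


def apply_access_point_policy(account_id: str, name: str, policy: dict, region: str) -> dict:
    """Write the policy with PutAccessPointPolicy and return what GetAccessPointPolicy reads back."""
    import boto3  # imported here so the offline functions above run without the SDK installed

    client = boto3.client("s3control", region_name=region)
    client.put_access_point_policy(AccountId=account_id, Name=name, Policy=json.dumps(policy))
    return json.loads(client.get_access_point_policy(AccountId=account_id, Name=name)["Policy"])


if __name__ == "__main__":
    ap_arn = "arn:aws:s3express:us-west-2:111122223333:accesspoint/example-ap--usw2-az1--xa-s3"
    policy = build_access_point_policy(ap_arn, ["arn:aws:iam::111122223333:role/app-role"])
    print(json.dumps(policy, indent=2))
    print("lint:", lint_access_point_policy(policy) or "ok")
    # apply_access_point_policy("111122223333", "example-ap--usw2-az1--xa-s3", policy, "us-west-2")
```

Run the lint before every `put-access-point-policy`, including policies written by hand in the console: the checks are cheap, and a wildcard principal or a `Resource` of `*` is the kind of change that is easy to paste in and hard to notice afterwards.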

# Manage the scope of your access points for directory buckets
<a name="access-points-directory-buckets-manage-scope"></a>

This section explains how to view and modify the scope of your access points for directory buckets using the S3 console, AWS Command Line Interface, REST API, or AWS SDKs. You can use the access point scope to restrict access to specific prefixes or API operations.

**Topics**
+ [View the scope of your access points for directory buckets](#access-points-directory-buckets-view-scope)
+ [Modify the scope of your access point for directory buckets](#access-points-directory-buckets-modify-scope)
+ [Delete the scope of your access points for directory buckets](#access-points-directory-buckets-delete-scope)

## View the scope of your access points for directory buckets
<a name="access-points-directory-buckets-view-scope"></a>

You can use the AWS Management Console, AWS Command Line Interface, REST API, or AWS SDKs to view the scope of your access point for directory buckets.

### Using the S3 console
<a name="access-points-directory-buckets-view-scope-console"></a>

**To view the scope of your access point for directory buckets**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, choose the name of the currently displayed AWS Region, and then choose the Region that you want to list access points for.

1. In the navigation pane on the left side of the console, choose **Access points for directory buckets**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage.

1. Choose the **Permissions** tab.

1. In the **Access point scope**, you can see the prefixes and permissions applied to the access point.

### Using the AWS CLI
<a name="access-points-directory-buckets-view-scope-cli"></a>

The following `get-access-point-scope` example command shows how you can use the AWS CLI to view the scope of your access point.

The following command shows the scope of the access point `my-access-point--zoneID--xa-s3` for AWS account `111122223333`.

```
aws s3control get-access-point-scope --name my-access-point--zoneID--xa-s3 --account-id 111122223333      
```

For more information and examples, see [get-access-point-scope](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/get-access-point-scope.html) in the AWS CLI Command Reference.

**Example result of `get-access-point-scope`**  

```
{
    "Scope": {
        "Permissions": [
            "ListBucket",
            "PutObject"
        ],
        "Prefixes": [
            "MyPrefix1*",
            "MyObjectName.csv"
        ]
    }
}
```

### Using the REST API
<a name="access-points-directory-buckets-view-scope-rest-api"></a>

The following `GetAccessPointScope` example request shows how you can use the REST API to view the scope of your access point.

The following request shows the scope of the access point `my-access-point--zoneID--xa-s3` for AWS account `111122223333`.

```
GET /v20180820/accesspoint/my-access-point--zoneID--xa-s3/scope HTTP/1.1 
Host: s3express-control.region.amazonaws.com 
x-amz-account-id: 111122223333
```

**Example result of `GetAccessPointScope`**  

```
HTTP/1.1 200

<?xml version="1.0" encoding="UTF-8"?>
<GetAccessPointScopeResult>
    <Scope>
        <Prefixes>
            <Prefix>MyPrefix1*</Prefix>
            <Prefix>MyObjectName.csv</Prefix>
        </Prefixes>
        <Permissions>
            <Permission>ListBucket</Permission>
            <Permission>PutObject</Permission>
        </Permissions>
    </Scope>
</GetAccessPointScopeResult>
```

### Using the AWS SDKs
<a name="access-points-directory-buckets-view-scope-sdk"></a>

You can use the AWS SDKs to view the scope of your access point. For more information, see [list of supported SDKs](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessPointScope.html#API_control_GetAccessPointScope_SeeAlso) in the Amazon Simple Storage Service API Reference.

## Modify the scope of your access point for directory buckets
<a name="access-points-directory-buckets-modify-scope"></a>

You can use the AWS Management Console, AWS Command Line Interface, REST API, or AWS SDKs to modify the scope of your access points for directory buckets. Access point scope is used to restrict access to specific prefixes, API operations, or a combination of both.

You can include one or more of the following API operations as permissions:
+ `PutObject`
+ `GetObject`
+ `DeleteObject`
+ `ListBucket` (required for `ListObjectsV2`)
+ `GetObjectAttributes`
+ `AbortMultipartUploads`
+ `ListBucketMultipartUploads`
+ `ListMultipartUploadParts`

**Note**  
You can specify any amount of prefixes, but the total length of characters of all prefixes must be less than 256 bytes in size.

### Using the S3 console
<a name="access-points-directory-buckets-modify-scope-console"></a>

**To modify access point scope**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, choose the name of the currently displayed AWS Region, and then choose the Region that you want to list access points for.

1. In the navigation pane on the left side of the console, choose **Access points for directory buckets**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage.

1. Choose the **Permissions** tab.

1. In the **Access point scope** section, choose **Edit**.

1. To add or remove prefixes:

   1. To add a prefix, choose **Add prefix**. In the **Prefix** field, enter a prefix of the directory bucket. Repeat to add more prefixes.

   1. To remove a prefix, choose **Remove**.

1. To add or remove permissions:

   1. To add a permission, in the **Choose data operations** field, choose the permission.

   1. To remove a permission, choose the **X** next to the permission.

1. Choose **Save changes**.

### Using the AWS CLI
<a name="access-points-directory-buckets-modify-scope-cli"></a>

The following `put-access-point-scope` example command shows how you can use the AWS CLI to modify the scope of your access point.

The following command replaces the scope of the access point `my-access-point--zoneID--xa-s3` for AWS account `111122223333` with a scope that allows `PutObject` and `GetObject` under the prefix `Jane/`.

**Note**  
You can use wildcards in prefixes by using the asterisk (`*`) character. If you want to use the asterisk character as a literal, add a backslash character (`\`) before it to escape it.  
All prefixes have an implicit `*` ending, meaning all paths within the prefix will be included.  
When you modify the scope of an access point with the AWS CLI, you replace the existing scope.

```
aws s3control put-access-point-scope --name my-access-point--zoneID--xa-s3 --account-id 111122223333 --scope '{"Prefixes":["Jane/*"],"Permissions":["PutObject","GetObject"]}'
```

For more information and examples, see [put-access-point-scope](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/put-access-point-scope.html) in the AWS CLI Command Reference.
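
The following Python script is an added example; it is not code from the Amazon S3 documentation or from AWS. It serves both the permission list and prefix limit above and the wildcard note in this section: it builds a scope while enforcing those rules (permission names from the list in this section, a combined prefix length under 256 bytes, and `\*` for a literal asterisk), models how an object key is matched against the scope's prefixes (explicit `*` wildcards plus the implicit trailing `*`) so you can test a scope before replacing the live one, and can apply it with `PutAccessPointScope` through boto3. The matching function is a local model of the rules as this page describes them, not the service's authorization code, and it assumes that an empty `Prefixes` or `Permissions` list places no restriction on that dimension. The account ID, Region, zone ID and access point name are placeholders, and the boto3 method names are assumed to match the `PutAccessPointScope` and `GetAccessPointScope` operations.

```python
"""Build, check and apply an access point scope for a directory bucket.

Added example; not code from the Amazon S3 documentation. Names and IDs are
placeholders. The matching logic is a local model of the rules described on
this page; the service remains authoritative.
"""
import re

# Permission names accepted in a scope, as listed in this section.
ALLOWED_PERMISSIONS = {
    "PutObject", "GetObject", "DeleteObject", "ListBucket", "GetObjectAttributes",
    "AbortMultipartUploads", "ListBucketMultipartUploads", "ListMultipartUploadParts",
}
MAX_TOTAL_PREFIX_BYTES = 256  # the combined length of all prefixes must stay below this


def escape_literal_asterisks(prefix: str) -> str:
    """Write every asterisk that should match literally as '\\*'."""
    return prefix.replace("*", "\\*")


def scope_problems(prefixes, permissions) -> list:
    """Return the rule violations in a proposed scope; an empty list means it is valid."""
    problems = []
    unknown = sorted(set(permissions) - ALLOWED_PERMISSIONS)
    if unknown:
        problems.append(f"unsupported permissions: {unknown}")
    total = sum(len(p.encode("utf-8")) for p in prefixes)
    if total >= MAX_TOTAL_PREFIX_BYTES:
        problems.append(f"prefixes total {total} bytes; must be less than {MAX_TOTAL_PREFIX_BYTES}")
    return problems


def build_scope(prefixes, permissions) -> dict:
    """Validate the inputs and return the Scope structure PutAccessPointScope expects."""
    problems = scope_problems(prefixes, permissions)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Prefixes": list(prefixes), "Permissions": sorted(set(permissions))}


def _prefix_to_regex(prefix: str):
    """'*' is a wildcard, '\\*' is a literal asterisk, and every prefix ends with an implicit '*'."""
    parts, i = [], 0
    while i < len(prefix):
        if prefix.startswith("\\*", i):       # escaped asterisk: match the character itself
            parts.append(re.escape("*"))
            i += 2
        elif prefix[i] == "*":               # bare asterisk: match anything
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(prefix[i]))
            i += 1
    return re.compile("".join(parts) + ".*")  # implicit trailing wildcard


def scope_allows(scope: dict, key: str, operation: str) -> bool:
    """Local model: the operation must be in Permissions and the key must match a prefix.

    Assumption of this model: an empty list places no restriction on that dimension.
    """
    permissions = scope.get("Permissions") or []
    prefixes = scope.get("Prefixes") or []
    if permissions and operation not in permissions:
        return False
    if prefixes and not any(_prefix_to_regex(p).fullmatch(key) for p in prefixes):
        return False
    return True


def apply_scope(account_id: str, name: str, scope: dict, region: str) -> dict:
    """Replace the access point's existing scope (PutAccessPointScope is a full replacement)."""
    import boto3  # imported here so the offline checks above run without the SDK installed

    client = boto3.client("s3control", region_name=region)
    client.put_access_point_scope(AccountId=account_id, Name=name, Scope=scope)
    return client.get_access_point_scope(AccountId=account_id, Name=name)["Scope"]


if __name__ == "__main__":
    # The second prefix must match a literal '*' in the key, so it is escaped.
    scope = build_scope(["Jane/*", "reports/2025-" + escape_literal_asterisks("*")],
                        ["PutObject", "GetObject"])
    print(scope)
    print(scope_allows(scope, "Jane/photos/a.jpg", "GetObject"))     # allowed
    print(scope_allows(scope, "Jane/photos/a.jpg", "DeleteObject"))  # not in Permissions
    # apply_scope("111122223333", "my-access-point--usw2-az1--xa-s3", scope, "us-west-2")
```

Because `put-access-point-scope` replaces the whole scope, fetch the current scope with `get-access-point-scope`, merge your change into it, and run `scope_allows` against a few representative keys before calling `apply_scope`; a scope that silently drops a prefix is a denial of service for the application behind it, and one that silently gains `DeleteObject` is worse.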

### Using the REST API
<a name="access-points-directory-buckets-modify-scope-rest-api"></a>

The following `PutAccessPointScope` example request shows how you can use the REST API to modify the scope of your access point.

The following request replaces the scope of the access point `my-access-point--zoneID--xa-s3` for AWS account `111122223333` with a scope that allows `PutObject` and `GetObject` under the prefix `Jane/`.

**Note**  
You can use wildcards in prefixes by using the asterisk (`*`) character. If you want to use the asterisk character as a literal, add a backslash character (`\`) before it to escape it.  
All prefixes have an implicit `*` ending, meaning all paths within the prefix will be included.  
When you modify the scope of an access point with the API, you replace the existing scope.

```
PUT /v20180820/accesspoint/my-access-point--zoneID--xa-s3/scope HTTP/1.1
Host: s3express-control.region.amazonaws.com
x-amz-account-id: 111122223333

<?xml version="1.0" encoding="UTF-8"?>
<PutAccessPointScopeRequest>
    <Scope>
        <Prefixes>
            <Prefix>Jane/*</Prefix>
        </Prefixes>
        <Permissions>
            <Permission>PutObject</Permission>
            <Permission>GetObject</Permission>
        </Permissions>
    </Scope>
</PutAccessPointScopeRequest>
```

### Using the AWS SDKs
<a name="access-points-directory-buckets-modify-scope-sdk"></a>

You can use the AWS SDKs to modify the scope of your access point. For more information, see [list of supported SDKs](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutAccessPointScope.html#API_control_PutAccessPointScope_SeeAlso) in the Amazon Simple Storage Service API Reference.

## Delete the scope of your access points for directory buckets
<a name="access-points-directory-buckets-delete-scope"></a>

You can use the AWS Management Console, AWS Command Line Interface, REST API, or AWS SDKs to delete the scope of your access points for directory buckets.

**Note**  
When you delete the scope of an access point, all prefixes and permissions are deleted.

### Using the S3 console
<a name="access-points-directory-buckets-delete-scope-console"></a>

**To delete access point scope**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, choose the name of the currently displayed AWS Region, and then choose the Region that you want to list access points for.

1. In the navigation pane on the left side of the console, choose **Access points for directory buckets**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to manage.

1. Choose the **Permissions** tab.

1. In **Access point scope**, choose **Delete**.

1. In the **to confirm this deletion, type "confirm".** field, enter **confirm**.

1. Choose **Delete**.

### Using the AWS CLI
<a name="access-points-directory-buckets-delete-scope-cli"></a>

The following `delete-access-point-scope` example command shows how you can use the AWS CLI to delete the scope of your access point.

The following command deletes the scope of the access point `my-access-point--zoneID--xa-s3` for AWS account `111122223333`.

```
aws s3control delete-access-point-scope --name my-access-point--zoneID--xa-s3 --account-id 111122223333
```

For more information and examples, see [delete-access-point-scope](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/delete-access-point-scope.html) in the AWS CLI Command Reference.

### Using the REST API
<a name="access-points-directory-buckets-delete-scope-rest-api"></a>

The following request deletes the scope of the access point `my-access-point--zoneID--xa-s3` for AWS account `111122223333`.

```
DELETE /v20180820/accesspoint/my-access-point--zoneID--xa-s3/scope HTTP/1.1 
Host: s3express-control.region.amazonaws.com 
x-amz-account-id: 111122223333
```

### Using the AWS SDKs
<a name="access-points-directory-buckets-delete-scope-sdk"></a>

You can use the AWS SDKs to delete the scope of your access point. For more information, see [list of supported SDKs](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteAccessPointScope.html#API_control_DeleteAccessPointScope_SeeAlso) in the Amazon Simple Storage Service API Reference.

# Delete your access point for directory buckets
<a name="access-points-directory-buckets-delete"></a>

This section explains how to delete your access point using the AWS Management Console, AWS Command Line Interface, REST API, or AWS SDKs.

**Note**  
Before you can delete a directory bucket attached to an access point, you must delete the access point.

## Using the S3 console
<a name="access-points-directory-buckets-delete-console"></a>

**To delete access points for directory buckets in your AWS account**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, choose the name of the currently displayed AWS Region, and then choose the Region that you want to list access points for.

1. In the navigation pane on the left side of the console, choose **Access points for directory buckets**.

1. (Optional) Search for access points by name. Only access points in your selected AWS Region will appear here.

1. Choose the name of the access point you want to delete.

1. Choose **Delete**.

1. To confirm deletion, type **confirm** and choose **Delete**.

## Using the AWS CLI
<a name="access-points-directory-buckets-delete-cli"></a>

The following `delete-access-point` example command shows how you can use the AWS CLI to delete your access point.

The following command deletes the access point `my-access-point--zoneID--xa-s3` for AWS account `111122223333`.

```
aws s3control delete-access-point --name my-access-point--zoneID--xa-s3 --account-id 111122223333      
```

For more information and examples, see [delete-access-point](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/delete-access-point.html) in the *AWS CLI Command Reference*.

## Using the REST API
<a name="access-points-directory-buckets-delete-rest"></a>

You can use the REST API `DeleteAccessPoint` operation to delete your access point. For more information, see [DeleteAccessPoint](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteAccessPoint.html) in the *Amazon Simple Storage Service API Reference*.

## Using the AWS SDKs
<a name="access-points-directory-buckets-delete-sdk"></a>

You can use the AWS SDKs to delete your access points. For more information, see [list of supported SDKs](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_DeleteAccessPoint.html#API_control_DeleteAccessPoint_SeeAlso) in the Amazon Simple Storage Service API Reference.

# Using tags with S3 Access Points for directory buckets
<a name="access-points-db-tagging"></a>

An AWS tag is a key-value pair that holds metadata about resources, in this case Amazon S3 Access Points for directory buckets. You can tag access points when you create them or manage tags on existing access points. For general information about tags, see [Tagging for cost allocation or attribute-based access control (ABAC)](tagging.md).

**Note**  
There is no additional charge for using tags on access points for directory buckets beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).

## Common ways to use tags with access points for directory buckets
<a name="common-ways-to-use-tags-access-points-db"></a>

Attribute-based access control (ABAC) allows you to scale access permissions and grant access to access points for directory buckets based on their tags. For more information about ABAC in Amazon S3, see [Using tags for ABAC](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html#using-tags-for-abac).

### ABAC for S3 Access Points
<a name="abac-for-access-points-db"></a>

Amazon S3 Access Points support attribute-based access control (ABAC) using tags. Use tag-based condition keys in your AWS Organizations, IAM, and access point policies. For enterprises, ABAC in Amazon S3 supports authorization across multiple AWS accounts.

In your IAM policies, you can control access to access points for directory buckets based on tags by using the following [global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys):
+ `aws:ResourceTag/key-name`
  + Use this key to compare the tag key-value pair that you specify in the policy with the key-value pair attached to the resource. For example, you could require that access to a resource is allowed only if the resource has the attached tag key `Dept` with the value `Marketing`. For more information, see [Controlling access to AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources).
+ `aws:RequestTag/key-name`
  + Use this key to compare the tag key-value pair that was passed in the request with the tag pair that you specify in the policy. For example, you could check whether the request includes the tag key `Dept` and that it has the value `Accounting`. For more information, see [Controlling access during AWS requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-requests). You can use this condition key to restrict which tag key-value pairs can be passed during the `TagResource` and `CreateAccessPoint` API operations.
+ `aws:TagKeys`
  + Use this key to compare the tag keys in a request with the keys that you specify in the policy. When you use policies to control access using tags, we recommend that you use the `aws:TagKeys` condition key to define which tag keys are allowed. For example policies and more information, see [Controlling access based on tag keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-tag-keys). You can create an access point for directory buckets with tags. To allow tagging during the `CreateAccessPoint` API operation, you must create a policy that includes both the `s3express:TagResource` and `s3express:CreateAccessPoint` actions. You can then use the `aws:TagKeys` condition key to enforce using specific tags in the `CreateAccessPoint` request.
+ `s3express:AccessPointTag/tag-key`
  + Use this condition key to grant permissions to specific data through access points based on the access point's tags. When you use `aws:ResourceTag/tag-key` in an IAM policy, both the access point and the bucket that it points to must carry the same tag, because both are considered during authorization. If you want to control access to your data based on the access point's tags only, use the `s3express:AccessPointTag/tag-key` condition key instead.

### Example ABAC policies for access points for directory buckets
<a name="example-access-points-db-abac-policies"></a>

See the following example ABAC policies for access points for directory buckets.

#### 1.1 - IAM policy to create or modify access points with specific tags
<a name="example-access-points-db-user-policy-request-tag"></a>

In this IAM policy, users or roles with this policy can only create access points if they tag the access points with the tag key `project` and tag value `Trinity` in the access point creation request. They can also add or modify tags on existing access points for directory buckets as long as the `TagResource` request includes the tag key-value pair `project:Trinity`. 

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateAccessPointWithTags",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateAccessPoint",
        "s3express:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/project": [
            "Trinity"
          ]
        }
      }
    }
  ]
}
```

#### 1.2 - Access Point policy to restrict operations on the bucket using tags
<a name="example-access-points-db-user-policy-resource-tag"></a>

In this Access Point policy, IAM principals (users and roles) can perform operations using the `CreateSession` action on the access point only if the value of the access point's `project` tag matches the value of the principal's `project` tag.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectOperations",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": "s3express:CreateSession",
      "Resource": "arn:aws::s3express:region:111122223333:access-point/my-access-point",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
        }
      }
    }
  ]
}
```

#### 1.3 - IAM policy to modify tags on existing resources while maintaining tagging governance
<a name="example-access-points-db-user-policy-tag-keys"></a>

In this IAM policy, IAM principals (users or roles) can modify tags on an access point only if the value of the access point's `project` tag matches the value of the principal's `project` tag. Only the four tag keys `project`, `environment`, `owner`, and `cost-center` listed in the `aws:TagKeys` condition key are permitted for these access points. This helps enforce tag governance, prevents unauthorized tag modifications, and keeps the tagging schema consistent across your access points.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTaggingRulesOnModification",
      "Effect": "Allow",
      "Action": [
        "s3express:TagResource"
      ],
      "Resource": "arn:aws:s3express:region:111122223333:accesspoint/my-access-point",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "project",
            "environment",
            "owner",
            "cost-center"
          ]
        }
      }
    }
  ]
}
```

#### 1.4 - Using the s3express:AccessPointTag condition key
<a name="example-access-points-db-policy-bucket-tag"></a>

In this IAM policy, the condition statement allows access to the bucket's data only if the access point used to access the bucket has the tag key `Environment` and tag value `Production`. 

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessToSpecificAccessPoint",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "arn:aws:s3express:region:111122223333:accesspoint/my-access-point",
      "Condition": {
        "StringEquals": {
          "s3express:AccessPointTag/Environment": "Production"
        }
      }
    }
  ]
}
```
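The four policies above differ mainly in which tag set each condition key reads. The following Python block is an added example, not part of the AWS documentation: a small offline model of those condition patterns, so the difference between `aws:RequestTag`, `aws:ResourceTag`, `s3express:AccessPointTag` and `aws:TagKeys` can be checked without calling AWS. The evaluator is this example's own simplification (it is not the IAM policy engine), and every tag value in it is constructed sample data.

```python
"""Added example, not part of the AWS documentation: a simplified offline model
of the ABAC condition patterns used in examples 1.1 to 1.4. The evaluator is an
assumption of this example, not the IAM engine; tag values are constructed."""

from dataclasses import dataclass, field

# Keys permitted by the ForAllValues:StringEquals aws:TagKeys condition (example 1.3).
GOVERNED_KEYS = {"project", "environment", "owner", "cost-center"}


@dataclass
class Request:
    action: str
    principal_tags: dict                              # aws:PrincipalTag/<key>
    access_point_tags: dict                           # tags on the access point
    bucket_tags: dict                                 # tags on the underlying bucket
    request_tags: dict = field(default_factory=dict)  # aws:RequestTag/<key>, aws:TagKeys


def resolve(value, req):
    """Resolve a ${aws:PrincipalTag/<key>} policy variable. A principal without
    that tag leaves the variable unresolved, so the comparison must fail."""
    prefix, suffix = "${aws:PrincipalTag/", "}"
    if value.startswith(prefix) and value.endswith(suffix):
        return req.principal_tags.get(value[len(prefix):-len(suffix)])
    return value


def resource_tag_equals(req, key, value):
    """aws:ResourceTag/<key>: for a request through an access point, both the
    access point and the bucket it points to are checked, so both need the tag."""
    expected = resolve(value, req)
    return (expected is not None
            and req.access_point_tags.get(key) == expected
            and req.bucket_tags.get(key) == expected)


def access_point_tag_equals(req, key, value):
    """s3express:AccessPointTag/<key>: only the access point's own tag is checked."""
    expected = resolve(value, req)
    return expected is not None and req.access_point_tags.get(key) == expected


def allow_create_with_tags(req):
    """Example 1.1: CreateAccessPoint / TagResource only when the request itself
    carries project=Trinity (aws:RequestTag)."""
    if req.action not in ("s3express:CreateAccessPoint", "s3express:TagResource"):
        return False
    return req.request_tags.get("project") == "Trinity"


def allow_create_session(req):
    """Example 1.2: CreateSession when the resource's project tag equals the
    caller's project tag."""
    return (req.action == "s3express:CreateSession"
            and resource_tag_equals(req, "project", "${aws:PrincipalTag/project}"))


def allow_tag_modification(req):
    """Example 1.3: TagResource when the project tags match and every key in the
    request is in GOVERNED_KEYS. ForAllValues is vacuously true for a request
    that carries no tag keys at all, which is why the project check still matters."""
    if req.action != "s3express:TagResource":
        return False
    if not resource_tag_equals(req, "project", "${aws:PrincipalTag/project}"):
        return False
    return set(req.request_tags) <= GOVERNED_KEYS


def allow_via_production_access_point(req):
    """Example 1.4: any action, but only through an access point tagged
    Environment=Production; the bucket's own tags are not consulted."""
    return access_point_tag_equals(req, "Environment", "Production")


if __name__ == "__main__":
    # The access point carries project=Trinity but the bucket does not:
    # aws:ResourceTag denies, while s3express:AccessPointTag still matches.
    req = Request(action="s3express:CreateSession",
                  principal_tags={"project": "Trinity"},
                  access_point_tags={"project": "Trinity", "Environment": "Production"},
                  bucket_tags={})
    print("1.2 with untagged bucket:", allow_create_session(req))                 # False
    req.bucket_tags = {"project": "Trinity"}
    print("1.2 with tagged bucket:", allow_create_session(req))                   # True
    print("1.4 access point tag only:", allow_via_production_access_point(req))   # True
```

The `__main__` section reproduces the situation the condition-key description warns about: an access point tagged `project=Trinity` in front of an untagged bucket is denied under `aws:ResourceTag` and allowed under `s3express:AccessPointTag`, so when you rely on `aws:ResourceTag` you must tag the bucket as well.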

## Working with tags for access points for directory buckets
<a name="working-with-tags-access-points-db"></a>

You can add or manage tags for access points for directory buckets using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the AWS SDKs, or the S3 APIs: [TagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_TagResource.html), [UntagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_UntagResource.html), and [ListTagsForResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListTagsForResource.html). For more information, see:

**Topics**
+ [Common ways to use tags with access points for directory buckets](#common-ways-to-use-tags-access-points-db)
+ [Working with tags for access points for directory buckets](#working-with-tags-access-points-db)
+ [Creating access points for directory buckets with tags](access-points-db-create-tag.md)
+ [Adding a tag to an access point for directory buckets](access-points-db-tag-add.md)
+ [Viewing the tags of an access point for directory buckets](access-points-db-tag-view.md)
+ [Deleting a tag from an access point for directory buckets](access-points-db-tag-delete.md)

# Creating access points for directory buckets with tags
<a name="access-points-db-create-tag"></a>

You can tag Amazon S3 Access Points for directory buckets when you create them. For additional information, see [Using tags with S3 Access Points for directory buckets](access-points-db-tagging.md).

## Permissions
<a name="access-points-db-create-tag-permissions"></a>

To create an access point for directory buckets with tags, you must have the following permissions:
+ `s3express:CreateAccessPoint`
+ `s3express:TagResource`

## Troubleshooting errors
<a name="access-points-db-create-tag-troubleshooting"></a>

If you encounter an error when attempting to create an access point for directory buckets with tags, you can do the following: 
+ Verify that you have the required [Permissions](#access-points-db-create-tag-permissions) to create the access point for directory buckets and add a tag to it.
+ Check your IAM user policy for any attribute-based access control (ABAC) conditions. You may be required to label your access points for directory buckets only with specific tag keys and values. For more information, see [Using tags for attribute-based access control (ABAC)](tagging.md#using-tags-for-abac).

## Steps
<a name="access-points-db-create-tag-steps"></a>

You can create an access point for directory buckets with tags applied by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console
<a name="access-points-db-create-tag-console"></a>

To create an access point for directory buckets with tags using the Amazon S3 console:

1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Access Points (Directory Buckets)**.

1. Choose **Create access point** to create a new access point.

1. Enter a name for the access point. For more information, see [Access points for directory buckets naming rules, restrictions, and limitations](access-points-directory-buckets-restrictions-limitations-naming-rules.md). 

1. On the **Create access point** page, the **Tags** section is available while you create the new access point.

1. Choose **Add new Tag** to open the Tags editor and enter a tag key-value pair. The tag key is required, but the value is optional. 

1. To add another tag, select **Add new Tag** again. You can enter up to 50 tag key-value pairs.

1. After you complete specifying the options for your new access point, choose **Create access point**. 

## Using the AWS SDKs
<a name="access-points-db-create-tag-sdks"></a>

------
#### [ SDK for Java 2.x ]

This example shows you how to create an access point with tags by using the AWS SDK for Java 2.x. To use this example, replace the *user input placeholders* with your own information. 

```
import java.util.Collections;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.CreateAccessPointRequest;
import software.amazon.awssdk.services.s3control.model.Tag;

S3ControlClient s3Control = S3ControlClient.builder().region(Region.US_WEST_2).build();

CreateAccessPointRequest createAccessPointRequest = CreateAccessPointRequest.builder()
        .accountId("111122223333")
        .name("my-access-point")
        .bucket("amzn-s3-demo-bucket--zone-id--x-s3")
        // Tags are applied in the same request that creates the access point.
        .tags(Collections.singletonList(Tag.builder().key("key1").value("value1").build()))
        .build();
s3Control.createAccessPoint(createAccessPointRequest);
```

------

## Using the REST API
<a name="access-points-db-create-tag-api"></a>

For information about the Amazon S3 REST API support for creating an access point for directory buckets with tags, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [CreateAccessPoint](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_CreateAccessPoint.html)

## Using the AWS CLI
<a name="access-points-db-create-tag-cli"></a>

To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to create an access point for directory buckets with tags by using the AWS CLI. To use the command, replace the *user input placeholders* with your own information.

When you create an access point for directory buckets, you must provide the configuration details shown in the request below, and the access point name (`my-access-point` in this example) must follow the naming convention described in [Access points for directory buckets naming rules, restrictions, and limitations](access-points-directory-buckets-restrictions-limitations-naming-rules.md).

**Request:**

```
aws s3control create-access-point \
--account-id 111122223333 \
--name my-access-point \
--bucket amzn-s3-demo-bucket--zone-id--x-s3 \
--profile personal \
--tags Key=key1,Value=value1 Key=MyKey2,Value=value2 \
--region region
```

# Adding a tag to an access point for directory buckets
<a name="access-points-db-tag-add"></a>

You can add tags to Amazon S3 Access Points for directory buckets and modify these tags. For additional information, see [Using tags with S3 Access Points for directory buckets](access-points-db-tagging.md).

## Permissions
<a name="access-points-db-tag-add-permissions"></a>

To add a tag to an access point for directory buckets, you must have the following permission:
+ `s3express:TagResource`

## Troubleshooting errors
<a name="access-points-db-tag-add-troubleshooting"></a>

If you encounter an error when attempting to add a tag to an access point for directory buckets, you can do the following: 
+ Verify that you have the required [Permissions](#access-points-db-tag-add-permissions) to add a tag to an access point for directory buckets.
+ If you attempted to add a tag key that starts with the AWS reserved prefix `aws:`, change the tag key and try again. 

## Steps
<a name="access-points-db-tag-add-steps"></a>

You can add tags to access points for directory buckets by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console
<a name="access-points-db-tag-add-console"></a>

To add tags to an access point for directory buckets using the Amazon S3 console:

1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Access Points (Directory Buckets)**.

1. Choose the access point name. 

1. Choose the **Properties** tab. 

1. Scroll to the **Tags** section and choose **Add new Tag**. 

1. This opens the **Add Tags** page. You can enter up to 50 tag key-value pairs. 

1. If you add a new tag with the same key name as an existing tag, the value of the new tag overrides the value of the existing tag.

1. You can also edit the values of existing tags on this page.

1. After you have added the tag(s), choose **Save changes**. 
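The console steps above, together with the troubleshooting notes, state the rules that apply to tag changes on an access point: a key is required and a value is optional, at most 50 tag pairs are allowed, keys must not use the reserved `aws:` prefix, and a new tag with an existing key overrides the existing value. The following Python block is an added example, not part of the AWS documentation or the AWS SDKs: it checks a desired tag set against those rules before any request is made and computes the `Tags` list for TagResource and the `TagKeys` list for UntagResource (described later on this page) that move an access point from its current tags to the desired set. The reconciliation logic and the treatment of AWS-generated `aws:*` tags as untouched are this example's own design; the sample tags are constructed and no AWS API call is made.

```python
"""Added example, not part of the AWS documentation: client-side tag checks and
a change plan for an access point's user-defined tags. Limits and the reserved
prefix come from the page; the reconciliation is this example's own design."""

MAX_TAGS = 50
RESERVED_PREFIX = "aws:"


def validate_tags(tags):
    """Return the problems found in a user-supplied tag set (empty list = OK)."""
    problems = []
    for key in tags:
        if not key:
            problems.append("tag key is required")
        elif key.lower().startswith(RESERVED_PREFIX):
            problems.append(f"tag key {key!r} uses the reserved {RESERVED_PREFIX} prefix")
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")
    return problems


def merge_tags(existing, new):
    """TagResource semantics: a new tag with an existing key overrides its value."""
    merged = dict(existing)
    merged.update(new)
    return merged


def plan_tag_changes(existing, desired):
    """Compute the TagResource / UntagResource payloads that move an access point
    from its existing tags to the desired user-defined set. AWS-generated aws:*
    tags already present are left alone: they are not user-managed."""
    problems = validate_tags(desired)
    if problems:
        raise ValueError("; ".join(problems))

    # Only keys whose value actually changes need to be sent.
    to_set = {k: v for k, v in desired.items() if existing.get(k) != v}
    to_remove = [k for k in existing
                 if k not in desired and not k.lower().startswith(RESERVED_PREFIX)]

    # Check the limit against the tag set the access point would end up with.
    kept = {k: v for k, v in existing.items() if k not in to_remove}
    final = merge_tags(kept, to_set)
    if len(final) > MAX_TAGS:
        raise ValueError(f"resulting tag set has {len(final)} tags, limit is {MAX_TAGS}")

    return {
        "TagResource": [{"Key": k, "Value": v} for k, v in sorted(to_set.items())],
        "UntagResource": sorted(to_remove),
        # The same tags in the shorthand form the CLI's --tags option takes.
        "cli_tags": [f"Key={k},Value={v}" for k, v in sorted(to_set.items())],
    }


if __name__ == "__main__":
    # Constructed sample: current tags as ListTagsForResource would return them.
    existing = {"project": "Trinity", "owner": "alice", "stale": "1",
                "aws:example-generated": "demo"}
    desired = {"project": "Trinity", "owner": "bob", "environment": "prod"}
    plan = plan_tag_changes(existing, desired)
    print(plan["TagResource"])    # owner is overridden, environment added, project unchanged
    print(plan["UntagResource"])  # ['stale']; the aws:* tag is left alone
```

Running the plan's `TagResource` list first and its `UntagResource` list second leaves the access point with exactly the desired user-defined tags, and the validation step turns the `aws:` prefix error described under Troubleshooting into a local failure before the request is sent.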

## Using the AWS SDKs
<a name="access-points-db-tag-add-sdks"></a>

------
#### [ SDK for Java 2.x ]

This example shows you how to add tags to an access point for directory buckets by using the AWS SDK for Java 2.x. To use this example, replace the *user input placeholders* with your own information. 

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.Tag;
import software.amazon.awssdk.services.s3control.model.TagResourceRequest;
import software.amazon.awssdk.services.s3control.model.TagResourceResponse;

public class TagResourceExample {
    public static void tagResourceExample() {
        S3ControlClient s3Control = S3ControlClient.builder().region(Region.US_WEST_2).build();

        // The resource ARN is the access point itself (no object suffix),
        // in the same Region as the client.
        TagResourceRequest tagResourceRequest = TagResourceRequest.builder()
                .resourceArn("arn:aws:s3express:us-west-2:111122223333:accesspoint/my-access-point")
                .accountId("111122223333")
                .tags(Tag.builder().key("key1").value("value1").build())
                .build();

        TagResourceResponse response = s3Control.tagResource(tagResourceRequest);
        System.out.println("Status code (should be 204):");
        System.out.println(response.sdkHttpResponse().statusCode());
    }
}
```

------

## Using the REST API
<a name="access-points-db-tag-add-api"></a>

For information about the Amazon S3 REST API support for adding tags to an access point for directory buckets, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [TagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_TagResource.html)

## Using the AWS CLI
<a name="access-points-db-tag-add-cli"></a>

To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to add tags to an access point for directory buckets by using the AWS CLI. To use the command, replace the *user input placeholders* with your own information.

**Request:**

```
aws s3control tag-resource \
--account-id 111122223333 \
--resource-arn arn:aws:s3express:region:111122223333:accesspoint/my-access-point \
--tags "Key=key1,Value=value1"
```

**Response:**

```
{
  "ResponseMetadata": {
      "RequestId": "EXAMPLE123456789",
      "HTTPStatusCode": 200,
      "HTTPHeaders": {
          "date": "Wed, 19 Jun 2025 10:30:00 GMT",
          "content-length": "0"
      },
      "RetryAttempts": 0
  }
}
```

# Viewing the tags of an access point for directory buckets
<a name="access-points-db-tag-view"></a>

You can view or list tags applied to Amazon S3 Access Points for directory buckets. For additional information, see [Using tags with S3 directory buckets](directory-buckets-tagging.md).

## Permissions
<a name="access-points-db-tag-view-permissions"></a>

To view tags applied to an access point, you must have the following permission: 
+ `s3express:ListTagsForResource`

## Troubleshooting errors
<a name="access-points-db-tag-view-troubleshooting"></a>

If you encounter an error when attempting to list or view the tags of an access point for directory buckets, you can do the following: 
+ Verify that you have the required [Permissions](#access-points-db-tag-view-permissions) to view or list the tags of the access point for directory buckets.

## Steps
<a name="access-points-db-tag-view-steps"></a>

You can view tags applied to access points for directory buckets by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console
<a name="access-points-db-tag-view-console"></a>

To view tags applied to an access point for directory buckets using the Amazon S3 console:

1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Access Points (Directory Buckets)**.

1. Choose the access point name. 

1. Choose the **Properties** tab. 

1. Scroll to the **Tags** section to view all of the tags applied to the access point for directory buckets. 

1. The **Tags** section shows the **User-defined tags** by default. You can select the **AWS-generated tags** tab to view tags applied to your access point by AWS services.

## Using the AWS SDKs
<a name="access-points-db-tag-view-sdks"></a>

This section provides an example of how to view tags applied to an access point for directory buckets by using the AWS SDKs.

------
#### [ SDK for Java 2.x ]

This example shows you how to view tags applied to an access point for directory buckets by using the AWS SDK for Java 2.x. To use this example, replace the *user input placeholders* with your own information.

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.ListTagsForResourceRequest;
import software.amazon.awssdk.services.s3control.model.ListTagsForResourceResponse;
import software.amazon.awssdk.services.s3control.model.Tag;

public class ListTagsForResourceExample {
    public static void listTagsForResourceExample() {
        S3ControlClient s3Control = S3ControlClient.builder().region(Region.US_WEST_2).build();

        // The resource ARN is the access point itself (no object suffix).
        ListTagsForResourceRequest listTagsForResourceRequest = ListTagsForResourceRequest.builder()
                .resourceArn("arn:aws:s3express:us-west-2:111122223333:accesspoint/my-access-point")
                .accountId("111122223333")
                .build();
        ListTagsForResourceResponse response = s3Control.listTagsForResource(listTagsForResourceRequest);
        System.out.println("Tags on my resource:");
        for (Tag tag : response.tags()) {
            System.out.println(tag.key() + "=" + tag.value());
        }
    }
}
```

------

## Using the REST API
<a name="access-points-db-tag-view-api"></a>

For information about the Amazon S3 REST API support for viewing the tags applied to an access point for directory buckets, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [ListTagsForResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListTagsForResource.html)

## Using the AWS CLI
<a name="access-points-db-tag-view-cli"></a>

To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to view tags applied to an access point for directory buckets. To use the command, replace the *user input placeholders* with your own information.

**Request:**

```
aws s3control list-tags-for-resource \
--account-id 111122223333 \
--resource-arn arn:aws:s3express:region:111122223333:accesspoint/my-access-point
```

**Response - tags present:**

```
{
  "Tags": [
      {
          "Key": "MyKey1",
          "Value": "MyValue1"
      },
      {
          "Key": "MyKey2",
          "Value": "MyValue2"
      },
      {
          "Key": "MyKey3",
          "Value": "MyValue3"
      }
  ]
}
```

**Response - no tags present:**

```
{
  "Tags": []
}
```

# Deleting a tag from an access point for directory buckets
<a name="access-points-db-tag-delete"></a>

You can remove tags from Access Points for directory buckets. For additional information, see [Using tags with S3 Access Points for directory buckets](access-points-db-tagging.md).

**Note**  
If you delete a tag and later learn that it was being used to track costs or for access control, you can add the tag back to the access point for directory buckets. 

## Permissions
<a name="access-points-db-tag-delete-permissions"></a>

To delete a tag from an access point for directory buckets, you must have the following permission: 
+ `s3express:UntagResource`

## Troubleshooting errors
<a name="access-points-db-tag-delete-troubleshooting"></a>

If you encounter an error when attempting to delete a tag from an access point for directory buckets, you can do the following: 
+ Verify that you have the required [Permissions](#access-points-db-tag-delete-permissions) to delete a tag from an access point for directory buckets.

## Steps
<a name="access-points-db-tag-delete-steps"></a>

You can delete tags from access points for directory buckets by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console
<a name="access-points-db-tag-delete-console"></a>

To delete tags from an access point for directory buckets using the Amazon S3 console:

1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Access Points (Directory Buckets)**.

1. Choose the access point name. 

1. Choose the **Properties** tab. 

1. Scroll to the **Tags** section and select the checkbox next to the tag or tags that you would like to delete. 

1. Choose **Delete**. 

1. The **Delete user-defined tags** pop-up appears and asks you to confirm the deletion of the tag or tags you selected. 

1. Choose **Delete** to confirm.

## Using the AWS SDKs
<a name="access-points-db-tag-delete-sdks"></a>

------
#### [ SDK for Java 2.x ]

This example shows you how to delete tags from an access point for directory buckets by using the AWS SDK for Java 2.x. To use this example, replace the *user input placeholders* with your own information. 

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.UntagResourceRequest;
import software.amazon.awssdk.services.s3control.model.UntagResourceResponse;

public class UntagResourceExample {
    public static void untagResourceExample() {
        S3ControlClient s3Control = S3ControlClient.builder().region(Region.US_WEST_2).build();

        // The resource ARN is the access point itself (no object suffix);
        // tagKeys lists the keys to remove.
        UntagResourceRequest untagResourceRequest = UntagResourceRequest.builder()
                .resourceArn("arn:aws:s3express:us-west-2:111122223333:accesspoint/my-access-point")
                .accountId("111122223333")
                .tagKeys("key1")
                .build();

        UntagResourceResponse response = s3Control.untagResource(untagResourceRequest);
        System.out.println("Status code (should be 204):");
        System.out.println(response.sdkHttpResponse().statusCode());
    }
}
```

------

## Using the REST API
<a name="access-points-db-tag-delete-api"></a>

For information about the Amazon S3 REST API support for deleting tags from an access point, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [UntagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_UntagResource.html)

## Using the AWS CLI
<a name="access-points-db-tag-delete-cli"></a>

To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to delete tags from an access point by using the AWS CLI. To use the command, replace the *user input placeholders* with your own information.

**Request:**

```
aws s3control untag-resource \
--account-id 111122223333 \
--resource-arn arn:aws:s3express:region:111122223333:accesspoint/my-access-point \
--tag-keys "key1" "key2"
```

**Response:**

```
{
  "ResponseMetadata": {
    "RequestId": "EXAMPLE123456789",
    "HTTPStatusCode": 204,
    "HTTPHeaders": {
        "date": "Wed, 19 Jun 2025 10:30:00 GMT",
        "content-length": "0"
    },
    "RetryAttempts": 0
  }
}
```