Parse an S3 Access Point ARN
Understand the ARN format for S3 Access Points, which includes the account ID and region unlike standard S3 bucket ARNs.
ARN Format
Detailed Explanation
S3 Access Point ARNs
S3 Access Points provide named network endpoints that are attached to buckets. They enable fine-grained access control at scale. Unlike standard S3 bucket ARNs, Access Point ARNs include the account ID and region.
ARN Structure
arn:aws:s3:REGION:ACCOUNT-ID:accesspoint/ACCESS-POINT-NAME
Example
arn:aws:s3:us-east-1:123456789012:accesspoint/analytics-team-ap
Parsed Components
| Component | Value |
|---|---|
| Partition | aws |
| Service | s3 |
| Region | us-east-1 |
| Account ID | 123456789012 |
| Access Point | analytics-team-ap |
Object ARN via Access Point
To reference a specific object through an access point:
arn:aws:s3:us-east-1:123456789012:accesspoint/analytics-team-ap/object/data/report.csv
| Component | Value |
|---|---|
| Access Point | analytics-team-ap |
| Object Key | data/report.csv |
Access Point URL
Each Access Point also has an HTTPS endpoint:
https://analytics-team-ap-123456789012.s3-accesspoint.us-east-1.amazonaws.com/data/report.csv
Comparison with Bucket ARN
| Feature | Bucket ARN | Access Point ARN |
|---|---|---|
| Region | Empty | Required |
| Account ID | Empty | Required |
| Resource type | Bucket name | accesspoint/name |
| Use case | Direct bucket access | Scoped access policies |
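The format above as a strict parser, an added example that is not part of the original page. The function names, the loose region pattern and the 3 to 50 character lowercase name check are assumptions of this sketch; it also accepts the aws-cn and aws-us-gov partitions, which goes beyond the page's single `aws` example.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import quote

PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}
ACCOUNT_RE = re.compile(r"\d{12}")
REGION_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d+")  # loose shape check (assumption)
NAME_RE = re.compile(r"[a-z0-9][a-z0-9-]{1,48}[a-z0-9]")  # 3-50 chars (assumption)

class AccessPointArn(NamedTuple):
    partition: str
    region: str
    account_id: str
    access_point: str
    object_key: Optional[str]

def parse_access_point_arn(arn: str) -> AccessPointArn:
    # maxsplit=5 keeps any ':' inside an object key in the resource field.
    fields = arn.split(":", 5)
    if len(fields) != 6 or fields[0] != "arn":
        raise ValueError("not an ARN")
    _, partition, service, region, account, resource = fields
    if partition not in PARTITIONS or service != "s3":
        raise ValueError("not an S3 ARN")
    # Bucket ARNs leave both fields empty; access point ARNs require them.
    if not REGION_RE.fullmatch(region) or not ACCOUNT_RE.fullmatch(account):
        raise ValueError("region and 12-digit account ID are required")
    parts = resource.split("/", 3)
    if parts[0] != "accesspoint" or len(parts) not in (2, 4):
        raise ValueError("resource must be accesspoint/NAME[/object/KEY]")
    if not NAME_RE.fullmatch(parts[1]):
        raise ValueError("invalid access point name")
    key = None
    if len(parts) == 4:
        if parts[2] != "object" or not parts[3]:
            raise ValueError("expected /object/KEY after the access point name")
        key = parts[3]
    return AccessPointArn(partition, region, account, parts[1], key)

def endpoint_url(ap: AccessPointArn) -> str:
    # Host format as shown on this page (commercial "aws" partition only).
    if ap.partition != "aws":
        raise ValueError("endpoint format here covers partition 'aws' only")
    host = f"{ap.access_point}-{ap.account_id}.s3-accesspoint.{ap.region}.amazonaws.com"
    return f"https://{host}/{quote(ap.object_key or '')}"
```

Rejecting a bucket ARN here, rather than silently accepting it, keeps a policy linter or allow-list check from treating direct bucket access as access-point-scoped access.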
When to Use Access Points
- Multi-team environments — Each team gets its own access point with specific permissions.
- VPC-restricted access — Access points can be locked to a specific VPC.
- Cross-account access — Simplifies bucket policies when multiple accounts need access.
- Data lake governance — Lake Formation integrates with access points for column-level security.
Use Case
Setting up cross-account S3 access for a data analytics team that needs to query objects in a shared data lake bucket through a VPC-restricted access point.