Manage S3 permissions for directory users and groups
Amazon S3 Access Grants map identities in directories such as Active Directory, or AWS Identity and Access Management (IAM) principals, to datasets in S3. This helps you manage data permissions at scale by granting S3 access to end users based on their corporate identity. S3 Access Grants also log the end-user identity and the application used to access S3 data in AWS CloudTrail, giving you an audit history down to the individual end user for all access to the data in your S3 buckets.
Benefits
Manage S3 permissions for directory users and groups
S3 Access Grants build on the trusted identity propagation capability of AWS IAM Identity Center, which allows S3 to authorize requests directly against directory users and groups. Because IAM Identity Center federates with external identity providers, S3 Access Grants work with a wide range of popular providers such as Microsoft Entra ID, Okta, Ping, OneLogin, and more.
End-user auditability
With enhanced integrations with CloudTrail, end-user access to S3 via S3 Access Grants is auditable in CloudTrail down to the directory user identity.
Scale Amazon S3 permissions
With S3 Access Grants you can express granular S3 permissions in a simple grant style (a grantee, a bucket prefix, and a permission level) rather than in a growing set of bucket and IAM policies, with up to 100,000 grants per Region per account. Each grant gives a user or application only the S3 data it needs.
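The grant style described above, as an added example (this is not code from the AWS page or from any of the products it mentions): it builds grants through the S3 Control API with boto3 and pairs them with a small local matcher that shows how a grantee, a target prefix and a permission level line up. The account ID, bucket, role ARN and directory group ID are constructed placeholders. The local matching function is an approximation for illustration (the longest covering scope wins, READWRITE satisfies READ and WRITE), not the service's own evaluator. The functions that call AWS assume boto3 is installed, that credentials for the account owning the Access Grants instance are configured, and that the instance itself already exists (created once with create_access_grants_instance, with IdentityCenterArn set when directory grantees are used).

```python
"""Define S3 Access Grants in grant style and request scoped credentials.

Added example, not the AWS page's own code. The boto3 calls are real
S3 Control API operations; the resources named below are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholders for the example (not real resources).
ACCOUNT_ID = "111122223333"
BUCKET = "example-datalake"
LOCATION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/S3AccessGrantsLocationRole"
DIRECTORY_GROUP_ID = "12345678-90ab-cdef-1234-567890abcdef"  # IAM Identity Center group ID


@dataclass(frozen=True)
class Grant:
    """Local model of one grant: a registered location plus an optional
    sub-prefix, a grantee, and a permission level."""
    location_scope: str         # e.g. "s3://example-datalake/finance/"
    sub_prefix: Optional[str]   # e.g. "reports/*", or None for the whole location
    grantee_type: str           # "IAM", "DIRECTORY_USER" or "DIRECTORY_GROUP"
    grantee_id: str
    permission: str             # "READ", "WRITE" or "READWRITE"

    @property
    def scope(self) -> str:
        """Effective prefix the grant covers (trailing '*' on the sub-prefix dropped)."""
        base = self.location_scope if self.location_scope.endswith("/") else self.location_scope + "/"
        if not self.sub_prefix:
            return base
        return base + self.sub_prefix.rstrip("*")


def permission_allows(granted: str, requested: str) -> bool:
    """READWRITE satisfies READ and WRITE; READ and WRITE only satisfy themselves."""
    return granted == requested or granted == "READWRITE"


def matching_grants(grants: List[Grant], grantee_id: str, target: str, requested: str) -> List[Grant]:
    """Grants held by `grantee_id` whose scope covers `target` with a sufficient
    permission, most specific (longest scope) first. Local approximation of the
    service's matching, written for illustration; the S3 User Guide is authoritative."""
    hits = [
        g for g in grants
        if g.grantee_id == grantee_id
        and target.startswith(g.scope)
        and permission_allows(g.permission, requested)
    ]
    return sorted(hits, key=lambda g: len(g.scope), reverse=True)


def create_grant_aws(grant: Grant, account_id: str = ACCOUNT_ID) -> dict:
    """Register the location and create the grant via the S3 Control API.
    Requires boto3 and credentials; the Access Grants instance must already exist."""
    import boto3  # imported here so the module loads without boto3

    s3control = boto3.client("s3control")
    # The location role is what actually holds S3 permissions; the grant narrows it.
    location = s3control.create_access_grants_location(
        AccountId=account_id,
        LocationScope=grant.location_scope,
        IAMRoleArn=LOCATION_ROLE_ARN,
    )
    params = {
        "AccountId": account_id,
        "AccessGrantsLocationId": location["AccessGrantsLocationId"],
        "Grantee": {"GranteeType": grant.grantee_type, "GranteeIdentifier": grant.grantee_id},
        "Permission": grant.permission,
    }
    if grant.sub_prefix:
        params["AccessGrantsLocationConfiguration"] = {"S3SubPrefix": grant.sub_prefix}
    return s3control.create_access_grant(**params)


def get_scoped_credentials_aws(target: str, permission: str, account_id: str = ACCOUNT_ID) -> dict:
    """Ask S3 Access Grants for temporary credentials scoped to `target`. The caller's
    identity (IAM principal or propagated directory identity) is matched against the grants."""
    import boto3

    s3control = boto3.client("s3control")
    resp = s3control.get_data_access(
        AccountId=account_id,
        Target=target,
        Permission=permission,
        DurationSeconds=900,
        Privilege="Minimal",  # credentials cover the requested target, not the whole grant
    )
    return resp["Credentials"]


# Constructed sample grants: the finance group may read all of finance/ and
# read/write the finance/reports/ sub-prefix.
SAMPLE_GRANTS = [
    Grant(f"s3://{BUCKET}/finance/", None, "DIRECTORY_GROUP", DIRECTORY_GROUP_ID, "READ"),
    Grant(f"s3://{BUCKET}/finance/", "reports/*", "DIRECTORY_GROUP", DIRECTORY_GROUP_ID, "READWRITE"),
]

if __name__ == "__main__":
    for target, perm in [(f"s3://{BUCKET}/finance/reports/q1.csv", "WRITE"),
                         (f"s3://{BUCKET}/finance/ledger.csv", "WRITE"),
                         (f"s3://{BUCKET}/hr/salaries.csv", "READ")]:
        hits = matching_grants(SAMPLE_GRANTS, DIRECTORY_GROUP_ID, target, perm)
        print(perm, target, "->", [h.scope for h in hits] or "no matching grant")
```

Two points a practitioner should keep in mind. The IAM role registered with the location is the credential S3 Access Grants vends from, so scope that role's policy to the location (not `s3:*` on every bucket) and let the grants narrow it further. Requesting `Privilege="Minimal"` in GetDataAccess returns credentials valid only for the requested target rather than for the whole matched grant, which is the least-privilege setting to use from applications; the CloudTrail record of the GetDataAccess call then carries the end-user identity that asked.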
Centrally manage your data lake with third-party integrations
Your data lake stack might include S3 alongside other popular analytics products such as Amazon Redshift, Databricks, and Snowflake. S3 Access Grants integrate with Immuta and Informatica so you can manage your S3 permissions centrally together with those platforms.
Customers and Partners
Immuta
Immuta helps organizations unlock value from their data by providing an integrated platform for sensitive data discovery, access control enforcement, and access behavior analysis and remediations.
“The Immuta Data Security Platform allows our customers to simplify, centralize, and enforce access control policies across cloud data platforms. With the new S3 Access Grants capability built in, Immuta customers can now define S3 permissions and leverage Immuta’s ‘write once, apply everywhere’ approach with attribute-based access control (ABAC), drastically reducing the number of policies required. With this approach, you can democratize and increase data usage while meeting global compliance standards.”
Mo Plassnig, Chief Product Officer - Immuta
Informatica
Informatica Intelligent Data Management Cloud, built on AWS, is an AI-powered, end-to-end data management platform that connects, manages, and unifies data across any multi-cloud or hybrid system, democratizing data and enabling AWS customers to modernize and redefine their data and AI strategies and experiences.
“The integration between Informatica's Data Access Management and Cloud Data Marketplace capabilities, together with Amazon S3 Access Grants, will further simplify self-service access to data in data lakes built on Amazon S3. It will enable different personas within an enterprise data community to easily share and deliver data products with Informatica’s marketplace into Amazon S3, with centrally managed security and privacy controls in place, and in accordance with modern data governance principles.”
Brett Roscoe, SVP, Product Development - Informatica
Booking.com
Booking.com is one of the world's leading online travel platforms, connecting travelers with the widest selection of places to stay, experiences, and attractions, as well as a range of transportation options including flights, car rentals, and taxis.
“We are on a journey to migrate Booking.com’s multi-petabyte on-prem analytics and machine learning ecosystem to a set of cloud native products and services built on top of AWS. With Amazon S3 Access Grants, we aim to enforce strong governance over the entirety of our data lake for both structured and unstructured data, irrespective of the technology the data consumers of the platform choose to access and modify the data on S3. The APIs and data model of S3 Access Grants make it easy to build automation to manage S3 access at scale, while hiding a lot of the complexity for end-users, who simply receive a standard STS token to access and modify only the data they need.”
Luca Falsina, Principal Software Engineer I, and Abhro Bhaduri, Senior Product Manager, Data and Machine Learning Platform - Booking.com
Resources
Get started with Amazon S3 Access Grants
Get in-depth information on configuring Amazon S3 Access Grants in the S3 User Guide.
Get started with S3 Access Grants in the AWS Management Console.