Amazon S3 Access Grants

Manage S3 permissions for directory users and groups

Amazon S3 Access Grants map identities in directories such as Microsoft Entra ID, or AWS Identity and Access Management (IAM) principals, to datasets in S3. This helps you manage data permissions at scale by automatically granting S3 access to end users based on their corporate identity. Additionally, S3 Access Grants log the end-user identity and the application used to access S3 data in AWS CloudTrail. This provides a detailed audit history, down to the end-user identity, for all access to the data in your S3 buckets.


S3 Access Grants build on top of the trusted identity propagation capability of AWS IAM Identity Center and allow S3 to authenticate and authorize directly against directory users and groups. By integrating with IAM Identity Center, S3 Access Grants support a wide range of corporate identity providers, such as Entra ID, Okta, or any other external identity provider.

End-user auditability

With enhanced CloudTrail integration, end-user access to S3 through S3 Access Grants is auditable in CloudTrail down to the directory user identity.

Scale Amazon S3 permissions

You can use S3 Access Grants to enforce granular S3 permissions at scale. With S3 Access Grants, you define S3 access in an intuitive grant style, with up to 100,000 grants per Region per account, giving users and applications access to only the S3 data they need.

