How to Secure Your Data With Serverless Access Points

As an application scales and many services access a multitude of data points for each workload, it becomes difficult to ensure that each part of the system holds exactly the data-access permissions it needs.

In today’s world, one of the worst nightmares of a software business is a data leak or a data-privacy incident. Not only does it damage the brand’s reputation, it can also expose the company to heavy fines and other regulatory sanctions.

Thankfully, AWS has just announced a new feature at re:Invent that helps solve this problem: S3 Access Points.

An Access Point is a network hostname tied to a particular S3 bucket. This hostname carries permissions indicating which operations requesters are allowed to perform and on which objects within the bucket.

Access Points allow you to customize permissions based on object tags and prefixes, which makes them flexible enough to cover most use cases. Through an Access Point, requesters can only perform object-related operations, not any other S3 operation.

This feature makes it much easier to control an application’s data-access permissions than a single bucket policy does, especially for systems with complex permission rules and policies. All requests to Access Points are logged and traced in CloudWatch and CloudTrail, which provides auditing capability.

Each Access Point has a unique ARN, which can be used to request operations on objects.

In the AWS CLI, for example, this is how we fetch a report.pdf document object through an Access Point (the ARN goes where the bucket name normally goes):

aws s3api get-object --key report.pdf --bucket arn:aws:s3:us-east-1:123456789:accesspoint/documents downloaded-report.pdf

When using an AWS SDK, we likewise provide the Access Point ARN in place of the bucket name.

To create an Access Point, use the AWS CLI like this:

aws s3control create-access-point --name my-access-point --account-id 1234567890 --bucket documents

It is possible to attach IAM policies to Access Points for fine-grained permission control.

To grant a particular user permission to get and put objects under their own UserName/ prefix through the Access Point:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789:user/UserName"
                },
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": "arn:aws:s3:us-east-1:123456789:accesspoint/my-access-point/object/UserName/*"
            }
        ]
    }

As mentioned above, it is also possible to set permissions based on object tags. The following policy grants John Doe access only to objects tagged data=emergency-room:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789:user/JohnDoe"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:us-east-1:123456789:accesspoint/my-access-point/object/*",
                "Condition": {
                    "StringEquals": {
                        "s3:ExistingObjectTag/data": "emergency-room"
                    }
                }
            }
        ]
    }

Consider an application that serves medical information. There are several departments: Emergency Room, Intensive Care Unit, Medical Imaging, etc.

In the example above, we granted John Doe access only to objects tagged “emergency-room”. This way we protect the data of patients whose records John Doe has no business reading.
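To make the prefix-scoped and tag-scoped policies above concrete, and to show where the Access Point ARN goes in an SDK call, here is an added Python example (not from the original post or from Dashbird). It builds both policy documents as functions and runs a deliberately simplified, offline model of IAM evaluation over them: Allow statements only, exact principal match, wildcard matching on actions and resources, and StringEquals conditions on s3:ExistingObjectTag/<key>. That evaluator is an assumption for illustration, not AWS's algorithm; use the IAM policy simulator for authoritative answers. The two boto3 helpers at the end use real API calls but are not invoked, since they need credentials; the sample object key and tag sets are constructed.

```python
"""Added example: build S3 Access Point policies and check, offline, which
requests they would allow. The evaluator is a simplified model of IAM
evaluation (assumption for illustration only, see lead-in)."""
import json
from fnmatch import fnmatchcase

# Sample identifiers taken from the post (real AWS account IDs are 12 digits).
ACCOUNT_ID = "123456789"
REGION = "us-east-1"
TAG_PREFIX = "s3:ExistingObjectTag/"


def access_point_arn(name, account_id=ACCOUNT_ID, region=REGION):
    """The Access Point ARN is what goes in place of a bucket name in SDK calls."""
    return f"arn:aws:s3:{region}:{account_id}:accesspoint/{name}"


def _statement(principal_arn, actions, resource, condition=None):
    """One Allow statement for a single principal ARN."""
    st = {"Effect": "Allow", "Principal": {"AWS": principal_arn},
          "Action": list(actions), "Resource": resource}
    if condition:
        st["Condition"] = condition
    return st


def prefix_scoped_policy(ap_arn, principal_arn, prefix,
                         actions=("s3:GetObject", "s3:PutObject")):
    """Per-user area: the principal may only touch objects under <prefix>/."""
    return {"Version": "2012-10-17",
            "Statement": [_statement(principal_arn, actions, f"{ap_arn}/object/{prefix}/*")]}


def tag_scoped_policy(ap_arn, principal_arn, tag_key, tag_value, actions=("s3:GetObject",)):
    """Tag-based scoping: any object is addressable, but only readable if it carries tag_key=tag_value."""
    cond = {"StringEquals": {f"{TAG_PREFIX}{tag_key}": tag_value}}
    return {"Version": "2012-10-17",
            "Statement": [_statement(principal_arn, actions, f"{ap_arn}/object/*", cond)]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, principal_arn, action, resource, object_tags):
    """Simplified check (assumption, not IAM's full algorithm): True iff some Allow
    statement matches principal, action and resource, and every StringEquals
    tag condition matches the object's tags. Anything unmatched is denied."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(st.get("Principal", {}).get("AWS", [])):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conditions = st.get("Condition", {}).get("StringEquals", {})
        # An object without the tag has no value for the key, so StringEquals fails.
        if all(key.startswith(TAG_PREFIX) and object_tags.get(key[len(TAG_PREFIX):]) == value
               for key, value in conditions.items()):
            return True
    return False


# boto3 usage; the clients (e.g. boto3.client("s3control"), boto3.client("s3"))
# are passed in and these are not called here because they need credentials.
def attach_policy(s3control, name, policy, account_id=ACCOUNT_ID):
    """Attach the policy document to an existing Access Point."""
    s3control.put_access_point_policy(AccountId=account_id, Name=name, Policy=json.dumps(policy))


def get_object_via_access_point(s3, ap_arn, key):
    """SDK call: the Access Point ARN replaces the bucket name."""
    return s3.get_object(Bucket=ap_arn, Key=key)["Body"].read()


if __name__ == "__main__":
    arn = access_point_arn("my-access-point")
    john = "arn:aws:iam::123456789:user/JohnDoe"
    policy = tag_scoped_policy(arn, john, "data", "emergency-room")
    print(json.dumps(policy, indent=2))
    obj = f"{arn}/object/patients/42.pdf"  # constructed sample object key
    for tags in ({"data": "emergency-room"}, {"data": "medical-imaging"}, {}):
        verdict = "allow" if is_allowed(policy, john, "s3:GetObject", obj, tags) else "deny"
        print(tags, "->", verdict)
```

Running the script prints the tag-scoped policy and then allow/deny for the same object key under three tag sets; only the object tagged data=emergency-room is readable, and an untagged object is denied because the condition key has no value to compare. The prefix-scoped builder gives the UserName/ pattern from the first policy, where the boundary is the key prefix rather than a tag.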

Access Points are a powerful way to control and distribute data-access patterns through custom hostnames across your applications. Read the full AWS documentation for more details.
