1
00:00:00,570 --> 00:00:02,730
So, now let's talk about S3 Access Points

2
00:00:02,730 --> 00:00:05,910
and then the S3 Object Lambdas.

3
00:00:05,910 --> 00:00:07,680
So, we have an S3 bucket,

4
00:00:07,680 --> 00:00:09,300
and that S3 bucket has two folders.

5
00:00:09,300 --> 00:00:11,370
One contains the Finance Data,

6
00:00:11,370 --> 00:00:13,110
and it's named "/finance/",

7
00:00:13,110 --> 00:00:14,730
and one contains the Sales Data

8
00:00:14,730 --> 00:00:17,700
of the company, and it's named "/sales/".

9
00:00:17,700 --> 00:00:20,970
And say we had three groups of Users

10
00:00:20,970 --> 00:00:24,210
that want to access the data in this S3 bucket.

11
00:00:24,210 --> 00:00:26,490
We have the Finance Users/Group,

12
00:00:26,490 --> 00:00:27,870
we have the Sales Users/Group,

13
00:00:27,870 --> 00:00:30,810
and the Analytics Users/Group, okay?

14
00:00:30,810 --> 00:00:34,080
Now we could create a bucket policy

15
00:00:34,080 --> 00:00:37,620
and define what every User has access to,

16
00:00:37,620 --> 00:00:40,050
but if we have more Users and more groups,

17
00:00:40,050 --> 00:00:43,080
the bucket policy can become quite complicated.

18
00:00:43,080 --> 00:00:44,580
So instead, what we're going to do is that

19
00:00:44,580 --> 00:00:48,360
we're going to use this feature called the S3 Access Points.

20
00:00:48,360 --> 00:00:50,179
So we're going to create an Access Point

21
00:00:50,179 --> 00:00:51,870
for the finance team.

22
00:00:51,870 --> 00:00:54,660
So, it's called the Finance AP, for Access Point.

23
00:00:54,660 --> 00:00:57,480
So, it's connected to the Finance Data,

24
00:00:57,480 --> 00:00:59,730
and we can have a Sales Access Point

25
00:00:59,730 --> 00:01:01,560
connected to the Sales Data,

26
00:01:01,560 --> 00:01:03,390
and an Analytics Access Point

27
00:01:03,390 --> 00:01:06,330
connected to the Finance and the Sales Data.
28
00:01:06,330 --> 00:01:09,570
So, we've created a layer on top of our three buckets.

29
00:01:09,570 --> 00:01:12,210
Now, we're going to attach a policy

30
00:01:12,210 --> 00:01:14,490
on the Finance Access Point,

31
00:01:14,490 --> 00:01:17,040
and it's going to grant access,

32
00:01:17,040 --> 00:01:19,770
read/write access to the Finance Users/Group

33
00:01:19,770 --> 00:01:22,680
to the specific /finance prefix.

34
00:01:22,680 --> 00:01:26,820
And therefore, our Users accessing our S3 bucket

35
00:01:26,820 --> 00:01:29,070
through the Finance Access Point

36
00:01:29,070 --> 00:01:33,000
can only read and write the Finance Data.

37
00:01:33,000 --> 00:01:35,670
Then, similarly, if we do the same

38
00:01:35,670 --> 00:01:38,211
and attach a policy to the access point

39
00:01:38,211 --> 00:01:39,044
(gurgling)

40
00:01:39,044 --> 00:01:40,530
of the sales team to only do

41
00:01:40,530 --> 00:01:43,680
read and write access to the /sales prefix,

42
00:01:43,680 --> 00:01:47,970
then the sales team can only modify and read the sales data

43
00:01:47,970 --> 00:01:51,750
if they access the bucket through the Access Point.

44
00:01:51,750 --> 00:01:54,000
And then finally, the analytics group, well,

45
00:01:54,000 --> 00:01:57,360
they only need read access, but to all the data.

46
00:01:57,360 --> 00:01:58,980
And therefore we can attach a policy

47
00:01:58,980 --> 00:02:01,080
to the Analytics Access Point

48
00:02:01,080 --> 00:02:03,960
to grant read access to the entire bucket.

49
00:02:03,960 --> 00:02:07,170
And so we've seen how using different Access Points,

50
00:02:07,170 --> 00:02:11,009
we're able to use a specific policy per Access Point

51
00:02:11,009 --> 00:02:15,060
to define how one group may access the Access Point

52
00:02:15,060 --> 00:02:18,840
and therefore may access your S3 bucket.
53
00:02:18,840 --> 00:02:22,170
So each Access Point actually has its own DNS name,

54
00:02:22,170 --> 00:02:25,140
and its own policy, and this allows us to limit

55
00:02:25,140 --> 00:02:27,990
who can access it in terms of users or groups.

56
00:02:27,990 --> 00:02:29,400
And so, therefore, because we have

57
00:02:29,400 --> 00:02:32,730
only one policy per access point, it's easier to manage

58
00:02:32,730 --> 00:02:36,600
than very complex and unique bucket policies.

59
00:02:36,600 --> 00:02:39,360
So, once we've defined what Access Points are,

60
00:02:39,360 --> 00:02:40,830
there is another use case for them,

61
00:02:40,830 --> 00:02:43,770
and it's called the S3 Object Lambda.

62
00:02:43,770 --> 00:02:46,350
So the idea is that you have an S3 bucket,

63
00:02:46,350 --> 00:02:49,740
but you want to modify the object

64
00:02:49,740 --> 00:02:54,390
just before it is being retrieved by a caller application.

65
00:02:54,390 --> 00:02:57,840
And instead of, for example, duplicating our buckets

66
00:02:57,840 --> 00:03:00,150
to have different versions of each object,

67
00:03:00,150 --> 00:03:03,150
we can use S3 Object Lambda instead.

68
00:03:03,150 --> 00:03:06,600
And for this, we need the S3 Access Points that we just saw.

69
00:03:06,600 --> 00:03:07,800
So, how does that work?

70
00:03:07,800 --> 00:03:11,400
Say we have the Cloud and we have an S3 bucket in it.

71
00:03:11,400 --> 00:03:13,320
So, an eCommerce Application maybe

72
00:03:13,320 --> 00:03:15,600
owns the data in this S3 bucket,

73
00:03:15,600 --> 00:03:18,690
and so they're able to access the S3 bucket directly,

74
00:03:18,690 --> 00:03:22,590
and put and get the original object out of it.

75
00:03:22,590 --> 00:03:25,200
But, then an Analytics Application

76
00:03:25,200 --> 00:03:28,800
may want to only have access to the redacted object.

77
00:03:28,800 --> 00:03:33,240
That means that some data has been deleted from the object.
78
00:03:33,240 --> 00:03:35,880
And so instead of creating a new S3 bucket for this,

79
00:03:35,880 --> 00:03:38,970
what we can do is that we create an S3 Access Point

80
00:03:38,970 --> 00:03:40,590
on top of our S3 bucket,

81
00:03:40,590 --> 00:03:42,930
and it's connected to a Lambda function.

82
00:03:42,930 --> 00:03:44,670
Now we haven't seen Lambda in depth,

83
00:03:44,670 --> 00:03:46,140
but a Lambda function allows you

84
00:03:46,140 --> 00:03:49,350
to run a bit of code in the Cloud very easily.

85
00:03:49,350 --> 00:03:52,320
And so this Lambda function is going to

86
00:03:52,320 --> 00:03:55,440
redact the object as it is being retrieved.

87
00:03:55,440 --> 00:03:57,150
And, on top of this Lambda function,

88
00:03:57,150 --> 00:04:01,020
we're going to create an S3 Object Lambda Access Point.

89
00:04:01,020 --> 00:04:03,900
And this is how the Analytics Application

90
00:04:03,900 --> 00:04:05,850
is going to access our S3 bucket.

91
00:04:05,850 --> 00:04:08,190
So to summarize, the Analytics Application

92
00:04:08,190 --> 00:04:11,520
accesses our S3 Object Lambda Access Point,

93
00:04:11,520 --> 00:04:13,590
which invokes our Lambda function.

94
00:04:13,590 --> 00:04:15,810
Our Lambda function is going to retrieve the data

95
00:04:15,810 --> 00:04:19,320
from the S3 bucket and run some code to redact the data.

96
00:04:19,320 --> 00:04:21,899
And therefore, the Analytics Application

97
00:04:21,899 --> 00:04:23,790
is obtaining a redacted object

98
00:04:23,790 --> 00:04:25,620
from the very same S3 bucket

99
00:04:25,620 --> 00:04:27,513
as the e-Commerce Application.

100
00:04:28,620 --> 00:04:30,510
Now, a marketing application

101
00:04:30,510 --> 00:04:32,880
may want to have access to an enriched object,

102
00:04:32,880 --> 00:04:35,940
and they have a customer loyalty database

103
00:04:35,940 --> 00:04:37,650
to enhance the data.
104
00:04:37,650 --> 00:04:40,920
So instead of, again, creating a new S3 bucket,

105
00:04:40,920 --> 00:04:43,980
and creating all the objects with all the enriched data,

106
00:04:43,980 --> 00:04:47,400
what we can do is, again, use a Lambda function.

107
00:04:47,400 --> 00:04:48,930
So, another piece of code,

108
00:04:48,930 --> 00:04:51,120
and this one will enrich the data

109
00:04:51,120 --> 00:04:54,810
by looking it up from the customer loyalty database.

110
00:04:54,810 --> 00:04:56,280
And therefore, we can also create

111
00:04:56,280 --> 00:04:58,860
an Object Lambda Access Point on top of it.

112
00:04:58,860 --> 00:05:00,630
And therefore, our Marketing Application

113
00:05:00,630 --> 00:05:03,270
can access this Access Point,

114
00:05:03,270 --> 00:05:05,580
this S3 Object Lambda Access Point,

115
00:05:05,580 --> 00:05:07,530
to get, again, the enriched objects.

116
00:05:07,530 --> 00:05:10,230
As you can see, we only need one S3 bucket,

117
00:05:10,230 --> 00:05:13,020
but we can create Access Points and Object Lambdas

118
00:05:13,020 --> 00:05:15,600
to modify the data as we will.

119
00:05:15,600 --> 00:05:18,060
So, as we wish. So the use cases

120
00:05:18,060 --> 00:05:20,940
for it are to redact, for example, PII data,

121
00:05:20,940 --> 00:05:23,730
so personally identifiable information,

122
00:05:23,730 --> 00:05:26,040
for analytics or non-production environments,

123
00:05:26,040 --> 00:05:29,220
or for example to convert data from XML to JSON,

124
00:05:29,220 --> 00:05:31,800
or to perform any kind of transformation you want,

125
00:05:31,800 --> 00:05:35,670
for example resizing and watermarking images on the fly.

126
00:05:35,670 --> 00:05:38,250
But, the watermark is specific

127
00:05:38,250 --> 00:05:40,200
to the user who requests the object.

128
00:05:40,200 --> 00:05:42,060
So that's kind of a cool,

129
00:05:42,060 --> 00:05:45,120
cool usage for S3 Object Lambda.
130
00:05:45,120 --> 00:05:46,740
So, I hope you liked it,

131
00:05:46,740 --> 00:05:48,690
and I will see you in the next lecture.