Configuring Multi-Region Access Point opt-in Regions - Amazon Simple Storage Service

Configuring Multi-Region Access Point opt-in Regions

An Amazon opt-in Region is a Region that isn’t enabled by default in your Amazon account. In contrast, Regions that are enabled by default are known as Amazon Web Services Regions or commercial Regions.

To start using Multi-Region Access Points in Amazon opt-in Regions, you must manually enable the opt-in Region for your Amazon account before creating your Multi-Region Access Point. After you enable the opt-in Region, you can create Multi-Region Access Points with buckets in the selected opt-in Region. For instructions on how to enable or disable an opt-in Region for your Amazon account or Amazon Organization, see Enable or disable a Region for standalone accounts or Enable or disable a Region in your organization.

Note

Multi-Region Access Point opt-in Regions are currently only supported through Amazon SDKs and Amazon CLI.

S3 Multi-Region Access Points supports the following Amazon opt-in Regions:

  • Africa (Cape Town)

  • Asia Pacific (Hong Kong)

  • Asia Pacific (Jakarta)

  • Asia Pacific (Melbourne)

  • Asia Pacific (Hyderabad)

  • Canada West (Calgary)

  • Europe (Zurich)

  • Europe (Milan)

  • Europe (Spain)

  • Israel (Tel Aviv)

  • Middle East (Bahrain)

  • Middle East (UAE)

Note

There are no additional costs for enabling an opt-in Region. However, creating or using a resource in a Multi-Region Access Point results in billing charges.

Using a Multi-Region Access Point in an Amazon opt-in Region

To perform a data plane operation on your Multi-Region Access Point, all associated Amazon accounts must enable the opt-in Regions that are part of the Multi-Region Access Point. This requirement applies to the requester account, the Multi-Region Access Point owner, S3 bucket owners, and the VPC endpoint owner. If any of these accounts don’t enable Amazon opt-in Regions, the Multi-Region Access Point requests fail. For more information about the InvalidToken or AllAccessDisabled errors, see List of error codes.

Note

Control plane operations such as updating your Multi-Region Access Point policy or updating your failover configuration aren’t impacted by the opt-in Region status of any Region that is part of your Multi-Region Access Point. You also don’t need to disable any active opt-in Regions before deleting a Multi-Region Access Point.

Disabling an active Amazon opt-in Region

If you disable an opt-in Region that is part of your Multi-Region Access Point, requests routed to this Region result in a 403 AllAccessDisabled error. To safely disable an opt-in Region, we recommend that you first identify an alternate Region in your Multi-Region Access Point configuration to route the traffic to. You can then use Multi-Region Access Point failover controls to mark the alternate Region as active, and mark the Region to be disabled as passive. After changing the failover controls, you can disable the Region you want to opt out of.
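The following sketch plans the failover-control change described above so that the Region being disabled is never the only active one. It is an added example, not code from the original documentation; the function name, bucket names and sample routes are hypothetical, and the route dictionaries assume the field names of the s3control GetMultiRegionAccessPointRoutes and SubmitMultiRegionAccessPointRoutes operations.

```python
# Added example (not AWS code). Route dicts use the field names of the
# s3control GetMultiRegionAccessPointRoutes / SubmitMultiRegionAccessPointRoutes
# operations; bucket names and the sample below are constructed.

def plan_region_disable(routes, region_to_disable, enabled_regions):
    """Build RouteUpdates that make region_to_disable passive before opt-out.

    routes: list of {"Bucket", "Region", "TrafficDialPercentage"} (0 or 100)
    enabled_regions: Regions that stay enabled for the account
    Raises ValueError if the change would leave no active Region.
    """
    target = [r for r in routes if r["Region"] == region_to_disable]
    if not target:
        raise ValueError(f"{region_to_disable} is not in this access point")
    alternates = [r for r in routes
                  if r["Region"] != region_to_disable
                  and r["Region"] in enabled_regions]
    if not alternates:
        raise ValueError("no enabled alternate Region to receive traffic")

    updates = []
    # Promote an alternate only if none is already active.
    if not any(r["TrafficDialPercentage"] == 100 for r in alternates):
        alt = alternates[0]
        updates.append({"Bucket": alt["Bucket"], "Region": alt["Region"],
                        "TrafficDialPercentage": 100})
    # Then mark the Region being disabled as passive.
    for r in target:
        if r["TrafficDialPercentage"] != 0:
            updates.append({"Bucket": r["Bucket"], "Region": r["Region"],
                            "TrafficDialPercentage": 0})
    return updates


if __name__ == "__main__":
    sample_routes = [  # constructed
        {"Bucket": "example-bucket-use1", "Region": "us-east-1",
         "TrafficDialPercentage": 0},
        {"Bucket": "example-bucket-afs1", "Region": "af-south-1",
         "TrafficDialPercentage": 100},
    ]
    for u in plan_region_disable(sample_routes, "af-south-1", {"us-east-1"}):
        print(u)
```

Submit the returned list as the route updates, confirm the new routing state, and only then disable the Region in your account settings.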

Enabling a previously disabled Amazon opt-in Region

To enable an opt-in Amazon Region that was previously disabled for your Multi-Region Access Point, make sure to update your Amazon account settings. After you re-enable the opt-in Region, run the PutMultiRegionAccessPointPolicy API operation to apply the Multi-Region Access Points policy to the opt-in Region.

If your Multi-Region Access Point is accessed through a VPC endpoint, we recommend that you update your VPCE policy and use the ModifyVpcEndpoint API operation to apply the updated VPC endpoint policy to the re-enabled opt-in Region.

Multi-Region Access Points policy and multiple Amazon accounts

If your Multi-Region Access Points policy grants access to multiple Amazon accounts, all requester accounts must also enable the same opt-in Regions in their account settings. If the requester account submits a Multi-Region Access Point request without enabling the opt-in Regions that are part of the Multi-Region Access Point, it’ll result in a 400 InvalidToken error.

Amazon opt-in Region considerations

When you access a Multi-Region Access Point from an opt-in Region, be aware of the following:

  • When you enable an opt-in Region, it allows you to create a Multi-Region Access Point using the buckets from the opt-in Region. When you disable an opt-in Region, the Multi-Region Access Point is no longer supported in the opt-in Region. If you no longer want an opt-in Region enabled for your Multi-Region Access Point, make sure to disable the Region for your account first. Then, create a new Multi-Region Access Point with your preferred list of opt-in Regions.

  • If you attempt to create your Multi-Region Access Point with a disabled opt-in Region, you’ll receive a 403 InvalidRegion error. After you enable the opt-in Region, try creating the Multi-Region Access Point again.

  • The maximum number of supported Regions for a Multi-Region Access Point is 17 Regions. This includes both opt-in Regions and commercial Regions. For more information, see Multi-Region Access Points restrictions and limitations.

  • Control plane requests for Multi-Region Access Points will work, even if you haven't opted in to any Regions.

  • When you're trying to create a Multi-Region Access Point for the first time, you must opt into all Regions that are part of the Multi-Region Access Point.

  • Any Amazon accounts that are granted access to an S3 Multi-Region Access Point through the Multi-Region Access Point policy must also enable the same opt-in Regions that are part of the Multi-Region Access Point.
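The multi-account requirement in "Using a Multi-Region Access Point in an Amazon opt-in Region" and "Multi-Region Access Points policy and multiple Amazon accounts" can be checked before traffic is sent. The following pre-flight audit is an added example, not code from the original documentation; it assumes each account's Region list has the shape returned by the Account Management ListRegions operation (RegionName, RegionOptStatus), treats ENABLING and DISABLING as not yet usable (an assumption), and uses constructed account IDs and a hypothetical function name.

```python
# Added example (not AWS code). Region entries follow the Account Management
# ListRegions response shape; account IDs and sample data are constructed.

# Assumption: only these statuses mean the Region is usable right now.
USABLE = {"ENABLED", "ENABLED_BY_DEFAULT"}


def audit_opt_in(mrap_regions, accounts):
    """Report accounts that have not enabled every Region of the access point.

    mrap_regions: Region codes that are part of the Multi-Region Access Point
    accounts: {account_id: {"roles": [...], "regions": [ListRegions entries]}}
              roles are labels such as "requester", "mrap-owner",
              "bucket-owner", "vpce-owner"
    """
    findings = []
    for account_id, info in sorted(accounts.items()):
        usable = {r["RegionName"] for r in info["regions"]
                  if r["RegionOptStatus"] in USABLE}
        # A Region absent from the account's list counts as not enabled.
        missing = sorted(set(mrap_regions) - usable)
        if not missing:
            continue
        # The page names 400 InvalidToken for requester accounts; for the
        # other roles it states only that the requests fail.
        expected = ("400 InvalidToken" if "requester" in info["roles"]
                    else "data plane requests fail")
        findings.append({"account": account_id, "roles": info["roles"],
                         "missing": missing, "expected": expected})
    return findings


if __name__ == "__main__":
    base = [{"RegionName": "us-east-1", "RegionOptStatus": "ENABLED_BY_DEFAULT"}]
    sample_accounts = {  # constructed
        "111111111111": {"roles": ["mrap-owner", "bucket-owner"], "regions": base + [
            {"RegionName": "af-south-1", "RegionOptStatus": "ENABLED"}]},
        "222222222222": {"roles": ["requester"], "regions": base + [
            {"RegionName": "af-south-1", "RegionOptStatus": "DISABLED"}]},
    }
    for finding in audit_opt_in(["us-east-1", "af-south-1"], sample_accounts):
        print(finding)
```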