Multi-Region Access Point restrictions and limitations - Amazon Simple Storage Service

Multi-Region Access Point restrictions and limitations

Multi-Region Access Points in Amazon S3 have the following restrictions and limitations.

Names and aliases

Multi-Region Access Point names must meet the following requirements:

  • Must be unique within a single Amazon account.

  • Must begin with a number or lowercase letter.

  • Must be between 3 and 50 characters long.

  • Can't begin or end with a hyphen (-).

  • Can't contain underscores (_), uppercase letters, or periods (.).

  • Can't be edited after they are created.

Multi-Region Access Point aliases (which are different from Multi-Region Access Point names) are automatically generated by Amazon S3 and can't be edited or reused. For more information about the difference between Multi-Region Access Point aliases and Multi-Region Access Point names and their respective naming rules, see Rules for naming Amazon S3 Multi-Region Access Points.

Accessing a Multi-Region Access Point

You can't access data through a Multi-Region Access Point by using gateway endpoints, but you can access it by using interface endpoints. To use Amazon PrivateLink, you must create VPC endpoints. For more information, see Configuring a Multi-Region Access Point for use with Amazon PrivateLink. Be aware that IPv6 isn't supported.

To use Multi-Region Access Points with Amazon CloudFront, you must configure the Multi-Region Access Point as a Custom Origin distribution type. For more information about various origin types, see Using various origins with CloudFront distributions. For more information about using Multi-Region Access Points with Amazon CloudFront, see Building an active-active, proximity-based application across multiple Regions on the Amazon Storage Blog.

Note

S3 on Outposts buckets aren't supported.

Signing Amazon API requests

To sign an Amazon API request, your Multi-Region Access Point must meet the following minimum requirements:

Note

Multi-Region Access Points don't support anonymous requests.

  • Support for Transport Layer Security (TLS) version 1.2.

  • Support for Signature Version 4A (SigV4A). This version of SigV4 allows requests to be signed for multiple Amazon Web Services Regions. This feature is useful in API operations that might result in data access from one of several Regions. When using an Amazon SDK, you supply your credentials, and the requests to Multi-Region Access Points will use Signature Version 4A without additional configuration. Make sure to check your Amazon SDK compatibility with the SigV4A algorithm. For more information about SigV4A, see Signing Amazon API requests in the Amazon Web Services General Reference.

    Note

    To use SigV4A with temporary security credentials—for example, when using Amazon Identity and Access Management (IAM) roles—you can request the temporary credentials from a Regional Amazon Security Token Service (Amazon STS) endpoint. If you request temporary credentials from the global Amazon STS endpoint (sts.amazonaws.com.cn), then you must first set the Region compatibility of session tokens for the global endpoint to be valid in all Amazon Web Services Regions. For more information, see Managing Amazon STS in an Amazon Web Services Region in the IAM User Guide.

Amazon S3 API operations

  • CopyObject is supported as a destination only when using the Multi-Region Access Point ARN.

  • The S3 Batch Operations feature isn't supported.

Amazon SDKs

Certain Amazon SDKs aren't supported. To confirm which Amazon SDKs are supported for Multi-Region Access Points, see Compatibility with Amazon SDKs.

Service quotas

Be aware of the following service quota limitations:

  • There is a maximum of 100 Multi-Region Access Points per account.

  • There is a limit of 17 Regions for a single Multi-Region Access Point.

Creating, deleting, or modifying a Multi-Region Access Point

When you create, delete, or modify a Multi-Region Access Point, be aware of the following rules and restrictions:

  • After you create a Multi-Region Access Point, you can’t add, modify, or remove buckets from the Multi-Region Access Point configuration. To change the buckets, you must delete the entire Multi-Region Access Point and create a new one. If a cross-account bucket in your Multi-Region Access Point is deleted, the only way to reconnect this bucket is to recreate the bucket, using the same name and Region in that account.

  • Underlying buckets (in the same account) that are used in a Multi-Region Access Point can be deleted only after a Multi-Region Access Point is deleted.

Region support

Control plane requests

All control plane requests to create or maintain Multi-Region Access Points must be routed to the US West (Oregon) Region. For Multi-Region Access Point data plane requests, Regions don't need to be specified.

For the Multi-Region Access Point failover control plane, requests must be routed to one of these five supported Regions:

  • US East (N. Virginia)

  • US West (Oregon)

  • Asia Pacific (Sydney)

  • Asia Pacific (Tokyo)

  • Europe (Ireland)

Regions enabled by default

Your Multi-Region Access Point supports buckets in the following default Amazon Web Services Regions (which are enabled by default in your Amazon Web Services account):

  • US East (N. Virginia)

  • US East (Ohio)

  • US West (N. California)

  • US West (Oregon)

  • Asia Pacific (Mumbai)

  • Asia Pacific (Osaka)

  • Asia Pacific (Seoul)

  • Asia Pacific (Singapore)

  • Asia Pacific (Sydney)

  • Asia Pacific (Tokyo)

  • Canada (Central)

  • Europe (Frankfurt)

  • Europe (Ireland)

  • Europe (London)

  • Europe (Paris)

  • Europe (Stockholm)

  • South America (São Paulo)

Amazon opt-in Regions

Your Multi-Region Access Point also supports buckets in the following opt-in Amazon Web Services Regions (which are disabled by default in your Amazon Web Services account):

  • Africa (Cape Town)

  • Asia Pacific (Hong Kong)

  • Asia Pacific (Jakarta)

  • Asia Pacific (Melbourne)

  • Asia Pacific (Hyderabad)

  • Canada West (Calgary)

  • Europe (Zurich)

  • Europe (Milan)

  • Europe (Spain)

  • Israel (Tel Aviv)

  • Middle East (Bahrain)

  • Middle East (UAE)

Note

There are no additional costs for enabling an opt-in Region. However, creating or using a resource in a Multi-Region Access Point results in billing charges.

An opt-in Region must be manually enabled when configuring or creating your Multi-Region Access Point. For more information about opt-in Region behaviors for Multi-Region Access Points, see Configuring Multi-Region Access Point opt-in Regions. For information about how to enable an opt-in Region in your Amazon Web Services account, see Enable or disable a Region for standalone accounts in the Amazon Account Management Reference Guide.
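
Because a name and its bucket set can't be changed after creation, it helps to check a planned Multi-Region Access Point against the naming rules, service quotas, and Region lists on this page before submitting the create request. The following Python sketch is an added example, not Amazon code: the function names `check_name` and `check_plan` are hypothetical, and the Region codes are the standard codes for the Region names listed above.

```python
import re

# Added example: limits and Region lists transcribed from this page.
MAX_REGIONS_PER_MRAP = 17
MAX_MRAPS_PER_ACCOUNT = 100
# Standard codes for the Regions listed as enabled by default.
DEFAULT_REGIONS = {
    "us-east-1", "us-east-2", "us-west-1", "us-west-2", "ap-south-1",
    "ap-northeast-3", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2",
    "ap-northeast-1", "ca-central-1", "eu-central-1", "eu-west-1", "eu-west-2",
    "eu-west-3", "eu-north-1", "sa-east-1",
}
# Standard codes for the opt-in Regions listed on this page.
OPT_IN_REGIONS = {
    "af-south-1", "ap-east-1", "ap-southeast-3", "ap-southeast-4", "ap-south-2",
    "ca-west-1", "eu-central-2", "eu-south-1", "eu-south-2", "il-central-1",
    "me-south-1", "me-central-1",
}

def check_name(name, existing_names=()):
    """Return the naming rules from this page that `name` violates."""
    problems = []
    if not 3 <= len(name) <= 50:
        problems.append("must be between 3 and 50 characters long")
    if not re.match(r"[0-9a-z]", name):
        problems.append("must begin with a number or lowercase letter")
    if name.startswith("-") or name.endswith("-"):
        problems.append("can't begin or end with a hyphen")
    if re.search(r"[_.A-Z]", name):
        problems.append("can't contain underscores, uppercase letters, or periods")
    if name in existing_names:
        problems.append("must be unique within the account")
    return problems

def check_plan(name, regions, existing_names=(), enabled_opt_in=()):
    """Pre-flight check of a planned Multi-Region Access Point (hypothetical helper)."""
    problems = check_name(name, existing_names)
    if len(existing_names) >= MAX_MRAPS_PER_ACCOUNT:
        problems.append("account already has 100 Multi-Region Access Points")
    regions = set(regions)
    if len(regions) > MAX_REGIONS_PER_MRAP:
        problems.append(f"{len(regions)} Regions exceeds the limit of 17")
    for region in sorted(regions):
        if region in OPT_IN_REGIONS and region not in enabled_opt_in:
            problems.append(f"{region}: opt-in Region must be enabled first")
        elif region not in DEFAULT_REGIONS | OPT_IN_REGIONS:
            problems.append(f"{region}: not in the Regions listed for buckets")
    return problems
```

An empty list from `check_plan` means the plan passes every rule that can be checked offline; uniqueness and the account quota are only as accurate as the `existing_names` you pass in.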