S3 Access Control Lists (ACLs)

  • As a general rule, AWS recommends using S3 bucket policies or IAM policies for access control.

  • S3 ACLs are a legacy access control mechanism that predates IAM.

  • Each bucket and object has an ACL attached to it as a sub-resource.

  • It defines which AWS accounts or groups are granted access and the type of access.

  • When a request is received against a resource, S3 checks the corresponding ACL to verify that the requester has the necessary access permissions.

  • When you create a bucket or an object, S3 creates a default ACL that grants the resource owner full control over the resource.

Canned ACL

  • S3 supports a set of predefined grants, known as canned ACLs.

  • Each canned ACL has a predefined set of grantees and permissions.

  • You can specify only one of these canned ACLs in your request.

  • You specify a canned ACL in your request using the x-amz-acl request header.

  • public-read - Owner (of the bucket or object) gets FULL_CONTROL. The AllUsers group gets READ access.

  • bucket-owner-read - Object owner gets FULL_CONTROL. Bucket owner gets READ access.

  • bucket-owner-full-control - Both the object owner and the bucket owner get FULL_CONTROL over the object.
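As an added example (not part of these notes and not AWS's own code), the canned ACLs listed above expanded into the explicit grant form that boto3's get_object_acl returns, plus an audit check that flags any grant to the AllUsers group; the canonical user IDs are constructed, the AllUsers group URI is the real one S3 uses.

```python
# Added example, not from these notes or AWS. IDs are constructed values;
# the AllUsers group URI is the real one S3 uses for anonymous access.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"

# Each canned ACL as (role, permission); roles are resolved at expansion.
CANNED_ACLS = {
    "private": [("object_owner", "FULL_CONTROL")],  # the default ACL
    "public-read": [("object_owner", "FULL_CONTROL"), ("AllUsers", "READ")],
    "bucket-owner-read": [("object_owner", "FULL_CONTROL"),
                          ("bucket_owner", "READ")],
    "bucket-owner-full-control": [("object_owner", "FULL_CONTROL"),
                                  ("bucket_owner", "FULL_CONTROL")],
}


def expand_canned_acl(canned, object_owner, bucket_owner):
    """Grants a canned ACL stands for on an object owned by object_owner
    inside a bucket owned by bucket_owner (both canonical user IDs).
    Output uses the Grantee/Permission shape boto3's get_object_acl returns."""
    if canned not in CANNED_ACLS:
        raise ValueError(f"unknown canned ACL: {canned}")
    grants = []
    for role, permission in CANNED_ACLS[canned]:
        if role == "AllUsers":
            grantee = {"Type": "Group", "URI": ALL_USERS_URI}
        else:
            owner = object_owner if role == "object_owner" else bucket_owner
            grantee = {"Type": "CanonicalUser", "ID": owner}
        grants.append({"Grantee": grantee, "Permission": permission})
    return grants


def public_permissions(grants):
    """Permissions granted to AllUsers, i.e. to unauthenticated requesters."""
    return sorted(g["Permission"] for g in grants
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") == ALL_USERS_URI)


def audit_acl(acl_response):
    """(is_public, permissions) for a get_bucket_acl/get_object_acl response."""
    perms = public_permissions(acl_response.get("Grants", []))
    return bool(perms), perms


# Constructed sample: an object uploaded with the x-amz-acl: public-read header.
SAMPLE_ACL = {"Owner": {"ID": "obj-owner-constructed"},
              "Grants": expand_canned_acl("public-read", "obj-owner-constructed",
                                          "bucket-owner-constructed")}
```

Run audit_acl over the output of a real get_bucket_acl or get_object_acl call to spot resources that a bucket policy or IAM policy did not intend to expose.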
