
Amazon S3 - Access Control List (ACL) Overview

Amazon S3 stores your data as Objects inside Buckets. Every Bucket and every Object has an Access Control List (ACL) attached to it. The ACL is the mechanism that controls who may access a Bucket or Object and what they may do with it: you specify who can access what by setting an ACL on each S3 Object and Bucket.
 
You can read and update the ACLs of the Buckets and Objects in your AWS account. ACLs let you control how other AWS account holders, and anonymous internet users, may access your Buckets and Objects.

An ACL is a list of grants, each pairing a grantee with a permission (read, write, read ACL, write ACL) on a Bucket or an Object. These grants determine which operations a user may perform, such as uploading new files or deleting existing Objects.

Types of ACL provided by Amazon S3

With reference to a Bucket:
  1. Read: Authorized user can list the Bucket, i.e. see the file names, their sizes and last modified dates.
  2. Write: Authorized user can upload new files to the Bucket and can overwrite or delete any file in it. Note that write permission on a Bucket lets the user delete an Object even when he/she has no read permission on that Object.
  3. Read ACP: Authorized user can read the ACL of the Bucket.
  4. Write ACP: Authorized user can change the ACL of the Bucket (and so grant himself/herself any other permission).
With reference to an Object:
  1. Read: Authorized user can download the file.
  2. Write: Authorized user can replace the file or delete it.
  3. Read ACP: Authorized user can read the ACL of that file.
  4. Write ACP: Authorized user can change the ACL of the file.

Bucket ACLs are completely independent of Object ACLs: the ACL set on a Bucket can differ from the ACL set on any Object contained in that Bucket.

Amazon S3 lets you grant permission to four types of grantee, namely:
  1. Owner (account holder)

    The AWS account that owns the Bucket or Object is its owner. By default the owner has full control: he/she can create, access and delete Objects, and can view and modify the ACL of every Bucket and Object he/she owns.

  2. Amazon S3 Users (by AWS account email address or Canonical Id)

    To share a Bucket with one specific AWS account, the owner needs either the email address registered for that account or its Canonical Id. The email address only works if the invitee has registered an AWS account with that address; the Canonical Id always works and is the safer choice, since it identifies exactly one account.

  3. Authenticated Users (sharing globally with all Amazon S3 users)

    Anyone with a valid AWS account is a member of the "Authenticated Users" group. If the owner wants to share a Bucket with all Amazon S3 users, he/she can give this group read permission to see the objects, and write permission to update existing objects and upload new ones. Keep in mind that anyone can open an AWS account, so a grant to Authenticated Users is in practice almost as open as a grant to All Users.

  4. Non-Authenticated Users (All Users)

    To make a Bucket or its objects public to every internet user, the owner grants the appropriate permission to ALL USERS. Any user who knows the Bucket name (and the Object key) can then access the object without any credentials.

NOTE: We strongly recommend that in most cases you avoid granting "read" permission on a Bucket to All Users. The usual exceptions are Buckets used for web hosting, for public distribution, or with the S3 Website feature. Even in those cases, what the public needs is read permission on the Objects themselves; "read" on the Bucket only exposes the file listing.

Did you know?
Permissions set on a Bucket do NOT automatically propagate to the files stored in that Bucket.

"Read" permission at the Bucket level does NOT mean that the authorized user can read all the files in that Bucket. Read permission on a Bucket you do not own authorizes you for the "list Bucket" request on that Bucket, and nothing more. So if you give "read" permission on a Bucket to everyone, everyone can list the file names, their sizes and last modified dates, but cannot download the files unless the Object ACLs allow it. In most cases, giving "read" permission on a Bucket to everyone is not recommended: the listing alone tells an attacker exactly which keys to try.

Bucket Explorer and Access Control List

Bucket Explorer provides different options and settings that make it easy to work with ACLs:
  • Preserves the old ACL when a file is re-uploaded after its contents were updated, so you do not have to redo the settings after every upload.
  • Lets you set a default ACL (Bucket Default) that is applied to every newly uploaded file that does not yet exist on the S3 destination.
  • Supports preset settings for Make Public and Make Private. See Private Access Bucket, Public Access Bucket, Private Access Object and Public Access Object for more details.
  • Lets you share your data with another AWS user by his/her AWS-registered email ID as well as by Canonical Id.
  • Supports single-file as well as batch operations.
  • See the Access Control List (ACL) page for more details.

How to perform operations with Access Control List (ACL) on Bucket as well as on Object

  • Using REST S3 API

    You can perform Bucket and Object ACL operations from your own application code using the Amazon S3 REST API: the ACL of a Bucket or Object is exposed as the ?acl subresource, read with GET and replaced with PUT.

  • Using Bucket Explorer

    You can perform the same Bucket and Object related operations using Bucket Explorer by a single click without writing a single line of code.

You can perform the following operations on a Bucket as well as on an Object:

  • Bucket ACL: Get the ACL of the Bucket with a GET Bucket ACL request and update it with PUT Bucket ACL. See Bucket ACL - GET Bucket ACL and PUT Bucket ACL for details on doing this with the Amazon REST API as well as with Bucket Explorer.
  • Object ACL: Get the ACL of the Object with a GET Object ACL request and update it with PUT Object ACL. See Object ACL - GET Object ACL and PUT Object ACL for details on doing this with the Amazon REST API as well as with Bucket Explorer.
  • Batch ACL Operation: Put ACLs on many Buckets and Objects at once, using multiple parallel threads. See Batch Operation - PUT ACL for details.

What is Log Delivery in Bucket Explorer ACL?

When Bucket logging is enabled, Amazon S3 writes the access logs for a Bucket into a target Bucket that you specify. The target Bucket must grant WRITE and READ ACP permissions to the Log Delivery group, otherwise no log files are delivered. Bucket Explorer sets these two permissions automatically when you enable logging on a Bucket.
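The following is an added example, not Bucket Explorer's code and not part of the original page. It works on the XML document that GET ?acl returns and PUT ?acl expects (the AccessControlPolicy format, with CanonicalUser, AmazonCustomerByEmail and Group grantees), and covers both the GET/PUT ACL operations listed above and the Log Delivery grants just described: it parses an ACL, flags grants to the AllUsers and AuthenticatedUsers groups, rebuilds a private ACL with only the owner's FULL_CONTROL, adds a grant for another account's Canonical Id, and adds the WRITE and READ_ACP grants the LogDelivery group needs. The sample ACL and its 64-hex-character owner ID are constructed for the example; the function names (parse_acl, public_grants, build_acl, make_private, share_with, enable_log_delivery) are this example's own. Sending the result to S3 (signing the request, the HTTP call) is left out so the code runs offline.

```python
# Added example: S3 ACL helpers for the GET ?acl / PUT ?acl XML body. Not Bucket Explorer code.
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Predefined S3 groups, identified by URI inside the Grantee element.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
PERMISSIONS = {"FULL_CONTROL", "READ", "WRITE", "READ_ACP", "WRITE_ACP"}

# Constructed sample (not a real account): what GET /?acl returns for a bucket that was
# made world-listable by mistake. The owner ID is a made-up 64-hex-character value.
OWNER_ID = "0123456789abcdef" * 4
SAMPLE_ACL = f"""<AccessControlPolicy xmlns="{S3_NS}">
  <Owner><ID>{OWNER_ID}</ID><DisplayName>example-owner</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="{XSI_NS}" xsi:type="CanonicalUser"><ID>{OWNER_ID}</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="{XSI_NS}" xsi:type="Group"><URI>{ALL_USERS}</URI></Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

# Which child element carries the grantee identity, per xsi:type.
ID_FIELD = {"CanonicalUser": "ID", "AmazonCustomerByEmail": "EmailAddress", "Group": "URI"}


def _q(tag):
    return "{%s}%s" % (S3_NS, tag)


def parse_acl(xml_text):
    """Return (owner_id, grants); each grant is {"type", "who", "permission"}."""
    root = ET.fromstring(xml_text)
    owner_id = root.find(_q("Owner")).findtext(_q("ID"))
    grants = []
    for grant in root.iter(_q("Grant")):
        grantee = grant.find(_q("Grantee"))
        gtype = grantee.get("{%s}type" % XSI_NS)
        grants.append({"type": gtype,
                       "who": grantee.findtext(_q(ID_FIELD[gtype])),
                       "permission": grant.findtext(_q("Permission"))})
    return owner_id, grants


def public_grants(grants):
    """Grants to AllUsers or AuthenticatedUsers: the ones to review before anything ships."""
    return [g for g in grants if g["type"] == "Group" and g["who"] in PUBLIC_GROUPS]


def build_acl(owner_id, grants):
    """Serialise an AccessControlPolicy usable as the body of PUT /?acl."""
    parts = [f'<AccessControlPolicy xmlns="{S3_NS}"><Owner><ID>{escape(owner_id)}</ID></Owner>',
             "<AccessControlList>"]
    for g in grants:
        if g["permission"] not in PERMISSIONS:
            raise ValueError("unknown permission %r" % g["permission"])
        field = ID_FIELD[g["type"]]
        parts.append(f'<Grant><Grantee xmlns:xsi="{XSI_NS}" xsi:type="{g["type"]}">'
                     f'<{field}>{escape(g["who"])}</{field}></Grantee>'
                     f'<Permission>{g["permission"]}</Permission></Grant>')
    parts.append("</AccessControlList></AccessControlPolicy>")
    return "".join(parts)


def make_private(xml_text):
    """Keep only the owner's FULL_CONTROL grant (what a 'Make Private' preset does)."""
    owner_id, _ = parse_acl(xml_text)
    return build_acl(owner_id, [{"type": "CanonicalUser", "who": owner_id,
                                 "permission": "FULL_CONTROL"}])


def share_with(xml_text, canonical_id, permission="READ"):
    """Add a grant for another account's canonical user ID, keeping the existing grants."""
    if not re.fullmatch(r"[0-9a-f]{64}", canonical_id):
        raise ValueError("canonical user ID must be 64 hex characters")
    owner_id, grants = parse_acl(xml_text)
    grants.append({"type": "CanonicalUser", "who": canonical_id, "permission": permission})
    return build_acl(owner_id, grants)


def enable_log_delivery(xml_text):
    """Add the WRITE and READ_ACP grants the LogDelivery group needs on a log target bucket."""
    owner_id, grants = parse_acl(xml_text)
    have = {(g["who"], g["permission"]) for g in grants}
    for perm in ("WRITE", "READ_ACP"):
        if (LOG_DELIVERY, perm) not in have:
            grants.append({"type": "Group", "who": LOG_DELIVERY, "permission": perm})
    return build_acl(owner_id, grants)


if __name__ == "__main__":
    owner, grants = parse_acl(SAMPLE_ACL)
    for g in public_grants(grants):
        print("PUBLIC grant:", g["permission"], "to", g["who"])
    print(make_private(SAMPLE_ACL))
```

Run against the sample, public_grants reports the READ grant to AllUsers, and make_private produces the body you would PUT to the ?acl subresource to revoke it. Because PUT ?acl replaces the whole ACL rather than merging, share_with and enable_log_delivery always start from the current grants, which is the same reason Bucket Explorer re-applies the old ACL on re-upload rather than relying on S3 to keep it.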

What's New in Bucket Explorer ACL?

Bucket Explorer Upload now preserves the old ACL when an existing file is re-uploaded, which eliminates the need to set the ACL again after every upload. It is also possible to set a Bucket Default ACL for a Bucket; it is applied to every new object you upload to that Bucket.

The Set Bucket Default panel offers the "Set Public", "Set Private", "Add access by Email Id/Canonical Id" and "Remove User" options. "Make Public" gives full control to the owner and lets everyone view the objects; "Make Private" gives full control to the owner only, so no other user can list your files. You can also share the Bucket with a friend's AWS account by granting access by Email Id or Canonical Id.

Add access by Email Id/Canonical Id:

  • Click on the button Add access by Email Id/Canonical Id.
  • A window opens in which you enter the Email Id or Canonical Id of the friend with whom you want to share your Bucket.
  • This window also has a Get Canonical Id link, which opens the "GET AWS Canonical User ID" page; there, after providing an access key and secret key, you get the name and Canonical Id of that S3 account.
  • To remove a user, select that user's row and delete it.
  • Finally, grant the permissions on the Bucket/file(s) by selecting the checkboxes.

Get AWS Canonical User ID

You can grant access to Buckets and objects within your Amazon S3 account to any AWS account identified by its Canonical User Id. The Canonical User Id is the identifier S3 uses for an account and is a 64-character hex string. In Bucket Explorer you can use it instead of the AWS-registered Email Id when sharing your Bucket with another user.

Who is a Grantee?

A grantee can be an AWS account (identified by Canonical Id or registered email address) or one of the predefined Amazon S3 groups (All Users, Authenticated Users, Log Delivery). A grantee represents the Owner/User/Group that is given a permission on a Bucket or Object.

What is Canned ACL?

Amazon S3 supports a set of predefined grants known as canned ACLs, for example private, public-read, public-read-write, authenticated-read and log-delivery-write. Each canned ACL expands to a fixed set of grantees and permissions. A request (sent via the x-amz-acl header) can specify at most one canned ACL, and cannot combine a canned ACL with explicit grants.