1. What is an ACL? How does it work?
Amazon S3 lets users store their objects in buckets. Every bucket and every object has an access control list (ACL) attached to it. The ACL is the mechanism that decides who may access a bucket or object and what they may do with it. When a user requests an object, Amazon S3 first authenticates the request, then checks every ACL grant that applies to it, and returns either access granted or access denied according to the permissions that have been set. (ACLs are not the only control S3 evaluates: bucket policies and IAM policies are checked alongside them, so a request can be denied by a policy even when an ACL grant would permit it.)
Bucket ACLs are completely independent of object ACLs: the ACL set on a bucket can differ from the ACL set on any object contained in that bucket, and a grant on the bucket does not by itself grant anything on the objects.
Tip:
Bucket Explorer can apply a bucket's ACL to all of its objects. When you set a bucket ACL it prompts:
"Do you want to update same ACL for all objects in bucket: bucket_name"
When you click "OK", the ACL you set is applied automatically to every object in that bucket.
An ACL contains a list of grants, and each grant pairs a grantee with a permission. READ, WRITE, READ_ACP and WRITE_ACP are the four permissions that decide what can be done with a bucket and its objects; FULL_CONTROL is shorthand for all four. For example, the owner is a grantee that holds FULL_CONTROL by default.
Permissions an Amazon S3 ACL can grant:
With reference to a bucket:
Read: Grant READ if you want users to be able to list the objects in the bucket. This is a listing permission only; downloading a file requires READ on that object's own ACL.
Write: Grant WRITE if you want users to be able to upload objects into your bucket. Note that WRITE on a bucket also allows overwriting and deleting the objects in it, so treat it as "upload and delete", not just "upload".
Read ACP: Grant READ_ACP if you want users to be able to view the bucket's ACL. They can only see the ACL, not change it.
Write ACP: Grant WRITE_ACP if you want users to be able to modify the bucket's ACL. Anyone who can rewrite the ACL can grant themselves every other permission, so WRITE_ACP is effectively full control and should be handed out as carefully as FULL_CONTROL itself.
Full permission: As the title makes clear, FULL_CONTROL grants the user all four rights on the bucket. The user now enjoys the same privileges as the owner.
With reference to an object:
Read: Grant READ if you want users to be able to download the object, that is, read its data and metadata.
Write: Bucket Explorer offers this option on objects, but Amazon S3 does not evaluate WRITE at object level. Uploading a new copy over an existing object or deleting it is governed by WRITE on the bucket that holds the object, so set WRITE on the bucket when that is what you intend.
Read ACP: Grant READ_ACP if you want users to be able to view the object's ACL.
Write ACP: Grant WRITE_ACP if you want users to be able to change the object's ACL. As with buckets, a grantee who can rewrite the ACL can grant themselves everything else.
Full permission: As the title makes clear, FULL_CONTROL grants the user all rights on the object: reading it, viewing its ACL and rewriting its ACL (deleting it still depends on WRITE on the bucket). It is like giving away power of attorney over your assets, so be wary.
2. Who can access, and how?
Amazon S3 recognises four kinds of grantee:
1. Owner (account holder): The AWS account that created the bucket or object is its owner. By default the owner has full permission: the owner can create, access and delete objects, and can view and modify the ACL of every bucket and object.
2. Individual Amazon S3 users (added by AWS account email address):
If the owner wants to share a bucket with one other S3 user (a canonical user), the owner needs the email address the invitee registered with AWS. S3 resolves that address to the account's canonical user ID and stores the grant against the ID, so the email address only works if it is registered to an AWS account.
3. Authenticated Users (sharing with all Amazon S3 users):
If the owner wants to share a bucket with every Amazon S3 user, the permission is granted to the predefined Authenticated Users group, which covers every AWS account that holds an access key and secret key, not only the accounts the owner knows. Any such user can then reach the bucket by adding its name in the client. In Bucket Explorer these buckets are known as third-party buckets or friends' buckets. Because membership of this group is the whole of AWS, treat a grant to it as only one step short of public.
Note:
In Bucket Explorer, a user can open a third-party bucket with the following steps:
Tool ---> Bucket Sharing ---> Access Bucket from friend's account
Tip:
This type of sharing is useful when you are inviting more than 100 Amazon S3 users, because an ACL can contain at most 100 grants. Remember, though, that it opens the bucket to every AWS account, not only the ones you invited.
4. Non-Amazon users (outsiders and general internet surfers):
If the owner wants to make a bucket or object public to all internet users, the permission is granted to the predefined All Users group. Anyone who knows the bucket name (and object key) can then access it without any AWS credentials. This is known as public sharing. Grant only READ this way; an All Users grant of WRITE or WRITE_ACP lets anyone on the internet upload into, delete from, or take over the bucket.
3. What is Log Delivery in the Bucket Explorer ACL?
Amazon S3 provides server access logging for every bucket: when it is enabled, S3 records every request made to that bucket and writes the log records into a target bucket that you specify. The target bucket must allow the S3 logging service to deliver those records, which it does through a predefined grantee called the Log Delivery group. When logging is enabled, Amazon S3 automatically adds WRITE and READ_ACP grants for the Log Delivery group to the target bucket's ACL, which is why that grantee appears in Bucket Explorer's ACL view for a log bucket.
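The following is an added example, not Bucket Explorer's or Amazon's code, that ties the three sections together: it parses an S3 ACL in the XML form that GET ?acl returns, maps the four permissions onto common bucket and object operations, evaluates requests from the four kinds of grantee (owner, a named canonical user, the Authenticated Users group and anonymous All Users requests), checks whether a bucket carries the Log Delivery grants from section 3, and shows why a WRITE_ACP grant is as dangerous as FULL_CONTROL. The sample ACL, the canonical IDs in it and the principal names are constructed placeholders; the group URIs and permission names are the real S3 values. The evaluator is a deliberately simplified model: it ignores bucket policies, IAM policies and Block Public Access, all of which S3 also consults.

```python
"""Toy model of how S3 evaluates an ACL (added example, not Bucket Explorer code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
NS = {"s3": S3_NS}
# Predefined grantee groups an S3 ACL can reference by URI.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"                      # anyone, unsigned
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"                    # S3 logging service
PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}
MAX_GRANTS = 100  # S3 caps an ACL at 100 grants

# Permission each operation needs. Bucket READ only lists keys (a download needs
# READ on the object); deleting or overwriting an object is WRITE on the bucket.
BUCKET_OPS = {"ListObjects": "READ", "PutObject": "WRITE", "DeleteObject": "WRITE",
              "GetBucketAcl": "READ_ACP", "PutBucketAcl": "WRITE_ACP"}
OBJECT_OPS = {"GetObject": "READ", "GetObjectAcl": "READ_ACP", "PutObjectAcl": "WRITE_ACP"}


@dataclass(frozen=True)
class Grant:
    grantee: str      # canonical user ID, or one of the group URIs above
    permission: str


class Acl:
    def __init__(self, owner, grants):
        if len(grants) > MAX_GRANTS:
            raise ValueError("an S3 ACL holds at most %d grants" % MAX_GRANTS)
        unknown = {g.permission for g in grants} - PERMISSIONS
        if unknown:
            raise ValueError("unknown permission(s): %s" % sorted(unknown))
        self.owner, self.grants = owner, list(grants)

    @classmethod
    def from_xml(cls, text):
        """Parse the AccessControlPolicy document that GET ?acl returns."""
        root = ET.fromstring(text)
        grants = []
        for g in root.findall("s3:AccessControlList/s3:Grant", NS):
            who = g.find("s3:Grantee", NS)
            ident = who.findtext("s3:ID", namespaces=NS) or who.findtext("s3:URI", namespaces=NS)
            if not ident:
                raise ValueError("grant without a grantee ID or group URI")
            grants.append(Grant(ident, g.findtext("s3:Permission", namespaces=NS)))
        return cls(root.findtext("s3:Owner/s3:ID", namespaces=NS), grants)

    def allows(self, principal, permission):
        """principal: canonical user ID, LOG_DELIVERY for the logging service, or None if unsigned."""
        for g in self.grants:
            if g.permission in (permission, "FULL_CONTROL") and (
                    g.grantee == ALL_USERS
                    or (g.grantee == AUTHENTICATED_USERS and principal is not None)
                    or g.grantee == principal):
                return True
        return False

    def grants_for(self, grantee):
        return sorted({g.permission for g in self.grants if g.grantee == grantee})


def check(acl, principal, op):
    """Allow/deny one request after S3 has authenticated the principal."""
    table = BUCKET_OPS if op in BUCKET_OPS else OBJECT_OPS
    return acl.allows(principal, table[op])


def log_delivery_ready(acl):
    """A log target bucket must grant the Log Delivery group WRITE and READ_ACP."""
    return {"WRITE", "READ_ACP"} <= set(acl.grants_for(LOG_DELIVERY))


def escalate(acl, attacker):
    """WRITE_ACP is as good as full control: its holder can PutBucketAcl/PutObjectAcl
    a new ACL that grants itself FULL_CONTROL."""
    if not acl.allows(attacker, "WRITE_ACP"):
        return acl
    return Acl(acl.owner, acl.grants + [Grant(attacker, "FULL_CONTROL")])


# Constructed sample (placeholder IDs, not real accounts): owner has full control,
# a partner account may list the bucket, every AWS account may upload, and the Log
# Delivery group may write logs. Nothing is granted to AllUsers.
OWNER, PARTNER = "owner-canonical-id-0001", "partner-canonical-id-0002"
SAMPLE_ACL_XML = f"""<AccessControlPolicy xmlns="{S3_NS}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Owner><ID>{OWNER}</ID></Owner>
  <AccessControlList>
    <Grant><Grantee xsi:type="CanonicalUser"><ID>{OWNER}</ID></Grantee><Permission>FULL_CONTROL</Permission></Grant>
    <Grant><Grantee xsi:type="CanonicalUser"><ID>{PARTNER}</ID></Grantee><Permission>READ</Permission></Grant>
    <Grant><Grantee xsi:type="Group"><URI>{AUTHENTICATED_USERS}</URI></Grantee><Permission>WRITE</Permission></Grant>
    <Grant><Grantee xsi:type="Group"><URI>{LOG_DELIVERY}</URI></Grantee><Permission>WRITE</Permission></Grant>
    <Grant><Grantee xsi:type="Group"><URI>{LOG_DELIVERY}</URI></Grantee><Permission>READ_ACP</Permission></Grant>
  </AccessControlList>
</AccessControlPolicy>"""


def load_sample():
    return Acl.from_xml(SAMPLE_ACL_XML)


if __name__ == "__main__":
    acl = load_sample()
    print("partner lists bucket:", check(acl, PARTNER, "ListObjects"))                 # True
    print("anonymous lists bucket:", check(acl, None, "ListObjects"))                  # False
    print("anonymous uploads:", check(acl, None, "PutObject"))                         # False
    print("any AWS account deletes:", check(acl, "unrelated-aws-account", "DeleteObject"))  # True
    print("log delivery ready:", log_delivery_ready(acl))                              # True
```

Two results are worth dwelling on. The partner account was only granted READ, yet it can delete objects, because the Authenticated Users WRITE grant covers every AWS account and bucket WRITE includes deletion; this is exactly the exposure the "friends bucket" style of sharing creates. And a principal given nothing but WRITE_ACP turns that into FULL_CONTROL with one ACL update, which is why the page's advice to treat WRITE_ACP like FULL_CONTROL holds.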