
Amazon S3 - Get and Set Bucket Permissions with ACL (GET Bucket ACL, PUT Bucket ACL)

Amazon S3 Access Control Lists (ACLs) let you define permissions on S3 Buckets and S3 Objects independently of each other. This means that if you give READ permission on the Bucket, the Object(s) contained in the Bucket will not be publicly readable. Hence, ACLs set on a Bucket can be different from ACLs set on any object contained in the Bucket. There are four types of permissions namely: READ, WRITE, READ_ACP, WRITE_ACP and FULL_CONTROL. These apply different permissions when set in the context of Objects versus Buckets.

To set permissions on a Bucket, you can send an HTTP PUT Request with acl subresource to AWS Server. You have two options to send PUT Request to set permissions on S3 Bucket:

1) Set Permissions on an Amazon S3 Bucket using S3 API PUT Bucket ACL - You can write your own software program to use Amazon S3 REST API PUT Bucket ACL to set permissions on a Bucket. Please read more on AWS Documentation site for SOAP API.

2) Set Permissions on an Amazon S3 Bucket using Bucket Explorer - If you are not a programmer and do not want to write code, you can use Bucket Explorer's easy-to-use interface to set the Bucket ACL with point and click.

Set Bucket ACL using Amazon S3 REST API PUT Bucket ACL

You can set permissions on an existing Bucket using Access Control Lists (ACL) by sending a PUT Request with ACL Subresource. To authenticate the request, you must have WRITE_ACP permission. You don't need to have any request parameter. You can either "Specify the ACL in the request body" or "Specify permissions using request headers". You cannot use both the body and the request header to specify access permission on the Bucket.

Syntax for sending ACL in Request Body:

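PUT /?acl HTTP/1.1
Host: BucketName
Date: date
Authorization: signatureValue

<AccessControlPolicy>
  <Owner>
    <ID> ID </ID>
    <DisplayName> EmailAddress </DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID> ID </ID>
        <DisplayName> EmailAddress </DisplayName>
      </Grantee>
      <Permission> Permission </Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>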

GET Bucket ACL using Amazon S3 API GET Bucket ACL

You can get the Access Control List (ACL) of a Bucket by sending an HTTP GET Request to AWS server along with acl subresource. To authenticate the request, you must have READ_ACP access to the Bucket. For that you don't need to use request Parameters. You only need to use common Request headers.


GET /?acl HTTP/1.1
Host: BucketName
Date: date
Authorization: signatureValue

Set Bucket ACL using Bucket Explorer

While the "PUT Bucket ACL" API of AWS allows you to set permissions on an existing bucket using Access Control Lists (ACL) by using code, Bucket Explorer lets you do that without having to write any code.

Before you set Access Control for an Amazon S3 Bucket using Bucket Explorer, we strongly recommend that you read this page and understand the implications. In most cases, you will never need to set Bucket ACL as "read all". That statement is true even when you are using a Bucket for web hosting.

  1. Permissions set for a Bucket do NOT automatically propagate to files stored in that Bucket.
  2. "Read" permission at Bucket level does NOT mean that the authorized user can read all the files in that Bucket. Read permission at Bucket level means that "list Bucket" command is authorized on a Bucket which essentially means that if you give "read" permission on a Bucket to everyone, then everyone can list the file names, their size, and last modified date from that Bucket.
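The check below is an added example, not code from Bucket Explorer or AWS: it parses the XML body returned by GET Bucket ACL and reports every grant to the All Users or Authenticated Users groups together with what that permission means at Bucket level. The sample response and its IDs are constructed placeholders, and `audit_bucket_acl` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
GROUPS = "http://acs.amazonaws.com/groups/"
# Predefined groups that reach beyond named accounts.
BROAD_GROUPS = {
    GROUPS + "global/AllUsers": "All Users",
    GROUPS + "global/AuthenticatedUsers": "Authenticated Users",
}
# Meaning of each permission when granted on a Bucket (not on an Object).
BUCKET_MEANING = {
    "READ": "list object names, sizes and last-modified dates",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "all of READ, WRITE, READ_ACP and WRITE_ACP",
}

# Constructed sample of a GET Bucket ACL response body (IDs are placeholders).
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>OWNER-CANONICAL-ID</ID><DisplayName>owner</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>OWNER-CANONICAL-ID</ID><DisplayName>owner</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

def audit_bucket_acl(xml_text):
    """Return (group, permission, bucket-level meaning) for every broad grant."""
    findings = []
    root = ET.fromstring(xml_text)
    for grant in root.iter(S3_NS + "Grant"):
        grantee = grant.find(S3_NS + "Grantee")
        if grantee is None or grantee.get(XSI_TYPE) != "Group":
            continue  # CanonicalUser and e-mail grantees are named accounts
        group = BROAD_GROUPS.get((grantee.findtext(S3_NS + "URI") or "").strip())
        perm = (grant.findtext(S3_NS + "Permission") or "").strip()
        if group:
            findings.append((group, perm, BUCKET_MEANING.get(perm, "unknown")))
    return findings
```

A Bucket ACL that returns an empty list here can still contain publicly readable Objects, because Object ACLs are set separately.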

Update Amazon S3 ACL Access Control for Bucket

  1. Select a particular Bucket.
  2. Right click on the selected Bucket and choose the Update Bucket's Access Control List / Update File's Access Control List option.
  3. You will get a form showing the current ACLs of that Bucket.
  4. These ACLs are shown in a table that contains at least 4 rows for a Bucket (owner, Authenticated Users, All Users, and Log Delivery). There can be more rows than that.
  5. You can make S3 files publicly readable by clicking on Make Public button.
    You can also make S3 files private (private ACL setting is set by default) by clicking on Make Private button.
    You can change ACLs according to your requirement by simply checking or un-checking the checkbox.
  6. Add access by Email Id/Canonical Id: Click on the button Add access by Email Id/Canonical Id. You will get a window. Here, you can browse for your friend's Email Id/Canonical Id from the saved address book, or you can enter the Email Id or Canonical Id of the friend with whom you want to share your Bucket. The entered/chosen Email Id/Canonical Id will be added to the Bucket Explorer address book if it does not exist.
  7. Get Canonical Id: This window also has a link for getting the Canonical Id. By clicking on that link, you will be redirected to the "Get AWS Canonical User Id" page. From here, you will get the name and Canonical Id of that S3 account by providing the AWS Access Key and Secret Key.
    Now you can give permissions on the Bucket/File(s) by selecting the checkboxes.
  8. When there are no changes done in the ACL and you click on Save, permissions will remain identical and it won’t make any changes but will show the message:
    1. Message for identical/changed ACLs case of Bucket: "Permission has been saved for Bucket."
    2. Message for identical ACLs case of File: "Permission is identical for: <file name>".
    3. Message for changed ACLs case of Files: "Permission is updated for: <file name>".

    You don't need to pay any cost for updating ACL if the permissions are identical.

    Note: Bucket Explorer also allows you to update ACL (Access Control Listing) in bulk/batch of files. You can update ACL of all objects in selected Bucket or update ACL for all selected objects at once.

    See step by step tutorial: How to update Amazon S3 ACL in batch/bulk?

    See Video demo: How to update ACL on batch/bulk of files on Amazon S3.