
Amazon S3 - How to use ACLs and Bucket Policies Together?

An ACL (access control list) is a mechanism that decides who can access what. With an ACL, you control how your Buckets and Objects are accessed by other AWS account holders and by anonymous users.

A Bucket Policy, on the other hand, gives the customer the ability to write conditional rules (which principal, which action, which resource, under what conditions) for managing access to their Buckets and Objects.

With an ACL, you can grant access to another account or to one of the predefined Amazon S3 groups; an ACL can only grant, never deny. With Bucket policies, you can author rules that explicitly allow or explicitly deny access.

Using ACLs and Bucket Policies Together

When a Bucket has both ACLs and a Bucket policy, Amazon S3 evaluates the ACLs (bucket ACL and object ACL) together with the Bucket policy to determine the requesting account's permissions on the resource. If any ACL grant or any policy statement permits the request, and no policy statement explicitly denies it, the request is allowed.

An Amazon S3 ACL grant always allows access to the Bucket or Object it covers; once a Bucket policy is in place, an explicit deny in the policy always overrides a grant, whether that grant came from an ACL or from another policy statement.

Note: Bucket policies follow their own evaluation rules (an explicit deny wins over any allow), and every ACL grant can be expressed as an equivalent Allow statement, so you can migrate existing Amazon S3 ACLs to Bucket policies.

Steps to migrate ACLs to Bucket policies:

  1. Create the policy that will carry the grants: a Bucket policy attached to the Bucket, or an IAM policy attached to a user or group in your own account.
  2. For each Amazon S3 resource that a user or group has been granted access to through an ACL, add an equivalent Allow statement to the policy (the permission-to-action mapping below tells you which actions to list), and remove the ACL grant once the policy is in place.

Relationship Between Actions and Permissions

As mentioned above, ACLs can only grant permissions, while Bucket policies can allow or deny specific actions. To know more about ACLs, go to Access Control List (ACL); to know more about Bucket policies, go to Bucket Policy .

The relationship between ACL permissions and policy actions is as follows.

Object ACL Permissions

  • READ — You can perform s3:GetObject, s3:GetObjectVersion and s3:GetObjectTorrent actions on an Object when you grant READ permission in an object ACL.
  • READ_ACP — You can perform s3:GetObjectAcl and s3:GetObjectVersionAcl actions on an Object when you grant READ_ACP permission in an object ACL.
  • WRITE_ACP — You can perform s3:PutObjectAcl and s3:PutObjectVersionAcl actions on an Object when you grant WRITE_ACP permission in an object ACL.
  • FULL_CONTROL — Granting FULL_CONTROL permission in an object ACL is the same as granting READ, READ_ACP, and WRITE_ACP permissions.


Bucket ACL Permissions

  • READ — You can perform s3:ListBucket, s3:ListBucketVersions, and s3:ListBucketMultipartUploads actions on a Bucket when you grant READ permission in a bucket ACL.
  • WRITE — You can perform s3:PutObject and s3:DeleteObject actions on any object in a Bucket when you grant WRITE permission in a bucket ACL. In addition, when the grantee is the bucket owner, WRITE in a bucket ACL also allows the s3:DeleteObjectVersion action on any object version in that Bucket.
  • READ_ACP — You can perform s3:GetBucketAcl action on a bucket when you grant READ_ACP permission in a bucket ACL.
  • WRITE_ACP — You can perform s3:PutBucketAcl action on a bucket when you grant WRITE_ACP permission in a bucket ACL.
  • FULL_CONTROL — Granting FULL_CONTROL permission in a bucket ACL is the same as granting READ, WRITE, READ_ACP, and WRITE_ACP permissions.
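The combined evaluation described under "Using ACLs and Bucket Policies Together", the migration steps, and the two permission-to-action tables above can be exercised offline with the following Python model. This is an added example written for this page, not Bucket Explorer's or AWS's code: it implements the deny-overrides-grant rule and the ACL-to-policy translation against constructed account IDs, a hypothetical bucket named demo-bucket, and a made-up policy. Policy Conditions and IAM user or group policies are deliberately left out of the model.

```python
"""Offline model of how Amazon S3 combines ACL grants with bucket-policy statements,
using the permission-to-action mapping from this page. Added example, not Bucket
Explorer's or AWS's code; account IDs, bucket name and policy are constructed.
Policy Conditions and IAM user policies are deliberately not modelled."""
import fnmatch

# Permission -> actions, exactly as listed on this page.
BUCKET_ACL_ACTIONS = {
    "READ": {"s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads"},
    "WRITE": {"s3:PutObject", "s3:DeleteObject"},
    "READ_ACP": {"s3:GetBucketAcl"},
    "WRITE_ACP": {"s3:PutBucketAcl"},
}
BUCKET_ACL_ACTIONS["FULL_CONTROL"] = set().union(*BUCKET_ACL_ACTIONS.values())
OBJECT_ACL_ACTIONS = {
    "READ": {"s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTorrent"},
    "READ_ACP": {"s3:GetObjectAcl", "s3:GetObjectVersionAcl"},
    "WRITE_ACP": {"s3:PutObjectAcl", "s3:PutObjectVersionAcl"},
}
OBJECT_ACL_ACTIONS["FULL_CONTROL"] = set().union(*OBJECT_ACL_ACTIONS.values())
# Bucket-ACL actions that act on objects, so a policy needs the "bucket/*" resource for them.
OBJECT_LEVEL = {"s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"}

def acl_allows(grants, table, principal, action, bucket_owner=None):
    """grants: list of (grantee, permission); grantee is an account ID or "AllUsers".
    Bucket WRITE (and so FULL_CONTROL) also covers s3:DeleteObjectVersion for the owner."""
    for grantee, perm in grants:
        actions = set(table[perm])
        if table is BUCKET_ACL_ACTIONS and "s3:PutObject" in actions and grantee == bucket_owner:
            actions.add("s3:DeleteObjectVersion")
        if grantee in ("AllUsers", principal) and action in actions:
            return True
    return False

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_decision(policy, principal, action, resource):
    """Return "Deny", "Allow" or None (no statement matched). An explicit Deny wins."""
    decision = None
    for stmt in policy["Statement"]:
        p = stmt["Principal"]
        aws = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if "*" not in aws and principal not in aws:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def is_allowed(policy, bucket_acl, object_acl, bucket_owner, principal, action, bucket, key=None):
    """Combined check as the page describes: a policy Deny overrides any ACL grant;
    otherwise the request is allowed if either the policy or an ACL grants it."""
    resource = f"arn:aws:s3:::{bucket}" + (f"/{key}" if key else "")
    verdict = policy_decision(policy, principal, action, resource)
    if verdict is not None:
        return verdict == "Allow"
    if acl_allows(bucket_acl, BUCKET_ACL_ACTIONS, principal, action, bucket_owner):
        return True
    return bool(key) and acl_allows(object_acl, OBJECT_ACL_ACTIONS, principal, action)

def acl_to_policy_statements(bucket, bucket_acl):
    """Migration step from the page: one Allow statement per bucket-ACL grant, with
    object-level actions on bucket/* and bucket-level actions on the bucket ARN.
    The owner-only s3:DeleteObjectVersion side effect of WRITE is not carried over."""
    statements = []
    for grantee, perm in bucket_acl:
        principal = "*" if grantee == "AllUsers" else {"AWS": grantee}
        for actions, resource in ((BUCKET_ACL_ACTIONS[perm] - OBJECT_LEVEL, f"arn:aws:s3:::{bucket}"),
                                  (BUCKET_ACL_ACTIONS[perm] & OBJECT_LEVEL, f"arn:aws:s3:::{bucket}/*")):
            if actions:
                statements.append({"Effect": "Allow", "Principal": principal,
                                   "Action": sorted(actions), "Resource": resource})
    return statements

# Constructed sample data: owner account, a partner with bucket WRITE, a public-read object.
OWNER, PARTNER, STRANGER = "111122223333", "444455556666", "999999999999"
BUCKET_ACL = [(OWNER, "FULL_CONTROL"), (PARTNER, "WRITE")]
OBJECT_ACL = [(OWNER, "FULL_CONTROL"), ("AllUsers", "READ")]
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": STRANGER}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::demo-bucket/public/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::demo-bucket/*"},
]}

def check(principal, action, key=None):
    return is_allowed(POLICY, BUCKET_ACL, OBJECT_ACL, OWNER, principal, action, "demo-bucket", key)

if __name__ == "__main__":
    for who, act, key in [(PARTNER, "s3:PutObject", "report.csv"), (PARTNER, "s3:DeleteObject", "report.csv"),
                          (STRANGER, "s3:GetObject", "private/b.txt"), (OWNER, "s3:DeleteObjectVersion", "report.csv")]:
        print(who, act, key, "->", "allowed" if check(who, act, key) else "denied")
```

Two results of the sample run are worth noting. The partner's bucket-ACL WRITE grant lets it upload report.csv, but the policy's explicit Deny on s3:DeleteObject blocks the delete even though the same ACL grant covers it, which is the deny-overrides-grant rule in action. The stranger can read private/b.txt although the policy only allows public/*, because the object ACL grants READ to AllUsers and nothing denies it; this is why ACL grants to AllUsers deserve an audit before you rely on a Bucket policy alone.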