Amazon S3 Access Control List (ACL) lets you define permissions on S3 Buckets and S3 Objects independent of each other. This means that if you give a READ permission to the Bucket, the Object(s) contained in the Bucket will not be publicly readable.
There are four types of permissions namely:
READ, WRITE, READ_ACP, WRITE_ACP and FULL_CONTROL. These apply different permissions when set in context of Objects v/s Buckets.
- Allows grantee to read the Object data and its metadata
- Not applicable for Objects, only available for Buckets
- Allows grantee to read the Object ACL
- Allows grantee to write the ACL for the Object
- Allows grantee the READ, READ_ACP and WRITE_ACP permissions on the Object
To get or set permissions on Amazon S3 Objects, you can send HTTP GET or PUT Request to AWS Server. You can send HTTP GET or PUT Requests by using Amazon S3 API (GET Object ACL or PUT Object ACL) in your application code. If you are not a software developer and do not want to write your own code, you can simply use Bucket Explorer UI to access or set Object ACL with point and click.
How to set public readable ACL on an Object?
You may need to make your S3 file publicly readable very often, example, when you want to host your website or you want to share your file with non S3 users without creating a signed URL. In such cases, you will need to set public ACL permission on the file.
Set Object ACL using Amazon S3 API PUT Object ACL
You can set the Access Control List (ACL) permissions for an S3 Object that already exists in the Bucket, by sending HTTP PUT Request with ACL Subresource. You will need to pass Bucket Name, Object Name, ACL Policy, and Owner ID as request parameters. To authenticate the request, you must have WRITE_ACP permission to be able to set ACL of an S3 Object.
<Grantee xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:type=”CanonicalUser”>
Access Object ACL using Amazon S3 API GET Object ACL
You can get the Access Control List (ACL) of an Object using GET Object ACL Request. To authenticate the request, you must have READ_ACP access to the object. For that, you only need to use Common Request headers.
Set Object ACL using Bucket Explorer
While the "PUT Object" API of AWS allows you to set ACL on the object(s) or file(s) by writing code, Bucket Explorer lets you do that easily without writing any code at all. You can do it using Bucket Explorer's user interface.
Bucket Explorer allows you to set ACL on an Object by selecting Read permission or by clicking on the Make Public button.
To set Object ACL, follow the steps below:
Run Bucket Explorer.
Select any Bucket from Bucket listing.
It will list the Object(s) in Object table.
Select the object which you want to set ACL.
Click on ACL button that exists in Object toolbar.
Right click on the selected object and choose “Update File’s Access Control List” option.
You will get a form that shows the current ACLs of the file.
These ACLs show in table which contains a minimum of 3 rows for the Owner, Authenticated Users, and All Users.
You can make S3 file publicly readable by clicking on
button. This will automatically check the All User Read Permission.
You can also make S3 files private (private ACL settings is set by default) by clicking on
You can manually check the Read Permission checkbox of All User row.
Click on “Update ACL” button.
Finally, you will get a message for successfully updating your file (S3 Object) and is now publicly readable.
You don’t need to pay any cost for updating ACL if permission is found Identical.