AWS S3 ACLs and Bucket Policies are two important security features that help control access to your S3 buckets and objects.
ACLs, or Access Control Lists, allow you to specify permissions for individual users or groups.
You can grant read, write, or delete permissions to users or groups, and even specify permissions for specific objects within a bucket.
Bucket policies, on the other hand, allow you to define a set of permissions for all objects within a bucket.
By combining ACLs and bucket policies, you can create a robust security system that meets your specific needs.
For example, you can use an ACL to grant read access to a specific user, while also using a bucket policy to restrict access to a certain directory within the bucket.
Access Control List
Access Control List (ACL) is a way to control who can access or modify items in S3. In the Cyberduck client, ACLs can be edited via File → Info (macOS ⌘I, Windows Alt+Return) → Permissions.
ACLs are not deprecated, and they offer a flexibility that policies do not: they can be attached to a bucket and to the individual objects in it, giving you per-object control over your S3 resources.
There are two kinds of ACL: canned ACLs and custom ACLs. Canned ACLs are predefined sets of grants that make it easy to apply common access patterns; the common ones are private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control and log-delivery-write.
ACLs can be used to grant public access to specific objects, to revoke access to specific objects, and to grant temporary access to objects.
Granting Access
You can grant access to your S3 bucket and objects using Access Control Lists (ACLs). ACLs allow you to specify granular permissions for different AWS accounts or groups, granting or revoking access at the object level.
To grant public access to a specific object, you can set the ACL of the object to public-read. This makes the object publicly readable even when the bucket policy does not itself grant public access, because grants from ACLs and policies are combined; an explicit Deny in the bucket policy, or S3 Block Public Access, still overrides the ACL.
You can also grant read access to an AWS account by specifying its account ID in the ACL, with the Permission element set to READ. Similarly, you can grant full control to an IAM group by specifying its group name, with the Permission element set to FULL_CONTROL.
S3 ACL grants draw on a small fixed set of permissions (READ, WRITE, READ_ACP, WRITE_ACP and FULL_CONTROL), each assigned to a grantee on a bucket or an object.
To make your objects accessible using a regular web browser for everyone, you must give the group grantee http://acs.amazonaws.com/groups/global/AllUsers read permissions.
Using S3 ACLs
S3 ACLs are the old way of managing access to buckets, but they still offer flexibility and control over your S3 resources.
You can control the access level not only of a bucket but also of an individual object using S3 ACLs, whereas IAM and bucket policies are attached to identities or to the bucket, not to the objects in it.
There are several canned ACLs available: private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control, and log-delivery-write.
As with any ACL, objects only become readable by everyone through a regular web browser if the All Users group grantee (http://acs.amazonaws.com/groups/global/AllUsers) holds READ on them.
Disabling ACLs on a bucket (the bucket-owner-enforced Object Ownership setting) makes it accept only PUT requests that specify no ACL or that specify a bucket owner full control ACL, such as the bucket-owner-full-control canned ACL.
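The canned ACLs above, as an added example that is not from the original article: the code expands each canned ACL into the explicit grants it stands for and flags any grant to the AllUsers or AuthenticatedUsers groups, which is the check a reviewer runs over an ACL listing. It assumes the Grants/Grantee dict shape of the S3 GetBucketAcl/GetObjectAcl responses and uses constructed owner IDs; no AWS call is made.

```python
# Added example, not from the original article. Dict shapes mirror the
# Grants/Grantee structure returned by S3 GetBucketAcl/GetObjectAcl (as boto3
# presents them); owner IDs below are constructed placeholders.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}


def _user(canonical_id, perm):
    return {"Grantee": {"Type": "CanonicalUser", "ID": canonical_id}, "Permission": perm}


def _group(uri, perm):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm}


def canned_acl_grants(name, owner_id, bucket_owner_id=None):
    """Explicit grants a canned ACL expands to. The resource owner always keeps
    FULL_CONTROL; bucket-owner-* ACLs add the (possibly different) bucket owner."""
    bucket_owner = bucket_owner_id or owner_id
    extra = {
        "private": [],
        "public-read": [_group(ALL_USERS, "READ")],
        "public-read-write": [_group(ALL_USERS, "READ"), _group(ALL_USERS, "WRITE")],
        "authenticated-read": [_group(AUTH_USERS, "READ")],
        "bucket-owner-read": [_user(bucket_owner, "READ")],
        "bucket-owner-full-control": [_user(bucket_owner, "FULL_CONTROL")],
        "log-delivery-write": [_group(LOG_DELIVERY, "WRITE"), _group(LOG_DELIVERY, "READ_ACP")],
    }
    if name not in extra:
        raise ValueError(f"unknown canned ACL: {name}")
    return [_user(owner_id, "FULL_CONTROL")] + extra[name]


def public_grants(acl):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers.
    An empty list means the ACL exposes nothing beyond named canonical users."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


if __name__ == "__main__":
    # Constructed sample: an object uploaded with the public-read-write canned ACL.
    acl = {"Owner": {"ID": "OWNERID"}, "Grants": canned_acl_grants("public-read-write", "OWNERID")}
    print(public_grants(acl))  # [('AllUsers', 'READ'), ('AllUsers', 'WRITE')]
```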
S3 Policies
S3 Policies allow you to specify which actions are allowed or denied on an S3 bucket for some users, with the user being called the principal.
A key component of an S3 Policy is the Principal statement, which specifies the AWS account or IAM user/group to which the statement applies.
You can use Bucket Policies to grant access to other AWS accounts, allowing them to perform actions on your bucket or its objects.
Bucket Policies are commonly used for cross-account access, IP-based restrictions, and access control for AWS services like CloudFront.
Here are the key components of a Bucket Policy statement:
- Principal: Specifies the AWS account or IAM user/group to which the statement applies.
- Effect: Determines whether the statement allows or denies access.
- Action: Defines the specific S3 actions that are allowed or denied.
- Resource: Specifies the Amazon Resource Name (ARN) of the targeted S3 bucket or object.
- Condition: Optional element that lets you further refine access based on factors such as IP ranges or request headers.
S3 Policies can be attached only to S3 buckets, but their Principal can name any other AWS account, user, role or service.
Here is a sample S3 bucket policy that grants root user of AWS account with ID 112233445566 and the user named Tom full access to the S3 bucket:
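The policy document itself is not reproduced on the page; the following is an added example, not the article's own policy, that builds the described policy (full access for the root of account 112233445566 and for the IAM user Tom) as a Python dict, optionally adds the IP-range Deny discussed later, and includes the check a reviewer would run for an unconditional public Allow. The bucket name and CIDR are constructed placeholders.

```python
import ipaddress
import json

# Added example, not from the original article. "example-bucket" and the
# 203.0.113.0/24 range are constructed placeholders.


def build_bucket_policy(bucket, account_id, user_name, allowed_cidrs=()):
    """Return the policy as a dict; json.dumps(...) gives the document to attach."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    statements = [{
        "Sid": "AllowRootAndNamedUser",
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{account_id}:root",
                              f"arn:aws:iam::{account_id}:user/{user_name}"]},
        "Action": "s3:*",
        "Resource": resources,
    }]
    if allowed_cidrs:
        for cidr in allowed_cidrs:  # fail early on a malformed range
            ipaddress.ip_network(cidr)
        # With Principal "*" this Deny also applies to the account root and to
        # AWS services; an explicit Deny always wins over any Allow.
        statements.append({
            "Sid": "DenyFromOutsideAllowedRanges",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": resources,
            "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def unconditional_public_allows(policy):
    """Sids of Allow statements whose Principal is "*" and that carry no
    Condition: these make the bucket public regardless of its ACLs."""
    hits = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        is_any = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and is_any and "Condition" not in st:
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    policy = build_bucket_policy("example-bucket", "112233445566", "Tom", ["203.0.113.0/24"])
    print(json.dumps(policy, indent=2))
    print(unconditional_public_allows(policy))  # []
```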
Note the "Principal" element in the S3 bucket policy, which lists the principals that have access to this bucket.
AWS provides a Policy Generator that you can use to experiment with creating S3 bucket policies for different scenarios.
S3 Policies are best suited for scenarios that require fine-grained access control at the bucket level.
Here are some common use cases for Bucket Policies:
- Cross-account access: With Bucket Policies, you can grant or deny access to specific AWS accounts, allowing other accounts to perform actions on your bucket or its objects.
- IP-based restrictions: You can use Bucket Policies to restrict access to your bucket from specific IP addresses or ranges.
- Access control for AWS services: Bucket Policies can be leveraged to allow AWS services, such as CloudFront, to directly access your S3 bucket.
To summarize the differences: IAM policies are attached to IAM identities (users, groups and roles), S3 bucket policies are attached to a bucket and can cover its objects through the Resource element, and S3 ACLs are attached to buckets and to individual objects.
Frequently Asked Questions
Is ACL deprecated?
Yes, Access Control Lists (ACLs) are deprecated as of August 2024 in v4.1.0. Consider using fine-grained query privileges for more control over query access.