Amazon S3

access control lists (acl)

By Abhinay Durishetty
6 mins read
Amazon S3 uses a combination of Access Control Lists (ACLs) and bucket policies to grant permissions to your Amazon S3 resources. ACLs are one of the mechanisms S3 provides to control access to your buckets and objects.

Types of S3 ACLs

Bucket ACL: Controls which AWS accounts or groups are granted access and the type of access.
Object ACL: Controls which AWS accounts or groups can access an object, and the type of access.

Grantee Types
  • AWS Account: Can specify the canonical user ID of an AWS account.
  • Email address: Can specify the email address associated with an AWS account.
  • Group: Can specify predefined Amazon S3 groups.

Access Permissions
ACLs allow you to grant specific permissions:
Grants permission to list the objects in the bucket.
Grants permission to create, overwrite, or delete any object in the bucket.
Grants permission to read the bucket ACL.
Grants permission to modify the bucket ACL
Grants all the above permissions.
Predefined Groups in S3 ACL
Amazon S3 has predefined groups for easier ACL management:

  • AllUsers: Grants permission to everyone. Use with caution.
  • AuthenticatedUsers: Grants permission to all AWS accounts.
  • LogDelivery: Used to grant permissions to the Amazon S3 Log Delivery group to write access logs to your bucket.

Best Practices

Least Privilege Principle: Always grant the least privileges necessary for an operation.
Combine with IAM Policies: For more complex and granular permissions, consider using IAM policies.
Migrate to Bucket Policies: While ACLs provide fine-grained control, it's a best practice to use bucket policies where possible, as they offer a centralized way to manage permissions and are easier to understand for complex configurations.

ACLs are a foundational tool for managing access to S3 buckets and objects, but they're only one part of the overall security ecosystem in S3. When using ACLs, be sure to follow best practices and combine them effectively with other AWS security mechanisms to ensure robust and precise access control to your data.