Replace access control list - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Replace access control list

The Replace access control list (ACL) operation replaces the Amazon S3 access control lists (ACLs) for every object that is listed in the manifest. Using ACLs, you can define who can access an object and what actions they can perform.

S3 Batch Operations support custom ACLs that you define and canned ACLs that Amazon S3 provides with a predefined set of access permissions.

If the objects in your manifest are in a versioned bucket, you can apply the ACLs to specific versions of every object. You do this by specifying a version ID for every object in the manifest. If you don't include a version ID for any object, then S3 Batch Operations applies the ACL to the latest version of the object.

For more information about ACLs in Amazon S3, Access control list (ACL) overview.

S3 Block Public Access

If you want to limit public access to all objects in a bucket, you should use Amazon S3 Block Public Access instead of S3 Batch Operations. Block Public Access can limit public access on a per-bucket or account-wide basis with a single, simple operation that takes effect quickly. This makes it a better choice when your goal is to control public access to all objects in a bucket or account. Use S3 Batch Operations when you need to apply a customized ACL to every object in the manifest. For more information about S3 Block Public Access, see Blocking public access to your Amazon S3 storage.

S3 Object Ownership

If the objects in the manifest are in a bucket that uses the bucket owner enforced setting for Object Ownership, the Replace access control list (ACL) operation can only specify object ACLs that grant full control to the bucket owner. The operation can't grant object ACL permissions to other Amazon Web Services accounts or groups. For more information, see Controlling ownership of objects and disabling ACLs for your bucket.

Restrictions and limitations

  • The role that you specify to run the Replace access control list job must have permissions to perform the underlying Amazon S3 PutObjectAcl operation. For more information about the permissions required, see PutObjectAcl in the Amazon Simple Storage Service API Reference.

  • S3 Batch Operations uses the Amazon S3 PutObjectAcl operation to apply the specified ACL to every object in the manifest. Therefore, all restrictions and limitations that apply to the underlying PutObjectAcl operation also apply to S3 Batch Operations Replace access control list jobs.