Walkthroughs that use policies to manage access to your Amazon S3 resources - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Walkthroughs that use policies to manage access to your Amazon S3 resources

This topic provides the following introductory walkthrough examples for granting access to Amazon S3 resources. These examples use the Amazon Web Services Management Console to create resources (buckets, objects, users) and grant them permissions. The examples then show you how to verify permissions using the command line tools, so you don't have to write any code. We provide commands using both the Amazon Command Line Interface (Amazon CLI) and the Amazon Tools for Windows PowerShell.

  • Example 1: Bucket owner granting its users bucket permissions

    The IAM users you create in your account have no permissions by default. In this exercise, you grant a user permission to perform bucket and object operations.

  • Example 2: Bucket owner granting cross-account bucket permissions

    In this exercise, a bucket owner, Account A, grants cross-account permissions to another Amazon Web Services account, Account B. Account B then delegates those permissions to users in its account.

  • Managing object permissions when the object and bucket owners are not the same

    The example scenarios in this case are about a bucket owner granting object permissions to others, but not all objects in the bucket are owned by the bucket owner. What permissions does the bucket owner need, and how can it delegate those permissions?

    The Amazon Web Services account that creates a bucket is called the bucket owner. The owner can grant other Amazon Web Services accounts permission to upload objects, and the Amazon Web Services accounts that create objects own them. The bucket owner has no permissions on those objects created by other Amazon Web Services accounts. If the bucket owner writes a bucket policy granting access to objects, the policy doesn't apply to objects that are owned by other accounts.

    In this case, the object owner must first grant permissions to the bucket owner using an object ACL. The bucket owner can then delegate those object permissions to others, to users in its own account, or to another Amazon Web Services account, as illustrated by the following examples.

Before you try the example walkthroughs

These examples use the Amazon Web Services Management Console to create resources and grant permissions. To test permissions, the examples use the command line tools, Amazon CLI, and Amazon Tools for Windows PowerShell, so you don't need to write any code. To test permissions, you must set up one of these tools. For more information, see Setting up the tools for the walkthroughs.

In addition, when creating resources, these examples don't use root user credentials of an Amazon Web Services account. Instead, you create an administrator user in these accounts to perform these tasks.

About using an administrator user to create resources and grant permissions

Amazon Identity and Access Management (IAM) recommends not using the root user credentials of your Amazon Web Services account to make requests. Instead, create an IAM user or role, grant them full access, and then use their credentials to make requests. We refer to this as an administrative user or role. For more information, go to Amazon Web Services account root user credentials and IAM identities in the Amazon Web Services General Reference and IAM Best Practices in the IAM User Guide.

All example walkthroughs in this section use the administrator user credentials. If you have not created an administrator user for your Amazon Web Services account, the topics show you how.

To sign in to the Amazon Web Services Management Console using the user credentials, you must use the IAM user sign-In URL. The IAM Console provides this URL for your Amazon Web Services account. The topics show you how to get the URL.