Example walkthroughs: Managing access to your Amazon S3 resources - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Example walkthroughs: Managing access to your Amazon S3 resources

This topic provides the following introductory walkthrough examples for granting access to Amazon S3 resources. These examples use the Amazon Web Services Management Console to create resources (buckets, objects, users) and grant them permissions. The examples then show you how to verify permissions using the command line tools, so you don't have to write any code. We provide commands using both the Amazon Command Line Interface (CLI) and the Amazon Tools for Windows PowerShell.

  • Example 1: Bucket owner granting its users bucket permissions

    The IAM users you create in your account have no permissions by default. In this exercise, you grant a user permission to perform bucket and object operations.

  • Example 2: Bucket owner granting cross-account bucket permissions

    In this exercise, a bucket owner, Account A, grants cross-account permissions to another Amazon Web Services account, Account B. Account B then delegates those permissions to users in its account.

  • Managing object permissions when the object and bucket owners are not the same

    The example scenarios in this case are about a bucket owner granting object permissions to others when not all objects in the bucket are owned by the bucket owner. What permissions does the bucket owner need, and how can it delegate those permissions?

    The Amazon Web Services account that creates a bucket is called the bucket owner. The owner can grant other Amazon Web Services accounts permission to upload objects, and the Amazon Web Services accounts that create objects own them. The bucket owner has no permissions on those objects created by other Amazon Web Services accounts. If the bucket owner writes a bucket policy granting access to objects, the policy does not apply to objects that are owned by other accounts.

    In this case, the object owner must first grant permissions to the bucket owner using an object ACL. The bucket owner can then delegate those object permissions to others, whether to users in its own account or to another Amazon Web Services account, as illustrated by the following examples.
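As an added example that is not part of the walkthrough, the check a bucket owner would run before writing any delegation policy: list the objects in the bucket that are owned by another account and still carry no object-ACL grant back to the bucket owner. The canonical IDs, object keys and API responses are constructed placeholders, and only CanonicalUser grants are counted.

```python
# Added example, not part of the original walkthrough. The listing and ACL
# dicts are constructed samples shaped like boto3's list_objects_v2(FetchOwner=True)
# and get_object_acl() responses; swap in live calls to audit a real bucket.

BUCKET_OWNER_ID = "bucket-owner-canonical-id"  # constructed placeholder
OTHER_ACCOUNT_ID = "account-b-canonical-id"    # constructed placeholder

# Constructed sample: list_objects_v2(Bucket=..., FetchOwner=True) response.
SAMPLE_LISTING = {"Contents": [
    {"Key": "own.txt", "Owner": {"ID": BUCKET_OWNER_ID}},
    {"Key": "shared.txt", "Owner": {"ID": OTHER_ACCOUNT_ID}},
    {"Key": "locked.txt", "Owner": {"ID": OTHER_ACCOUNT_ID}},
]}

def _grant(canonical_id, permission):
    return {"Grantee": {"Type": "CanonicalUser", "ID": canonical_id},
            "Permission": permission}

# Constructed sample: get_object_acl() responses by key. Account B granted
# the bucket owner READ on shared.txt but nothing on locked.txt.
SAMPLE_ACLS = {
    "own.txt": {"Grants": [_grant(BUCKET_OWNER_ID, "FULL_CONTROL")]},
    "shared.txt": {"Grants": [_grant(OTHER_ACCOUNT_ID, "FULL_CONTROL"),
                              _grant(BUCKET_OWNER_ID, "READ")]},
    "locked.txt": {"Grants": [_grant(OTHER_ACCOUNT_ID, "FULL_CONTROL")]},
}

def acl_grants_read(acl, canonical_id):
    """True if a CanonicalUser grant gives canonical_id READ or FULL_CONTROL."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == canonical_id
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False

def audit_foreign_objects(bucket_owner_id, listing, acl_lookup):
    """(key, owner_id) for objects another account owns that the bucket owner
    cannot read; a bucket policy cannot cover these, the object ACL must."""
    findings = []
    for obj in listing.get("Contents", []):
        owner_id = obj.get("Owner", {}).get("ID")
        if owner_id != bucket_owner_id and not acl_grants_read(
                acl_lookup(obj["Key"]), bucket_owner_id):
            findings.append((obj["Key"], owner_id))
    return findings

if __name__ == "__main__":
    for key, owner in audit_foreign_objects(BUCKET_OWNER_ID, SAMPLE_LISTING, SAMPLE_ACLS.get):
        print(f"{key}: owned by {owner}, no READ/FULL_CONTROL grant to the bucket owner")
```

Objects the audit reports are exactly the ones the bucket owner cannot delegate until their owner adds a grant, which is the situation the walkthrough below resolves.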

Before you try the example walkthroughs

These examples use the Amazon Web Services Management Console to create resources and grant permissions. To test permissions, the examples use the command line tools, the Amazon Command Line Interface (CLI) and Amazon Tools for Windows PowerShell, so you don't need to write any code. To test permissions, you will need to set up one of these tools. For more information, see Setting up the tools for the example walkthroughs.

In addition, when creating resources, these examples don't use the root credentials of an Amazon Web Services account. Instead, you create an administrator user in each account to perform these tasks.

About using an administrator user to create resources and grant permissions

Amazon Identity and Access Management (IAM) recommends not using the root credentials of your Amazon Web Services account to make requests. Instead, create an IAM user, grant that user full access, and then use that user's credentials to make requests. We refer to this user as an administrator user. For more information, go to Root Account Credentials vs. IAM User Credentials in the Amazon General Reference and IAM Best Practices in the IAM User Guide.

All example walkthroughs in this section use the administrator user credentials. If you have not created an administrator user for your Amazon Web Services account, the topics show you how.

Note that to sign in to the Amazon Web Services Management Console using the user credentials, you will need to use the IAM User Sign-In URL. The IAM console provides this URL for your Amazon Web Services account. The topics show you how to get the URL.