Configuring ACLs
This section explains how to manage access permissions for S3 buckets and objects using access control lists (ACLs). You can add grants to your resource ACL using the Amazon Web Services Management Console, Amazon Command Line Interface (CLI), REST API, or Amazon SDKs.
Bucket and object permissions are independent of each other. An object does not inherit the permissions from its bucket. For example, if you create a bucket and grant write access to a user, you can't access that user’s objects unless the user explicitly grants you access.
You can grant permissions to other Amazon Web Services account users or to predefined groups. The user or group that you are granting permissions to is called the grantee. By default, the owner, which is the Amazon Web Services account that created the bucket, has full permissions.
Each permission you grant for a user or group adds an entry in the ACL that is associated with the bucket. The ACL lists grants, which identify the grantee and the permission granted.
S3 Object Ownership is an Amazon S3 bucket-level setting that you can use to both control ownership of the objects that are uploaded to your bucket and to disable or enable ACLs. By default, Object Ownership is set to the Bucket owner enforced setting, and all ACLs are disabled. When ACLs are disabled, the bucket owner owns all the objects in the bucket and manages access to them exclusively by using access-management policies.
A majority of modern use cases in Amazon S3 no longer require the use of ACLs. We recommend that you keep ACLs disabled, except in unusual circumstances where you need to control access for each object individually. With ACLs disabled, you can use policies to control access to all objects in your bucket, regardless of who uploaded the objects to your bucket. For more information, see Controlling ownership of objects and disabling ACLs for your bucket.
Important
If your bucket uses the Bucket owner enforced setting for S3 Object Ownership, you must use policies to grant access to your bucket and the objects in it. With the Bucket owner enforced setting enabled, requests to set access control lists (ACLs) or update ACLs fail and return the AccessControlListNotSupported error code. Requests to read ACLs are still supported.
Warning
We highly recommend that you avoid granting write access to the Everyone (public access) group or to the Authenticated Users group (all Amazon authenticated users). For more information about the effects of granting write access to these groups, see Amazon S3 predefined groups.
The console displays combined access grants for duplicate grantees. To see the full list of ACLs, use the Amazon S3 REST API, Amazon CLI, or Amazon SDKs.
The following table shows the ACL permissions that you can configure for buckets in the Amazon S3 console.
Console permission | ACL permission | Access
---|---|---
Objects - List | READ | Allows grantee to list the objects in the bucket.
Objects - Write | WRITE | Allows grantee to create new objects in the bucket. For the bucket and object owners of existing objects, also allows deletions and overwrites of those objects.
Bucket ACL - Read | READ_ACP | Allows grantee to read the bucket ACL.
Bucket ACL - Write | WRITE_ACP | Allows grantee to write the ACL for the applicable bucket.
Everyone (public access): Objects - List | READ | Grants public read access for the objects in the bucket. When you grant list access to Everyone (public access), anyone in the world can access the objects in the bucket.
Everyone (public access): Bucket ACL - Read | READ_ACP | Grants public read access for the bucket ACL. When you grant read access to Everyone (public access), anyone in the world can access the bucket ACL.
For more information about ACL permissions, see Access control list (ACL) overview.
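Because the console merges grants for duplicate grantees, the full grant list is only visible through the REST API or SDKs. The following is an added example, not code from the Amazon S3 documentation: it parses a GetBucketAcl response the way the API returns it, shows how the console would collapse it into the check-box labels from the table above, and flags any write-type grant to the Everyone or Authenticated Users groups, which the warning above advises against. The XML response and canonical IDs are constructed placeholders, and treating FULL_CONTROL as all four console check boxes is this example's assumption.

```python
# Added example (not part of the Amazon S3 documentation): parse a bucket ACL
# as returned by GetBucketAcl (the full grant list, which the console collapses
# per grantee) and flag write-type grants to the Everyone and Authenticated
# Users groups. The XML below is constructed for this example; the canonical
# IDs in it are placeholders.
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# URIs of the Amazon S3 predefined groups as they appear in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
GROUP_LABELS = {
    ALL_USERS: "Everyone (public access)",
    AUTHENTICATED_USERS: "Authenticated Users group",
    LOG_DELIVERY: "S3 log delivery group",
}

# ACL permission -> console label for a bucket, from the table above.
CONSOLE_LABELS = {
    "READ": "Objects - List",
    "WRITE": "Objects - Write",
    "READ_ACP": "Bucket ACL - Read",
    "WRITE_ACP": "Bucket ACL - Write",
}
# Assumption for this example: FULL_CONTROL is displayed as all four check boxes.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


@dataclass(frozen=True)
class Grant:
    grantee: str        # canonical ID, group URI or e-mail address
    grantee_type: str   # CanonicalUser, Group or AmazonCustomerByEmail
    permission: str     # READ, WRITE, READ_ACP, WRITE_ACP or FULL_CONTROL


def parse_acl(xml_text: str) -> list[Grant]:
    """Return every grant in an AccessControlPolicy document, duplicates included."""
    root = ET.fromstring(xml_text)
    grants = []
    for grant in root.iter(f"{S3_NS}Grant"):
        grantee = grant.find(f"{S3_NS}Grantee")
        gtype = grantee.get(XSI_TYPE, "CanonicalUser")
        if gtype == "Group":
            ident = grantee.findtext(f"{S3_NS}URI")
        elif gtype == "AmazonCustomerByEmail":
            ident = grantee.findtext(f"{S3_NS}EmailAddress")
        else:
            ident = grantee.findtext(f"{S3_NS}ID")
        grants.append(Grant(ident, gtype, grant.findtext(f"{S3_NS}Permission")))
    return grants


def console_view(grants: list[Grant]) -> dict[str, set[str]]:
    """Merge grants per grantee into console check-box labels (what the console shows)."""
    merged: dict[str, set[str]] = defaultdict(set)
    for g in grants:
        label = GROUP_LABELS.get(g.grantee, g.grantee)
        if g.permission == "FULL_CONTROL":
            merged[label].update(CONSOLE_LABELS.values())
        else:
            merged[label].add(CONSOLE_LABELS[g.permission])
    return dict(merged)


def risky_grants(grants: list[Grant]) -> list[Grant]:
    """Write-type grants to Everyone or Authenticated Users (the case the warning above covers)."""
    return [g for g in grants
            if g.grantee in (ALL_USERS, AUTHENTICATED_USERS) and g.permission in WRITE_LIKE]


# Constructed sample response: owner, log delivery group, a public READ grant,
# and a public WRITE grant that should be flagged.
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>OWNER-CANONICAL-ID-PLACEHOLDER</ID><DisplayName>owner</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>OWNER-CANONICAL-ID-PLACEHOLDER</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/s3/LogDelivery</URI></Grantee>
      <Permission>WRITE</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/s3/LogDelivery</URI></Grantee>
      <Permission>READ_ACP</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee>
      <Permission>READ</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee>
      <Permission>WRITE</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

if __name__ == "__main__":
    grants = parse_acl(SAMPLE_ACL)
    for label, boxes in console_view(grants).items():
        print(f"{label}: {sorted(boxes)}")
    for g in risky_grants(grants):
        print(f"RISKY: {GROUP_LABELS[g.grantee]} has {g.permission}")
```

Feed the body of a real GetBucketAcl response (for example the XML printed by `aws s3api get-bucket-acl` after converting it, or the raw REST response) to `parse_acl` to run the same check against a bucket you own.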
To set ACL permissions for a bucket

1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.
2. In the Buckets list, choose the name of the bucket that you want to set permissions for.
3. Choose Permissions.
4. Under Access control list, choose Edit.
   You can edit the following ACL permissions for the bucket:
   Objects
   - List – Allows a grantee to list the objects in the bucket.
   - Write – Allows grantee to create new objects in the bucket. For the bucket and object owners of existing objects, also allows deletions and overwrites of those objects.
     In the S3 console, you can only grant write access to the S3 log delivery group and the bucket owner (your Amazon Web Services account). We highly recommend that you do not grant write access for other grantees. However, if you need to grant write access, you can use the Amazon CLI, Amazon SDKs, or the REST API.
   Bucket ACL
   - Read – Allows grantee to read the bucket ACL.
   - Write – Allows grantee to write the ACL for the applicable bucket.
5. To change the bucket owner's permissions, beside Bucket owner (your Amazon Web Services account), clear or select from the following ACL permissions:
   - Objects – List or Write
   - Bucket ACL – Read or Write
   The owner refers to the Amazon Web Services account root user, not an Amazon Identity and Access Management IAM user. For more information about the root user, see The Amazon Web Services account root user in the IAM User Guide.
6. To grant or undo permissions for the general public (everyone on the internet), beside Everyone (public access), clear or select from the following ACL permissions:
   - Objects – List
   - Bucket ACL – Read
   Warning
   Use caution when granting the Everyone group public access to your S3 bucket. When you grant access to this group, anyone in the world can access your bucket. We highly recommend that you never grant any kind of public write access to your S3 bucket.
7. To grant or undo permissions for anyone with an Amazon Web Services account, beside Authenticated Users group (anyone with an Amazon Web Services account), clear or select from the following ACL permissions:
   - Objects – List
   - Bucket ACL – Read
8. To grant or undo permissions for Amazon S3 to write server access logs to the bucket, under S3 log delivery group, clear or select from the following ACL permissions:
   - Objects – List or Write
   - Bucket ACL – Read or Write
   If a bucket is set up as the target bucket to receive access logs, the bucket permissions must allow the Log Delivery group write access to the bucket. When you enable server access logging on a bucket, the Amazon S3 console grants write access to the Log Delivery group for the target bucket that you choose to receive the logs. For more information about server access logging, see Enabling Amazon S3 server access logging.
9. To grant access to another Amazon Web Services account, do the following:
   a. Choose Add grantee.
   b. In the Grantee box, enter the canonical ID of the other Amazon Web Services account.
   c. Select from the following ACL permissions:
      - Objects – List or Write
      - Bucket ACL – Read or Write
   Warning
   When you grant other Amazon Web Services accounts access to your resources, be aware that the Amazon Web Services accounts can delegate their permissions to users under their accounts. This is known as cross-account access. For information about using cross-account access, see Creating a Role to Delegate Permissions to an IAM User in the IAM User Guide.
10. To remove access to another Amazon Web Services account, under Access for other Amazon Web Services accounts, choose Remove.
11. To save your changes, choose Save changes.
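The same bucket ACL can be set with an SDK, which is also the only way to grant the combinations the console does not offer. The following is an added example, not code from the Amazon S3 documentation: it builds the AccessControlPolicy body that boto3's `put_bucket_acl` sends, mirroring the console choices (owner keeps FULL_CONTROL, optional S3 log delivery group, other accounts by canonical ID, optional public Objects - List), refuses any policy that would give Everyone or Authenticated Users write-type access, and treats the AccessControlListNotSupported error as the signal that the bucket uses Bucket owner enforced. Canonical IDs are placeholders; granting the log delivery group WRITE plus READ_ACP is this example's choice for a logging target bucket; boto3 is imported only inside `apply_bucket_acl`, so the builder and the check run offline.

```python
# Added example (not Amazon's code): the SDK equivalent of the console procedure
# above, using boto3's put_bucket_acl with an explicit AccessControlPolicy body.
# Canonical IDs are placeholders; boto3 is imported only inside apply_bucket_acl
# so the builder and checks run offline.
from typing import Iterable

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
BUCKET_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def user_grant(canonical_id: str, permission: str) -> dict:
    """Grant to a specific Amazon Web Services account, identified by canonical ID."""
    if permission not in BUCKET_PERMISSIONS:
        raise ValueError(f"unknown bucket ACL permission {permission}")
    return {"Grantee": {"Type": "CanonicalUser", "ID": canonical_id}, "Permission": permission}


def group_grant(uri: str, permission: str) -> dict:
    """Grant to one of the Amazon S3 predefined groups."""
    if permission not in BUCKET_PERMISSIONS:
        raise ValueError(f"unknown bucket ACL permission {permission}")
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}


def build_bucket_acl(owner_id: str, *, log_delivery: bool = False,
                     other_accounts: Iterable[tuple[str, Iterable[str]]] = (),
                     public_list: bool = False) -> dict:
    """Mirror the console choices: owner keeps FULL_CONTROL; optionally the S3 log
    delivery group (WRITE plus READ_ACP, this example's choice for a logging target),
    other accounts by canonical ID, and public Objects - List (READ)."""
    grants = [user_grant(owner_id, "FULL_CONTROL")]
    if log_delivery:
        grants += [group_grant(LOG_DELIVERY, "WRITE"), group_grant(LOG_DELIVERY, "READ_ACP")]
    for account_id, permissions in other_accounts:
        grants += [user_grant(account_id, p) for p in permissions]
    if public_list:
        grants.append(group_grant(ALL_USERS, "READ"))
    # Always send the Owner element alongside the grants, as GetBucketAcl returns it.
    return {"Owner": {"ID": owner_id}, "Grants": grants}


def public_write_grants(policy: dict) -> list[dict]:
    """Grants that would give Everyone or Authenticated Users write-type access."""
    return [g for g in policy["Grants"]
            if g["Grantee"].get("URI") in (ALL_USERS, AUTHENTICATED_USERS)
            and g["Permission"] in ("WRITE", "WRITE_ACP", "FULL_CONTROL")]


def apply_bucket_acl(bucket: str, policy: dict, client=None) -> bool:
    """Apply the policy. Returns False when the bucket has Bucket owner enforced
    (AccessControlListNotSupported), in which case a bucket policy must be used."""
    import boto3  # needs credentials and network; not exercised offline
    from botocore.exceptions import ClientError

    if public_write_grants(policy):
        raise ValueError("refusing to grant public or authenticated-users write access")
    client = client or boto3.client("s3")
    try:
        client.put_bucket_acl(Bucket=bucket, AccessControlPolicy=policy)
    except ClientError as err:
        if err.response["Error"]["Code"] == "AccessControlListNotSupported":
            return False
        raise
    return True


if __name__ == "__main__":
    policy = build_bucket_acl(
        "OWNER-CANONICAL-ID-PLACEHOLDER", log_delivery=True,
        other_accounts=[("OTHER-ACCOUNT-CANONICAL-ID-PLACEHOLDER", ["READ", "READ_ACP"])])
    print(policy)
    print("public write grants:", public_write_grants(policy))
```

Calling `apply_bucket_acl("example-bucket-placeholder", policy)` with real credentials applies the ACL; a `False` return means ACLs are disabled on that bucket and access must be granted through a bucket policy instead, as the Important note above states.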
The console displays combined access grants for duplicate grantees. To see the full list of ACLs, use the Amazon S3 REST API, Amazon CLI, or Amazon SDKs.

The following table shows the ACL permissions that you can configure for objects in the Amazon S3 console.

Console permission | ACL permission | Access
---|---|---
Object - Read | READ | Allows grantee to read the object data and its metadata.
Object ACL - Read | READ_ACP | Allows grantee to read the object ACL.
Object ACL - Write | WRITE_ACP | Allows grantee to write the ACL for the applicable object.
For more information about ACL permissions, see Access control list (ACL) overview.
To set ACL permissions for an object

1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.
2. In the Buckets list, choose the name of the bucket that contains the object.
3. In the objects list, choose the name of the object for which you want to set permissions.
4. Choose Permissions.
5. Under Access control list (ACL), choose Edit.
   You can edit the following ACL permissions for the object:
   Object
   - Read – Allows grantee to read the object data and its metadata.
   Object ACL
   - Read – Allows grantee to read the object ACL.
   - Write – Allows grantee to write the ACL for the applicable object. In the S3 console, you can only grant write access to the bucket owner (your Amazon Web Services account). We highly recommend that you do not grant write access for other grantees. However, if you need to grant write access, you can use the Amazon CLI, Amazon SDKs, or the REST API.
6. You can manage object access permissions for the following:
   - Access for object owner
     The owner refers to the Amazon Web Services account root user, and not an Amazon Identity and Access Management IAM user. For more information about the root user, see The Amazon Web Services account root user in the IAM User Guide.
     To change the owner's object access permissions, under Access for object owner, choose Your Amazon Account (owner).
     Select the check boxes for the permissions that you want to change, and then choose Save.
   - Access for other Amazon Web Services accounts
     To grant permissions to an Amazon user from a different Amazon Web Services account, under Access for other Amazon Web Services accounts, choose Add account. In the Enter an ID field, enter the canonical ID of the Amazon user that you want to grant object permissions to. For information about finding a canonical ID, see Your Amazon Web Services account identifiers in the Amazon Web Services General Reference. You can add as many as 99 users.
     Select the check boxes for the permissions that you want to grant to the user, and then choose Save. To display information about the permissions, choose the Help icons.
   - Public access
     To grant access to your object to the general public (everyone in the world), under Public access, choose Everyone. Granting public access permissions means that anyone in the world can access the object.
     Select the check boxes for the permissions that you want to grant, and then choose Save.
     Warning
     - Use caution when granting the Everyone group anonymous access to your Amazon S3 objects. When you grant access to this group, anyone in the world can access your object. If you need to grant access to everyone, we highly recommend that you only grant permissions to Read objects.
     - We highly recommend that you do not grant the Everyone group write object permissions. Doing so allows anyone to overwrite the ACL permissions for the object.
This section provides examples of how to configure access control list (ACL) grants on buckets and objects.
Amazon S3 APIs enable you to set an ACL when you create a bucket or an object. Amazon S3 also provides an API to set an ACL on an existing bucket or object. These APIs provide the following methods to set an ACL:
- Set ACL using request headers – When you send a request to create a resource (bucket or object), you set an ACL using the request headers. Using these headers, you can either specify a canned ACL or specify grants explicitly (identifying grantee and permissions explicitly).
- Set ACL using request body – When you send a request to set an ACL on an existing resource, you can set the ACL either in the request header or in the body.
For information on the REST API support for managing ACLs, see the following sections in the Amazon Simple Storage Service API Reference:
Access Control List (ACL)-Specific Request Headers
You can use headers to grant access control list (ACL)-based permissions. By default, all objects are private. Only the owner has full access control. When adding a new object, you can grant permissions to individual Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are then added to the Access Control List (ACL) on the object. For more information, see Access control list (ACL) overview.
With this operation, you can grant access permissions using one of these two methods:
- Canned ACL (x-amz-acl) – Amazon S3 supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions. For more information, see Canned ACL.
- Access Permissions – To explicitly grant access permissions to specific Amazon Web Services accounts or groups, use the following headers. Each header maps to specific permissions that Amazon S3 supports in an ACL. For more information, see Access control list (ACL) overview. In the header, you specify a list of grantees who get the specific permission.
  - x-amz-grant-read
  - x-amz-grant-write
  - x-amz-grant-read-acp
  - x-amz-grant-write-acp
  - x-amz-grant-full-control
For more information about managing ACLs using the Amazon CLI, see put-bucket-acl.
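The following is an added example, not code from the Amazon S3 documentation, that builds the header form of an ACL request described above: either a single canned ACL in `x-amz-acl`, or explicit `x-amz-grant-*` headers whose values list grantees as `id="..."`, `uri="..."` or `emailAddress="..."` pairs, comma separated when one permission goes to several grantees. It uses the page's two tables to reject permissions that do not exist for the resource (an object has no WRITE grant header), and it treats the two methods as mutually exclusive, which is this example's policy. The canonical ID and canned ACL name `private` are placeholders and assumptions respectively; the headers produced are what `aws s3api put-bucket-acl --acl` and `--grant-read` (and the matching boto3 `ACL`/`GrantRead` parameters) send on your behalf.

```python
# Added example (not Amazon's code): build the ACL request headers described
# above for a PutObject, CreateBucket or PutBucketAcl request, choosing either
# a canned ACL (x-amz-acl) or explicit x-amz-grant-* headers. Grantee values
# used in the demo are placeholders.
from typing import Optional

GRANT_HEADERS = {
    "READ": "x-amz-grant-read",
    "WRITE": "x-amz-grant-write",
    "READ_ACP": "x-amz-grant-read-acp",
    "WRITE_ACP": "x-amz-grant-write-acp",
    "FULL_CONTROL": "x-amz-grant-full-control",
}
# Grantee forms accepted in the grant headers: canonical ID, predefined-group
# URI, or account e-mail address.
GRANTEE_KINDS = ("id", "uri", "emailAddress")
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def valid_permissions(resource: str) -> set[str]:
    """Buckets take all five grant headers; objects have no WRITE permission
    (the object table above lists only READ, READ_ACP and WRITE_ACP)."""
    if resource == "bucket":
        return set(GRANT_HEADERS)
    if resource == "object":
        return set(GRANT_HEADERS) - {"WRITE"}
    raise ValueError("resource must be 'bucket' or 'object'")


def acl_headers(resource: str, canned: Optional[str] = None,
                grants: Optional[list[tuple[str, str, str]]] = None) -> dict[str, str]:
    """grants is a list of (permission, grantee_kind, grantee_value) triples.
    Exactly one of canned / grants is used, matching the two methods above."""
    if bool(canned) == bool(grants):
        raise ValueError("specify a canned ACL or explicit grants, not both and not neither")
    if canned:
        return {"x-amz-acl": canned}
    allowed = valid_permissions(resource)
    per_header: dict[str, list[str]] = {}
    for permission, kind, value in grants:
        if permission not in allowed:
            raise ValueError(f"{permission} is not an ACL permission for a {resource}")
        if kind not in GRANTEE_KINDS:
            raise ValueError(f"unknown grantee kind {kind}")
        per_header.setdefault(GRANT_HEADERS[permission], []).append(f'{kind}="{value}"')
    # Several grantees for one permission share a single header, comma separated.
    return {header: ", ".join(values) for header, values in per_header.items()}


if __name__ == "__main__":
    # Explicit grants for a bucket: one account may list objects and edit the
    # ACL, and the Everyone group may list objects (READ only, never WRITE).
    demo = acl_headers("bucket", grants=[
        ("READ", "id", "OTHER-ACCOUNT-CANONICAL-ID-PLACEHOLDER"),
        ("READ", "uri", ALL_USERS),
        ("WRITE_ACP", "id", "OTHER-ACCOUNT-CANONICAL-ID-PLACEHOLDER"),
    ])
    for name, value in demo.items():
        print(f"{name}: {value}")
    print(acl_headers("object", canned="private"))
```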