Editing Bucket Permissions
Bucket permissions specify who is allowed access to the objects in a bucket and what permissions you have granted them. For example, one person might have only read permission while another might have read and write permissions.
To edit bucket permissions
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
In the Buckets list, click the bucket whose properties you want to view.
Click Permissions, and then do any of the following:
To... Do this... Add permissions for a person or group
Click Add more permissions.
In the Grantee box of the new line that appears, add the name of the person or group for which you want to set permissions. The name can be the email address associated with an AWS account, a canonical ID, or one of the predefined Amazon S3 groups. For a list of predefined Amazon S3 Groups, go to Who is a Grantee in the Amazon Simple Storage Service Developer Guide. You can add as many as 100 grantees.
Select the check boxes next to the permissions you want to grant.
Remove a person or group from the permission list
Click the "x" on the line of the grantee you want to remove.
Add a bucket policy
Click Add bucket policy.
In the Bucket Policy Editor, paste your bucket policy into the box provided.
Add a Cross-Origin Resource Sharing (CORS) configuration
Click Add CORS Configuration. In the CORS Configuration Editor, paste your CORS configuration into the field provided, and then click Save. For information about CORS configuration, see Enabling Cross-Origin Resource Sharing in the Amazon Simple Storage Service Developer Guide.
There are built-in groups that you can choose from the Grantee box:
Everyone—Use this group to grant anonymous access.
Authenticated Users—This group consists of any user that has an Amazon AWS Account. When you grant the Authenticated User group permission, any valid signed request can perform the appropriate action. The request can be signed by either an AWS Account or IAM User.
Log Delivery—This group grants write access to your bucket when the bucket is used to store server access logs. For more information, see Managing Bucket Logging.
Me—This group refers to your AWS root account, and not an IAM user.
You can grant permission to an AWS account by entering the accounts canonical user ID or email address in the Grantee field. The email address must be the same one they used when signing up for an AWS account. You can grant a grantee any of the following permissions:
Open/Download—Enables the account to access the object when they are logged in
View Permissions—Can view the permissions associated with the object
Edit Permissions—Can edit the permissions associated with the object
For more information about predefined Amazon S3 Groups, go to Who is a Grantee in the Amazon Simple Storage Service Developer Guide.
You can grant access to an account by using the email address that the user entered when signing up for an AWS account. You can grant an account any of the following permissions:
List – Allows the grantee to view a list of the objects in the bucket.
Upload/Delete – Allows the grantee to access the object when they logged in.
View Permissions – Allows the grantee to view the permissions associated with the object.
Edit Permissions – Allows the grantee to edit the permissions associated with the object.
We highly recommend against granting the Everyone group Upload/Delete permission. Doing so will allow anyone to store objects in your bucket, for which you will be billed, and allows others to delete objects that you may want to keep.