Amazon Simple Storage Service
Console User Guide (API Version 2006-03-01)

Editing Object Permissions


This is the User Guide for the old Amazon S3 console. If you are looking for the User Guide for the new Amazon S3 console, see Welcome to the New Amazon S3 Console User Guide.  

This section explains how to use the console to edit AWS account permissions for an object. In this topic, each permission you grant adds an entry in the Access Control List (ACL) associated with the object. You can grant permission to other AWS accounts or built-in groups. By default, the owner has full permissions.

Bucket and object permissions are completely independent; an object does not inherit the permissions from its bucket. For example, if you create a bucket and grant write access to another user, you will not be able to access that user’s objects unless the user explicitly grants you access. This also applies if you grant anonymous write access to a bucket. Only the user anonymous can access objects the user created unless permission is explicitly granted to the bucket owner.

To change the permissions for an object

  1. Sign in to the AWS Management Console and open the Amazon S3 console at

  2. Click the object whose permissions you want to change, and then click Permissions.

  3. Do one of the following:

    To... Do this...
    To add permissions for a person or group
    1. Click Add more permissions.

    2. In the Grantee box of the new line that appears, add the name of the person or group for which you want to set permissions. The name can be the email address associated with an AWS account, a canonical ID, or one of the predefined Amazon S3 groups. For a list of predefined Amazon S3 Groups, go to Who is a Grantee in the Amazon Simple Storage Service Developer Guide. You can add as many as 100 grantees.

    3. Select or clear the check boxes, as appropriate, next to the permissions you want to grant or deny.

    To remove a person or group from the permission list Click the "x" on the line of the grantee that you want to remove.

    There are built-in groups that you can choose from the Grantee box:

    • Everyone—Use this group to grant anonymous access.

    • Authenticated Users—This group consists of any user that has an Amazon AWS Account. When you grant the Authenticated User group permission, any valid signed request can perform the appropriate action. The request can be signed by either an AWS Account or IAM User.

    • Log Delivery—This group grants write access to your bucket when the bucket is used to store server access logs. For more information, see Managing Bucket Logging.

    • Me—This group refers to your AWS root account, and not an IAM user.

    You can grant permission to an AWS account by entering the accounts canonical user ID or email address in the Grantee field. The email address must be the same one they used when signing up for an AWS account. You can grant a grantee any of the following permissions:

    • Open/Download—Enables the account to access the object when they are logged in

    • View Permissions—Can view the permissions associated with the object

    • Edit Permissions—Can edit the permissions associated with the object

  4. Click Save.

The console provides a shortcut for making objects accessible to everyone, meaning that everyone can both view and download the object.

To make an object accessible by everyone

  1. Right-click the object that you want to make accessible, and then click Make Public.

  2. The console prompts you to confirm this change. Click OK. When the change is complete, click the Close button in the Transfers panel.

  3. Click Permissions. The newly added grantee appears in the display.

  4. Get the link for the object to share in the object properties pane as shown in the example below.