Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Using ACLs and Bucket Policies Together

When a bucket has both ACLs and a bucket policy, Amazon S3 evaluates the existing Amazon S3 ACLs together with the bucket policy when determining whether an account may access an Amazon S3 resource. If either an ACL or a policy grants the account access to the requested resource, the request is allowed.

With existing Amazon S3 ACLs, a grant always provides access to a bucket or object; an ACL cannot express a deny. With policies, an explicit deny always overrides a grant, so a request that a policy denies is refused even if an ACL grants it.

Note

Bucket policies have their own set of rules when prioritizing grants and denies. For more information, see Evaluation Logic.

You can migrate existing Amazon S3 ACLs to policies.

To migrate ACLs to bucket policies

1. Associate a policy with a specific user, group, or bucket.
2. Add a grant to the policy for each Amazon S3 resource that the user or group has been granted access to in the ACL.

Once completed, you can begin to manage your account permissions with policies instead of ACLs.

Relationship Between Actions and Permissions

Policies can allow or deny actions; ACLs can only grant permissions. The set of actions that a policy can allow or deny is a superset of the permissions that an ACL can grant, and each ACL permission corresponds to a fixed set of policy actions. The following sections list that correspondence for object ACLs and bucket ACLs.

Object ACL Permissions

  • READ—Granting READ permission in an object ACL allows the s3:GetObject, s3:GetObjectVersion, and s3:GetObjectTorrent actions to be performed on that object.

  • READ_ACP—Granting READ_ACP permission in an object ACL allows the s3:GetObjectAcl and s3:GetObjectVersionAcl actions to be performed on that object.

  • WRITE_ACP—Granting WRITE_ACP permission in an object ACL allows the s3:PutObjectAcl and s3:PutObjectVersionAcl actions to be performed on that object.

  • FULL_CONTROL—Granting FULL_CONTROL permission in an object ACL is equivalent to granting READ, READ_ACP, and WRITE_ACP permission.

Bucket ACL Permissions

  • READ—Granting READ permission in a bucket ACL allows the s3:ListBucket, s3:ListBucketVersions, and s3:ListBucketMultipartUploads actions to be performed on that bucket.

  • WRITE—Granting WRITE permission in a bucket ACL allows the s3:PutObject and s3:DeleteObject actions to be performed on any object in that bucket. In addition, when the grantee is the bucket owner, granting WRITE permission in a bucket ACL allows the s3:DeleteObjectVersion action to be performed on any version in that bucket.

  • READ_ACP—Granting READ_ACP permission in a bucket ACL allows the s3:GetBucketAcl action to be performed on that bucket.

  • WRITE_ACP—Granting WRITE_ACP permission in a bucket ACL allows the s3:PutBucketAcl action to be performed on that bucket.

  • FULL_CONTROL—Granting FULL_CONTROL permission in a bucket ACL is equivalent to granting READ, WRITE, READ_ACP, and WRITE_ACP permission.
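The following Python is an added illustration, not code from this guide or from Amazon S3. It encodes the object and bucket ACL tables above as data, builds the policy statements that the two-step migration procedure calls for, and models the combined ACL-plus-policy evaluation described at the top of this section. Assumptions: the ACL grantee is represented by an account root ARN (a real ACL grant names a canonical user ID), the `is_allowed` function is a deliberately simplified model of the evaluation logic (explicit policy deny wins, then policy allow, then ACL grant), the account ID and bucket name are constructed, and only a trailing `*` wildcard in resource ARNs is handled.

```python
import json

# Action tables from this page: the s3: actions each ACL permission implies.
OBJECT_ACL_ACTIONS = {
    "READ": ("s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTorrent"),
    "READ_ACP": ("s3:GetObjectAcl", "s3:GetObjectVersionAcl"),
    "WRITE_ACP": ("s3:PutObjectAcl", "s3:PutObjectVersionAcl"),
}
OBJECT_ACL_ACTIONS["FULL_CONTROL"] = sum((OBJECT_ACL_ACTIONS[p] for p in ("READ", "READ_ACP", "WRITE_ACP")), ())

BUCKET_ACL_ACTIONS = {
    "READ": ("s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads"),
    "WRITE": ("s3:PutObject", "s3:DeleteObject"),
    "READ_ACP": ("s3:GetBucketAcl",),
    "WRITE_ACP": ("s3:PutBucketAcl",),
}
BUCKET_ACL_ACTIONS["FULL_CONTROL"] = sum((BUCKET_ACL_ACTIONS[p] for p in ("READ", "WRITE", "READ_ACP", "WRITE_ACP")), ())


def acl_actions(scope, permission, grantee_is_bucket_owner=False):
    """Return the actions an ACL permission implies. scope is "object" or "bucket"."""
    table = OBJECT_ACL_ACTIONS if scope == "object" else BUCKET_ACL_ACTIONS
    actions = list(table[permission])
    # Bucket WRITE (and therefore FULL_CONTROL) additionally lets the bucket
    # owner delete object versions; other grantees do not get that action.
    if scope == "bucket" and grantee_is_bucket_owner and "s3:DeleteObject" in actions:
        actions.append("s3:DeleteObjectVersion")
    return actions


def acl_resources(scope, permission, bucket, key=None):
    """ARNs a policy statement must name to cover the same ACL grant.
    Object permissions name the object. Bucket WRITE acts on the objects in the
    bucket, so it needs bucket/*; the other bucket permissions act on the bucket."""
    if scope == "object":
        return ["arn:aws:s3:::%s/%s" % (bucket, key)]
    resources = []
    if permission != "WRITE":
        resources.append("arn:aws:s3:::%s" % bucket)
    if permission in ("WRITE", "FULL_CONTROL"):
        resources.append("arn:aws:s3:::%s/*" % bucket)
    return resources


def acl_grant_to_statement(grant):
    """Migration step 2: one Allow statement per ACL grant. grant is a dict with keys
    principal (account root ARN; an assumption standing in for the ACL grantee),
    scope, permission, bucket, key (objects only) and optional is_owner."""
    return {
        "Sid": "Migrated%s%s" % (grant["scope"].capitalize(), grant["permission"].replace("_", "")),
        "Effect": "Allow",
        "Principal": {"AWS": grant["principal"]},
        "Action": acl_actions(grant["scope"], grant["permission"], grant.get("is_owner", False)),
        "Resource": acl_resources(grant["scope"], grant["permission"], grant["bucket"], grant.get("key")),
    }


def build_bucket_policy(grants):
    """Steps 1 and 2 together: a bucket policy document equivalent to the ACL grants."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [acl_grant_to_statement(g) for g in grants]}, indent=2)


def _arn_match(pattern, resource):
    # Only a trailing "*" wildcard is modelled here (assumption).
    return resource.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == resource


def _statement_matches(stmt, principal, action, resource):
    return (stmt["Principal"]["AWS"] == principal and action in stmt["Action"]
            and any(_arn_match(r, resource) for r in stmt["Resource"]))


def is_allowed(principal, action, resource, acl_grants, policy):
    """Simplified model (assumption) of the combined evaluation: an explicit policy
    Deny wins; otherwise the request is allowed if a policy Allow or an ACL grant
    covers it; otherwise it is refused."""
    statements = policy["Statement"]
    if any(s["Effect"] == "Deny" and _statement_matches(s, principal, action, resource) for s in statements):
        return False
    if any(s["Effect"] == "Allow" and _statement_matches(s, principal, action, resource) for s in statements):
        return True
    return any(_statement_matches(acl_grant_to_statement(g), principal, action, resource) for g in acl_grants)


def demo():
    """Constructed scenario: an account holds bucket WRITE by ACL while a policy
    explicitly denies it s3:DeleteObject. The deny wins; PutObject still works
    through the ACL; GetObject is refused because nothing grants it."""
    partner = "arn:aws:iam::111122223333:root"  # constructed account ID
    acl_grants = [{"principal": partner, "scope": "bucket", "permission": "WRITE", "bucket": "example-logs"}]
    policy = {"Version": "2012-10-17", "Statement": [{
        "Sid": "NoDeletes", "Effect": "Deny", "Principal": {"AWS": partner},
        "Action": ["s3:DeleteObject"], "Resource": ["arn:aws:s3:::example-logs/*"]}]}
    obj = "arn:aws:s3:::example-logs/2011/access.log"
    return {a: is_allowed(partner, a, obj, acl_grants, policy)
            for a in ("s3:PutObject", "s3:DeleteObject", "s3:GetObject")}


if __name__ == "__main__":
    print(build_bucket_policy([{"principal": "arn:aws:iam::111122223333:root", "scope": "bucket",
                                "permission": "READ", "bucket": "example-logs"}]))
    print(demo())
```

Two points worth checking when you migrate a real ACL this way: bucket WRITE maps to object-level actions, so the statement must name `bucket/*` and not the bucket ARN, and a policy can then add the denies that an ACL could never express, which is the main reason to prefer policies once the grants have been copied over.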

For more information on the actions that can be allowed or denied by policies, see Writing Bucket Policies.