AWS Command Line Interface
User Guide

Using API-Level (s3api) Commands with the AWS Command Line Interface

The API-level commands (contained in the s3api command set) provide direct access to the Amazon S3 APIs and enable some operations not exposed in the high-level commands. This section describes the API-level commands and provides a few examples. For more Amazon S3 examples, see the s3api command-line reference and choose an available command from the list.

Custom ACLs

With high-level commands, you can use the --acl option to apply pre-defined access control lists (ACLs) on Amazon S3 objects, but you cannot set bucket-wide ACLs. You can do this with the API-level command, put-bucket-acl. The following example grants full control to two AWS users ( and and read permission to everyone.

$ aws s3api put-bucket-acl --bucket MyBucket --grant-full-control 'emailaddress="",emailaddress=""' --grant-read 'uri=""'

For details about custom ACLs, see PUT Bucket acl. The s3api ACL commands, such as put-bucket-acl, use the same shorthand argument notation.

Logging Policy

The API command put-bucket-logging configures bucket logging policy. The following example sets the logging policy for MyBucket. The AWS user will have full control over the log files, and all users will have access to them. Note that the put-bucket-acl command is required to grant Amazon S3's log delivery system the necessary permissions (write and read-acp).

$ aws s3api put-bucket-acl --bucket MyBucket --grant-write 'URI=""' --grant-read-acp 'URI=""' $ aws s3api put-bucket-logging --bucket MyBucket --bucket-logging-status file://logging.json


{ "LoggingEnabled": { "TargetBucket": "MyBucket", "TargetPrefix": "MyBucketLogs/", "TargetGrants": [ { "Grantee": { "Type": "AmazonCustomerByEmail", "EmailAddress": "" }, "Permission": "FULL_CONTROL" }, { "Grantee": { "Type": "Group", "URI": "" }, "Permission": "READ" } ] } }

On this page: