Access and Access Policies in Amazon S3

Overview
Amazon S3 provides several mechanisms to control access to resources:
IAM Policies
Bucket Policies
Access Control Lists (ACLs)
Query String Authentication (temporary access via URLs)
By default, all S3 resources (buckets, objects, sub-resources) are private and accessible only to the resource owner, which is the AWS account that created the resource.
IAM Policies
Purpose: Manage access for users and roles within the same AWS account.
Access Types: Programmatic access, AWS Management Console access.
Resource Specification: Use Amazon Resource Names (ARNs) to specify resources in policies.
Format: arn:partition:service:region:namespace:relative-id
For S3:
arn:aws:s3:::bucket_name
arn:aws:s3:::bucket_name/key_name
Bucket Policies
Purpose: Control access to the bucket and its objects.
Features:
Can grant cross-account permissions.
Resource-based policy attached directly to the bucket.
Use AWS Policy Generator to create policies.
Access Control Lists (ACLs)
Purpose: Grant basic read/write permissions at the bucket and object level.
Features:
Each bucket and object has an associated ACL.
Define permissions for AWS accounts or predefined S3 groups.
ACL permissions include READ, WRITE, READ_ACP, WRITE_ACP, and FULL_CONTROL.
Query String Authentication (Pre-signed URLs)
Purpose: Provide temporary access to objects.
Mechanism: A signed, time-limited URL that grants access to a single S3 object until it expires; anyone holding the URL can use it during that window.
Access Auditing
Logging: Configure S3 to create access logs for requests.
CloudTrail: Use AWS CloudTrail data events to record object-level S3 API calls together with the IAM identity that made them.
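As an added example (not from the original notes or from AWS tooling), here is a small parser for S3 server access log records plus a few detection rules a defender would run over them: anonymous requests that were served, AccessDenied responses, ACL modifications, and requests authorized by a pre-signed URL (auth type QueryString). The log lines are constructed; the field order follows the S3 server access log format, and the owner and host IDs are placeholders.

```python
import re
from collections import Counter

# First 24 fields of an S3 server access log record, in the order S3 writes them.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turnaround_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
    "host_header", "tls_version",
]

# A token is a [bracketed] timestamp, a "quoted" string, or a bare run of non-space characters.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample records (owner id and host ids are placeholders).
SAMPLE_LOG = """\
OWNERIDPLACEHOLDER example-bucket [15/Jan/2024:12:00:01 +0000] 192.0.2.10 - REQ0001 REST.GET.OBJECT public/index.html "GET /public/index.html HTTP/1.1" 200 - 512 512 12 8 "-" "Mozilla/5.0" - HOSTID0001 - - - example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
OWNERIDPLACEHOLDER example-bucket [15/Jan/2024:12:00:02 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice REQ0002 REST.GET.OBJECT private/payroll.csv "GET /private/payroll.csv HTTP/1.1" 403 AccessDenied - - 5 - "-" "aws-cli/2.15.0" - HOSTID0002 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
OWNERIDPLACEHOLDER example-bucket [15/Jan/2024:12:00:03 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice REQ0003 REST.PUT.ACL public/index.html "PUT /public/index.html?acl HTTP/1.1" 200 - - 512 20 15 "-" "aws-cli/2.15.0" - HOSTID0003 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
OWNERIDPLACEHOLDER example-bucket [15/Jan/2024:12:00:04 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/bob REQ0004 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv?X-Amz-Algorithm=AWS4-HMAC-SHA256 HTTP/1.1" 200 - 2048 2048 30 22 "-" "curl/8.4.0" - HOSTID0004 SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
OWNERIDPLACEHOLDER example-bucket [15/Jan/2024:12:00:05 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice REQ0005 REST.GET.OBJECT reports/q2.csv "GET /reports/q2.csv HTTP/1.1" 200 - 1024 1024 10 7 "-" "aws-cli/2.15.0" - HOSTID0005 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
"""


def parse_access_log_line(line):
    """Map one log record to a dict keyed by FIELDS; fields absent from short records become '-'."""
    tokens = _TOKEN.findall(line)
    record = {}
    for name, tok in zip(FIELDS, tokens):
        if tok.startswith("[") or tok.startswith('"'):
            tok = tok[1:-1]  # strip the brackets / quotes
        record[name] = tok
    for name in FIELDS[len(tokens):]:
        record[name] = "-"
    return record


def audit(log_text):
    """Return (request_id, finding) pairs for records a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_access_log_line(line)
        # Requester '-' means the request was unauthenticated; a 2xx means the bucket served it publicly.
        if r["requester"] == "-" and r["http_status"].startswith("2"):
            findings.append((r["request_id"], "anonymous_request_served"))
        if r["http_status"] == "403":
            findings.append((r["request_id"], "access_denied"))
        # REST.PUT.ACL is a change to a bucket or object ACL.
        if r["operation"].startswith("REST.PUT") and r["operation"].endswith(".ACL"):
            findings.append((r["request_id"], "acl_modified"))
        # QueryString auth type means a pre-signed URL was used rather than a signed Authorization header.
        if r["auth_type"] == "QueryString":
            findings.append((r["request_id"], "presigned_url_used"))
    return findings


def summarize(findings):
    return dict(Counter(kind for _, kind in findings))


if __name__ == "__main__":
    for request_id, kind in audit(SAMPLE_LOG):
        print(request_id, kind)
```

Server access logs are delivered on a best-effort basis and can lag by hours, so these rules suit periodic review; for near-real-time alerting on the same events, CloudTrail data events are the better source.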
Key Points on Access Control
Resource Owner: The AWS account that creates a resource owns it.
Permissions:
Permissions can be granted to individual IAM users, other AWS accounts, the public (anonymous requests), and all authenticated AWS users.
Permissions defined in policies or ACLs are evaluated together to determine access.
Permissions delegation allows account owners to delegate permissions received from other accounts to their users.
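To make the ARN patterns, the bucket policy section and the "evaluated together" rule above concrete, here is an added example (not from the original notes, and not the real IAM engine) of a simplified policy evaluator: IAM-style wildcard matching of ARNs and actions, an identity policy plus a bucket policy evaluated together, an explicit Deny overriding any Allow, and the cross-account rule that a principal from another account needs an Allow from both its own identity policy and the bucket policy. Account IDs, bucket name and user names are constructed; only the Bool and StringEquals condition operators are modelled, and NotAction, NotResource, ACLs, permission boundaries and SCPs are left out.

```python
import re


def glob_matches(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _account_of(arn):
    return arn.split(":")[4]  # arn:partition:service:region:ACCOUNT:relative-id


def principal_matches(principal_field, principal_arn):
    # Identity policies carry no Principal: they bind to the identity they are attached to.
    if principal_field is None or principal_field == "*":
        return True
    if isinstance(principal_field, dict):
        candidates = _as_list(principal_field.get("AWS", []))
    else:
        candidates = _as_list(principal_field)
    for p in candidates:
        if p == "*" or p == principal_arn:
            return True
        # Naming an account (or its root) delegates to every identity in that account,
        # each of which still needs its own identity-policy permission.
        if p == _account_of(principal_arn) or (
            p.endswith(":root") and _account_of(p) == _account_of(principal_arn)
        ):
            return True
    return False


def condition_matches(condition, context):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} is not modelled here")
    return True


def statement_applies(stmt, principal_arn, action, resource, context):
    return (principal_matches(stmt.get("Principal"), principal_arn)
            and any(glob_matches(a, action) for a in _as_list(stmt["Action"]))
            and any(glob_matches(r, resource) for r in _as_list(stmt["Resource"]))
            and condition_matches(stmt.get("Condition"), context))


def is_allowed(principal_arn, action, resource, identity_policies, bucket_policy,
               bucket_owner_account, context):
    def effects(policies):
        return {s["Effect"] for p in policies for s in _as_list(p["Statement"])
                if statement_applies(s, principal_arn, action, resource, context)}

    identity_effects = effects(identity_policies)
    bucket_effects = effects([bucket_policy] if bucket_policy else [])
    if "Deny" in identity_effects | bucket_effects:   # an explicit Deny always wins
        return False
    if _account_of(principal_arn) == bucket_owner_account:
        return "Allow" in identity_effects | bucket_effects   # same account: either policy may allow
    return "Allow" in identity_effects and "Allow" in bucket_effects  # cross-account: both must allow


# Constructed sample data.
BUCKET_OWNER, PARTNER_ACCOUNT = "111122223333", "444455556666"
BUCKET_ARN = "arn:aws:s3:::example-bucket"
OWNER_USER = f"arn:aws:iam::{BUCKET_OWNER}:user/alice"
PARTNER_USER = f"arn:aws:iam::{PARTNER_ACCOUNT}:user/partner-reader"
TLS, PLAINTEXT = {"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}

SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PartnerReadsSharedPrefix", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
     "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/shared/*"},
    {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
PARTNER_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": f"{BUCKET_ARN}/*"}]}
OWNER_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]}]}

if __name__ == "__main__":
    print(is_allowed(PARTNER_USER, "s3:GetObject", f"{BUCKET_ARN}/shared/report.csv",
                     [PARTNER_IDENTITY_POLICY], SAMPLE_BUCKET_POLICY, BUCKET_OWNER, TLS))
```

Note the ARN distinction from the IAM Policies section: arn:aws:s3:::bucket_name/* covers objects only, so an action on the bucket itself (such as listing it) needs the bare bucket ARN in Resource as well.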
Predefined Groups
Authenticated Users Group: Represents all AWS accounts. Requests must be authenticated.
All Users Group: Allows public access. Requests can be authenticated or anonymous.
Log Delivery Group: Used for S3 server access logs.
Permissions in ACLs
READ: List objects in the bucket or read object data and metadata.
WRITE: Create, overwrite, and delete objects in the bucket (N/A for objects).
READ_ACP: Read the ACL.
WRITE_ACP: Write the ACL.
FULL_CONTROL: Grants all the above permissions.
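An added example, not from the original notes or from AWS, that audits an ACL in the shape the S3 GetBucketAcl / GetObjectAcl APIs return (an Owner plus a list of Grants, each with a Grantee and a Permission) for the predefined groups and permissions listed above. The group URIs are the ones S3 uses; the owner canonical ID and the sample ACL are constructed.

```python
# Group URIs S3 uses to identify the predefined groups in ACL grantees.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
MAX_GRANTS = 100  # an ACL holds at most 100 grants

# At bucket level WRITE lets the grantee create, overwrite and delete objects, and WRITE_ACP /
# FULL_CONTROL let it rewrite the ACL itself, so these are the permissions that must never reach
# the public groups.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample ACL in GetBucketAcl response shape (owner ID is a placeholder).
SAMPLE_ACL = {
    "Owner": {"ID": "OWNERCANONICALIDPLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNERCANONICALIDPLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "READ_ACP"},
    ],
}


def group_of(grant):
    grantee = grant["Grantee"]
    return grantee.get("URI") if grantee.get("Type") == "Group" else None


def audit_acl(acl):
    """Return (severity, message) pairs, one per grant that deserves attention, in grant order."""
    findings = []
    grants = acl.get("Grants", [])
    if len(grants) > MAX_GRANTS:
        findings.append(("error", f"{len(grants)} grants exceeds the ACL limit of {MAX_GRANTS}"))
    for grant in grants:
        group, perm = group_of(grant), grant["Permission"]
        if group == ALL_USERS:
            severity = "critical" if perm in WRITE_LIKE else "high"
            findings.append((severity, f"AllUsers (anonymous requests) has {perm}"))
        elif group == AUTHENTICATED_USERS:
            # Any AWS account in the world can authenticate, so this is effectively public too.
            severity = "critical" if perm in WRITE_LIKE else "high"
            findings.append((severity, f"AuthenticatedUsers (any AWS account) has {perm}"))
        elif group == LOG_DELIVERY:
            # Expected on a bucket that receives server access logs; flagged for confirmation only.
            findings.append(("info", f"LogDelivery group has {perm}"))
    return findings


def is_public(acl):
    """True if any grant goes to the AllUsers or AuthenticatedUsers group, whatever the permission."""
    return any(group_of(g) in (ALL_USERS, AUTHENTICATED_USERS) for g in acl.get("Grants", []))


if __name__ == "__main__":
    for severity, message in audit_acl(SAMPLE_ACL):
        print(f"[{severity}] {message}")
    print("public:", is_public(SAMPLE_ACL))
```

The WRITE grant to the AuthenticatedUsers group in the sample is the case the best practices below warn about: it is not limited to "your" users, it is open to every AWS account.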
Bucket Policies vs. ACLs
Bucket Policies:
More flexible and can include conditional permissions.
Can manage cross-account permissions more effectively.
Can be larger: a bucket policy may be up to 20 KB.
ACLs:
Simpler and used for basic permissions.
Limited to 100 grants per ACL.
Recommended primarily for granting log delivery permissions.
Cross-Account Permissions
Bucket Policies and ACLs: Used to grant permissions to other AWS accounts.
Delegation: Permissions received from another account can be delegated to users within the account.

Best Practices

Use bucket policies for complex permissions and cross-account access.
Use IAM policies to manage permissions within your AWS account.
Use ACLs for simple permissions and log delivery settings.
Avoid granting write permissions to the All Users group to prevent security risks.
Enable logging and CloudTrail for auditing and monitoring access.
By leveraging these mechanisms, you can effectively manage and secure access to your Amazon S3 resources.