What are some use cases for using an object ACL in Amazon S3?
Last updated: 2021-12-21
I want to delegate access to my Amazon Simple Storage Service (Amazon S3) objects using an access control list (ACL). What are some use cases for using an object or bucket ACL?
Amazon S3 access control lists (ACLs) enable you to manage access to S3 buckets and objects. Every S3 bucket and object has an ACL attached to it as a subresource. The ACLs define which AWS accounts or groups are granted access along with the type of access. When you submit a request against a resource, Amazon S3 checks the corresponding ACL to confirm that you have the required access permissions.
Most use cases that grant access to objects or buckets no longer require ACLs. In some cases, however, an ACL is the more appropriate tool. Here are some use cases in which you might need an ACL to manage bucket or object access:
- An object ACL is the only way to grant access to objects that are not owned by the bucket owner. By default, when another AWS account uploads an object to your S3 bucket, that account (the object writer) owns the object. Additionally, the object writer has access to the object, and can grant other users access to it using ACLs.
- Object ACLs can be used when you need to manage permissions at the object level. For example, if you need to delegate access to an entire folder, you can use a bucket policy. However, if the access permissions vary from object to object, granting permissions to individual objects in a bucket policy might not be practical. In that case, an object ACL might be the more appropriate way to manage object access.
- If you want to own new objects written to your bucket by other AWS accounts (and your ACL isn't disabled), apply the bucket owner preferred setting. With this setting, new objects that are written with the bucket-owner-full-control ACL are automatically owned by the bucket owner (and not the object writer). All other ACL behaviors remain in place.
Note: To disable an ACL, use the bucket owner enforced setting for S3 Object Ownership. When ACLs are disabled, you can easily maintain a bucket with objects uploaded (cross-account) by different AWS accounts using bucket policies. If your bucket uses the bucket owner enforced setting for S3 Object Ownership, requests to set or update ACLs fail, returning the AccessControlListNotSupported error code. However, requests to read ACLs will still be supported.
- Bucket ACLs can be used to grant permissions to AWS services, such as Amazon CloudFront, to perform certain actions on your bucket. For example, when you create or update a CloudFront distribution and enable CloudFront logging, CloudFront updates the bucket ACL. This update gives the awslogsdelivery account FULL_CONTROL permissions so that it can write logs to your bucket. For more information, see Permissions required to configure standard logging and to access your log files.
Applying ACLs to objects
If you're uploading an object to a bucket in a different AWS account, use the bucket-owner-full-control canned ACL:
aws s3api put-object --bucket destination_bucket --key dir-1/myfile --body dir-1/myfile --acl bucket-owner-full-control
The bucket-owner-full-control canned ACL provides access to the bucket owner's account.
Note: Amazon S3 supports a set of predefined ACLs known as canned ACLs (such as the bucket-owner-full-control ACL used in this example).
The object uploader can also add an ACL to grant read permissions to other AWS accounts:
aws s3api put-object --bucket destination_mybucket --key dir/myfile --body dir/myfile --grant-read emailaddress=email@example.com,id=canonical-id-of-account
Note: You can only specify a grantee using email addresses in the following AWS Regions: N. Virginia, N. California, Oregon, Singapore, Sydney, Tokyo, Ireland, and São Paulo.
You can also update the ACL of an existing object:
aws s3api put-object-acl --bucket destination_bucket --key dir/myfile --acl bucket-owner-full-control
Amazon S3 has a set of predefined groups. You can use object ACLs to grant permissions to the users who are part of these predefined groups.
For example, you can grant object access to any authenticated AWS user by granting access to the Authenticated Users group:
aws s3api put-object --bucket destination_mybucket --key dir/myfile --body dir/myfile --grant-read uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers
Note: Before granting access to the Authenticated Users group, disable the Block Public Access settings for ACLs at both the account and bucket level. Otherwise, you'll get an Access Denied error. To troubleshoot ACL-related Access Denied errors, see A user with permission to add objects to my Amazon S3 bucket is getting Access Denied errors. Why?
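The two points above that matter most to a defender, that only an object ACL governs access to objects another account owns, and that a grant to a predefined group such as Authenticated Users opens the object to every AWS account, can both be checked offline from the JSON that aws s3api get-object-acl returns. The following Python script is an added example, not part of the AWS article: it walks a set of constructed get-object-acl responses (placeholder canonical IDs, no real accounts) and reports objects that the bucket owner does not own, objects for which the bucket owner was not granted FULL_CONTROL, and READ or other grants made to the global AllUsers or AuthenticatedUsers groups.

```python
"""Offline audit of S3 object ACLs (added example; not code from the AWS article).

Input is the JSON shape returned by `aws s3api get-object-acl` (Owner.ID plus a
Grants list of Grantee/Permission pairs). Checks implemented:
  1. foreign-owner: the object is owned by an account other than the bucket
     owner, so a bucket policy cannot govern access to it; only its ACL can.
  2. owner-missing-full-control: such an object was uploaded without the
     bucket-owner-full-control canned ACL, so the bucket owner cannot manage it.
  3. group-grant:<Group>: a grant to a predefined global group.
All sample data below is constructed; the canonical IDs are placeholders.
"""
import json

# Predefined global group URIs that S3 recognises in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GLOBAL_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# Placeholder canonical user IDs (real ones are 64 hex characters).
BUCKET_OWNER_ID = "bucket-owner-canonical-id-PLACEHOLDER"
WRITER_ID = "other-account-canonical-id-PLACEHOLDER"


def _grant(grantee, permission):
    return {"Grantee": grantee, "Permission": permission}


# Constructed get-object-acl responses keyed by object key.
SAMPLE_ACLS = {
    # Uploaded by the bucket owner: nothing to report.
    "dir-1/myfile": json.dumps({
        "Owner": {"ID": BUCKET_OWNER_ID},
        "Grants": [_grant({"Type": "CanonicalUser", "ID": BUCKET_OWNER_ID}, "FULL_CONTROL")],
    }),
    # Cross-account upload made with --acl bucket-owner-full-control.
    "dir/cross-account-with-bofc": json.dumps({
        "Owner": {"ID": WRITER_ID},
        "Grants": [
            _grant({"Type": "CanonicalUser", "ID": WRITER_ID}, "FULL_CONTROL"),
            _grant({"Type": "CanonicalUser", "ID": BUCKET_OWNER_ID}, "FULL_CONTROL"),
        ],
    }),
    # Cross-account upload made without the bucket-owner-full-control ACL.
    "dir/cross-account-no-bofc": json.dumps({
        "Owner": {"ID": WRITER_ID},
        "Grants": [_grant({"Type": "CanonicalUser", "ID": WRITER_ID}, "FULL_CONTROL")],
    }),
    # Object granted READ to the Authenticated Users group.
    "dir/shared-with-authenticated-users": json.dumps({
        "Owner": {"ID": BUCKET_OWNER_ID},
        "Grants": [
            _grant({"Type": "CanonicalUser", "ID": BUCKET_OWNER_ID}, "FULL_CONTROL"),
            _grant({"Type": "Group", "URI": AUTHENTICATED_USERS}, "READ"),
        ],
    }),
}


def audit_object_acl(key, acl_json, bucket_owner_id):
    """Return a list of (key, finding_code, detail) tuples for one object ACL."""
    acl = json.loads(acl_json)
    grants = acl.get("Grants", [])
    findings = []

    owner_id = acl["Owner"]["ID"]
    if owner_id != bucket_owner_id:
        findings.append((key, "foreign-owner",
                         f"owned by {owner_id}; only its object ACL can delegate access"))
        owner_has_full_control = any(
            g["Grantee"].get("Type") == "CanonicalUser"
            and g["Grantee"].get("ID") == bucket_owner_id
            and g["Permission"] == "FULL_CONTROL"
            for g in grants
        )
        if not owner_has_full_control:
            findings.append((key, "owner-missing-full-control",
                             "uploaded without the bucket-owner-full-control canned ACL"))

    for g in grants:
        grantee = g["Grantee"]
        if grantee.get("Type") == "Group" and grantee.get("URI") in GLOBAL_GROUPS:
            group = GLOBAL_GROUPS[grantee["URI"]]
            findings.append((key, f"group-grant:{group}",
                             f"{g['Permission']} granted to the {group} group"))
    return findings


def audit_bucket(acls_by_key, bucket_owner_id):
    """Map each object key to the list of finding codes raised for it."""
    return {
        key: [code for _, code, _ in audit_object_acl(key, acl_json, bucket_owner_id)]
        for key, acl_json in acls_by_key.items()
    }


if __name__ == "__main__":
    for key, acl_json in SAMPLE_ACLS.items():
        for _, code, detail in audit_object_acl(key, acl_json, BUCKET_OWNER_ID):
            print(f"{key}: [{code}] {detail}")
```

To run this against a real bucket, replace SAMPLE_ACLS with the output of aws s3api get-object-acl for each key and BUCKET_OWNER_ID with the bucket owner's canonical ID. Objects flagged foreign-owner are exactly the ones that a bucket owner enforced Object Ownership setting would otherwise fold under the bucket owner, and the group-grant findings are the ones that Block Public Access for ACLs prevents from being created in the first place.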