Reputation: 5316
S3 bucket policy vs access control list
On AWS website, it suggests using the following bucket policy to make the S3 bucket public:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::example-bucket/*"
]
}
]
}
What's the difference between that and just setting it through the Access Control List?
Upvotes: 57
Views: 62037
Answers (3)
Reputation: 864
AWS has outlined the specific use cases for the different access policy options here
They lay out...
When to Use an Object ACL
- when objects are not owned by bucket owner
- permissions vary by object
When to Use a Bucket ACL
- to grant write permission to the Amazon S3 Log Delivery group to write access log objects to your bucket
When to Use a Bucket Policy
- to manage cross-account permissions for all Amazon S3 permissions (ACLs can only do read, write, read ACL, write ACL, and "full control" - all of the previous permissions)
When to Use a User Policy
- if you want to manage permissions individually by attaching policies to users (or user groups) rather than at the bucket level using a Bucket Policy
Upvotes: 17
Reputation: 1587
Bottom line: 1) Access Control Lists (ACLs) are legacy (but not deprecated), 2) bucket/IAM policies are recommended by AWS, and 3) ACLs give control over buckets AND objects, policies are only at the bucket level.
Decide which to use by considering the following: (As noted below by John Hanley, more than one type could apply and the most restrictive/least privilege permission will apply.)
Use S3 bucket policies if you want to:
- Control access in S3 environment
- Know who can access a bucket
- Stay under 20kb policy size max
Use IAM policies if you want to:
- Control access in IAM environment, for potentially more than just buckets
- Manage very large numbers of buckets
- Know what a user can do in AWS
- Stay under 2-10kb policy size max, depending if user/group/role
Use ACLs if you want to:
- Control access to buckets and objects
- Exceed 20kb policy size max
- Continue using ACLs and you're happy with them
Upvotes: 79
Reputation: 81386
If you want to implement fine grained control over individual objects in your bucket use ACLs. If you want to implement global control, such as making an entire bucket public, use policies.
ACLs were the first authorization mechanism in S3. Bucket policies are the newer method, and the method used for almost all AWS services. Policies can implement very complex rules and permissions, ACLs are simplistic (they have ALLOW but no DENY). To manage S3 you need a solid understanding of both.
The real complication happens when you implement both ACLs and policies. The end permission set will be the least privilege union of both.
Upvotes: 32
Related Questions
- aws s3 bucket policy
- AWS: What is the relationship between S3 bucket policies and user policies?
- AWS S3 - ACL vs. CORS configuration vs. bucket/object permissions
- AWS S3 bucket access control
- Why can S3 permissions be managed by both IAM Policies and Bucket Policies, instead of just one or the other?
- S3 Bucket Policy - use "Any Authenticated User" or bucket policy?
- AWS S3 bucket policy
- AWS S3: user policy for specifc bucket
- AWS S3 Policy for authenticated users
- AWS S3 AccessDenied. Bucket permissions are granted, so do I need Bucket Policy when I am the user?