S3 Access Control: Bucket Policies and ACLs
Write bucket policies, compare them with ACLs, and configure public access block settings for secure hosting.
S3 Access Control Overview
S3 offers multiple overlapping access control mechanisms: IAM policies (identity-based, control what principals can do), bucket policies (resource-based JSON policies on the bucket), Access Control Lists (ACLs) (legacy per-object/bucket grants), and S3 Block Public Access (account or bucket-level override that blocks any public access regardless of other policies). For most use cases today, bucket policies plus Block Public Access is the recommended approach—ACLs are considered legacy.
Bucket Policies: Resource-Based JSON
A bucket policy is a JSON document attached directly to the S3 bucket. It specifies which principals (IAM users, roles, AWS accounts, services, or the public) can perform which actions on which resources (the bucket and/or specific key prefixes). Bucket policies support cross-account access without the caller having to assume a role in the bucket's account: you can grant a different AWS account's IAM role read access to specific objects directly in the bucket policy. Each bucket can have one policy, and the maximum size is 20 KB.
# Allow a specific IAM role from another account to read objects under one prefix
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::999999999999:role/PartnerReadRole"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/partner-data/*"
  }]
}
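As an added example (not part of this lesson), the following Python builds the same cross-account grant as a policy document and audits a bucket policy for the unconditioned wildcard-principal grants that S3 Block Public Access refuses, plus the 20 KB size limit. The sample "public website" policy, its Sids and the 203.0.113.0/24 range are constructed for the example.

```python
import json

def cross_account_read_policy(bucket, account_id, role, prefix):
    """Build the lesson's grant: one role in another account may GetObject
    under one key prefix of this bucket, and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PartnerRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
        }],
    }

def _principal_is_everyone(principal):
    """True for the wildcard principal forms "*" and {"AWS": "*"} (also in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def audit_policy(policy):
    """Classify Allow statements: 'public' when the principal is everyone and there
    is no Condition (Block Public Access rejects such a policy at PutBucketPolicy);
    'review' when a wildcard principal is narrowed by a Condition, since AWS treats
    only certain condition keys as non-public and a human should check which.
    Also reports whether the document fits the 20 KB bucket-policy limit."""
    report = {"public": [], "review": [], "within_size_limit": True}
    for i, st in enumerate(policy.get("Statement", [])):
        label = st.get("Sid", f"statement[{i}]")
        if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal")):
            report["review" if st.get("Condition") else "public"].append(label)
    report["within_size_limit"] = len(json.dumps(policy).encode()) <= 20 * 1024
    return report

# Constructed sample: a world-readable site prefix plus an IP-restricted wildcard grant.
PUBLIC_SITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/site/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/internal/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}
```

With Block Public Access enabled on the bucket, the `PublicRead` statement is the one that makes the whole `PutBucketPolicy` call fail; the partner policy passes because its principal is a single role ARN.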