S3 ACLs enable you to manage access to buckets and objects. Each bucket and object has an ACL attached to it as a subresource. It defines which user or user groups are granted access, as well as the type of access granted. For instance, when a request is received against a resource, the S3 API checks the corresponding ACL to verify that the requester has the necessary access permissions. Each time you create a bucket or object, the S3 API creates a default ACL Policy that grants the resource owner full access control over the newly created resource as shown in the following example.
Example: Default ACL Policy for new bucket or object.
<?xml version="1.0" encoding="UTF-8"?> <AccessControlPolicy xmlns="https://s3.amazonaws.com/doc/2018-05-23/"> <Owner> <ID>***Owner-Canonical-User-ID***</ID> <DisplayName>Bucket Owner Display Name</DisplayName> </Owner> <AccessControlList> <Grant> <Grantee xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:type="Canonical User"> <ID>***Canonical-User ID or Group URI ***</ID> <DisplayName>Appliance Grantee's username</DisplayName> </Grantee> <Permission>FULL_CONTROL</Permission> </Grant> </AccessControlList> </AccessControlPolicy>
<Owner> reflects the appliance canonical user ID for the owner that created the bucket.
<Grant> reflects the name of the grantee, and the permission granted.
Note that the default ACL Policy includes only one <Grant> element for the bucket owner. To grant bucket permission to others, you need to add a <Grant> element for each additional user or predefined group. Each <Grant> element must always identify the name of the grantee, as well as the permissions granted.
<Grantee> reflects the name of an individual or predefined group receiving access permission.
The grantee can either be an authorized appliance user or an S3 predefined group. When granting access to individual appliance users, you need to specify the canonical user ID associated with the appliance user account. When granting permission to an S3 predefined group, you need to specify the predefined group URI. For a list of supported predefined groups, see Supported Amazon S3 Predefined User Groups.
<Permission> reflects the type of access permission that is being granted to the grantee. For a list of supported ACL permissions, see Supported S3 ACL Permissions.
Use one of the following request methods when using S3 APIs (such as PUT/GET/DELETE) to set access policy permissions:
When creating resources – Set the ACL permissions in the request's HTTP header.
When editing ACLs associated with existing resources – Set the ACL permissions either in the request's HTTP header or in the request's body.
The following table describes the supported Amazon S3 predefined user groups.