S3
| | Bucket Policies | ACLs (Access Control Lists) | IAM Policies |
|---|---|---|---|
| Scope | Applied to an S3 bucket to control bucket access, and also to control specific object permissions, i.e. who can access or modify this bucket, and who can access or modify objects in this bucket. | Applied to buckets or to an individual object. Older access control method that is no longer recommended if it can be avoided; only legacy buckets should use ACLs. | Applied to IAM users, groups, and roles across the AWS account. Determines which users/roles are allowed to access S3 buckets and objects, e.g. IAM role S3ReadOnly is allowed to read objects within the XYZ bucket (but only if the bucket policy also permits it). |
| Syntax | JSON-based policies | XML-based policies written in a specific format | JSON-based policies |
| Flexibility | Provide granular control with powerful conditions and fine-grained permissions | Provide basic access control but have fewer options for advanced permissions | Provide centralized access management for various AWS services, not just S3 |
| Permissions | Can define access controls for both bucket-level and object-level operations | Can define access controls for individual objects and bucket-level operations, such as READ, WRITE, READ_ACP, WRITE_ACP, and FULL_CONTROL | Can define access controls for various AWS services, including S3, at a fine-grained level |
| Principal-Based | Identify the principal (role, user, group, or AWS account) and define their access permissions | Identify the user or group and define their access permissions | Define permissions for IAM users, groups, and roles by attaching policies to them |
| IAM Integration | Can reference IAM users, groups, and roles in policies to grant additional permissions or restrict access | Can use canonical user IDs to grant permissions to an AWS account (or even email addresses, but they get converted to canonical user IDs), or can use a URI to grant permissions to a predefined group | Create and manage IAM policies separately from S3 bucket policies. IAM policies can be attached to IAM entities for S3 access control |
| Examples | Grant read access to all objects in a bucket to a specific IAM role | Grant write access to a specific object to an external AWS account user | Grant full access to an S3 bucket to an IAM group, while restricting delete permissions for specific IAM users |
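The two JSON-based examples from the last row, written out as policy documents and run through a small model of how AWS combines an identity-based (IAM) policy with a resource-based (bucket) policy. This is an added example, not code from the original page or from AWS: the account ID, bucket name, role and group names are placeholders, and the evaluator is a deliberately reduced model (no conditions, no NotAction/NotResource, no SCPs or permission boundaries). The ACL example has no JSON form and is left out.

```python
"""Model of S3 access evaluation across an IAM policy and a bucket policy.

Constructed example (not AWS code). Rules modelled:
  1. an explicit Deny in any applicable policy wins;
  2. same-account requests succeed if EITHER policy allows the action;
  3. cross-account requests need BOTH policies to allow it;
  4. with no matching Allow the result is an implicit deny.
All ARNs below use placeholder account, bucket and principal names.
"""
import fnmatch

# Bucket policy: read access to every object for one IAM role (placeholder ARN).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/S3ReadOnly"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::xyz-bucket/*",
    }],
}

# Identity policy attached to an IAM group: full access to the bucket,
# with object deletion explicitly denied (the "restrict delete" case).
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GroupFullAccess", "Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::xyz-bucket", "arn:aws:s3:::xyz-bucket/*"]},
        {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::xyz-bucket/*"},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, principal, action, resource, check_principal):
    """True if the statement's Principal (bucket policies only), Action and
    Resource all match the request. IAM wildcards map onto fnmatch patterns."""
    if check_principal:
        allowed = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if "*" not in allowed and principal not in allowed:
            return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))


def evaluate(principal, action, resource, identity_policy, bucket_policy,
             same_account=True):
    """Return 'Allow', 'Deny (explicit)' or 'Deny (implicit)' for the request.

    identity_policy is the policy attached to `principal` (None if it has none);
    bucket_policy is the resource policy on the bucket (None if absent).
    """
    allowed_by = set()
    sources = (("identity", identity_policy, False), ("bucket", bucket_policy, True))
    for name, policy, check_principal in sources:
        for stmt in (policy or {}).get("Statement", []):
            if _statement_applies(stmt, principal, action, resource, check_principal):
                if stmt["Effect"] == "Deny":
                    return "Deny (explicit)"   # rule 1: deny always wins
                allowed_by.add(name)
    if same_account:
        return "Allow" if allowed_by else "Deny (implicit)"   # rule 2 / 4
    return "Allow" if allowed_by == {"identity", "bucket"} else "Deny (implicit)"


if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/S3ReadOnly"
    member = "arn:aws:iam::111122223333:user/alice"   # member of the IAM group
    obj = "arn:aws:s3:::xyz-bucket/report.csv"
    print(evaluate(role, "s3:GetObject", obj, None, BUCKET_POLICY))
    print(evaluate(member, "s3:DeleteObject", obj, IAM_POLICY, BUCKET_POLICY))
    print(evaluate(member, "s3:PutObject", obj, IAM_POLICY, BUCKET_POLICY))
    print(evaluate(member, "s3:PutObject", obj, IAM_POLICY, BUCKET_POLICY,
                   same_account=False))
```

The last call shows why the ACL/bucket-policy column matters for external principals: the same identity policy that is sufficient inside the account is not enough on its own once the requester belongs to a different account, because the bucket policy never names that principal.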