# S3

|                 | S3 Bucket Policies                                                                                                                                                                                                      | S3 ACLs                                                                                                                                                                                                 | IAM Policies                                                                                                                                                                                                                                                                                  |
| --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Scope           | <p>Applied to an S3 bucket to control access to the bucket and, optionally, to specific objects within it<br><br><em>i.e.: who can access or modify this bucket, and who can access or modify objects in this bucket?</em></p> | <p>Applied to buckets or to individual objects. A legacy access control method that is no longer recommended where it can be avoided<br><br><strong>Only legacy buckets should use ACLs.</strong></p> | <p>Applied to IAM users, groups, and roles across the AWS account.<br><br>Determines which users/roles are allowed to access S3 buckets and objects.<br><br><em>i.e.: the IAM role S3ReadOnly is allowed to read objects within the XYZ bucket (but only if the bucket policy also permits it)</em></p> |
| Syntax          | JSON-based policies                                                                                                                                                                                                     | XML-based policies written in a specific format                                                                                                                                                         | JSON-based policies                                                                                                                                                                                                                                                                           |
| Flexibility     | Provide granular control with powerful conditions and fine-grained permissions                                                                                                                                          | Provide basic access control but have fewer options for advanced permissions                                                                                                                            | Provide centralized access management for various AWS services, not just S3                                                                                                                                                                                                                   |
| Permissions     | Can define access controls for both bucket-level and object-level operations                                                                                                                                            | Can define access controls for individual objects and bucket-level operations, such as READ, WRITE, READ\_ACP, WRITE\_ACP, and FULL\_CONTROL                                                            | Can define access controls for various AWS services, including S3, at a fine-grained level                                                                                                                                                                                                    |
| Principal-Based | Identify the principal (role, user, group, or AWS account) and define their access permissions                                                                                                                          | Identify the user or group and define their access permissions                                                                                                                                          | Define permissions for IAM users, groups, and roles by attaching policies to them                                                                                                                                                                                                             |
| IAM Integration | Can reference IAM users, groups, and roles in policies to grant additional permissions or restrict access | Can grant permissions to an AWS account by canonical user ID (an email address may be supplied instead, but it is converted to a canonical user ID), or to a predefined group by its URI | Created and managed separately from S3 bucket policies; IAM policies are attached to IAM entities to control their S3 access |
| Examples        | Grant read access to all objects in a bucket to a specific IAM role                                                                                                                                                     | Grant write access to a specific object to an external AWS account user                                                                                                                                 | Grant full access to an S3 bucket to an IAM group, while restricting delete permissions for specific IAM users                                                                                                                                                                                |
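
Because S3 evaluates bucket policies and ACLs as separate mechanisms, a bucket locked down by one can still be exposed through the other. The following audit helper is an added example (not from the original page) that checks both: it flags bucket-policy `Allow` statements whose `Principal` is a wildcard with no `Condition`, and ACL grants made to the predefined `AllUsers` / `AuthenticatedUsers` groups by URI. The sample policy and ACL documents, the `xyz-bucket` name, the account ID `111122223333`, and the canonical user ID are constructed for illustration.

```python
"""Audit a bucket's policy and ACL for unconditional public access (added example)."""
import json

# AWS predefined group URIs usable as ACL grantees; a grant to either exposes the bucket publicly.
PUBLIC_ACL_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_wildcard(principal) -> bool:
    """True when a statement's Principal is everyone: "*" or {"AWS": "*"} (also within a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def find_public_policy_statements(policy: dict) -> list:
    """Return the Sid (or positional label) of every Allow statement with a wildcard
    Principal and no Condition block, i.e. statements that open the bucket to anyone."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition (e.g. a VPC endpoint); not unconditionally public
        findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


def find_public_acl_grants(acl: dict) -> list:
    """Return (group URI, permission) for every ACL grant to a predefined public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUP_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def audit_bucket(policy_json: str, acl: dict) -> dict:
    """Run both checks; S3 evaluates the policy and the ACL independently, so each is reported."""
    policy = json.loads(policy_json) if policy_json else {}
    return {
        "public_policy_statements": find_public_policy_statements(policy),
        "public_acl_grants": find_public_acl_grants(acl),
    }


# Constructed sample bucket policy: one scoped role grant, one unconditional public grant,
# and one wildcard grant that is limited by a condition key.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/S3ReadOnly"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::xyz-bucket/*"},
        {"Sid": "PublicReadAllObjects", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::xyz-bucket/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::xyz-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
})

# Constructed sample ACL in the shape returned by GetBucketAcl.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE_CANONICAL_USER_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_CANONICAL_USER_ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_POLICY, SAMPLE_ACL), indent=2))
```

Run against the sample data, the audit reports the `PublicReadAllObjects` statement and the `AllUsers` READ grant while ignoring the role-scoped and VPC-endpoint-conditioned statements. In practice the inputs would come from `GetBucketPolicy` and `GetBucketAcl`, and a finding in either column is enough to make the bucket public.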

<figure><img src="https://1856860631-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsNc001Xcz63mWjGXymkd%2Fuploads%2Fd7L7epizPfGJULhTLsfB%2Fimage.png?alt=media&#x26;token=6b0726a9-d81a-48b6-86e3-2cd98ab3f856" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1856860631-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsNc001Xcz63mWjGXymkd%2Fuploads%2FQB9mNmBA5OZgjMVlfqXe%2Fimage.png?alt=media&#x26;token=cec8ecb8-411d-413c-b264-7731ecb46d67" alt=""><figcaption></figcaption></figure>
