You are currently viewing ACL In S3


  • Post author:
  • Post category:AWS / S3

ACL in S3

Hello Everyone

Welcome to CloudAffaire and this is Debjeet

In the last blog post, we have discussed Bucket Policy in S3.

In this blog post, we are going to discuss ACL or Access Control List in S3

ACL in S3:

You can use ACL or Access Control List for resource-based access policy to manage access to your bucket and objects in it. ACL can only be used for granting access to AWS account or groups but cannot be used with users. ACL does not support conditional grant or explicit deny like bucket policy. When you create a bucket or an object, Amazon S3 creates a default ACL that grants the resource owner full control over the resource. ACL uses canonical ID or email id to grant access to an AWS account. An ACL can have up to 100 grants.

Apart from the AWS account, you can use ACL to grant access to S3 predefined groups. When granting account access to a group, you specify one of the URIs instead of a canonical user ID. Grating access to the group can be done through API only. There are three types of S3 groups available

Authenticated Users group:

This group represents all AWS accounts. Access permission to this group allows any AWS account to access the resource. However, all requests must be signed (authenticated).

All Users group:

Access permission to this group allows anyone in the world access to the resource. If you grant access to this group, your resource becomes public.

Log Delivery group:

This group is used for server access logging. WRITE permission on a bucket enables this group to write server access logs to the bucket.

There are four types of access that you can grant using ACL


You can grant read access to bucket and objects.


You can grant write access to a bucket to create, delete objects in your bucket.


You can grant READ_ACP access to read ACL for bucket and objects.


You can grant WRITE_ACP access to write ACL for bucket and objects.

Warning: Be careful while providing access to the public. For instance, if you provide WRITE access to the public, anyone in the world can create, delete objects in your bucket.

Next, we are going to grant access to a bucket to another AWS account (not the bucket owner).

Prerequisite for this demo:

  • An S3 bucket.
  • Two AWS accounts.

We have two AWS account for this demo

Account A:


Account B:


Step 1: Login to AWS console using the bucket owner (Account A) credential and click ‘S3’ located under Storage.


Step 2: Click on the bucket.


Step 3: Click on ‘Access Control List’ located under ‘Permissions’. Click ‘Add account’.


Note: Account A is the bucket owner and in this demo, we will provide Account B full access to this bucket.

Step 4: Provide the canonical ID of account B and click ‘Save’.


Account B has been granted full access to this bucket.


Note: You can access bucket and objects using IAM user credential under Account B through AWS CLI or Powershell. We will cover AWS CLI and PowerShell for AWS in a separate blog series and limiting our discussion here.

For more details on ACL, please follow AWS S3 documentation

To stop acquiring any cost, delete the buckets once the demo is completed.


Hope you have enjoyed this article, we are almost done with our introductory series on S3. If I have missed anything do let me know. Will try to cover in future blog posts.

In the next blog post, we will start with a new AWS service.