S3 ACLs and S3 Bucket Policies

ACLs were the first authorization mechanism in S3. Bucket policies are the newer method, and the one used by almost all other AWS services.

Policies can implement very complex rules and permissions; ACLs are simplistic (they have ALLOW but no DENY).

ACL Granularity – Bucket level vs. Object Level ACLs

Bucket ACL – use when the entire bucket needs to be accessed – e.g. by a log writer (the Log Delivery group in AWS).

Object ACLs can be used when permissions vary by object.

User Policies versus Bucket Policies

Use bucket policies when an entire group of resources – e.g. an entire account or a set of accounts (cross-account access) – is to be granted permissions on the bucket.

User policies are better if you want to manage individual or group permissions by attaching policies to users (or user groups). This is different from attaching a policy at the bucket level, since the policy is attached to the IAM user resource rather than to the bucket.
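To make the differences between the three mechanisms concrete (ACLs allow only and are per account, bucket policies are resource-based and can carry an explicit Deny, user policies are identity-based), here is an added example, not code from the original post or from AWS, that simulates how S3 combines them when deciding a request. The account ids, bucket name, user names and policy documents are constructed for the illustration; only the Bool condition operator (enough for aws:SecureTransport) is modelled, and ACL grantees are simplified to account ids.

```python
"""Added example: simplified simulation of how S3 combines an ACL grant, a bucket
policy and an IAM user policy into one decision.  Constructed data, not AWS code."""
from fnmatch import fnmatchcase

BUCKET_OWNER = "111111111111"        # hypothetical account A, owns the bucket
PARTNER_ACCOUNT = "222222222222"     # hypothetical account B, cross-account reader
BUCKET_ARN = "arn:aws:s3:::example-logs-bucket"   # constructed bucket name

# Bucket ACL: grants are per account and can only ALLOW (no Deny exists).
# Lets the owning account write objects, the classic log-writer use case.
BUCKET_ACL = [{"grantee_account": BUCKET_OWNER, "permission": "WRITE"}]

# Bucket policy (resource-based): statement 1 grants account B read access
# (cross-account); statement 2 is an explicit Deny for any non-TLS request.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
         "Action": "s3:GetObject",
         "Resource": f"{BUCKET_ARN}/*"},
        {"Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# IAM user policy (identity-based): attached to a user, so it has no Principal.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": f"{BUCKET_ARN}/*"}],
}

ACL_PERMISSION_FOR_ACTION = {"s3:GetObject": "READ", "s3:PutObject": "WRITE"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, principal):
    """'*' matches everyone; an account root ARN stands for every identity in that account."""
    if spec == "*":
        return True
    root = f"arn:aws:iam::{principal['account']}:root"
    return any(a in ("*", principal["arn"], root) for a in _as_list(spec.get("AWS", [])))


def _conditions_hold(condition, ctx):
    return all(ctx.get(key, "false") == expected
               for key, expected in condition.get("Bool", {}).items())


def _matching_statements(policy, principal, action, resource, ctx, resource_policy):
    matched = []
    for stmt in policy.get("Statement", []):
        if resource_policy and not _principal_matches(stmt["Principal"], principal):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _conditions_hold(stmt.get("Condition", {}), ctx):
            matched.append(stmt)
    return matched


def _acl_allows(principal, action):
    needed = ACL_PERMISSION_FOR_ACTION.get(action)
    return any(g["grantee_account"] == principal["account"]
               and g["permission"] in (needed, "FULL_CONTROL") for g in BUCKET_ACL)


def evaluate(principal, action, resource, secure_transport=True, user_policy=None):
    """Return 'deny (explicit)', 'allow (policy)', 'allow (acl)' or 'deny (implicit)'."""
    ctx = {"aws:SecureTransport": "true" if secure_transport else "false"}
    bucket_stmts = _matching_statements(BUCKET_POLICY, principal, action, resource, ctx, True)
    user_stmts = _matching_statements(user_policy or {}, principal, action, resource, ctx, False)

    # 1. An explicit Deny in any policy wins, even over an ACL grant.
    if any(s["Effect"] == "Deny" for s in bucket_stmts + user_stmts):
        return "deny (explicit)"
    policy_allow = any(s["Effect"] == "Allow" for s in bucket_stmts)
    identity_allow = any(s["Effect"] == "Allow" for s in user_stmts)
    acl_allow = _acl_allows(principal, action)

    # 2. Same account: either the bucket side (policy or ACL) or the user policy suffices.
    if principal["account"] == BUCKET_OWNER:
        if policy_allow or identity_allow:
            return "allow (policy)"
        return "allow (acl)" if acl_allow else "deny (implicit)"
    # 3. Cross-account: the bucket side AND the caller's own identity policy must both allow.
    if identity_allow and policy_allow:
        return "allow (policy)"
    return "allow (acl)" if identity_allow and acl_allow else "deny (implicit)"


ALICE = {"arn": f"arn:aws:iam::{BUCKET_OWNER}:user/alice", "account": BUCKET_OWNER}
BOB = {"arn": f"arn:aws:iam::{PARTNER_ACCOUNT}:user/bob", "account": PARTNER_ACCOUNT}
OBJECT = f"{BUCKET_ARN}/2024/app.log"

if __name__ == "__main__":
    print(evaluate(ALICE, "s3:PutObject", OBJECT))                          # allow (acl)
    print(evaluate(ALICE, "s3:PutObject", OBJECT, secure_transport=False))  # deny (explicit)
    print(evaluate(ALICE, "s3:GetObject", OBJECT, user_policy=USER_POLICY)) # allow (policy)
    print(evaluate(BOB, "s3:GetObject", OBJECT, user_policy=USER_POLICY))   # allow (policy)
    print(evaluate(BOB, "s3:GetObject", OBJECT))                            # deny (implicit)
```

The runs at the bottom show the three points of the post: the ACL alone lets account A write, but the bucket policy's explicit Deny still blocks that same write over plain HTTP because an ACL has nothing to set against a Deny; the individual user alice only gains read access through a policy attached to her IAM user; and bob in the partner account needs both the bucket policy grant and an allow in his own account's user policy, which is why cross-account access is a bucket-policy job.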

Summary – S3 ACLs and S3 Bucket Policies

The use cases for when to use each mechanism are highlighted in this post. For an advanced AWS IAM or overall security consultation, please contact AWS Security Architect.