S3 bucket policy vs access control list

40
votes

On AWS website, it suggests using the following bucket policy to make the S3 bucket public:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::example-bucket/*"
            ]
        }
    ]
}

What's the difference between that and just setting it through the Access Control List?

enter image description here

3
amazon-web-servicesamazon-s3

3 Answers

54
votes

Bottom line: 1) Access Control Lists (ACLs) are legacy (but not deprecated), 2) bucket/IAM policies are recommended by AWS, and 3) ACLs give control over buckets AND objects, policies are only at the bucket level.

Decide which to use by considering the following: (As noted below by John Hanley, more than one type could apply and the most restrictive/least privilege permission will apply.)

Use S3 bucket policies if you want to:

  • Control access in S3 environment
  • Know who can access a bucket
  • Stay under 20kb policy size max

Use IAM policies if you want to:

  • Control access in IAM environment, for potentially more than just buckets
  • Manage very large numbers of buckets
  • Know what a user can do in AWS
  • Stay under 2-10kb policy size max, depending if user/group/role

Use ACLs if you want to:

  • Control access to buckets and objects
  • Exceed 20kb policy size max
  • Continue using ACLs and you're happy with them

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

22
votes

If you want to implement fine grained control over individual objects in your bucket use ACLs. If you want to implement global control, such as making an entire bucket public, use policies.

ACLs were the first authorization mechanism in S3. Bucket policies are the newer method, and the method used for almost all AWS services. Policies can implement very complex rules and permissions, ACLs are simplistic (they have ALLOW but no DENY). To manage S3 you need a solid understanding of both.

The real complication happens when you implement both ACLs and policies. The end permission set will be the least privilege union of both.

10
votes

AWS has outlined the specific use cases for the different access policy options here

They lay out...

When to Use an Object ACL

  • when objects are not owned by bucket owner
  • permissions vary by object

When to Use a Bucket ACL

  • to grant write permission to the Amazon S3 Log Delivery group to write access log objects to your bucket

When to Use a Bucket Policy

  • to manage cross-account permissions for all Amazon S3 permissions (ACLs can only do read, write, read ACL, write ACL, and "full control" - all of the previous permissions)

When to Use a User Policy

  • if you want to manage permissions individually by attaching policies to users (or user groups) rather than at the bucket level using a Bucket Policy