How to Set Amazon S3 ACL for Management and Access

Access Control Lists (ACLs) define which AWS accounts or groups are granted access and the type of access granted. Understanding ACLs is crucial for maintaining a secure and well-organized storage environment in S3.

Crystal

By Crystal / Updated on September 4, 2024

Share this: instagram reddit

What Is Amazon S3 ACL

Amazon S3 ACLs (Access Control Lists) are composed of grants, where each grant consists of a grantee and a permission. A grantee can be an AWS account, an AWS predefined group, or an email address. Permissions include read, write, and full control, allowing for granular access control.

Amazon S3 supports different types of ACLs, including:

  • Bucket ACLs: Control access to the entire bucket.
  • Object ACLs: Control access to individual objects within a bucket.

Permissions for objects and buckets are separate from one another. The permissions from a bucket are not passed down to an item. For instance, unless the user expressly gives you access, you are unable to access the items in that bucket if you build it and offer write access to a user.

amazon s3 acl

How to Set ACLs in Amazon S3 [3 Methods]

Setting ACLs in Amazon S3 involves specifying permissions for different grantees. This can be done via the AWS Management Console, AWS CLI, or AWS SDKs. Each method provides a way to define and apply ACLs efficiently.

Using the AWS Console to Set S3 Bucket ACL Permissions

1. Go to the AWS Management Console and sign in to your AWS account credentials.

2. In the Buckets list, click on the name of the bucket for which you want to set ACL permissions.

3. Choose Permissions located in the navigation pane.

4. Under Access control list, choose Edit.

You can edit the following ACL permissions for the bucket:

✍Objects

  • List– Allows a grantee to list the objects in the bucket.
  • Write– Allows grantee to create new objects in the bucket. For the bucket and object owners of existing objects, also allows deletions and overwrites of those objects.

In the S3 console, you can only grant write access to the S3 log delivery group and the bucket owner (your AWS account). We highly recommend that you do not grant write access for other grantees. However, if you need to grant write access, you can use the AWS CLI, AWS SDKs, or the REST API.

✍Bucket ACL

  • Read– Allows grantee to read the bucket ACL.
  • Write– Allows grantee to write the ACL for the applicable bucket.

5. To change the bucket owner's permissions, beside Bucket owner (your AWS account), clear or select from the following ACL permissions:

  • ObjectsList or Write
  • Bucket ACLRead or Write

Typically, the owner will have both List and Write permissions for the bucket and Read and Write permissions for the objects.

6. To grant or undo permissions for anyone with an AWS account, beside Authenticated Users group (anyone with an AWS account), clear or select from the following ACL permissions:

  • Objects–List
  • Bucket ACL–Read

7. To grant or undo permissions for Amazon S3 to write server access logs to the bucket, under S3 log delivery group, clear or select from the following ACL permissions:

  • Objects–List or Write
  • Bucket ACL–Read or Write

8. To add permissions for other AWS accounts, click on the Add grantee button.

In the dropdown, you can select predefined AWS groups (e.g., Everyone, Authenticated users), or specify an AWS account by entering the account ID or email address.

9. After configuring the desired S3 bucket ACL permissions, click the Save changes button at the bottom of the ACL section.

Using the AWS SDKs to Set S3 ACL Permits on Buckets and Objects

This example creates a bucket. In the request, the example specifies a canned ACL that grants the Log Delivery group permission to write logs to the bucket.

import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.*;

import java.io.IOException;
import java.util.ArrayList;

public class CreateBucketWithACL {

public static void main(String[] args) throws IOException {
Regions clientRegion = Regions.DEFAULT_REGION;
String bucketName = "*** Bucket name ***";
String userEmailForReadPermission = "*** [email protected] ***";

try {
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
.withRegion(clientRegion)
.build();

// Create a bucket with a canned ACL. This ACL will be replaced by the
// setBucketAcl()
// calls below. It is included here for demonstration purposes.
CreateBucketRequest createBucketRequest = new CreateBucketRequest(bucketName, clientRegion.getName())
.withCannedAcl(CannedAccessControlList.LogDeliveryWrite);
s3Client.createBucket(createBucketRequest);

// Create a collection of grants to add to the bucket.
ArrayList grantCollection = new ArrayList();

// Grant the account owner full control.
Grant grant1 = new Grant(new CanonicalGrantee(s3Client.getS3AccountOwner().getId()),
Permission.FullControl);
grantCollection.add(grant1);

// Grant the LogDelivery group permission to write to the bucket.
Grant grant2 = new Grant(GroupGrantee.LogDelivery, Permission.Write);
grantCollection.add(grant2);

// Save grants by replacing all current ACL grants with the two we just created.
AccessControlList bucketAcl = new AccessControlList();
bucketAcl.grantAllPermissions(grantCollection.toArray(new Grant[0]));
s3Client.setBucketAcl(bucketName, bucketAcl);

// Retrieve the bucket's ACL, add another grant, and then save the new ACL.
AccessControlList newBucketAcl = s3Client.getBucketAcl(bucketName);
Grant grant3 = new Grant(new EmailAddressGrantee(userEmailForReadPermission), Permission.Read);
newBucketAcl.grantAllPermissions(grant3);
s3Client.setBucketAcl(bucketName, newBucketAcl);
} catch (AmazonServiceException e) {
// The call was transmitted successfully, but Amazon S3 couldn't process
// it and returned an error response.
e.printStackTrace();
aa} catch (SdkClientException e) {
// Amazon S3 couldn't be contacted for a response, or the client
// couldn't parse the response from Amazon S3.
e.printStackTrace();
}
}
}

Using the REST API to Configure Amazon S3 ACL

When you create a bucket or an object, you may use the Amazon S3 APIs to specify an ACL. An ACL can also be established on an existing bucket or object using the API that Amazon S3 offers. The following ACL-setting ways are offered by these APIs:

  • Set Amazon S3 ACL using request headers
  • Set Amazon S3 ACL using request body

To grant access permissions, using one these two methods:

🔰 Canned ACL (x-amz-acl): Amazon S3 offers "canned ACLs," which are pre-made ACL sets. There is a preset set of grantees and permissions for each prepackaged ACL.
🔰 Access Permissions: Use the following headers to specifically provide access permissions to certain AWS accounts or groups. Every header corresponds to a particular set of permissions supported by Amazon S3 in an ACL. You include a list of grantees who have the particular permission in the header.
• x-amz-grant-read
• x-amz-grant-write
• x-amz-grant-read-acp
• x-amz-grant-write-acp
• x-amz-grant-full-control

How to Securely Back Up Your Data to Amazon S3

Amazon S3 is a highly scalable, reliable and low-latency data storage infrastructure. Many organizations use it as a vault for important data. How to securely back up your data to Amazon S3?

AOMEI Cyber Backup is a professional data backup and recovery solution designed to protect your data from loss or corruption. It offers comprehensive features that make data backup and recovery straightforward and efficient. Whether you're an individual user or a business, AOMEI Cyber Backup provides robust solutions to safeguard your critical data.

  • Support various backup types to meet different needs, such as Full, Incremental, and Differential backups.
  • Set up automated backup schedules to ensure your data is backed up regularly without manual intervention.
  • Integrates seamlessly with cloud storage services like Amazon S3, allowing you to store your backups securely.
  • Quickly recover your files or entire systems from your backups.
Download Freeware Centralized Backup Solution
Secure Download

1. Click Target Storage > Amazon S3 > Add Target to open the add target page. Enter your Amazon S3 credentials including username, keyword, and bucket name, then click Confirm. Ensure you have the necessary permissions set up in your AWS account.

add amazon s3

2. Click Backup Task > Create New Task to starting archiving your important data to Amazon S3. Select File Backup (for example) and choose files or folders for backup.

file backup

3. Check Archiving backup versions to Amazon S3 and click Select to choose the added Amazon S3.

4. Schedule backup task to run daily/weekly/monthly, and select backup retention policies to delete old backups automatically.

5. Click "Start Backup" to begin the backup process. It will first create a backup locally or on the NAS and then upload the backup to Amazon S3. According to the 3-2-1 backup rule, this ensures that the security of critical data and business continuity.

backup files to amazon s3

Conclusion

By following these steps, you can efficiently set ACL permissions for your S3 buckets using various methods. AOMEI Cyber Backup’s user-friendly interface, flexible backup options, and seamless cloud integration make it an excellent choice for individuals and businesses looking to implement a reliable backup strategy.

Crystal
Crystal · Editor
Crystal is an editor from AOMEI Technology. She mainly writes articles about virtual machine. She is a positive young lady likes to share articles with peolpe. Off work she loves travelling and cooking which is wonderful for life.