Labs ICT
Pro Login

S3 Policies

Understanding S3 Access Control

S3 gives you two layers of access control: bucket policies and ACLs (Access Control Lists). Both control who can access your bucket and what they can do with it.

Think of bucket policies as the front gate rules — who gets in and what they can do once inside. ACLs are more granular, controlling permissions for individual objects. For most use cases, bucket policies are the way to go.

Writing a Bucket Policy

A bucket policy is a JSON document that specifies who can do what with your bucket. Here's a simple example that makes a bucket publicly readable:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}

The "Principal": "*" means everyone. Be careful with this — it's like leaving your front door wide open. Only use it for public content like static websites.

Common Policy Patterns

Read-only access allows listing and downloading objects. Write-only access allows uploading but not reading. Full access allows everything including deleting the bucket.

You can also restrict access by IP address, require MFA for deletes, or limit access to specific time windows. It's like having a doorman with a very detailed guest list and rules.

ACLs: The Older Approach

ACLs are a simpler, older way to control access. They can be applied at the bucket level or individual object level. For example, you could make one specific file public while keeping the rest of the bucket private.

However, ACLs are limited in what they can do compared to bucket policies. AWS recommends using bucket policies for most scenarios and only reaching for ACLs when you need per-object permissions.

Block Public Access Settings

AWS has a safety feature called "Block Public Access" that prevents accidental public exposure. By default, all new buckets have public access blocked. This is a good thing — it's like having a child-proof cap on dangerous substances.

If you need to make a bucket public (for a static website, for example), you explicitly disable block public access and add a bucket policy. The extra steps ensure you don't accidentally expose sensitive data to the world.