There are 3 ways we can control access to our S3 resources:

IAM Policy: IAM policies specify what actions are allowed or denied on what AWS resources (e.g. allow ec2:TerminateInstance on the EC2 instance with instance_id=i-8b3620ec). You attach IAM policies to IAM users, groups, or roles, which are then subject to the permissions you’ve defined. In other words, IAM policies define what a principal can do in your AWS environment.

Bucket Policy: S3 bucket policies, on the other hand, are attached only to S3 buckets. S3 bucket policies specify what actions are allowed or denied for which principals on the bucket that the bucket policy is attached to (e.g. allow user Alice to PUT but not DELETE objects in the bucket).

Access Control Lists (ACL): An S3 ACL is a sub-resource that’s attached to every S3 bucket and object. It defines which AWS accounts or groups are granted access and the type of access. When you create a bucket or an object, Amazon S3 creates a default ACL that grants the resource owner full control over the resource.

How do they get evaluated?

Whenever an AWS principal issues a request to S3, the authorization decision depends on the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply.

In accordance with the principle of least-privilege, decisions default to DENY and an explicit DENY always trumps an ALLOW. For example, if an IAM policy grants access to an object, the S3 bucket policies denies access to that object, and there is no S3 ACL, then access will be denied. Similarly, if no method specifies an ALLOW, then the request will be denied by default. Only if no method specifies a DENY and one or more methods specify an ALLOW will the request be allowed.

This diagram illustrates the authorization process.








I hope that this post clarifies some of the confusion around the various ways you can control access to your S3 environment.

One thought to “How does authorization work with multiple access control mechanisms in S3?”

  • Ganapathy

    Hi Samart,
    I have a small clarification required here, Is there way we can restrict a S3 bucket access to one particular IAM group. I mean only the users within that group should have access to view, get and put objects.
    I see from your description for ACL, it says we can define which groups are granted access and the type of access.
    Just curious to know if we can restrict via a group. I have a use where I need to implement this feature.



Leave a comment

Your email address will not be published. Required fields are marked *