S3 policies

We can use two types of policies to control access to S3 buckets.

  • User-based (IAM) policies: These are the policies that we can attach to IAM roles and users.
  • Bucket policies: These are resource-based policies attached to a bucket that control access to it.

AWS evaluates these policies together: as long as either the bucket policy or the IAM policy allows access, the user or principal can access the bucket. An explicit deny in either policy overrides any allow and blocks access.

Apart from the resource- and user-based policies, we can also use bucket and object access control lists (ACLs) to provide access to S3.

Bucket ACLs are a legacy access control mechanism that AWS introduced before IAM. Currently, AWS recommends using only IAM and bucket policies to control access to entire buckets.

Object ACLs allow us to implement fine-grained access control on the object level.

S3 bucket policy examples

Let’s dive into some examples of S3 policies.

Giving S3 access to other accounts

The following S3 policy can be used to give root users in the accounts 123123123123 and 987987987987 access to an S3 bucket.
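As an added example (not part of the original lesson), the Python below builds a bucket policy of that kind for the two account IDs named above and pairs it with a simplified evaluator that illustrates the evaluation rule stated earlier: an explicit deny wins, otherwise any matching allow grants, otherwise the request is implicitly denied. The bucket name is a placeholder, and the evaluator deliberately ignores conditions, SCPs and permission boundaries.

```python
# Constructed: placeholder bucket name; the account IDs are the ones in the text.
BUCKET = "example-bucket"
TRUSTED_ACCOUNTS = ["123123123123", "987987987987"]


def cross_account_bucket_policy(bucket, account_ids):
    """Bucket policy granting the root principal of each listed account
    read access to the bucket listing and to the objects in it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowTrustedAccountRootsRead",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value):
    # Only a trailing '*' wildcard is modelled here (e.g. "s3:*", ".../*").
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def evaluate(policies, principal, action, resource):
    """Simplified model: explicit Deny in any policy wins, otherwise any
    matching Allow grants, otherwise implicit deny (no conditions/SCPs)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            prin = stmt.get("Principal", "*")  # identity policies carry no Principal
            principals = _as_list(prin["AWS"] if isinstance(prin, dict) else prin)
            if not any(_matches(p, principal) for p in principals):
                continue
            if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

For a principal in another account, the bucket policy alone is not sufficient in practice: the caller's own IAM policy in its account must also allow the action.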
