S3 access can be controlled in two main ways:
User-based policies (IAM)
- IAM policies define which S3 actions a specific IAM user, group, or role can perform.
- Policies are attached to identities and evaluated at request time.
Resource-based policies
- Bucket policies: JSON-based, applied at the bucket level, can allow cross-account access.
- ACLs: Legacy mechanism for object- or bucket-level grants. AWS recommends disabling them (Object Ownership set to "bucket owner enforced", the default for new buckets); once disabled, access is governed by bucket policies and IAM policies alone.
Evaluation logic
An IAM principal can access an S3 object if:
- no applicable policy (identity policy, bucket policy, SCP, permissions boundary, or session policy) contains an explicit Deny for the request; an explicit Deny always wins
- AND the request is allowed: for a principal in the bucket owner's account, either the identity policy or the bucket policy may grant the action; for a principal in another account, both the identity policy in the caller's account and the bucket policy must grant it
- Anonymous requests are allowed only when the bucket policy grants the action to everyone, and S3 Block Public Access, when enabled, makes such public grants ineffective
Bucket Policies – Structure and Use Cases
JSON structure includes Resource, Effect, Action, and Principal.
Common uses:
- Granting public access (Principal: "*" on s3:GetObject) for static website hosting; this only takes effect if S3 Block Public Access is turned off for the bucket and its account
- Enforcing encryption at upload, typically a Deny on s3:PutObject when the s3:x-amz-server-side-encryption condition key is absent or carries an unexpected value
- Granting cross-account access for data sharing
Access Scenarios
- Public Access: Enabled via a bucket policy allowing s3:GetObject to everyone (Principal "*"); no authentication needed. Block Public Access must be off for the grant to work, so check that setting before concluding a bucket is, or is not, reachable.
- IAM User Access: Granted via an IAM policy specifying allowed S3 actions and resources.
- EC2 Instance Access: IAM role attached to the instance defines S3 permissions; temporary credentials come from the instance metadata service, so no static keys are stored on the host.
- Cross-Account Access: Bucket policy lists an external AWS account, user, or role in the Principal; the caller additionally needs an identity policy in its own account that allows the same action.
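The evaluation logic, the three bucket-policy use cases, and the access scenarios above, worked through in code. This is an added example written for this page, not AWS's or any project's code: a deliberately small evaluator that models the rules described (an explicit Deny wins, same-account access needs an Allow in either policy, cross-account access needs an Allow in both, Block Public Access neutralises grants to "*") over constructed policies. The account IDs, bucket name, role ARNs and object key are made up, and only the StringNotEquals and Null condition operators used by the sample policies are implemented; it is a teaching model, not a replacement for the IAM policy simulator.

```python
"""Toy model of how S3 decides a request: identity policy + bucket policy + Block Public Access.
Added illustration, not AWS code. It encodes only the rules discussed on this page: an explicit
Deny in any policy wins; same-account access needs an Allow in either policy; cross-account
access needs an Allow in both; anonymous access needs a grant to "*", which Block Public Access
neutralises. Account IDs, bucket name and ARNs are made up (constructed sample input).
"""
import fnmatch

OWNER, OTHER = "111111111111", "222222222222"                   # constructed account IDs
BUCKET = "arn:aws:s3:::example-data"                              # constructed bucket ARN
OBJ = BUCKET + "/reports/q1.csv"
OWNER_ROLE, OTHER_ROLE = f"arn:aws:iam::{OWNER}:role/app", f"arn:aws:iam::{OTHER}:role/analytics"

# Bucket policy use case 1: public read for static hosting (effective only with BPA off).
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}

# Use case 2: refuse uploads that do not request SSE-S3 (the two-statement pattern AWS documents).
DENY_UNENCRYPTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}

# Use case 3: cross-account read, granted to one role in the other account.
CROSS_ACCOUNT_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": OTHER_ROLE}, "Action": ["s3:GetObject"],
     "Resource": BUCKET + "/*"}]}

# Identity policy attached to a role; no Principal element, because the role itself is the principal.
APP_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"}]}

PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})                          # the two spellings of "everyone"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(stmt, principal_arn):
    p = stmt.get("Principal")
    if p is None or p in PUBLIC_PRINCIPALS:                       # identity policy, or grant to everyone
        return True
    return isinstance(p, dict) and principal_arn in _as_list(p.get("AWS", []))

def _condition_matches(cond, ctx):
    for op, pairs in (cond or {}).items():
        if op not in ("StringNotEquals", "Null"):
            raise ValueError(f"unsupported condition operator {op}")
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringNotEquals" and have is not None and have in _as_list(want):
                return False                                      # negated operator: a missing key is "not equal"
            if op == "Null" and (have is None) != (want == "true"):
                return False                                      # Null:"true" matches only when the key is absent
    return True

def _effects(policy, action, resource, principal_arn, ctx):
    out = []                                                      # (Effect, is_public_grant) per matching statement
    for s in (policy or {}).get("Statement", []):
        if (_principal_matches(s, principal_arn)
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(s["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"]))
                and _condition_matches(s.get("Condition"), ctx)):
            out.append((s["Effect"], s.get("Principal") in PUBLIC_PRINCIPALS))
    return out

def evaluate(action, resource, bucket_owner, bucket_policy, *, block_public_access=True,
             principal_arn=None, principal_account=None, identity_policy=None, ctx=None):
    """Return (allowed, reason). principal_account=None models an anonymous request."""
    bucket_fx = _effects(bucket_policy, action, resource, principal_arn, ctx or {})
    ident_fx = _effects(identity_policy, action, resource, principal_arn, ctx or {})
    if any(e == "Deny" for e, _ in bucket_fx + ident_fx):
        return False, "explicit Deny"
    # Block Public Access makes grants to "*" ineffective; it never weakens a Deny.
    bucket_allows = any(e == "Allow" and not (pub and block_public_access) for e, pub in bucket_fx)
    ident_allows = any(e == "Allow" for e, _ in ident_fx)
    if principal_account is None:
        return bucket_allows, "anonymous: only a public bucket-policy grant counts"
    if principal_account == bucket_owner:
        return bucket_allows or ident_allows, "same account: either policy may grant"
    return bucket_allows and ident_allows, "cross-account: both policies must grant"

def scenarios():
    """Decisions for the page's access scenarios, keyed by name."""
    same = dict(principal_arn=OWNER_ROLE, principal_account=OWNER, identity_policy=APP_IDENTITY)
    cross = dict(principal_arn=OTHER_ROLE, principal_account=OTHER, identity_policy=APP_IDENTITY)
    sse = {"s3:x-amz-server-side-encryption": "AES256"}
    return {
        "public_get_bpa_on": evaluate("s3:GetObject", OBJ, OWNER, PUBLIC_READ)[0],
        "public_get_bpa_off": evaluate("s3:GetObject", OBJ, OWNER, PUBLIC_READ, block_public_access=False)[0],
        "ec2_role_get": evaluate("s3:GetObject", OBJ, OWNER, DENY_UNENCRYPTED, **same)[0],
        "put_without_sse": evaluate("s3:PutObject", OBJ, OWNER, DENY_UNENCRYPTED, **same)[0],
        "put_with_sse_s3": evaluate("s3:PutObject", OBJ, OWNER, DENY_UNENCRYPTED, ctx=sse, **same)[0],
        "cross_both_grant": evaluate("s3:GetObject", OBJ, OWNER, CROSS_ACCOUNT_READ, **cross)[0],
        "cross_no_bucket_grant": evaluate("s3:GetObject", OBJ, OWNER, DENY_UNENCRYPTED, **cross)[0],
        "cross_no_identity_grant": evaluate("s3:GetObject", OBJ, OWNER, CROSS_ACCOUNT_READ,
                                            **{**cross, "identity_policy": None})[0],
    }

if __name__ == "__main__":
    print({k: ("ALLOW" if v else "DENY") for k, v in scenarios().items()})
```

Running the script prints one decision per scenario: the public grant is only honoured with Block Public Access off, the EC2 role reads via its identity policy alone, an upload without the SSE header (or with a value other than AES256) is refused by the Deny even though the role's identity policy allows s3:PutObject, and the cross-account read succeeds only when both the caller's identity policy and the bucket policy grant it. Real IAM additionally evaluates SCPs, permissions boundaries and session policies, which this model leaves out.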