Last Updated: February 25, 2016 · mohangk

The very least you should know about controlling access to S3 resources

There are at least 3 different ways that permissions for a bucket can be set up:

  1. by setting up permissions for the bucket in the user's IAM settings
  2. by setting up a bucket policy
  3. by setting up ACLs for individual files and folders

When multiple permissions are set, the final permission is the union of all the individual permissions, and where they overlap the more restrictive policy applies.
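An added example, not part of the original post: a simplified Python model of how the three sources combine for a requester in the bucket's own account, where an explicit Deny overrides any Allow and ACLs can only grant. The bucket name, object keys and policy statements are constructed; the model ignores Condition, Principal and NotAction and assumes every ACL grant names the requester.

```python
from fnmatch import fnmatchcase

# Simplified model: same-account requester, no Condition/Principal/NotAction handling.
# Object ACL permissions and the S3 action each one grants (ACLs can only allow).
ACL_ACTIONS = {"READ": "s3:GetObject", "READ_ACP": "s3:GetObjectAcl",
               "WRITE_ACP": "s3:PutObjectAcl"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, action, resource):
    """True if a policy statement matches the action and resource ('*' wildcards)."""
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def effective_access(action, resource, iam, bucket_policy, acl_grants):
    """Return (decision, sources): explicit Deny wins, else any Allow, else default Deny."""
    hits = [(src, s["Effect"])
            for src, stmts in (("iam", iam), ("bucket-policy", bucket_policy))
            for s in stmts if _covers(s, action, resource)]
    # An object ACL applies to exactly one key and never carries a Deny.
    hits += [("acl", "Allow") for g in acl_grants
             if g["Resource"] == resource and ACL_ACTIONS.get(g["Permission"]) == action]
    for effect in ("Deny", "Allow"):
        sources = sorted({src for src, eff in hits if eff == effect})
        if sources:
            return effect, sources
    return "Deny", ["default"]

# Constructed sample configuration for a hypothetical bucket "example-bucket".
ARN = "arn:aws:s3:::example-bucket/"
IAM = [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": ARN + "reports/*"}]
BUCKET_POLICY = [{"Effect": "Deny", "Action": "s3:*", "Resource": ARN + "reports/private/*"}]
ACL_GRANTS = [{"Permission": "READ", "Resource": ARN + "legacy/old.csv"}]  # stray object ACL

if __name__ == "__main__":
    for key in ("reports/q1.csv", "reports/private/pay.csv", "legacy/old.csv", "tmp/x"):
        print(key, effective_access("s3:GetObject", ARN + key, IAM, BUCKET_POLICY, ACL_GRANTS))
```

The `legacy/old.csv` case is readable only because of a leftover object ACL, which is the kind of grant that is easy to miss when permissions live in three places.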

We are moving towards having permissions set only via IAM; this way settings are centralized, which hopefully reduces potential errors.

To strip ACLs off all items in a bucket, use s3cmd:

    s3cmd setacl s3://bucket/ --acl-private --recursive

For more information about S3 permissions, refer to this blog post: http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc