Identity and Access Management in Amazon S3
By default, all Amazon S3 resources (buckets, objects, and related subresources such as lifecycle configuration and website configuration) are private: only the resource owner, the AWS account that created the resource, can access it. The resource owner can optionally grant access permissions to others by writing an access policy.
Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. Access policies you attach to your resources (buckets and objects) are referred to as resource-based policies. For example, bucket policies and access control lists (ACLs) are resource-based policies. You can also attach access policies to users in your account. These are called user policies. You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources. The introductory topics provide general guidelines for managing permissions.
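As an added illustration that is not part of this AWS page, the two policy kinds side by side: a bucket policy, which is resource-based and therefore names a `Principal`, and a user policy attached to an IAM identity, which has none. The bucket name `example-bucket`, the account ID `111122223333` and the role name `ReportsReader` are placeholders; the outer object only groups the two documents for display and is not itself a policy.

```json
{
  "BucketPolicy_resource_based": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowReportsRoleReadOnly",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::111122223333:role/ReportsReader" },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/reports/*"
      },
      {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::example-bucket",
          "arn:aws:s3:::example-bucket/*"
        ],
        "Condition": { "Bool": { "aws:SecureTransport": "false" } }
      }
    ]
  },
  "UserPolicy_attached_to_identity": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ListReportsPrefixOnly",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example-bucket",
        "Condition": { "StringLike": { "s3:prefix": "reports/*" } }
      },
      {
        "Sid": "ReadReportObjects",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/reports/*"
      }
    ]
  }
}
```

Both documents scope access to one prefix rather than the whole bucket, and the explicit `Deny` in the bucket policy applies to every principal regardless of what any user policy allows.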
Introduction to Managing Access to Amazon S3 Resources
We recommend you first review the introductory topics that explain the options for managing access to your Amazon S3 resources:
- Overview of Managing Access
- How Amazon S3 Authorizes a Request
- Guidelines for Using the Available Access Policy Options
- Example Walkthroughs: Managing Access to Your Amazon S3 Resources
Several security best practices also address access control, including:
- Ensure Amazon S3 buckets are not publicly accessible
- Implement least privilege access
- Use IAM roles
- Enable MFA (Multi-Factor Authentication) Delete
- Identify and audit all your Amazon S3 buckets
- Monitor AWS security advisories
Amazon S3 Resource Access Options
After you've reviewed introductory topics about managing access to Amazon S3 resources, you can then use the following topics to get more information about specific access policy options: