ACLs
ACLs (Access Control Lists) define who can access objects and what operations they can perform. They protect stored data by controlling read, write, and delete permissions at the object and bucket level. The following ACL flags are available for AWS CLI (aws s3api put-object-acl or put-bucket-acl) and S3cmd (s3cmd setacl):
| AWS CLI | S3cmd | Description |
|---|---|---|
| —public-read | —acl-public | Making an object publicly accessible |
| —private | —acl-private | Making an object private |
| —grant-full-control | —acl-grant=full-control | Granting full control over the bucket |
| —grant-read | —acl-grant=read | Allowing the listing of objects in the bucket |
| —grant-read-acp | —acl-grant=read_acp | Allowing the reading of ACLs |
| —grant-write | —acl-grant=write | Allowing recording, overwriting, and deleting of objects |
Policies
Policies are JSON documents that define access rules at a granular level — specifying which actions a user or all users can perform on objects and buckets. The maximum policy size is 20 KB.The storage owner configures policies. The AWS reference lists all supported S3 actions, conditions, and resource types.
Configure access via ACLs and policies
All commands use AWS CLI and S3cmd interchangeably — choose whichever is already configured on the system. In all commands and JSON files, replace the following placeholders:sample.jpg— the object name.my_bucket— the bucket name.s-ed1.cloud.gcore.lu— the storage hostname from the Details dialog; the service URLs reference lists all location endpoints.
Public object access via ACL
To allow all users to download an object, apply thepublic-read ACL (--acl public-read in AWS CLI or --acl-public in S3cmd).
AWS CLI:
Bucket listing via ACL
To allow all users to list objects in a bucket, apply thepublic-read ACL to the bucket.
AWS CLI:
Public object access via policy
Directory access denial via policy
Create the policy file
Create a JSON file that allows public read on the bucket but denies access to the
secret/ directory:IP-based access via policy
Create the policy file
Create a JSON file that restricts access to a specific IP address or CIDR range. Replace
10.0.0.0/24 with the actual IP or range:Referrer-based access via policy
Create the policy file
Create a JSON file that restricts access to requests originating from specific websites. Replace
http://www.example.com/ and http://example.com/ with the actual URLs: