S3 bucket policies vs ACLs: bucket policies are the right approach
Tags: S3 bucket policy, ACL, Object Ownership, Block Public Access, cross-account access, CloudFront OAC, access control
Problem
S3 ACLs (Access Control Lists) are still used to make objects public or share with other accounts, but they are legacy, confusing, and harder to audit than bucket policies. AWS now recommends disabling ACLs entirely.
Solution
Use S3 bucket policies for all access control. Disable ACLs by setting Object Ownership to 'Bucket owner enforced'. Use bucket policies for cross-account access, public read (with Block Public Access settings), and service-level access.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipal",
      "Effect": "Allow",
      "Principal": { "Service": "cloudfront.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": { "StringEquals": { "AWS:SourceArn": "arn:aws:cloudfront::123456789:distribution/EXXXXX" } }
    }
  ]
}
```
Why
ACLs apply per-object and require setting them on every uploaded object. Bucket policies apply at the bucket level, are centrally auditable, support condition keys, and are the standard IAM policy language. ACLs do not support condition keys or most advanced access patterns.
Gotchas
- Block Public Access settings override bucket policies — you cannot make objects public if Block Public Access is enabled at account level
- The canonical user ID required for ACL cross-account grants is hard to find and manage — use bucket policies with account ARN instead
- S3 Object Lock requires the 'Bucket owner enforced' Object Ownership setting (ACLs disabled) to function correctly
- When using CloudFront OAC (Origin Access Control), use the bucket policy template from CloudFront — do not manually craft the condition
- Bucket policies have a 20KB size limit — split large policies using IAM roles instead
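An added Python example (not part of the original entry) that builds the Solution's OAC statement from its parameters and audits a policy document for the ACL-style mistakes the Gotchas describe: a public principal with no Condition, and a service principal with no AWS:SourceArn / AWS:SourceAccount scoping. The function names, the 12-digit account id and the distribution id are assumed placeholders; it runs offline on a constructed policy.

```python
import json

CLOUDFRONT = "cloudfront.amazonaws.com"
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}  # IAM condition keys are case-insensitive

def oac_bucket_policy(bucket, distribution_arn):
    """Build the CloudFront OAC read policy from the Solution, scoped to one distribution."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipal",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDFRONT},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
    }]}

def _is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: the bucket-policy equivalent of a public ACL."""
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def audit_bucket_policy(policy):
    """One finding per Allow statement that is public with no Condition, or that grants a
    service principal without AWS:SourceArn / AWS:SourceAccount scoping (confused deputy)."""
    findings = []
    statements = policy.get("Statement", [])
    for st in statements if isinstance(statements, list) else [statements]:
        if st.get("Effect") != "Allow":
            continue
        sid, principal = st.get("Sid", "<no Sid>"), st.get("Principal")
        # Flatten every condition key in the statement, lower-cased
        keys = {k.lower() for block in (st.get("Condition") or {}).values() for k in block}
        if _is_public(principal) and not keys:
            findings.append(f"{sid}: public principal with no Condition")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if service and not keys & SCOPING_KEYS:
            findings.append(f"{sid}: service principal {service} not scoped by AWS:SourceArn")
    return findings

if __name__ == "__main__":
    # Constructed sample: the page's OAC statement plus a public-read statement with no Condition.
    policy = oac_bucket_policy("my-bucket", "arn:aws:cloudfront::123456789012:distribution/EXAMPLE")
    policy["Statement"].append({"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"})
    print(json.dumps(policy, indent=2))
    print(audit_bucket_policy(policy))  # ['PublicRead: public principal with no Condition']
```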
Context
Configuring access control for S3 buckets used with CloudFront, Lambda, or cross-account scenarios