doc-exports/docs/obs/umn/obs_03_0325.html

Relationship Between a Bucket ACL and a Bucket Policy

Mapping Between Bucket ACLs and Bucket Policies

Bucket ACLs are used to control basic read and write access to buckets. Custom settings of bucket policies support more actions that can be performed on buckets. Bucket policies supplement bucket ACLs. In most cases (granting permissions to log delivery user groups excluded), you can use bucket policies to manage access to buckets. Table 1 shows the mapping between bucket ACL access permissions and bucket policy actions.

Table 1 Mapping between bucket ACL access permissions and bucket policy actions

ACL Permission	Option	Mapped Action in a Custom Bucket Policy
Access to bucket	Read	ListBucket ListBucketVersions ListBucketMultipartUploads
	Write	PutObject DeleteObject DeleteObjectVersion
Access to ACL	Read	GetBucketAcl
	Write	PutBucketAcl

Mapping Relationship Between Object ACLs and Bucket Policies

Object ACLs are used to control basic read and write access permissions for objects. The custom settings of bucket policies support more actions that can be performed on objects. Table 2 describes the mapping relationship between object ACL access permissions and bucket policy actions.

Table 2 Mapping relationship between object ACLs and bucket policies

Object ACL	Option	Mapped Action in a Custom Bucket Policy
Access to Object	Read	GetObject GetObjectVersion
Access to ACL	Read	GetObjectAcl GetObjectVersionAcl
	Write	PutObjectAcl PutObjectVersionAcl

Does Bucket Policy Change Effect on the ACL Setting?

When objects are uploaded to a bucket, object ACLs are set for those objects. When the bucket policy is modified, ACLs of the objects do not change. However, ACLs of newly uploaded objects will be the default setting, and will not inherit the object ACL rule set by existing objects.

Parent topic: Permission Control Mechanisms