Welcome to Amazon S3
Introduction to Amazon S3
Making Requests
- Making Requests using AWS SDKs
- Making Requests using the REST API
Working with Amazon S3 Buckets
- Bucket Restrictions and Limitations
- Bucket Configuration Options
  - Buckets and Regions
- Managing Bucket Website Configuration
- Requester Pays Buckets
- Buckets and Access Control
- Billing and Reporting of Buckets
Working with Amazon S3 Objects
- Object Key and Metadata
- Object Subresources
- Object Versioning
- Object Expiration
  - Manage Object Expiration Using AWS Management Console
  - Manage Object Expiration Using the REST API
- Operations on Objects
  - Multipart Upload Overview
- Getting Objects
- Uploading Objects
- Copying Objects
  - Copying Objects in a Single Operation
  - Copying Objects Using the Multipart Upload API
- Listing Object Keys
- Deleting Objects
  - Deleting One Object Per Request
  - Deleting Multiple Objects Per Request
Access Control
- Using IAM Policies
- Using Bucket Policies
- Using ACLs
- Using ACLs and Bucket Policies Together
- Using Query String Authentication
Data Protection
- Using Data Encryption
  - Using Server-Side Encryption
  - Using Client-Side Encryption
    - Specifying Client-Side Encryption Using the AWS SDK for Java
      - Customizing Your Client-Side Encryption Environment
- Using Reduced Redundancy Storage
  - Setting the Storage Class of an Object You Upload
  - Changing the Storage Class of an Object in Amazon S3
    - Return Code For Lost Data
- Using Versioning
Hosting Websites on Amazon S3
- Setting Up a Website
- Website Endpoints
- Index Document Support
- Custom Error Document Support
- How Do I Configure My Bucket As a Website?
- Permissions Required for Website Access
Setting Up Notification of Bucket Events
Request Routing
- Request Redirection and the REST API
- DNS Considerations
Performance Optimization
- TCP Window Scaling
- TCP Selective Acknowledgement
Using BitTorrent with Amazon S3
- How You are Charged for BitTorrent Delivery
- Using BitTorrent to Retrieve Objects Stored in Amazon S3
- Publishing Content Using Amazon S3 and BitTorrent
Using Amazon DevPay with Amazon S3
- Amazon S3 Customer Data Isolation
- Amazon DevPay Token Mechanism
- Amazon S3 and Amazon DevPay Authentication
- Amazon S3 Bucket Limitation
- Amazon S3 and Amazon DevPay Process
- Additional Information
Handling Errors
- The REST Error Response
  - Error Response
- The SOAP Error Response
- Amazon S3 Error Best Practices
Server Access Logging
- Server Access Logging Configuration API
- Delivery of Server Access Logs
- Server Access Log Format
- Setting Up Server Access Logging
Using the AWS SDKs and Explorers
- Using the AWS SDK for Java
- Using the AWS SDK for .NET
- Using the AWS SDK for PHP
- Using the AWS SDK for Ruby
Appendices
- Appendix A: The Access Policy Language
- Appendix B: Using the SOAP API
Amazon S3 Resources
Document History
Glossary
Index

Did this page help you? Yes No Tell us about it...

Versioned Object Permissions and ACLs

Permissions are set at the version level. Each version has its own object owner—whoever PUT the version. So, you can set different permissions for different versions of the same object. To do so, you must specify the version ID of the object whose permissions you want to set in a PUT Object versionId acl request. For a detailed description and instructions on using ACLs, see Authentication and Access Control.

Example Setting Permissions for an Object Version

The following request sets the permission of the grantee, BucketOwner@amazon.com, to FULL_CONTROL on the key, my-image.jpg, version ID, 3HL4kqtJvjVBH40Nrjfkd.

PUT /my-image.jpg?acl&versionId=3HL4kqtJvjVBH40Nrjfkd HTTP/1.1
Host: bucket.s3.amazonaws.com
Date: Wed, 28 Oct 2009 22:32:00 GMT
Authorization: AWS 02236Q3V0WHVSRW0EXG2:0RQf4/cRonhpaBX5sCYVf1bNRuU=
Content-Length: 124
 
<AccessControlPolicy>
  <Owner>
    <ID>8a6925ce4adf5f21c32aa379004fef</ID>
    <DisplayName>mtd@amazon.com</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>8a6925ce4adf588a4532142d3f74dd8c71fa124b1ddee97f21c32aa379004fef</ID>
        <DisplayName>BucketOwner@amazon.com</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
  </AccessControlPolicy>

Likewise, to get the permissions of a specific object version, you must specify its version ID in a GET Object versionId acl request. You need to include the version ID because, by default, GET Object acl returns the permissions of the latest version of the object.

Example Retrieving the Permissions for a Specified Object Version

In the following example, Amazon S3 returns the permissions for the key, my-image.jpg, version ID, DVBH40Nr8X8gUMLUo.

GET /my-image.jpg?versionId=DVBH40Nr8X8gUMLUo&acl HTTP/1.1
Host: bucket.s3.amazonaws.com
Date: Wed, 28 Oct 2009 22:32:00 GMT
Authorization: AWS 02236Q3V0WHVSRW0EXG2:0RQf4/cRonhpaBX5sCYVf1bNRuU

For more information, go to GET Object acl.

Document Conventions
Terms of Use

Did this page help you? Yes No Tell us about it...

Warning

Javascript is disabled or is unavailable in your browser.
To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.