Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

When to Use ACLs vs Bucket Policies

ACLs provide a coarse-grained permission model: you grant a fixed set of permissions (such as READ or WRITE) on a bucket or an object to a grantee. Bucket policies, on the other hand, provide fine-grained control over the permissions you grant. For example, you can write a policy that grants users access to a bucket or an object only if the request comes from a specific IP address range, or only if the request arrives after a specific date and time. Depending on your needs, you can use one or both of these permission models. However, there are specific use cases where ACLs may be the most appropriate choice:

  • There is only a Bucket Policy (no Object Policy)—There is no per-object policy, so there are times when you need to grant permissions on individual objects in your bucket. For example, if you grant write permission on your bucket, other AWS accounts can add objects to it, and those accounts, not you, own the objects they upload; as the bucket owner you do not automatically have permissions on them. The owners of these new objects must explicitly grant permissions on them (using object ACLs) before others can access them.
  • Bucket Policies are Limited to 20 Kilobytes in Size—If you have a large number of objects and users, your bucket policy could reach the 20 KB size limit. In that case, consider using ACLs for the additional grants.
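The following is an added example, not code from the Amazon S3 Developer Guide. It builds a bucket policy with the two conditions described above (source IP address and request time), shows how a policy that carries one statement per grantee grows past the 20 KB limit, and builds the object ACL body an object owner would send with PutObjectAcl when a bucket policy cannot cover an object owned by another account. The bucket name, account IDs, canonical user IDs and CIDR range are hypothetical placeholders; the dicts match the JSON shapes S3 accepts, but nothing here talks to AWS.

```python
"""Added example (not from the S3 Developer Guide): bucket policy with
IP/time conditions, a 20 KB size check, and an object ACL grant.
All identifiers below are hypothetical placeholders."""
import json

POLICY_SIZE_LIMIT = 20 * 1024  # bucket policies are limited to 20 KB


def build_bucket_policy(bucket, principal_arn, source_cidr, not_before):
    """Policy allowing principal_arn to read objects in bucket, but only from
    source_cidr and only for requests made after the ISO-8601 time not_before.
    Both conditions must hold for the Allow to apply."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadFromOfficeAfterLaunch",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "IpAddress": {"aws:SourceIp": source_cidr},
                    "DateGreaterThan": {"aws:CurrentTime": not_before},
                },
            }
        ],
    }


def per_principal_policy(bucket, principal_arns):
    """One Allow statement per grantee: the pattern that hits the size
    limit once you have many users, and where ACLs become the fallback."""
    statements = [
        {
            "Sid": f"User{i}",
            "Effect": "Allow",
            "Principal": {"AWS": arn},
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }
        for i, arn in enumerate(principal_arns)
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def policy_size_bytes(policy):
    """Size of the policy document as it would be submitted (compact JSON,
    UTF-8). Whitespace in a pretty-printed document also counts, so
    serialize compactly before sending it."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def fits_in_policy_limit(policy):
    """True if the document can be stored as a bucket policy at all."""
    return policy_size_bytes(policy) <= POLICY_SIZE_LIMIT


def object_read_grant(owner_canonical_id, grantee_canonical_id):
    """AccessControlPolicy body for PutObjectAcl: the object owner grants
    READ on one object to one canonical user. This is what the uploading
    account must do, because the bucket owner cannot grant permissions on an
    object that another account owns."""
    return {
        "Owner": {"ID": owner_canonical_id},
        "Grants": [
            {
                "Grantee": {"Type": "CanonicalUser", "ID": grantee_canonical_id},
                "Permission": "READ",
            }
        ],
    }


if __name__ == "__main__":
    policy = build_bucket_policy(
        "example-bucket",                      # hypothetical bucket
        "arn:aws:iam::123456789012:user/alice",  # hypothetical IAM user
        "203.0.113.0/24",                      # TEST-NET-3, documentation range
        "2013-01-01T00:00:00Z",
    )
    print(json.dumps(policy, indent=2))
    print("bytes:", policy_size_bytes(policy), "fits:", fits_in_policy_limit(policy))
```

The condition keys (aws:SourceIp, aws:CurrentTime) are global condition keys evaluated for every S3 request, so the same pattern applies to any action, not just s3:GetObject. Run the size check before PutBucketPolicy; once you approach the limit, move the per-object or per-grantee grants into ACLs as the text suggests, and keep the policy for the rules that need conditions.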

Amazon S3 supports both ACLs and bucket policies. If you already use ACLs, there is no need to change. In simpler scenarios, ACLs may provide the appropriate level of permissions for your use case; for example, when granting permissions to a small number of grantees, ACLs might be adequate.