Comparison of access policies

Last updated: 2021-04-28 11:04:11

| | ACL | Bucket policy | User policy |
|---|---|---|---|
| Policy type | Resource-based policy | Resource-based policy | User-based policy |
| Resource operation | Only basic read/write operations are supported. | Many operations are supported, except service operations such as bucket list query. | Most operations are supported, including service operations such as bucket list query. |
| Authorize other accounts | Supported | Supported | Not supported. You can create a role and select a trusted account for cross-account authorization. |
| Authorize IAM users | Not supported | Supported | Supported |
| Authorize roles | Not supported | Supported | Supported |

Guidelines for using access policies

  1. Scenarios where ACLs are preferred
     • You only want to keep buckets or objects public or private without complex authorization logic.
  2. Scenarios where bucket policies are preferred
     • You want to grant resource-specific permissions to other accounts for cross-account access.
     • You want to grant resource-specific permissions to IAM users who do not need to log in to the console.
  3. Scenarios where user policies are preferred
     • You want to grant resource-specific permissions to IAM users who need to log in to the console.
     • You want to assign specific roles to IAM users to grant them temporary permissions.
