Access Management

IONOS S3 Object Storage provides multiple features to manage access to your buckets and objects effectively. This allows you to define precisely who may access what.

By default, newly created user-owned buckets and objects are private, and only the bucket owner can access them. In the case of the newly created contract-owned buckets, the buckets and objects are private, and both the contract owner and administrators can access and manage them.

Share access

Use the following options to share access to a bucket and to all or specific objects in a bucket:

  • Bucket Policy: This policy is applied at the bucket level and it offers a robust framework for setting fine-grained access controls to your Object Storage buckets and objects. It is useful for restricting access based on certain conditions like IP addresses or time of access. With Bucket Policy, you can manage access to specific objects or prefixes within a bucket. However, the size of the policy is limited, which could be a consideration if you have extensive access control requirements. You can use Bucket Policy to make a bucket or object public, or to share access with specific authorized users by defining the necessary permissions within the policy.

  • Bucket and Object Access Control Lists (ACLs): Provides a simpler mechanism for controlling access and can be specified for every object if needed, making them more flexible on a per-object basis. You can use ACLs to make a bucket or object public or to share access with certain authorized users by setting the right permissions. ACLs do not offer the ability to restrict access based on conditions like IP address.
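To make the difference between the two mechanisms concrete, here is an added example (not code from the IONOS documentation or product) that builds a bucket policy granting one grantee read-only access to a single prefix, restricted to one source network, and then evaluates sample requests against it the way a policy engine would: implicit deny, explicit Deny wins over Allow, and the IP condition must hold. The bucket name, the principal string, the `203.0.113.0/24` network and the evaluator itself are assumptions constructed for the example; the page states that policy size is limited but gives no figure, so `policy_size_bytes` only measures, it does not enforce a limit. An ACL has no place to express the `aws:SourceIp` condition, which is the capability the text attributes to bucket policies alone.

```python
import ipaddress
import json
from fnmatch import fnmatchcase

# Constructed values for the example; the principal format is a placeholder,
# not the provider's real identifier syntax.
BUCKET = "example-bucket"
GRANTEE = "PRINCIPAL-PLACEHOLDER"
OFFICE_NET = "203.0.113.0/24"  # documentation range, constructed


def build_policy(bucket, grantee, cidr, prefix="reports/"):
    """Read-only access to one prefix, allowed only from the given network."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadReportsFromOffice",
            "Effect": "Allow",
            "Principal": {"AWS": [grantee]},
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
            "Condition": {"IpAddress": {"aws:SourceIp": cidr}},
        }],
    }


def policy_size_bytes(policy):
    """Compact serialised size; the page says policies are size-limited."""
    return len(json.dumps(policy, separators=(",", ":")).encode())


def _condition_holds(cond, ctx):
    """Evaluate the IP-address condition operators used in this example."""
    for op, kv in cond.items():
        for key, want in kv.items():
            have = ctx.get(key)
            if have is None:
                return False
            inside = ipaddress.ip_address(have) in ipaddress.ip_network(want)
            if op == "IpAddress" and not inside:
                return False
            if op == "NotIpAddress" and inside:
                return False
            if op not in ("IpAddress", "NotIpAddress"):
                raise ValueError(f"unsupported operator {op}")
    return True


def evaluate(policy, principal, action, resource, source_ip):
    """Minimal evaluation: implicit deny, explicit Deny beats any Allow."""
    ctx = {"aws:SourceIp": source_ip}
    decision = "Deny"
    for st in policy["Statement"]:
        princ = st["Principal"]
        princ_list = ["*"] if princ == "*" else princ.get("AWS", [])
        if isinstance(princ_list, str):
            princ_list = [princ_list]
        if "*" not in princ_list and principal not in princ_list:
            continue
        if not any(fnmatchcase(action, a) for a in st["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in st["Resource"]):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    pol = build_policy(BUCKET, GRANTEE, OFFICE_NET)
    obj = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"
    print(json.dumps(pol, indent=2), policy_size_bytes(pol), "bytes")
    print("office read:", evaluate(pol, GRANTEE, "s3:GetObject", obj, "203.0.113.7"))
    print("outside read:", evaluate(pol, GRANTEE, "s3:GetObject", obj, "198.51.100.9"))
```

Running the script prints the policy document and shows the same grantee allowed from the office range and denied from elsewhere; any action or prefix the statement does not name falls through to the implicit deny.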

Grant access

There are two roles involved in granting access: Owner and Grantee. Their definitions depend on the Bucket Types.

  • Owner: The contract owner owns all the buckets. Administrators have the same permissions as the contract owner but must use the access key that is created after they have become administrators.

  • Grantee: Refers to the Object Storage defined user groups to whom permissions are granted; those permissions specify which buckets and objects they may access. A grantee can be any of the following:

    • A user of the same contract according to the Bucket Policy defined by the contract owner or administrator.

    • Another contract using ACL. If you share contract access, all contract users are granted access.

    • Specific users of another contract according to the Bucket Policy defined by the contract owner or administrator.

    • Predefined groups: All users and authenticated users of IONOS S3 Object Storage (users from any contract). Both ACL and Bucket Policy support this function.

Additional access management functions

  • Share Objects with Pre-Signed URLs: An excellent choice for securely providing temporary access to your objects. Essential for sharing files with someone without requiring them to have an IONOS account, and for granting temporary access to authorized users for a specified period, after which the URL expires.

  • Cross-Origin Resource Sharing (CORS): If you allow public access to your bucket, you can specify which domains can make cross-origin requests to your Object Storage using this function. It is useful when you need to serve resources from your bucket to web applications hosted on different domains.

  • Block Public Access: Overrides any other permissions that apply to buckets and objects. Because maintaining your data’s privacy is essential, use Block Public Access to ensure that your buckets and objects cannot accidentally be made public and remain accessible only to authorized individuals or systems. Currently, this feature is available only via the IONOS S3 Object Storage API.
