> For the complete documentation index, see [llms.txt](https://docs.ionos.com/cloud/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.ionos.com/cloud/~/revisions/AMiYziCllTKB2y2lmONY/storage-and-backup/s3-object-storage/concepts/access-management.md).

# Access Management

IONOS S3 Object Storage provides multiple features to manage access to your buckets and objects effectively. This allows you to define precisely who may access what.

By default, newly created user-owned buckets and objects are private, and only the bucket owner can access them. In the case of the newly created contract-owned buckets, the buckets and objects are private, and both the contract owner and administrators can access and manage them.

## Share access

Use the following options to share access to a bucket and to all or specific objects in a bucket:

* [<mark style="color:blue;">**Bucket Policy**</mark>](/cloud/~/revisions/AMiYziCllTKB2y2lmONY/storage-and-backup/s3-object-storage/settings/bucket-policy.md)**:** This policy is applied at the bucket level and it offers a robust framework for setting fine-grained access controls to your Object Storage buckets and objects. It is useful for restricting access based on certain conditions like IP addresses or time of access. With Bucket Policy, you can manage access to specific objects or prefixes within a bucket. However, the size of the policy is limited, which could be a consideration if you have extensive access control requirements. You can use Bucket Policy to make a bucket or object public, or to share access with specific authorized users by defining the necessary permissions within the policy.
* [<mark style="color:blue;">**Bucket and Object Access Control Lists (ACLs)**</mark>](/cloud/~/revisions/AMiYziCllTKB2y2lmONY/storage-and-backup/s3-object-storage/settings/access-control-list.md)**:** Provides a simpler mechanism for controlling access and can be specified for every object if needed, making them more flexible on a per-object basis. You can use ACLs to make a bucket or object public or to share access with certain authorized users by setting the right permissions. ACLs do not offer the ability to restrict access based on conditions like IP address.

## Grant access

There are two roles involved in granting access: **Owner** and **Grantee**. Their definitions depend on the [<mark style="color:blue;">Bucket Types</mark>](/cloud/~/revisions/AMiYziCllTKB2y2lmONY/storage-and-backup/s3-object-storage/concepts/bucket-types.md).

{% tabs %}
{% tab title="Contract-owned Buckets" %}

* **Owner:** The contract owner owns all the buckets. Administrators have the same permissions as the contract owner but must use the [<mark style="color:blue;">access key</mark>](/cloud/~/revisions/AMiYziCllTKB2y2lmONY/storage-and-backup/s3-object-storage/concepts/key-management.md#access-keys) that is created after they have become administrators.
* **Grantee:** Refers to the Object Storage defined user groups to whom permissions are granted that specify which buckets and objects they may access. Grantee could be any of the following:
  * A user of the same contract according to the Bucket Policy defined by the contract owner or administrator.
  * Another contract using ACL. If you share contract access, all contract users are granted access.
  * Specific users of another contract according to the Bucket Policy defined by the contract owner or administrator.
  * Predefined groups: All users and authenticated users of IONOS S3 Object Storage (users from any contract). Both ACL and Bucket Policy support this function.
    {% endtab %}

{% tab title="User-owned Buckets" %}

* **Owner:** The user who creates the bucket is called the owner. Each user owns buckets of their account.
* **Grantee:** Refers to the Object Storage defined user groups to whom permissions are granted that specify which buckets and objects they may access. Grantee could be any of the following:
  * A user from the same contract.
  * A user from another contract.
  * Predefined groups: All users, authenticated users of IONOS S3 Object Storage (users from any contract), and Log Delivery Group.

{% hint style="info" %}
**Note:** Granting access to a bucket for another IONOS user does not make the bucket appear in the user's S3 web interface due to the S3 protocol's architecture. To access the bucket, the user will need to utilize other [<mark style="color:blue;">S3 Tools</mark>](/cloud/~/revisions/AMiYziCllTKB2y2lmONY/storage-and-backup/s3-object-storage/s3-tools.md), as the granted access does not translate to interface visibility.
{% endhint %}
{% endtab %}
{% endtabs %}

## Additional access management functions

* [<mark style="color:blue;">**Share Objects with Pre-Signed URLs**</mark>](/cloud/~/revisions/AMiYziCllTKB2y2lmONY/storage-and-backup/s3-object-storage/how-tos/share-objects-pre-signed-urls.md)**:** An excellent choice for securely providing temporary access to your objects. Essential for sharing files with someone without requiring them to have an IONOS account, and for granting temporary access to authorized users for a specified period, after which the URL expires.
* [<mark style="color:blue;">**Cross-Origin Resource Sharing (CORS)**</mark>](/cloud/~/revisions/AMiYziCllTKB2y2lmONY/storage-and-backup/s3-object-storage/settings/cors.md)**:** If you allow public access to your bucket, you can specify which domains can make cross-origin requests to your Object Storage using this function. It is useful when you need to serve resources from your bucket to web applications hosted on different domains.
* **Block Public Access:** Overrides any other permissions applicable on buckets and objects. Maintaining your data’s privacy is essential. Using Block Public Access, ensure your buckets and objects are not accidentally made public and are accessible only to authorized individuals or systems. Currently, this feature is available only via the [<mark style="color:blue;">IONOS S3 Object Storage API</mark>](https://api.ionos.com/docs/s3/v2/).


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.ionos.com/cloud/~/revisions/AMiYziCllTKB2y2lmONY/storage-and-backup/s3-object-storage/concepts/access-management.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
