With the help of a detailed authorization system, based on the S3 Access Control List (ACL), you can control precisely who accesses and edits your content. By assigning ACLs to a group of users as per S3-compliant ACL, you can manage who may access the buckets and objects of your IONOS S3 Object Storage.
Use Bucket Policy instead of ACLs if you need to:
Manage access to prefixes like /folder/* or *.jpg.
Use conditions to grant access, for example, IP address.
Allow or deny certain actions like listing the object list.
Use Share Objects with Pre-Signed URLs instead of ACL for granting temporary access to authorized users for a specified period, after which the URL expires.
You can use ACLs to make a bucket or object public or to share access with certain authorized users by setting the right permissions. IONOS S3 Object Storage offers the following ACL management methods:
If you have defined ACLs granting public access, activating the Block Public Access revokes these permissions, ensuring your data remains private. This feature is invaluable in scenarios where ensuring data privacy is paramount, or when you want to enforce a blanket no-public-access rule, irrespective of ACL settings.
You can manage ACL permission for buckets through the web console, IONOS S3 Object Storage API, or the command-line tool.
The following table shows the ACL permissions that you can configure for buckets in the IONOS S3 Object Storage.
Note: For security, granting some of the access permissions such as Public access WRITE, Public access WRITE_ACP, Authenticated users WRITE, and Authenticated users WRITE_ACP is possible only through an API Call.
To manage ACL for buckets using the web console, follow these steps:
1. In the DCD, go to Menu > Storage > IONOS S3 Object Storage.
2. From the Buckets list, choose the bucket whose ACL you want to manage.
3. Click Bucket settings and choose the Access Control List (ACL) under the Access management section.
4. Select the checkboxes against the access permissions to grant at each user level such as bucket owner, public access, authenticated users, and logging. For more information, see .
5. Add grantees to provide additional users with access permission to the bucket. For more information, see .
6. Click Save to apply the ACL settings to the bucket.
Result: The bucket ACL permissions are successfully applied on the bucket.
Prerequisites:
Make sure the canonical user ID of the grantee is known. To retrieve the ID, see .
The grantee should already exist. If not, create a user and retrieve the Canonical user ID by following the steps in .
1. In the DCD, go to Menu > Storage > IONOS S3 Object Storage.
2. From the Buckets list, choose the bucket to which you want to add the grantee.
3. Click Bucket settings and choose the Access Control List (ACL) under the Access management section.
4. In the Additional Grantees section, enter the retrieved Canonical user ID of the grantee, select the checkboxes on the ACL permissions to grant, and click Add. For ACL permissions, see .
5. Add any number of grantees to the bucket by following step 4.
6. Click Save to add the additional grantees with corresponding ACL permissions to the bucket.
Result: The grantees are successfully added to the bucket.
Note: Granting access to a bucket for another IONOS user does not make the bucket appear in the user's S3 web console due to the S3 protocol's architecture. To access the bucket, the user must utilize other as the granted access does not translate to interface visibility.
Use the Object Storage API to manage bucket ACL permissions.
Use to manage ACL permission for buckets.
User | Console permission | ACL permission | Access granted |
Bucket Owner | Objects - Read | READ | Allows grantee to read the object data and its metadata. |
Bucket Owner | Objects - Write | WRITE | Enables the grantee to write object data and its metadata, including deleting the object. |
Bucket Owner | Bucket ACL - Read | READ_ACP | Grants the ability to read the ACL of the bucket. |
Bucket Owner | Bucket ACL - Write | WRITE_ACP | Allows the grantee to write the ACL of the bucket. |
Public access | Objects - Read | READ | Grants public read access for the objects in the bucket. Anyone can access the objects in the bucket. |
Public access | Bucket ACL - Read | READ_ACP | Grants public read access for the bucket ACL. Anyone can access the bucket ACL. |
Authenticated users | Objects - Read | READ | Grants read access to the objects in the bucket to anyone with an IONOS account. |
Authenticated users | Bucket ACL - Read | READ_ACP | Grants read access to bucket ACL to anyone with an IONOS account. |
Logging | Objects - Read | READ | Allows grantee to read the object log data. |
Logging | Objects - Write | WRITE | Enables the grantee to write object data and its metadata, including deleting the object. |
Logging | Bucket ACL - Read | READ_ACP | Grants the ability to read the log data of the bucket. |
Logging | Bucket ACL - Write | WRITE_ACP | Allows the grantee to write the ACL of the bucket. |
You can manage ACL permission for objects through the web console, IONOS S3 Object Storage API, or the command-line tool.
The following table shows the ACL permissions that you can configure for objects in a bucket in the IONOS S3 Object Storage.
These permissions are applied at individual object levels within a bucket, offering a high level of granularity in access control.
Note: For security, granting some of the access permissions such as Public access WRITE_ACP and Authenticated users WRITE_ACP is possible only through an API Call.
To manage ACL for objects using the web console, follow these steps:
1. In the DCD, go to Menu > Storage > IONOS S3 Object Storage.
2. From the Buckets list, choose the bucket that contains the object whose ACL you want to modify.
3. From the Objects list, choose the object for which ACL permissions are to be modified.
4. From the Object Settings, click Access Control List (ACL).
5. Select the checkboxes against the access permissions to grant at each user level such as bucket owner, public access, and authenticated users. For more information, see ACL permission for objects.
6. Add grantees to provide additional users with access permission to the object. For more information, see Add grantees for objects.
7. Click Save to apply the ACL settings to the object.
Result: The object ACL permissions are successfully applied to the object.
Prerequisites:
Make sure the canonical user ID of the grantee is known. To retrieve the ID, see Object Lock.
The grantee should already exist. If not, create a user and retrieve the Canonical user ID by following the steps in Retrieve the Canonical User ID of a new user.
1. In the DCD, go to Menu > Storage > IONOS S3 Object Storage.
2. From the Buckets list, choose the bucket that contains the object whose ACL you want to modify.
3. From the Objects list, choose the object for which you want to add the grantee.
4. In the Additional Grantees section, enter the retrieved Canonical user ID of the grantee, select the checkboxes on the ACL permissions to grant, and click Add. For ACL permissions, see ACL permission for objects.
5. Add any number of grantees to the object by following step 4.
6. Click Save to add the additional grantees with corresponding ACL permissions to the object.
Result: The grantees are successfully added to the object.
Use the PutObjectAcl Object Storage API to manage object ACL permissions.
Use CLI to manage ACL permission for objects.
User | Console permission | ACL permission | Access granted |
Bucket Owner | Objects - Read | READ | Allows grantee to read the object data and its metadata. |
Bucket Owner | Object ACL - Read | READ_ACP | Grants the ability to read the object ACL. |
Bucket Owner | Object ACL - Write | WRITE_ACP | Allows the grantee to write the ACL of the applicable object. |
Public access | Objects - Read | READ | Grants public read access for the objects in the bucket. Anyone can access the objects in the bucket. |
Public access | Object ACL - Read | READ_ACP | Grants public read access for the object ACL. Anyone can access the object ACL. |
Authenticated users | Objects - Read | READ | Grants read access to the objects in the bucket to anyone with an IONOS account. |
Authenticated users | Object ACL - Read | READ_ACP | Grants read access to object ACL to anyone with an IONOS account. |
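The following is an added example, not part of the IONOS documentation: a Python audit of the ACL XML returned by a GetBucketAcl or GetObjectAcl call, flagging the grants described in the bucket and object permission tables above, including the WRITE and WRITE_ACP grants that the notes say can only be set through an API call. It assumes the standard S3 AccessControlPolicy XML layout and predefined group URIs; the sample ACL and its placeholder IDs are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Assumption: the standard S3 group URIs stand for the page's grantee classes.
GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Public access",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Authenticated users",
    "http://acs.amazonaws.com/groups/s3/LogDelivery": "Logging",
}
ALL_PERMS = ["READ", "WRITE", "READ_ACP", "WRITE_ACP"]  # what FULL_CONTROL expands to

def audit_acl(xml_text):
    """Return sorted (severity, grantee, permission) findings for one ACL document."""
    root = ET.fromstring(xml_text)
    owner = root.findtext("s3:Owner/s3:ID", namespaces=NS)
    findings = set()
    for grant in root.findall("s3:AccessControlList/s3:Grant", NS):
        grantee = grant.find("s3:Grantee", NS)
        perm = grant.findtext("s3:Permission", namespaces=NS)
        if grantee.get("{%s}type" % XSI) == "Group":
            who = GROUPS.get(grantee.findtext("s3:URI", namespaces=NS), "Unknown group")
        else:
            uid = grantee.findtext("s3:ID", namespaces=NS)
            if uid == owner:
                continue  # the owner's own grant is expected
            who = "Additional grantee " + uid
        broad = who in ("Public access", "Authenticated users")
        for p in (ALL_PERMS if perm == "FULL_CONTROL" else [perm]):
            # Broad WRITE / WRITE_ACP grants are the API-only ones in the page's notes.
            sev = ("critical" if broad and p in ("WRITE", "WRITE_ACP")
                   else "high" if broad else "review")
            findings.add((sev, who, p))
    return sorted(findings)

def _grant(kind, tag, value, perm):  # builds one <Grant> for the constructed sample
    return (f'<Grant><Grantee xmlns:xsi="{XSI}" xsi:type="{kind}"><{tag}>{value}</{tag}>'
            f'</Grantee><Permission>{perm}</Permission></Grant>')

# Constructed sample in the shape of a GetBucketAcl / GetObjectAcl response body.
SAMPLE_ACL = (
    '<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<Owner><ID>owner-id-placeholder</ID></Owner><AccessControlList>"
    + _grant("CanonicalUser", "ID", "owner-id-placeholder", "FULL_CONTROL")
    + _grant("Group", "URI", "http://acs.amazonaws.com/groups/global/AllUsers", "READ")
    + _grant("Group", "URI", "http://acs.amazonaws.com/groups/global/AuthenticatedUsers", "FULL_CONTROL")
    + _grant("CanonicalUser", "ID", "grantee-id-placeholder", "WRITE")
    + "</AccessControlList></AccessControlPolicy>"
)
print(*audit_acl(SAMPLE_ACL), sep="\n")
```

A FULL_CONTROL grant is expanded into its four permissions so that a broad write grant hidden behind the shorthand is still reported as critical.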