# ACL for Objects

This document provides instructions to [<mark style="color:blue;">Manage ACL for Objects</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/settings/access-control-list/access-control-list-objects) using the AWS CLI. Additionally, these tasks can also be performed using the [<mark style="color:blue;">DCD</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/settings/access-control-list/access-control-list-objects#dcd) and [<mark style="color:blue;">API</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/settings/access-control-list/access-control-list-objects#api).

{% hint style="info" %}
**Prerequisites:**

* Set up the AWS CLI by following the [<mark style="color:blue;">installation instructions</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/s3-tools/awscli/awscli-configure).
* Make sure to consider the supported [<mark style="color:blue;">Endpoints</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/endpoints) for object upload.
  {% endhint %}

Use the following keys to define access permissions:

* `--grant-read`: Grants read-only access.
* `--grant-write`: Grants write-only access.
* `--grant-read-acp`: Grants permission to read the Access Control List.
* `--grant-write-acp`: Grants permission to modify the Access Control List.
* `--grant-full-control`: Grants full access, encompassing the permissions listed above (read, write, read ACL, and write ACL).

Use `--key` to specify the object for granting access:

```
aws s3api put-object-acl --bucket MY-BUCKET --key my-object.txt --grant-full-control id=CANONICAL_USER_ID --endpoint-url https://s3.eu-central-2.ionoscloud.com
```

Use the following values for the `--acl` key:

* `private` removes public access.
* `public-read` allows public read-only access.
* `public-read-write` allows public read/write access.
* `authenticated-read` allows read-only access to all authenticated users of IONOS Object storage (including ones out of your contract).

Allow public read-only access to the object:

```
aws s3api put-object-acl --bucket MY-BUCKET --acl public-read --endpoint-url https://s3.eu-central-2.ionoscloud.com
```

Remove public access from the object:

```
aws s3api put-object-acl --bucket MY-BUCKET --acl private --endpoint-url https://s3.eu-central-2.ionoscloud.com
```