Access Control

Access control is provided by the bucket policy and the access control list (ACL). If a bucket policy exists that matches the Resource, Principal, and Action elements for a specific operation, then the request is allowed or denied based on the Request element. Otherwise, access is governed by the ACL associated with the resource.

For bucket operations, if a matching bucket policy exists, then that bucket policy takes precedence. For object operations, Hedvig supports only the s3:GetObject action through the bucket policy. For all other object operations, the bucket and object ACLs allow or deny access for a specific Principal.
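
The evaluation order described above, modeled as an added example (not Hedvig code) so that a policy and ACL can be checked against it before deployment. Assumptions: the policy uses the AWS-style JSON layout with the allow/deny value in `Effect`, a matching Deny overrides a matching Allow, and the bucket and object ACLs are collapsed into one lookup table; the sample policy, ACL, and principal names are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample policy. Assumption: AWS-style JSON layout, with the
# allow/deny value in "Effect".
POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::reports/public/*"},
    {"Effect": "Deny", "Principal": "alice", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::reports/*"},
    {"Effect": "Deny", "Principal": "bob", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::reports"},
]}
# Constructed ACL table: (principal, resource) -> granted actions.
# Simplification: bucket and object ACLs are collapsed into one lookup.
ACL = {
    ("alice", "arn:aws:s3:::reports/q1.csv"): {"s3:PutObject"},
    ("bob", "arn:aws:s3:::reports"): {"s3:ListBucket"},
}
# Per the page, the only object action evaluated through the bucket policy.
OBJECT_ACTIONS_VIA_POLICY = {"s3:GetObject"}


def policy_effect(policy, principal, action, resource):
    """Effect of the matching statements, or None when nothing matches.
    Assumption: a matching Deny overrides a matching Allow."""
    effects = {
        s["Effect"] for s in policy.get("Statement", [])
        if s["Principal"] in ("*", principal)
        and fnmatchcase(action, s["Action"])
        and fnmatchcase(resource, s["Resource"])
    }
    if "Deny" in effects:
        return "Deny"
    return "Allow" if effects else None


def decide(policy, acl, principal, action, resource):
    """Return (allowed, source), source being 'policy' or 'acl'."""
    is_object = "/" in resource.split(":::", 1)[-1]
    if not is_object or action in OBJECT_ACTIONS_VIA_POLICY:
        effect = policy_effect(policy, principal, action, resource)
        if effect is not None:
            return effect == "Allow", "policy"
    # No applicable policy match: the ACL governs.
    return action in acl.get((principal, resource), set()), "acl"
```

In this model the Deny statement for `s3:PutObject` never takes effect, because object operations other than `s3:GetObject` are decided by the ACL alone; restrictions on those operations have to be expressed in the ACLs.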