When to Use S3 Access Control Lists
IAM Policies, Bucket Policies, and S3 ACLs
Best practice is to use S3 bucket policies or IAM policies for access control in S3, rather than S3 access control lists (ACLs). S3 ACLs manage access to S3 by attaching ACLs as subresources to buckets and objects. S3 ACLs are now considered a legacy control mechanism, but if you’re comfortable using them, you still can. It’s important to note that S3 ACLs might conflict with your IAM policies, so you must be diligent in checking your permissions.
To determine whether you want to continue using S3 ACLs, visit the AWS documentation on IAM policies vs. bucket policies vs. S3 ACLs.
AWS no longer recommends S3 ACLs because IAM and bucket policies are easier to manage. However, if they're already in place and you're comfortable using them, there's no reason to change that. You just need to keep some things in mind. First, you won't be able to change granular information for IAM policies; you'll have to do this using the CLI or API. Second, S3 ACLs may conflict with some of your IAM policies. Third, there is a WRITE permission that you may assign to users that allows them to upload objects that you may be charged for, so it's something to look out for.
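The WRITE-permission point above, as an added example that is not part of the original page: a Python check over the response shape returned by S3's GetBucketAcl that flags grants letting anyone other than the bucket owner upload objects or change the ACL. The sample ACL, its canonical IDs, and the severity labels are constructed for illustration.

```python
# Added example: audit a bucket ACL (GetBucketAcl response shape) for grants
# that let someone other than the owner upload objects or rewrite the ACL.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# WRITE allows creating objects in the bucket; WRITE_ACP allows changing the
# ACL (and so granting WRITE later); FULL_CONTROL includes both.
RISKY = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl):
    """Return (grantee, permission, severity) for non-owner write-capable grants."""
    owner_id = acl["Owner"]["ID"]
    findings = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant["Grantee"], grant["Permission"]
        if perm not in RISKY:
            continue
        if grantee.get("Type") == "Group":
            uri = grantee.get("URI", "")
            if uri in PUBLIC_GROUPS:
                findings.append((PUBLIC_GROUPS[uri], perm, "high"))
            else:
                findings.append((uri, perm, "review"))  # e.g. a log delivery group
        elif grantee.get("ID") != owner_id:
            # Another account or an e-mail grantee: the owner may be charged
            # for whatever this grantee uploads.
            who = grantee.get("ID") or grantee.get("EmailAddress", "unknown")
            findings.append((who, perm, "medium"))
    return findings


# Constructed sample; with boto3 this dict would come from
# boto3.client("s3").get_bucket_acl(Bucket=...)
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-constructed"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-constructed"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "partner-canonical-id-constructed"}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for who, perm, severity in risky_grants(SAMPLE_ACL):
        print(f"[{severity}] {perm} granted to {who}")
```

The owner's own FULL_CONTROL grant and the public READ grant are skipped on purpose: the check targets only the write-capable grants the paragraph warns about.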