Amazon S3 — download to your machine

Beginner
⏱️ 6 min read
📚 Updated: Aug 2025
S3 / AWS CLI
Downloading files from Amazon S3 to a local computer

What you’ll learn

Amazon Simple Storage Service (S3) is object storage for files, backups, static sites, and data lakes. This guide focuses on the AWS Command Line Interface (CLI): creating access keys for a local profile, running aws configure, and copying objects from a bucket to a folder on your computer.

Prerequisites

Before you begin, ensure you have the following:

  • An AWS account with permission to read the target S3 bucket (for example s3:GetObject and list on the prefix you need).
  • The AWS CLI installed on your computer.

Create an access key ID and secret access key

To authenticate the CLI as an IAM user, create an access key pair in the console (exact labels can vary slightly over time):

  1. Log in to the AWS Management Console.

  2. Open your account menu (top right), then Security credentials (or open IAM → your user → Security credentials).

    AWS console security credentials in the account menu
    AWS Management Console

  3. Under Access keys, choose Create access key and complete the wizard. Store the secret immediately; you cannot view it again later.

    Creating a new AWS access key in the console
    AWS Management Console

  4. You should now have an Access key ID and Secret access key to use with aws configure on your machine.

    Access key created successfully in the AWS console
    AWS Management Console

Configure the AWS CLI

Open a terminal or command prompt and run:

Terminal
aws configure

Enter your Access key ID, Secret access key, default Region (for example us-east-1), and output format (for example json) when prompted.

Terminal running aws configure
Local terminal

Warning: Only paste credentials into a machine you trust. Anyone with the secret key can call the AWS API as that principal until the key is disabled.

When configuration succeeds, you are ready to run aws s3 commands against your bucket.

Download a single file

Copy one object to a local path (adjust bucket, key, and destination):

Terminal
aws s3 cp s3://your-bucket-name/path/to/image.jpg /path/on/local/machine/
Terminal showing successful download of one image from S3
Local terminal

Download all objects under a prefix

Use --recursive to copy every object under the given S3 URI into a local directory:

Terminal
aws s3 cp s3://your-bucket-name/ /path/on/local/machine/ --recursive

For repeated runs where you only want new or changed files, aws s3 sync is often a better fit than a full recursive copy.

Terminal showing recursive download of all objects from an S3 prefix
Local terminal

Download a subset (for example only JPEGs)

With aws s3 cp --recursive, you can add --exclude and --include filters. This example downloads only files ending in .jpg:

Terminal
aws s3 cp s3://your-bucket-name/ /path/on/local/machine/ --recursive --exclude "*" --include "*.jpg"

Filters are evaluated in order; start from a broad exclude and then add narrower includes, or consult the AWS CLI reference for s3 cp for advanced patterns.

Terminal showing S3 recursive copy with include filter for jpg files
Local terminal

Key takeaways

1

Use aws configure (or another supported credential source) so the CLI can call S3 with the right account and Region.

2

aws s3 cp copies a single object or a tree with --recursive; aws s3 sync helps keep a local folder aligned over time.

3

--exclude and --include let you pull only the file types you need from a large prefix.

Frequently asked questions

Run aws s3 cp with the s3:// URI for the object and a destination path on disk, for example aws s3 cp s3://my-bucket/photos/a.png ./a.png.
aws s3 cp copies the paths you specify; with --recursive it walks the prefix. aws s3 sync compares source and destination and skips files that already match size and timestamp (or ETag), which is useful for incremental backups.
Check IAM permissions on the principal configured in the CLI, S3 bucket policies, object ownership, and any explicit denies. Also confirm the bucket Region matches the endpoint behavior you expect if you set a default Region in the profile.

Next: HTTPS on AWS

After moving data with S3 and the CLI, use ACM to provision certificates for load balancers, APIs, and CloudFront.

AWS Certificate Manager (ACM) →
Did you know?

For day-to-day AWS access from your laptop, IAM Identity Center (SSO) or short-lived credentials are preferable to long-lived access keys. Use keys from this guide only in trusted environments and rotate or delete them when you are done.

About the author

Mari Selvan M P
Mari Selvan M P 🔗

Developer, cloud engineer, and technical writer

  • Experience 12 years building web and cloud systems
  • Focus Full Stack Development, AWS, and Developer Education

I write practical tutorials so students and working developers can learn by doing—from databases and APIs to deployment on AWS.

AWS Certified Developer – Associate (Credly)

8 people found this page helpful

Amazon S3 — buckets and public objects AWS Certificate Manager (ACM)