Require that objects grant the bucket owner full control

• By default, an S3 object is owned by the AWS account that uploaded it even though the bucket is owned by another account.

• To get full access to the object, the object owner must explicitly grant the bucket owner access.

• You can create a bucket policy to require external users to grant bucket-owner-full-control when uploading objects so the bucket owner can have full access to the objects.

• For example, this bucket policy specifies that ExampleUser can upload objects to DOC-EXAMPLE-BUCKET only when the object's ACL is set to bucket-owner-full-control:

{
    "Id": "Policy1541018284691",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1541018283275",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            },
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/ExampleUser"
                ]
            }
        }
    ]
}