Require that objects grant the bucket owner full control

By default, an S3 object is owned by the AWS account that uploaded it even though the bucket is owned by another account.
To get full access to the object, the object owner must explicitly grant the bucket owner access.
You can create a bucket policy to require external users to grant bucket-owner-full-control when uploading objects so the bucket owner can have full access to the objects.
For example, this bucket policy specifies that ExampleUser can upload objects to DOC-EXAMPLE-BUCKET only when the object's ACL is set to bucket-owner-full-control:

{
    "Id": "Policy1541018284691",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1541018283275",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            },
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/ExampleUser"
                ]
            }
        }
    ]
}

PreviousRDS encryption in-transit (SSL)NextIdentity Federation

Last updated 4 years ago

Was this helpful?