Disable bucket ACL(s) in a given AWS account
Hi AWS,
I have a requirement where I need to disable the Access Control List (ACLs) for the s3 buckets in a given AWS account. Doing this manually is a time consuming and not the appropriate method so I have written a basic boto3 script to accomplish the same. The code snippet is as follows:
import boto3
def main():
bucket_acl()
def bucket_acl():
client = boto3.client('s3')
response = client.list_buckets()
for bucket in response['Buckets']:
name = bucket['Name']
bucket_acl_status = client.get_bucket_acl(
Bucket=name
)
print(bucket_acl_status['Grants'])
disable_bucket_acl = client.put_bucket_ownership_controls(
Bucket=name,
OwnershipControls={
'Rules': [
{
'ObjectOwnership': 'BucketOwnerEnforced'
},
]
}
)
print(disable_bucket_acl)
main()
While I am running the python code, the following error is coming:
botocore.exceptions.ClientError: An error occurred (InvalidBucketAclWithObjectOwnership) when calling the PutBucketOwnershipControls operation: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting
I was following the documentation to disable the bucket ACL: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3/client/put_bucket_ownership_controls.html#
but it didn't work out. Please help!
- 新しい順
- 投票が多い順
- コメントが多い順
From the docs is looks like you have to reset the ACL and migrate the permissions to a bucket policy.
For example, if an existing bucket ACL grants public read access, you cannot apply the bucket
owner enforced setting for Object Ownership until you migrate these ACL permissions to a
bucket policy and reset your bucket ACL to the default private ACL.
Is it possible that someone from the AWS community will update the boto3 script I provided above by taking an example of a dummy S3 bucket by applying different ACL types @kentrad and @alatech?