How do I fix the error “Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting” in CloudFormation?

2 minute read

When I try to deploy an Amazon Simple Storage Service (Amazon S3) bucket through an AWS CloudFormation stack, I get an error.

Short description

For newly created buckets, Amazon S3 turns on ObjectOwnership and sets it to BucketOwnerEnforced by default. This setting turns off access controls lists (ACLs), and the bucket owner automatically owns and has full control over every object in the bucket. Therefore, deployments that try to invoke ACLs with this setting result in the following error:

Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: VCC82DDB; S3 Extended Request ID: itIVupTUTYxdhtOqXHTRxiwthYK4I/AvFqgNCWSqs8=; Proxy: null)

For example, the following deployment template results in this error:

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  PortalBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: LogDeliveryWrite
      VersioningConfiguration:
        Status: Enabled
      WebsiteConfiguration:
        IndexDocument: 'index.html'
        ErrorDocument: 'error.html'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

To resolve this issue, change the value of ObjectOwnership for the bucket to allow ACLs.

Important: It's not a best practice to use ACLs for Amazon S3. If your use case requires ACLs, then refer to the following troubleshooting steps to allow them.

Resolution

Set the value of ObjectOwnership to ObjectWriter or BucketOwnerPreferred.
To deploy your S3 bucket, use the following template:

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  PortalBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: LogDeliveryWrite
      VersioningConfiguration:
        Status: Enabled
      WebsiteConfiguration:
        IndexDocument: 'index.html'
        ErrorDocument: 'error.html'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      OwnershipControls:
        Rules:
          - ObjectOwnership: ObjectWriter

This allows you to activate ACLs on the bucket.

For more information on Amazon S3's default behavior with ACLs, see Heads-up: Amazon S3 security changes are coming in April of 2023.

Topics

Management & Governance

Relevant content

AWS S3: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting)
rePost-User-4356071
asked a year ago
Use boto3 to create buckets with ACLs enabled
Accepted Answer
AWS-User-7310704
asked a year ago
'Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting' occurred when create studio
tra-zuc
asked a year ago
Failed to create S3 bucket. AWS Portal: The bucket does not allow ACLs.
Accepted Answer
michi
asked 2 months ago
Storage S3 Bucket ACL Ownership Issue
ArunPB
asked 9 months ago
How do I troubleshoot errors when creating an Amazon S3 bucket?
AWS OFFICIALUpdated a year ago
How do I resolve change set errors in CloudFormation?
AWS OFFICIALUpdated 3 months ago
How do I use custom resources with Amazon S3 buckets in CloudFormation?
AWS OFFICIALUpdated 2 years ago
How can I add bucket-owner-full-control ACL to my objects in Amazon S3?
AWS OFFICIALUpdated 2 years ago
Why doesn't S3 respect the TLS settings in my IAM policy?
EXPERT
Brettski-AWS
published 2 years ago