How do I change object ownership for an Amazon S3 bucket when the objects are uploaded by other AWS accounts?


I want to use Amazon Simple Storage Service (Amazon S3) Object Ownership to change ownership of objects uploaded to a bucket by other AWS accounts.

Short description

Important: Objects in Amazon S3 aren't always automatically owned by the AWS account that uploaded them.

An Amazon S3 bucket owner can own all objects in the bucket by using the Bucket owner enforced setting in S3 Object Ownership. To make the bucket owner account own all objects in a newly created bucket, turn on the Bucket owner enforced setting. This setting also turns off all access control lists (ACLs) for the bucket, which simplifies access management for data stored in S3.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Change object ownership of objects uploaded by other AWS accounts

Note: Before you use S3 Object Ownership to change object ownership for a bucket, make sure that you have access to the s3:PutBucketOwnershipControls action. For more information, see Actions, resources, and condition keys for Amazon S3.

Change object ownership to bucket owner account for new and existing objects uploaded by other accounts in Amazon S3 buckets

If you want to change object ownership for objects in an existing Amazon S3 bucket, choose the ACLs disabled (Bucket owner enforced) option under S3 Object Ownership. This option gives the bucket owner full control over all objects in the bucket and transfers ownership of those objects to the bucket owner's account.

When you use this option, ACLs no longer affect permission to access data in your S3 bucket. The option changes the ownership of all objects in the bucket, including objects that already exist, and of any objects that you add after you turn on the ACLs disabled setting. To define access control, use a bucket policy.

Note: If your bucket ACL grants access to another AWS account or to any predefined group, then the request to apply the Bucket owner enforced setting fails.

To apply the Bucket owner enforced setting, your bucket ACL must grant full control only to the bucket owner. This is what the default canned ACL (private) does. To reset the ACL for your bucket to the default ACL, run the following AWS CLI command:

aws s3api put-bucket-acl --bucket example-bucket --acl private

Before you turn on the Bucket owner enforced setting, see Prerequisites for disabling ACLs.

Change object ownership to the bucket owner account for new objects uploaded by other accounts in Amazon S3 buckets

Under S3 Object Ownership, from the ACLs enabled options, choose Bucket owner preferred. With this setting, new objects that other accounts write with the bucket-owner-full-control canned ACL are automatically owned by the bucket owner rather than by the object writer. Objects that other accounts write without that canned ACL remain owned by the writer. The Bucket owner preferred setting doesn't change the ownership of existing objects. You can still update and use ACLs to grant permissions. For more information, see Enforcing ownership of Amazon S3 objects in a multi-account environment.

Change object ownership to the AWS account that uploaded the object

To keep object ownership with the AWS account that uploaded the object, choose the Object writer option, which is listed under the ACLs enabled options in S3 Object Ownership. With this setting, the AWS account that uploaded an object owns that object. The object owner has full control over the object and can use ACLs to grant other users access to it.
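The following script is an added example, not code from this article or from AWS. It does two things the three sections above describe: it checks a bucket ACL for grants that would make the Bucket owner enforced request fail (the prerequisite in the first section) and emits the CLI commands to fix and apply the setting, and it works out who ends up owning a newly written object under each of the three Object Ownership settings. SAMPLE_BUCKET_ACL is a constructed document in the shape returned by aws s3api get-bucket-acl; the 64-character IDs are placeholder canonical user IDs, not real accounts, and example-bucket is the article's placeholder bucket name.

```python
"""Offline helpers for the S3 Object Ownership procedures in this article.

Added example; not code from the Knowledge Center article or from AWS.
SAMPLE_BUCKET_ACL is a constructed document in the shape returned by
`aws s3api get-bucket-acl` (and boto3 get_bucket_acl); the 64-character
IDs are placeholder canonical user IDs, not real accounts.
"""

OWNER_ID = "a" * 64          # placeholder canonical ID of the bucket owner
OTHER_ACCOUNT_ID = "b" * 64  # placeholder canonical ID of another AWS account

SAMPLE_BUCKET_ACL = {
    "Owner": {"DisplayName": "bucket-owner", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
         "Permission": "FULL_CONTROL"},
        # Cross-account grant: blocks the Bucket owner enforced setting.
        {"Grantee": {"Type": "CanonicalUser", "ID": OTHER_ACCOUNT_ID},
         "Permission": "READ"},
        # Predefined group grant (server access logging): also blocks it.
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}


def grants_blocking_enforced(acl):
    """Return the bucket-ACL grants that are not FULL_CONTROL for the bucket owner.

    An empty list means the ACL is equivalent to the private canned ACL, which
    is the prerequisite for PutBucketOwnershipControls with BucketOwnerEnforced.
    """
    owner_id = acl["Owner"]["ID"]
    blocking = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        owner_full_control = (grantee.get("Type") == "CanonicalUser"
                              and grantee.get("ID") == owner_id
                              and grant["Permission"] == "FULL_CONTROL")
        if not owner_full_control:
            blocking.append(grant)
    return blocking


def describe_grant(grant):
    """Human-readable one-liner for a grant, for the precheck report."""
    grantee = grant["Grantee"]
    who = grantee.get("ID") or grantee.get("URI") or grantee.get("EmailAddress", "?")
    return f"{grant['Permission']} -> {grantee.get('Type')} {who}"


def enforced_migration_commands(bucket, acl):
    """AWS CLI commands, in order, to move `bucket` to Bucket owner enforced.

    The put-bucket-acl reset is the article's command and is emitted only when
    the current bucket ACL would make the ownership-controls request fail.
    """
    commands = []
    if grants_blocking_enforced(acl):
        commands.append(f"aws s3api put-bucket-acl --bucket {bucket} --acl private")
    commands.append(
        f"aws s3api put-bucket-ownership-controls --bucket {bucket} "
        "--ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'"
    )
    return commands


def new_object_owner(setting, bucket_owner_id, uploader_id, canned_acl=None):
    """Who owns a newly written object under each S3 Object Ownership setting.

    Raises ValueError for the PUT that S3 rejects: with BucketOwnerEnforced, any
    ACL other than bucket-owner-full-control fails (AccessControlListNotSupported).
    """
    if setting == "BucketOwnerEnforced":
        if canned_acl not in (None, "bucket-owner-full-control"):
            raise ValueError("AccessControlListNotSupported: bucket does not allow ACLs")
        return bucket_owner_id
    if setting == "BucketOwnerPreferred":
        if canned_acl == "bucket-owner-full-control":
            return bucket_owner_id
        return uploader_id
    if setting == "ObjectWriter":
        return uploader_id
    raise ValueError(f"unknown ObjectOwnership value: {setting}")


if __name__ == "__main__":
    print("Grants blocking Bucket owner enforced:")
    for g in grants_blocking_enforced(SAMPLE_BUCKET_ACL):
        print("  " + describe_grant(g))
    print("Run, in order:")
    for c in enforced_migration_commands("example-bucket", SAMPLE_BUCKET_ACL):
        print("  " + c)
    for setting in ("ObjectWriter", "BucketOwnerPreferred", "BucketOwnerEnforced"):
        for acl in (None, "bucket-owner-full-control"):
            owner = new_object_owner(setting, OWNER_ID, OTHER_ACCOUNT_ID, acl)
            who = "bucket owner" if owner == OWNER_ID else "uploader"
            print(f"{setting:21} acl={acl!s:26} -> owner={who}")
```

The precheck only covers the bucket ACL, which is the condition the article's put-bucket-acl command addresses. Existing object ACLs are not checked because the enforced setting simply stops honoring them; review any bucket policies or applications that relied on those object ACLs before you apply it.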

Related information

Controlling ownership of objects and disabling ACLs for your bucket

How can I copy all objects from one Amazon S3 bucket to another bucket?

How can I add bucket-owner-full-control ACL to my objects in Amazon S3?

AWS OFFICIAL, updated 2 months ago
2 Comments

When object ownership is transferred from the old account to the new account, if the S3 objects in the old account are encrypted with a customer-managed KMS key, then when those objects are transferred to the new account, are those objects automatically encrypted in the new account or not?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR, replied a year ago