When other AWS accounts upload objects to my Amazon S3 bucket, how can I require that they grant me full control of the objects?

Resolution

Add a bucket policy that requires users to include the bucket-owner-full-control access control list (ACL) when they upload objects to your bucket.

For example, this bucket policy specifies that ExampleUser can upload objects to DOC-EXAMPLE-BUCKET only when the object's ACL is set to bucket-owner-full-control:

{
    "Id": "Policy1541018284691",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1541018283275",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            },
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/ExampleUser"
                ]
            }
        }
    ]
}

After you add this bucket policy, users must include the required ACL as part of the upload request, similar to the following:

aws s3 cp example.jpg s3://DOC-EXAMPLE-BUCKET --acl bucket-owner-full-control

If users fail to meet the ACL requirement in their upload request, then they receive the error message "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied".

For existing objects in your bucket that are owned by other accounts, the object owner can run a put-object-acl command to grant you full control:

aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key example.jpg --acl bucket-owner-full-control

The bucket-owner-full-control ACL grants the bucket owner full access to an object uploaded by another account, but this ACL alone doesn't grant ownership of the object. To automatically get ownership of objects uploaded with the bucket-owner-full-control ACL, set S3 Object Ownership to bucket owner preferred. After you update S3 Object Ownership, new objects uploaded with the bucket-owner-full-control ACL are automatically owned by the bucket's account.

Related information

Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?

Granting cross-account permissions to upload objects while ensuring the bucket owner has full control

Tutorial: Delegate access across AWS accounts using IAM roles

Mapping of ACL permissions and access policy permissions