I want users from other AWS accounts to be able to upload objects to my Amazon Simple Storage Service (Amazon S3) bucket. However, I want to require that users grant me full control of those objects. How can I do that?
Resolution
Add a bucket policy that requires users to include the bucket-owner-full-control access control list (ACL) when they upload objects to your bucket.
For example, this bucket policy specifies that the IAM user ExampleUser in account 111122223333 can upload objects to DOC-EXAMPLE-BUCKET only when the object's ACL is set to bucket-owner-full-control:

{
    "Id": "Policy1541018284691",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1541018283275",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            },
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/ExampleUser"
                ]
            }
        }
    ]
}
After you add this bucket policy, users must include the required ACL as part of the upload request, similar to the following:
aws s3 cp example.jpg s3://DOC-EXAMPLE-BUCKET --acl bucket-owner-full-control
If users fail to meet the ACL requirement in their upload request, then they receive the error message "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied".
For existing objects in your bucket that are owned by other accounts, the object owner can run a put-object-acl command to grant you full control:
aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key example.jpg --acl bucket-owner-full-control
The bucket-owner-full-control ACL grants the bucket owner full access to an object uploaded by another account, but this ACL alone doesn't grant ownership of the object. To automatically get ownership of objects uploaded with the bucket-owner-full-control ACL, set S3 Object Ownership to bucket owner preferred. After you update S3 Object Ownership, new objects uploaded with the bucket-owner-full-control ACL are automatically owned by the bucket's account.
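The following Python script is an added example, not part of the AWS article. It generates the bucket policy shown above for any list of cross-account principals and then models how S3 evaluates a PutObject request against it, so you can see why an upload without the bucket-owner-full-control ACL is denied while the same upload with the ACL is allowed. It also encodes the ownership caveat from the preceding paragraph: the ACL grants the bucket owner full access, but the object changes owner only when S3 Object Ownership is set to bucket owner preferred. The evaluator is a deliberately small model of IAM policy evaluation (one Allow statement, no explicit Deny, implicit deny otherwise); the account IDs, ARNs and bucket name are constructed sample values, and the BucketOwnerEnforced branch goes beyond the article to cover the setting that disables ACLs entirely.

```python
"""Added example (not AWS's code): build the bucket-owner-full-control policy
and simulate S3's Allow / implicit-deny decision for a PutObject request."""
import fnmatch
import json
from typing import List, Optional

REQUIRED_ACL = "bucket-owner-full-control"


def build_policy(bucket: str, principal_arns: List[str]) -> dict:
    """Return a bucket policy allowing the listed principals to upload only
    when the request carries the bucket-owner-full-control ACL."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RequireBucketOwnerFullControl",  # constructed Sid
                "Effect": "Allow",
                "Principal": {"AWS": list(principal_arns)},
                "Action": ["s3:PutObject", "s3:PutObjectAcl"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringEquals": {"s3:x-amz-acl": REQUIRED_ACL}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, principal_arn: str, action: str,
             resource_arn: str, request_context: dict) -> str:
    """Model the outcome of a request against the bucket policy.

    request_context holds the condition keys present on the request, for
    example {"s3:x-amz-acl": "bucket-owner-full-control"}. A StringEquals
    condition whose key is absent from the request evaluates to false, which
    is why 'aws s3 cp' without --acl is denied under this policy.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(stmt["Principal"]["AWS"]):
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        resources = _as_list(stmt["Resource"])
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request_context.get(k) == v for k, v in string_equals.items()):
            return "Allow"
    return "Deny"  # implicit deny: no statement matched the request


def object_owner_after_upload(bucket_account: str, uploader_account: str,
                              acl: Optional[str], object_ownership: str) -> str:
    """Return the account that owns a newly uploaded object.

    Mirrors the article's caveat: the ACL alone grants the bucket owner full
    access but not ownership. Ownership transfers when S3 Object Ownership is
    BucketOwnerPreferred and the ACL is bucket-owner-full-control. The
    BucketOwnerEnforced branch is an addition beyond the article: with ACLs
    disabled, the bucket owner owns every object regardless of ACL.
    """
    if object_ownership == "BucketOwnerEnforced":
        return bucket_account
    if object_ownership == "BucketOwnerPreferred" and acl == REQUIRED_ACL:
        return bucket_account
    return uploader_account  # ObjectWriter, or missing/other ACL


if __name__ == "__main__":
    uploader = "arn:aws:iam::111122223333:user/ExampleUser"  # constructed
    policy = build_policy("DOC-EXAMPLE-BUCKET", [uploader])
    print(json.dumps(policy, indent=4))
    obj = "arn:aws:s3:::DOC-EXAMPLE-BUCKET/example.jpg"
    for ctx in ({"s3:x-amz-acl": REQUIRED_ACL}, {}, {"s3:x-amz-acl": "private"}):
        print(ctx, "->", evaluate(policy, uploader, "s3:PutObject", obj, ctx))
    for setting in ("ObjectWriter", "BucketOwnerPreferred"):
        owner = object_owner_after_upload("999999999999", "111122223333",
                                          REQUIRED_ACL, setting)
        print(setting, "-> object owned by", owner)
```

The evaluator intentionally ignores the uploader's own identity-based policies and any explicit Deny statements; it exists to show the effect of the s3:x-amz-acl condition in isolation. To apply the ownership setting from the last paragraph with the CLI, the corresponding command is `aws s3api put-bucket-ownership-controls --bucket DOC-EXAMPLE-BUCKET --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerPreferred}]'`.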
Related information
Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?
Granting cross-account permissions to upload objects while ensuring the bucket owner has full control
Tutorial: Delegate access across AWS accounts using IAM roles
Mapping of ACL permissions and access policy permissions