When other AWS accounts upload objects to my Amazon S3 bucket, how can I require that they grant me full control of the objects?

2 minute read

I want to allow users from other AWS accounts to upload objects to my Amazon Simple Storage Service (Amazon S3) bucket. However, I want to require that users grant me full control of those objects.

Resolution

Add a bucket policy that requires users to include the bucket-owner-full-control access control list (ACL) when they upload objects to your bucket.

For example, this bucket policy specifies that ExampleUser can upload objects to DOC-EXAMPLE-BUCKET only when the object's ACL is set to bucket-owner-full-control:

{
  "Id": "Policy1541018284691",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1541018283275",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      },
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:user/ExampleUser"
        ]
      }
    }
  ]
}

After you add this bucket policy, users must include the required ACL as part of the upload request, such as in the following example:

aws s3 cp example.jpg s3://DOC-EXAMPLE-BUCKET --acl bucket-owner-full-control

If users fail to meet the ACL requirement in their upload request, then they receive the following error message:

"An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"

For objects in your bucket that other accounts own, the object owner can run a put-object-acl command to grant you control of the object:

aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key example.jpg --acl bucket-owner-full-control

The bucket-owner-full-control ACL grants the bucket owner full access to an object that another account uploads. However, this ACL alone doesn't grant ownership of the object. To automatically get ownership of objects that upload with the bucket-owner-full-control ACL, set S3 Object Ownership to bucket owner preferred. After you update S3 Object Ownership, the bucket owner automatically owns any new objects that upload with bucket-owner-full-control.

Related information

Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?

Managing buckets using canned ACLs

IAM tutorial: Delegate access across AWS accounts using IAM roles

Mapping of ACL permissions and access policy permissions

Topics

Storage

Relevant content

Make object that upload by account-b role public in account-a bucket
Accepted Answer
dxs
asked 6 years ago
Unable to upload an object to cross account S3 bucket through console - ACLs disabled
Accepted Answer
Prachi Kashikar
asked a year ago
S3 Bucket Object Ownership "The bucket ownership controls were not found"
awsuser199229993
asked a month ago
Access denied when trying to GET objects uploaded to s3 bucket via aws sdk using cloudfront
Accepted Answer
InfinityString
asked 3 years ago
S3 Static Website Objects 403 Forbidden when Uploaded from Different Account
total_snooze
asked 3 years ago
How can I grant a user in another AWS account the access to upload objects to my Amazon S3 bucket?
AWS OFFICIALUpdated 2 years ago
How do I change object ownership for an Amazon S3 bucket when the objects are uploaded by other AWS accounts?
AWS OFFICIALUpdated 9 months ago
Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?
AWS OFFICIALUpdated 8 months ago
How do I add the bucket-owner-full-control ACL to my objects in Amazon S3?
AWS OFFICIALUpdated 8 months ago
Why can't my S3 File Gateway access objects uploaded by cross-account users?
EXPERT
Tyler
published 10 months ago

When other AWS accounts upload objects to my Amazon S3 bucket, how can I require that they grant me full control of the objects?

Resolution

Related information

Related videos

Relevant content