Disable bucket ACL(s) in a given AWS account

0

Hi AWS,

I have a requirement where I need to disable the Access Control Lists (ACLs) for the S3 buckets in a given AWS account. Doing this manually is time-consuming and not the appropriate method, so I have written a basic boto3 script to accomplish the same. The code snippet is as follows:

import boto3

def main():
    bucket_acl()

def bucket_acl():
    client = boto3.client('s3')
    response = client.list_buckets()
    for bucket in response['Buckets']:
        name = bucket['Name']
        bucket_acl_status = client.get_bucket_acl(
            Bucket=name
        )
        print(bucket_acl_status['Grants'])

        disable_bucket_acl = client.put_bucket_ownership_controls(
            Bucket=name,
            OwnershipControls={
                'Rules': [
                    {
                        'ObjectOwnership': 'BucketOwnerEnforced'
                    },
                ]
            }
        )
        print(disable_bucket_acl)

main()

When I run the Python code, the following error occurs:

botocore.exceptions.ClientError: An error occurred (InvalidBucketAclWithObjectOwnership) when calling the PutBucketOwnershipControls operation: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting

I was following the documentation to disable the bucket ACL: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3/client/put_bucket_ownership_controls.html#

but it didn't work out. Please help!

asked a year ago, 882 views
1 Answer
2

From the docs it looks like you have to reset the ACL and migrate the permissions to a bucket policy.

For example, if an existing bucket ACL grants public read access, you cannot apply the bucket 
owner enforced setting for Object Ownership until you migrate these ACL permissions to a 
bucket policy and reset your bucket ACL to the default private ACL. 
kentrad (AWS, EXPERT), answered a year ago
reviewed by an EXPERT a year ago
  • Is it possible that someone from the AWS community will update the boto3 script I provided above by taking an example of a dummy S3 bucket by applying different ACL types @kentrad and @alatech?
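
One way to apply the answer above across an account, as an added example that is not part of the original thread: inspect each bucket's ACL first and apply `BucketOwnerEnforced` only where the ACL is already the default private one (owner `FULL_CONTROL` only), reporting the grants that still need migrating to a bucket policy. The function names, the `reset_acl` switch and the sample ACLs with a placeholder owner ID are assumptions made for illustration.

```python
# Added example, not code from the thread. Sample ACLs below are constructed.
OWNER = {"ID": "owner-canonical-id-placeholder"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
               "Permission": "FULL_CONTROL"}
SAMPLE_PRIVATE = {"Owner": OWNER, "Grants": [OWNER_GRANT]}
SAMPLE_PUBLIC_READ = {"Owner": OWNER, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}


def extra_grants(acl):
    """Grants beyond the default private ACL (owner FULL_CONTROL only)."""
    owner_id = acl["Owner"]["ID"]
    return [g for g in acl["Grants"]
            if not (g["Grantee"].get("Type") == "CanonicalUser"
                    and g["Grantee"].get("ID") == owner_id
                    and g["Permission"] == "FULL_CONTROL")]


def enforce_bucket_owner(client, bucket, reset_acl=False):
    """Return (status, extras); status is 'enforced' or 'needs-migration'."""
    extras = extra_grants(client.get_bucket_acl(Bucket=bucket))
    if extras and not reset_acl:
        # Leave the bucket alone: these grants must first move to a bucket policy.
        return "needs-migration", extras
    if extras:
        # Resetting drops the access these grants gave; do it only after migrating.
        client.put_bucket_acl(Bucket=bucket, ACL="private")
    client.put_bucket_ownership_controls(
        Bucket=bucket,
        OwnershipControls={"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]})
    return "enforced", extras


def main():
    import boto3  # imported here so the helpers above work without AWS access
    client = boto3.client("s3")
    for b in client.list_buckets()["Buckets"]:
        status, extras = enforce_bucket_owner(client, b["Name"])
        print(b["Name"], status, extras)


if __name__ == "__main__":
    main()
```

Buckets reported as `needs-migration` are the ones that would raise `InvalidBucketAclWithObjectOwnership`; pass `reset_acl=True` only after an equivalent bucket policy is in place.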
