Setting Object Ownership on an existing bucket - Amazon Simple Storage Service

Setting Object Ownership on an existing bucket

You can configure S3 Object Ownership on an existing S3 bucket. To apply Object Ownership when you create a bucket, see Setting Object Ownership when you create a bucket.

S3 Object Ownership is an Amazon S3 bucket-level setting that you can use to disable access control lists (ACLs) and take ownership of every object in your bucket, simplifying access management for data stored in Amazon S3. We recommend that you disable ACLs unless you to need to control access at the individual object level.

Object Ownership has three settings that you can use to control ownership of objects uploaded to your bucket and to disable or enable ACLs:

ACLs disabled

  • Bucket owner enforced (recommended) – ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket. The bucket uses policies to define access control.

ACLs enabled

  • Bucket owner preferred – The bucket owner owns and has full control over new objects that other accounts write to the bucket with the bucket-owner-full-control canned ACL.

  • Object writer (default) – The AWS account that uploads an object owns the object, has full control over it, and can grant other users access to it through ACLs.

Prerequisites: Before you apply the bucket owner enforced setting to disable ACLs, you must migrate bucket ACL permissions to bucket policies and reset your bucket ACLs to the default private ACL. We also recommend that you migrate object ACL permissions to bucket policies and edit bucket policies that require ACLs other than bucket owner full control ACLs. For more information, see Prerequisites for disabling ACLs.

Permissions: To use this operation, you must have the s3:PutBucketOwnershipControls permission. For more information about Amazon S3 permissions, see Actions, resources, and condition keys for Amazon S3.

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the Buckets list, choose the name of the bucket that you want to apply an S3 Object Ownership setting to.

  3. Choose the Permissions tab.

  4. Under Object Ownership, choose Edit.

  5. Under Object Ownership, to disable or enable ACLs and control ownership of objects uploaded in your bucket, choose one of the following settings:

    ACLs disabled

    • Bucket owner enforced – ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket. The bucket uses policies to define access control.

      To require that all new buckets are created with ACLs disabled by using IAM or AWS Organizations policies, see Disabling ACLs for all new buckets (bucket owner enforced).

    ACLs enabled

    • Bucket owner preferred – The bucket owner owns and has full control over new objects that other accounts write to the bucket with the bucket-owner-full-control canned ACL.

      If you apply the bucket owner preferred setting, to require all Amazon S3 uploads to include the bucket-owner-full-control canned ACL, you can add a bucket policy that only allows object uploads that use this ACL.

    • Object writer – The AWS account that uploads an object owns the object, has full control over it, and can grant other users access to it through ACLs.

  6. Choose Save.

To apply an Object Ownership setting for an existing bucket, use the put-bucket-ownership-controls command with the --ownership-controls parameter.

This example applies the bucket owner enforced setting for an existing bucket using the AWS CLI:

aws s3api put-bucket-ownership-controls --bucket DOC-EXAMPLE-BUCKET --ownership-controls Rules=[{ObjectOwnership=BucketOwnerEnforced}]

This example applies the BucketOwnerEnforced setting for Object Ownership on an existing bucket using the AWS SDK for Java:

// Build the ObjectOwnership for BucketOwnerEnforced OwnershipControlsRule rule = OwnershipControlsRule.builder() .objectOwnership(ObjectOwnership.BucketOwnerEnforced) .build(); OwnershipControls ownershipControls = OwnershipControls.builder() .rules(rule) .build() // Build the PutBucketOwnershipControlsRequest PutBucketOwnershipControlsRequest putBucketOwnershipControlsRequest = PutBucketOwnershipControlsRequest.builder() .bucket(BUCKET_NAME) .ownershipControls(ownershipControls) .build(); // Send the request to Amazon S3 s3client.putBucketOwnershipControls(putBucketOwnershipControlsRequest);

To use AWS CloudFormation to apply an Object Ownership setting for an existing bucket, see AWS::S3::Bucket OwnershipControls in the AWS CloudFormation User Guide.

To use the REST API to apply an Object Ownership setting to an existing S3 bucket, use PutBucketOwnershipControls. For more information, see PutBucketOwnershipControls in the Amazon Simple Storage Service API Reference.

Next steps: After you apply the bucket owner enforced or bucket owner preferred settings for Object Ownership, you can further take the following steps:

  • Bucket owner enforced – Require that all new buckets are created with ACLs disabled by using an IAM or Organizations policy.

  • Bucket owner preferred – Add an S3 bucket policy to require the bucket-owner-full-control canned ACL for all object uploads to your bucket.