Ensure that S3 Object Ownership is configured for your Amazon S3 buckets so that the bucket owner, and not the AWS account that performed the upload, owns the objects written to the bucket. The feature has three settings: "Object writer" (the historical default; the uploading account keeps ownership), "Bucket owner preferred" (new objects that other AWS accounts upload with the "bucket-owner-full-control" canned Access Control List (ACL) become owned by the bucket owner) and "Bucket owner enforced" (ACLs are disabled and the bucket owner owns every object in the bucket). Buckets created since April 2023 default to "Bucket owner enforced"; buckets created before that may still be on "Object writer", so check each bucket rather than assuming the default.
With the "Object writer" setting, objects that other AWS accounts upload to your Amazon S3 bucket remain owned by the uploading account: the bucket owner can delete such objects or deny access to them, but cannot read them or grant other principals access to them unless the writer grants that through the object ACL. With "Bucket owner preferred", any new object written by another account with the "bucket-owner-full-control" canned ACL automatically becomes owned by the bucket owner, who then has full control over it; an object uploaded without that ACL still belongs to the writer, so pair this setting with a bucket policy that denies s3:PutObject unless the request carries the ACL (condition key s3:x-amz-acl). With "Bucket owner enforced" no ACL is needed at all and access is governed solely by IAM and bucket policies, which is the setting to prefer wherever nothing still depends on ACLs. In either case, S3 Object Ownership lets you create shared data stores that multiple users and teams in different AWS accounts can write to and read from, standardize ownership of new S3 objects in your bucket and, as the bucket owner, share and manage access to those objects via resource-based policies.
The "Bucket owner preferred" setting does not change the ownership of existing S3 objects; only objects uploaded after it is applied are affected. The "Bucket owner enforced" setting applies to every object in the bucket, existing objects included, and existing object ACLs stop affecting permissions once it is in place.
Audit
To determine if S3 Object Ownership is enabled and configured for your Amazon S3 buckets, perform the following operations:
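As an added example (not code from the original page), the following Python script carries out this audit with boto3: it lists the buckets, reads each bucket's Object Ownership setting, treats a bucket with no setting (the API answers OwnershipControlsNotFoundError) as "Object writer", and for "Bucket owner preferred" buckets checks whether the bucket policy actually forces the bucket-owner-full-control ACL on uploads. The bucket name, account IDs and sample policies are constructed for the offline checks; the live scan needs credentials with s3:ListAllMyBuckets, s3:GetBucketOwnershipControls and s3:GetBucketPolicy.

```python
"""Audit S3 Object Ownership for every bucket in an account.

Added example, not code from the original page. The live scan needs boto3 and
AWS credentials; the evaluation functions are pure and run offline on the
constructed sample policies at the bottom of the file.
"""
import json

ACL_KEY = "s3:x-amz-acl"
REQUIRED_ACL = "bucket-owner-full-control"
PUT_ACTIONS = {"s3:putobject", "s3:put*", "s3:*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_requires_bucket_owner_full_control(policy):
    """True when the bucket policy guarantees that every s3:PutObject carries the
    bucket-owner-full-control canned ACL: either an explicit Deny unless the ACL
    is present (strong form), or every Allow that grants PutObject is conditioned
    on that ACL (weaker form; one unconditioned Allow breaks it).
    Accepts a policy document as a dict, a JSON string, or None (no policy)."""
    if policy is None:
        return False
    if isinstance(policy, str):
        policy = json.loads(policy)
    allow_conditions = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & PUT_ACTIONS:
            continue
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Deny":
            acl = cond.get("StringNotEquals", {}).get(ACL_KEY)
            if acl is not None and REQUIRED_ACL in _as_list(acl):
                return True
        elif stmt.get("Effect") == "Allow":
            allow_conditions.append(cond.get("StringEquals", {}).get(ACL_KEY))
    return bool(allow_conditions) and all(
        acl is not None and _as_list(acl) == [REQUIRED_ACL] for acl in allow_conditions
    )


def evaluate_bucket(object_ownership, policy=None):
    """Classify one bucket from its ObjectOwnership value (None when the API
    reports OwnershipControlsNotFoundError: a legacy bucket with no setting,
    which behaves as ObjectWriter) and its bucket policy."""
    if object_ownership == "BucketOwnerEnforced":
        return "PASS", "ACLs disabled; the bucket owner owns every object"
    if object_ownership == "BucketOwnerPreferred":
        if policy_requires_bucket_owner_full_control(policy):
            return "PASS", "bucket owner preferred; policy requires the bucket-owner-full-control ACL"
        return "WARN", ("bucket owner preferred, but uploads that omit the "
                        "bucket-owner-full-control ACL stay owned by the writer")
    shown = object_ownership or "not configured (behaves as ObjectWriter)"
    return "FAIL", f"object ownership is {shown}; cross-account uploads stay owned by the writer"


def audit_account():
    """Live scan over all buckets (needs boto3 and AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    findings = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            rules = s3.get_bucket_ownership_controls(Bucket=name)["OwnershipControls"]["Rules"]
            ownership = rules[0]["ObjectOwnership"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "OwnershipControlsNotFoundError":
                raise
            ownership = None
        try:
            policy = s3.get_bucket_policy(Bucket=name)["Policy"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy = None
        findings[name] = evaluate_bucket(ownership, policy)
    return findings


def _put_statement(effect, principal, condition=None):
    """Constructed sample PutObject statement for a hypothetical bucket."""
    stmt = {"Effect": effect, "Principal": principal, "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-shared-bucket/*"}
    if condition:
        stmt["Condition"] = condition
    return stmt


ACL_COND = {ACL_KEY: REQUIRED_ACL}
# Constructed sample policies (hypothetical bucket and account IDs) for offline checks.
SAMPLE_DENY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    _put_statement("Deny", "*", {"StringNotEquals": ACL_COND})]})
SAMPLE_ALLOW_POLICY = {"Version": "2012-10-17", "Statement": [
    _put_statement("Allow", {"AWS": "arn:aws:iam::111122223333:root"}, {"StringEquals": ACL_COND})]}
SAMPLE_OPEN_POLICY = {"Version": "2012-10-17", "Statement": SAMPLE_ALLOW_POLICY["Statement"] + [
    _put_statement("Allow", {"AWS": "arn:aws:iam::444455556666:root"})]}

if __name__ == "__main__":
    for name, (status, reason) in sorted(audit_account().items()):
        print(f"{status:4} {name}: {reason}")
```

A WARN rather than a FAIL is returned for "Bucket owner preferred" without a policy because the setting does work for cooperating writers; it simply cannot be relied on. The Deny form is checked first because an Allow conditioned on the ACL is only as good as the absence of any other Allow path to s3:PutObject.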
Remediation/Resolution
To configure S3 Object Ownership to enable you to take ownership of the new objects uploaded to your Amazon S3 buckets, perform the following operations:
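As an added example (not code from the original page), the following Python script applies the remediation with boto3: it sets the bucket's Object Ownership to "Bucket owner enforced" by default, or to "Bucket owner preferred" together with a bucket policy statement that denies s3:PutObject unless the bucket-owner-full-control ACL is supplied. The DryRunS3 class is a hypothetical stand-in for the S3 client so the logic can be exercised offline; the bucket names and the sample policy are constructed. Applying it live needs credentials with s3:PutBucketOwnershipControls, s3:GetBucketPolicy and s3:PutBucketPolicy.

```python
"""Remediate S3 Object Ownership on a bucket.

Added example, not code from the original page. Live use needs boto3 and AWS
credentials; DryRunS3 (hypothetical) records the calls instead of making them.
"""
import json

SETTINGS = ("BucketOwnerEnforced", "BucketOwnerPreferred")
STATEMENT_SID = "RequireBucketOwnerFullControl"


def acl_requirement_statement(bucket):
    """Deny any s3:PutObject on the bucket that does not carry the
    bucket-owner-full-control canned ACL. Only needed with BucketOwnerPreferred;
    under BucketOwnerEnforced the ACL is ignored and ownership is automatic."""
    return {
        "Sid": STATEMENT_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }


def merge_statement(existing, statement):
    """Return a policy document containing `statement`, keeping the other
    statements of `existing` (dict, JSON string or None) and replacing any
    statement with the same Sid, so repeated runs are idempotent."""
    if existing is None:
        doc = {"Version": "2012-10-17", "Statement": []}
    else:
        doc = json.loads(existing) if isinstance(existing, str) else dict(existing)
    stmts = doc.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    doc["Statement"] = [s for s in stmts if s.get("Sid") != statement["Sid"]] + [statement]
    return doc


def remediate_bucket(bucket, setting="BucketOwnerEnforced", s3=None):
    """Apply the Object Ownership setting; with BucketOwnerPreferred also install
    the ACL-requiring bucket policy statement. BucketOwnerEnforced is the stronger
    choice: move any ACL-based grants (for example the server access logging
    delivery grant) into the bucket policy first, because ACLs stop working once
    enforced and S3 may reject the change while the bucket ACL still grants
    access to other accounts or groups."""
    if setting not in SETTINGS:
        raise ValueError(f"unsupported setting {setting!r}; use one of {SETTINGS}")
    if s3 is None:
        import boto3
        s3 = boto3.client("s3")
    s3.put_bucket_ownership_controls(
        Bucket=bucket, OwnershipControls={"Rules": [{"ObjectOwnership": setting}]}
    )
    if setting == "BucketOwnerPreferred":
        try:
            existing = s3.get_bucket_policy(Bucket=bucket)["Policy"]
        except Exception as err:  # botocore ClientError exposes the code in .response
            if getattr(err, "response", {}).get("Error", {}).get("Code") != "NoSuchBucketPolicy":
                raise
            existing = None
        doc = merge_statement(existing, acl_requirement_statement(bucket))
        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(doc))
    return setting


class DryRunS3:
    """Minimal stand-in for the boto3 S3 client (hypothetical): records calls.
    `policies` maps bucket name to an existing policy JSON string, as
    get-bucket-policy would return it; `documents` holds the parsed result."""

    def __init__(self, policies=None):
        self.policies = dict(policies or {})
        self.documents = {}
        self.ownership = {}

    def put_bucket_ownership_controls(self, Bucket, OwnershipControls):
        self.ownership[Bucket] = OwnershipControls["Rules"][0]["ObjectOwnership"]

    def get_bucket_policy(self, Bucket):
        if Bucket not in self.policies:
            err = Exception("NoSuchBucketPolicy")
            err.response = {"Error": {"Code": "NoSuchBucketPolicy"}}
            raise err
        return {"Policy": self.policies[Bucket]}

    def put_bucket_policy(self, Bucket, Policy):
        self.documents[Bucket] = json.loads(Policy)  # the real API rejects malformed JSON
        self.policies[Bucket] = Policy


if __name__ == "__main__":
    client = DryRunS3()  # constructed dry run; pass s3=None to apply for real
    remediate_bucket("shared-data", "BucketOwnerPreferred", s3=client)
    print(client.ownership, json.dumps(client.documents["shared-data"], indent=2))
```

Run the audit again after remediation: a bucket moved to "Bucket owner enforced" should report PASS, and a "Bucket owner preferred" bucket should report PASS only once the Deny statement is in its policy.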
References
- AWS Documentation
  - Amazon S3 FAQs
  - Identity and access management in Amazon S3
  - Controlling ownership of objects and disabling ACLs for your bucket
- AWS Command Line Interface (CLI) Documentation
  - s3api
    - list-buckets
    - get-bucket-ownership-controls
    - put-bucket-ownership-controls
    - put-bucket-policy
- AWS Announcements
  - Amazon S3 Object Ownership is available to enable bucket owners to automatically assume ownership of objects uploaded to their buckets
- CloudFormation Documentation
  - Amazon Simple Storage Service resource type reference
- Terraform Documentation
  - AWS Provider