Configure S3 Object Ownership

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the S3 Object Ownership feature is configured for your Amazon S3 buckets in order to enable you to automatically assume ownership of the S3 objects uploaded to your buckets. The feature allows you to take ownership of new objects that other AWS accounts upload to your bucket using the "bucket-owner-full-control" canned Access Control List (ACL).

Security

By default, when other AWS accounts upload objects to your Amazon S3 bucket, the objects remain owned by the uploading account. Once the S3 Object Ownership feature is enabled for your bucket, any new objects that are written by other accounts with the "bucket-owner-full-control" canned ACL automatically become owned by the bucket owner, who then has full control over the objects. With S3 Object Ownership, you can create shared data stores that multiple users and teams in different AWS accounts can write to and read from, and standardize ownership of new S3 objects in your bucket. As the bucket owner, you can then share and manage access to these objects via resource-based policies.

The Bucket owner preferred setting does not affect existing S3 objects; it only changes the ownership of new objects uploaded with the bucket-owner-full-control canned ACL. The stricter Bucket owner enforced setting disables ACLs for the bucket altogether, so the bucket owner owns and has full control over every object in it without any ACL being required on upload.


Audit

To determine if S3 Object Ownership is enabled and configured for your Amazon S3 buckets, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://s3.console.aws.amazon.com/s3.

03 Click on the name (link) of the S3 bucket that you want to examine to access the bucket configuration.

04 Select the Permissions tab, locate the Object ownership section, and check the Object ownership configuration attribute value. If the Object ownership attribute value is set to Object writer, the object writer remains the object owner, therefore the S3 Object Ownership configuration set for the selected Amazon S3 bucket does not enable you to take ownership of new S3 objects.

05 Repeat steps no. 3 and 4 for each Amazon S3 bucket that you want to examine, available within your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets \
  --query 'Buckets[*].Name'

02 The command output should return the name(s) of your Amazon S3 bucket(s):

[
	"cc-project5-api-bucket",
	"cc-project5-media-bucket",
	"cc-project5-backup-bucket"
]

03 Run get-bucket-ownership-controls command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter and custom query filters to describe the S3 Object Ownership feature configuration set for the selected bucket:

aws s3api get-bucket-ownership-controls \
  --bucket cc-project5-api-bucket \
  --query 'OwnershipControls.Rules[*].ObjectOwnership'

04 The command output should return the requested configuration information:

[
	"ObjectWriter"
]

If the command output returns the OwnershipControlsNotFoundError error message, i.e. "An error occurred (OwnershipControlsNotFoundError) when calling the GetBucketOwnershipControls operation: The bucket ownership controls were not found", the S3 Object Ownership feature is not enabled and configured, therefore the S3 objects are owned by the identity that uploaded those objects (default behavior). If the get-bucket-ownership-controls command output returns "ObjectWriter", as shown in the output example above, the object writer remains the object owner, therefore the S3 Object Ownership feature is not configured to enable you to take ownership of the new S3 objects uploaded to the selected bucket. An output of "BucketOwnerPreferred" or "BucketOwnerEnforced" means the bucket owner takes ownership of new objects (with "BucketOwnerEnforced", of all objects, because ACLs are disabled), so the bucket is compliant.

05 Repeat step no. 3 and 4 for each Amazon S3 bucket that you want to examine, available within your AWS cloud account.
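The audit steps above can be automated across every bucket in an account. The following script is an added example for this page and is not Conformity's own tooling: it lists the buckets, calls GetBucketOwnershipControls for each, treats the OwnershipControlsNotFoundError case and ObjectWriter as non-compliant, and accepts BucketOwnerPreferred or BucketOwnerEnforced. The S3 client is injected, so the same logic runs offline against the constructed FakeS3 stand-in (an assumption for the example) and live with boto3 when `--live` is passed.

```python
"""Audit S3 Object Ownership for every bucket in an account.

Added example for this page, not Conformity's own tooling. It automates the
CLI audit above: list the buckets, call GetBucketOwnershipControls for each,
and report ObjectWriter or a missing configuration (the
OwnershipControlsNotFoundError case) as non-compliant. The S3 client is
injected, so the logic also runs offline against the constructed FakeS3 below.
"""
try:
    from botocore.exceptions import ClientError
except ImportError:  # boto3 absent: mirror botocore's ClientError(error_response, operation_name)
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response, operation_name)
            self.response = error_response
            self.operation_name = operation_name

NOT_FOUND = "OwnershipControlsNotFoundError"
COMPLIANT = ("BucketOwnerPreferred", "BucketOwnerEnforced")


def object_ownership(s3, bucket):
    """Return the bucket's ObjectOwnership value, or None when it was never set."""
    try:
        resp = s3.get_bucket_ownership_controls(Bucket=bucket)
    except ClientError as exc:
        if exc.response.get("Error", {}).get("Code") == NOT_FOUND:
            return None  # default behaviour: the uploading account owns the object
        raise  # AccessDenied, NoSuchBucket etc. are real problems, not findings
    rules = resp.get("OwnershipControls", {}).get("Rules", [])
    return rules[0].get("ObjectOwnership") if rules else None


def classify(ownership):
    """Map a setting to (status, reason) following the page's audit logic."""
    if ownership in COMPLIANT:
        return ("COMPLIANT", ownership)
    if ownership is None:
        return ("NON_COMPLIANT", "not configured")
    return ("NON_COMPLIANT", ownership)  # ObjectWriter (or anything unexpected)


def audit(s3):
    """Return {bucket_name: (status, reason)} for every bucket the client can list."""
    buckets = [b["Name"] for b in s3.list_buckets().get("Buckets", [])]
    return {name: classify(object_ownership(s3, name)) for name in buckets}


class FakeS3:
    """Constructed stand-in for a boto3 S3 client (assumption: only the two calls used above)."""

    def __init__(self, settings):
        self.settings = settings  # bucket name -> ownership value, or None for "never configured"

    def list_buckets(self):
        return {"Buckets": [{"Name": name} for name in self.settings]}

    def get_bucket_ownership_controls(self, Bucket):
        value = self.settings[Bucket]
        if value is None:
            raise ClientError(
                {"Error": {"Code": NOT_FOUND, "Message": "The bucket ownership controls were not found"}},
                "GetBucketOwnershipControls",
            )
        return {"OwnershipControls": {"Rules": [{"ObjectOwnership": value}]}}


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:
        import boto3  # real run against the caller's AWS credentials
        client = boto3.client("s3")
    else:  # constructed sample mirroring the bucket names used on this page
        client = FakeS3({
            "cc-project5-api-bucket": "ObjectWriter",
            "cc-project5-media-bucket": None,
            "cc-project5-backup-bucket": "BucketOwnerPreferred",
        })
    for bucket, (status, reason) in sorted(audit(client).items()):
        print(f"{bucket}: {status} ({reason})")
```

Only the OwnershipControlsNotFoundError code is swallowed; any other ClientError (for example AccessDenied on a bucket in another region or account) is re-raised, so a permissions problem does not silently show up as a clean result.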

Remediation/Resolution

To configure S3 Object Ownership to enable you to take ownership of the new objects uploaded to your Amazon S3 buckets, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure S3 Object Ownership",
	"Resources": {
		"S3Bucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": "cc-project5-api-bucket",
				"OwnershipControls": {
					"Rules": [
						{
							"ObjectOwnership": "BucketOwnerPreferred"
						}
					]
				}
			}
		},
		"S3BucketPolicy": {
			"Type": "AWS::S3::BucketPolicy",
			"UpdateReplacePolicy": "Delete",
			"Properties": {
				"Bucket": "cc-project5-api-bucket",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "Only allow writes to my S3 bucket with bucket owner full control",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/project5-owner"
								]
							},
							"Action": [
								"s3:PutObject"
							],
							"Resource": "arn:aws:s3:::cc-project5-api-bucket/*",
							"Condition": {
								"StringEquals": {
									"s3:x-amz-acl": "bucket-owner-full-control"
								}
							}
						}
					]
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure S3 Object Ownership
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: cc-project5-api-bucket
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    UpdateReplacePolicy: Delete
    Properties:
      Bucket: cc-project5-api-bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: Only allow writes to my S3 bucket with bucket owner full control
            Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::123456789012:user/project5-owner
            Action:
              - s3:PutObject
            Resource: arn:aws:s3:::cc-project5-api-bucket/*
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_s3_bucket" "s3-bucket" {
  bucket = "cc-project5-api-bucket"
}

resource "aws_s3_bucket_ownership_controls" "s3-bucket-ownership" {
  bucket = aws_s3_bucket.s3-bucket.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_policy" "s3-bucket-policy" {
  bucket = aws_s3_bucket.s3-bucket.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "Only allow writes to my S3 bucket with bucket owner full control",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : [
            "arn:aws:iam::123456789012:user/project5-owner"
          ]
        },
        "Action" : [
          "s3:PutObject"
        ],
        "Resource" : "arn:aws:s3:::cc-project5-api-bucket/*",
        "Condition" : {
          "StringEquals" : {
            "s3:x-amz-acl" : "bucket-owner-full-control"
          }
        }
      }
    ]
  })
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://s3.console.aws.amazon.com/s3.

03 Click on the name (link) of the S3 bucket that you want to reconfigure.

04 Select the Permissions tab, locate the Object ownership section, and choose Edit.

05 On the Edit object ownership configuration page, under Object ownership , select Bucket owner preferred to enable the bucket owner to own the new S3 objects if the objects are uploaded with the bucket-owner-full-control canned ACL. As bucket owner, this will enable you to take ownership of the new objects uploaded to the selected Amazon S3 bucket. Choose Save changes to apply the configuration changes.

06 To enforce the object ownership, add a bucket policy that requires S3 PUT operations to include the bucket-owner-full-control ACL. This Access Control List (ACL) grants the bucket owner full control of the new objects, and with S3 Object Ownership set to Bucket owner preferred, it transfers object ownership to the bucket owner. If the object writer doesn't meet the ACL requirement during the upload, the request fails, which lets bucket owners enforce uniform ownership across all newly uploaded objects. Note that the policy below is a conditional Allow: it gates principals that depend on the bucket policy for access (such as writers in other AWS accounts), but principals in the bucket's own account whose IAM policies already grant s3:PutObject are not blocked by it; blocking those requires an explicit Deny on uploads that lack the ACL. To apply the required policy, select the Permissions tab, find the Bucket policy section, choose Edit, and add the policy document listed below (replace the placeholders in angle brackets with the corresponding information). Once the bucket policy is added, choose Save changes to apply the changes. The following S3 bucket policy specifies that the identity represented by "arn:aws:iam::<aws-account-id>:user/<user-name>" can upload objects to <bucket-name> only when the object's ACL is set to bucket-owner-full-control:

{
	"Version": "2012-10-17",
	"Statement": [
	   {
		  "Sid": "Only allow writes to my S3 bucket with bucket owner full control",
		  "Effect": "Allow",
		  "Principal": {
			 "AWS": [
				"arn:aws:iam::<aws-account-id>:user/<user-name>"
			 ]
		  },
		  "Action": [
			 "s3:PutObject"
		  ],
		  "Resource": "arn:aws:s3:::<bucket-name>/*",
		  "Condition": {
			 "StringEquals": {
				"s3:x-amz-acl": "bucket-owner-full-control"
			 }
		  }
	   }
	]
 }

07 Repeat steps no. 3 – 6 to configure S3 Object Ownership for other Amazon S3 buckets available in your AWS cloud account.

Using AWS CLI

01 Run put-bucket-ownership-controls command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier parameter, to configure the S3 Object Ownership feature to enable the bucket owner to own the new S3 objects if the objects are uploaded with the bucket-owner-full-control canned ACL. As bucket owner, this will enable you to take ownership of the new objects uploaded to the selected Amazon S3 bucket (the command does not produce an output):

aws s3api put-bucket-ownership-controls \
  --bucket cc-project5-api-bucket \
  --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerPreferred}]'

02 To enforce the object ownership, add a bucket policy that requires S3 PUT operations to include the bucket-owner-full-control ACL. This Access Control List (ACL) grants the bucket owner full control of the new objects. If the object writer doesn't meet the ACL requirement during the upload, the request fails, which lets bucket owners enforce uniform ownership across all newly uploaded objects. Note that the policy below is a conditional Allow: it gates principals that depend on the bucket policy for access (such as writers in other AWS accounts), but principals in the bucket's own account whose IAM policies already grant s3:PutObject are not blocked by it; blocking those requires an explicit Deny on uploads that lack the ACL. To create the required policy, add the policy document listed below to a JSON file named bucket-policy.json (replace the placeholders in angle brackets with the corresponding information). The following S3 bucket policy specifies that the AWS identity represented by "arn:aws:iam::<aws-account-id>:user/<user-name>" can upload objects to <bucket-name> only when the object's ACL is set to bucket-owner-full-control:

{
	"Version": "2012-10-17",
	"Statement": [
	   {
		  "Sid": "Only allow writes to my S3 bucket with bucket owner full control",
		  "Effect": "Allow",
		  "Principal": {
			 "AWS": [
				"arn:aws:iam::<aws-account-id>:user/<user-name>"
			 ]
		  },
		  "Action": [
			 "s3:PutObject"
		  ],
		  "Resource": "arn:aws:s3:::<bucket-name>/*",
		  "Condition": {
			 "StringEquals": {
				"s3:x-amz-acl": "bucket-owner-full-control"
			 }
		  }
	   }
	]
 }

03 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the bucket policy created at the previous step to the S3 bucket that you want to enforce S3 Object Ownership for (the command does not produce an output):

aws s3api put-bucket-policy \
  --bucket cc-project5-api-bucket \
  --policy file://bucket-policy.json

04 Repeat steps no. 1 – 3 to configure S3 Object Ownership for other Amazon S3 buckets available within your AWS cloud account.
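The bucket policy used in the Console and CLI remediation above is a conditional Allow, which only restricts principals that need the bucket policy to get access at all. The following script is an added example for this page, not Conformity's or AWS's own code: it classifies how a policy document gates s3:PutObject on the bucket-owner-full-control ACL ("deny", "allow" or "none"), and appends an explicit Deny for uploads that lack the ACL, which also blocks same-account principals whose IAM policies grant s3:PutObject, because an explicit Deny overrides any Allow. The PAGE_POLICY document is constructed from the page's sample values; the Deny statement's Sid and the `--apply` flag are this example's own choices.

```python
"""Check whether a bucket policy actually enforces bucket-owner-full-control.

Added example for this page, not Conformity's or AWS's own code. The policy
attached above is a conditional Allow: it gates principals that depend on the
bucket policy for access (cross-account writers), but a principal in the
bucket's own account whose IAM policy already grants s3:PutObject can still
upload without the ACL. An explicit Deny on uploads lacking the ACL closes
that gap, since an explicit Deny overrides any Allow.
"""
import copy
import fnmatch

ACL_KEY = "s3:x-amz-acl"
ACL_VALUE = "bucket-owner-full-control"

# The page's policy with its placeholders filled in with the page's sample values (constructed).
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Only allow writes to my S3 bucket with bucket owner full control",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::123456789012:user/project5-owner"]},
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::cc-project5-api-bucket/*",
            "Condition": {"StringEquals": {ACL_KEY: ACL_VALUE}},
        }
    ],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _covers_put_object(stmt):
    """True if the statement's Action patterns include s3:PutObject (wildcards allowed)."""
    return any(fnmatch.fnmatchcase("s3:putobject", a.lower()) for a in _as_list(stmt.get("Action", [])))


def _condition_values(stmt, operator):
    """Values the statement's Condition compares s3:x-amz-acl against under `operator`."""
    return _as_list(stmt.get("Condition", {}).get(operator, {}).get(ACL_KEY, []))


def enforcement_level(policy):
    """Return 'deny', 'allow' or 'none' for how the policy gates PutObject on the ACL.

    'deny'  - explicit Deny when s3:x-amz-acl != bucket-owner-full-control (robust)
    'allow' - only a conditional Allow; same-account IAM grants bypass it
    'none'  - nothing in the policy ties PutObject to the ACL
    """
    level = "none"
    for stmt in _as_list(policy.get("Statement", [])):
        if not _covers_put_object(stmt):
            continue
        if stmt.get("Effect") == "Deny" and ACL_VALUE in _condition_values(stmt, "StringNotEquals"):
            return "deny"
        if stmt.get("Effect") == "Allow" and ACL_VALUE in _condition_values(stmt, "StringEquals"):
            level = "allow"
    return level


def add_enforcing_deny(policy, bucket):
    """Return a copy of `policy` with the explicit Deny appended when it is missing."""
    hardened = copy.deepcopy(policy)
    if enforcement_level(hardened) == "deny":
        return hardened  # idempotent: nothing to add
    hardened["Statement"] = _as_list(hardened.get("Statement", [])) + [{
        "Sid": "DenyPutObjectWithoutBucketOwnerFullControl",  # example's own Sid
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        # StringNotEquals also matches when the header is absent, so uploads
        # that send no ACL at all are denied as well.
        "Condition": {"StringNotEquals": {ACL_KEY: ACL_VALUE}},
    }]
    return hardened


if __name__ == "__main__":
    import json
    import sys

    bucket = "cc-project5-api-bucket"
    print("page policy enforcement:", enforcement_level(PAGE_POLICY))
    hardened = add_enforcing_deny(PAGE_POLICY, bucket)
    print("hardened policy enforcement:", enforcement_level(hardened))
    if "--apply" in sys.argv:  # real run: attach the hardened policy with boto3
        import boto3
        boto3.client("s3").put_bucket_policy(Bucket=bucket, Policy=json.dumps(hardened))
    else:
        print(json.dumps(hardened, indent=2))
```

The checker deliberately covers only the shapes this page deals with (Allow/Deny on s3:PutObject with a StringEquals or StringNotEquals condition on s3:x-amz-acl); it is not a general IAM policy simulator. Keep the original conditional Allow in place for the cross-account writer and add the Deny alongside it, so that writers without the ACL fail regardless of how they obtained s3:PutObject.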

Publication date Sep 5, 2023