Disabling ACLs for all new buckets and enforcing Object Ownership
We recommend that you disable ACLs on your Amazon S3 buckets. You can do this by applying the Bucket owner enforced setting for S3 Object Ownership. When you apply this setting, ACLs are disabled and you automatically own and have full control over all objects in your bucket. To require that all new buckets are created with ACLs disabled, use Amazon Identity and Access Management (IAM) policies or Amazon Organizations service control policies (SCPs), as described in the next section.
To enforce object ownership for new objects without disabling ACLs, you can apply the Bucket
owner preferred setting. When you apply this setting, we strongly recommend that you
update your bucket policy to require the bucket-owner-full-control canned
ACL for all PUT requests to your bucket. Make sure you also update your
clients to send the bucket-owner-full-control canned ACL to your bucket
from other accounts.
Topics
Disabling ACLs for all new buckets (bucket owner enforced)
The following example IAM policy denies the s3:CreateBucket permission for a
specific IAM user or role unless the Bucket owner enforced setting is applied for
Object Ownership. The key-value pair in the Condition block specifies
s3:x-amz-object-ownership as its key and the
BucketOwnerEnforced setting as its value. In other words, the
IAM user can create buckets only if they set the Bucket owner enforced setting for
Object Ownership and disable ACLs. You can also use this policy as a boundary SCP
for your Amazon organization.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "RequireBucketOwnerFullControl", "Action": "s3:CreateBucket", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "s3:x-amz-object-ownership": "BucketOwnerEnforced" } } } ] }
Requiring the bucket-owner-full-control
canned ACL for Amazon S3 PUT operations (bucket owner preferred)
With the Bucket owner preferred setting for Object Ownership, you, as the bucket owner,
own and have full control over new objects that other accounts write to your bucket
with the bucket-owner-full-control canned ACL. However, if other
accounts write objects to your bucket without the
bucket-owner-full-control canned ACL, the object writer maintains
full control access. You, as the bucket owner, can implement a bucket policy that
allows writes only if they specify the bucket-owner-full-control canned
ACL.
Note
If you have ACLs disabled with the Bucket owner enforced setting, you, as the bucket owner, automatically own and have full control over all the objects in your bucket. You don't need to use this section to update your bucket policy to enforce object ownership for the bucket owner.
The following bucket policy specifies that account
111122223333DOC-EXAMPLE-BUCKETbucket-owner-full-control. Be sure
to replace 111122223333DOC-EXAMPLE-BUCKET
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Only allow writes to my bucket with bucket owner full control", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws-cn:iam::111122223333:user/ExampleUser" ] }, "Action": [ "s3:PutObject" ], "Resource": "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } } ] }
The following is an example copy operation that includes the
bucket-owner-full-control canned ACL by using the Amazon Command Line Interface
(Amazon CLI).
aws s3 cpfile.txts3://DOC-EXAMPLE-BUCKET--acl bucket-owner-full-control
After the bucket policy is put into effect, if the client does not include the
bucket-owner-full-control canned ACL, the operation fails, and the
uploader receives the following error:
An error occurred (AccessDenied) when calling the PutObject operation:
Access Denied.
Note
If clients need access to objects after uploading, you must grant additional permissions to the uploading account. For information about granting accounts access to your resources, see Example walkthroughs: Managing access to your Amazon S3 resources.