Using S3 Storage Lens to audit Object Ownership settings - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using S3 Storage Lens to audit Object Ownership settings

Amazon S3 Object Ownership is an S3 bucket-level setting that you can use to disable access control lists (ACLs) and control ownership of the objects in your bucket. If you set Object Ownership to bucket owner enforced, you can disable access control lists (ACLs) and take ownership of every object in your bucket. This approach simplifies access management for data stored in Amazon S3.

By default, when another Amazon Web Services account uploads an object to your S3 bucket, that account (the object writer) owns the object, has access to it, and can grant other users access to it through ACLs. You can use Object Ownership to change this default behavior.

A majority of modern use cases in Amazon S3 no longer require the use of ACLs. Therefore, we recommend that you disable ACLs, except in unusual circumstances where you must control access for each object individually. By setting Object Ownership to bucket owner enforced, you can disable ACLs and rely on policies for access control. For more information, see Controlling ownership of objects and disabling ACLs for your bucket.

With S3 Storage Lens access-management metrics, you can identify buckets that don't have disabled ACLs. After identifying these buckets, you can migrate ACL permissions to policies and disable ACLs for these buckets.

Step 1: Identify general trends for Object Ownership settings

  1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.

  2. In the left navigation pane, choose Storage Lens, Dashboards.

  3. In the Dashboards list, choose the name of the dashboard that you want to view.

  4. In the Snapshot for date section, under Metrics categories, choose Access management.

    The Snapshot for date section updates to display the % Object Ownership bucket owner enforced metric. You can see the overall percentage of buckets in your account or organization that use the bucket owner enforced setting for Object Ownership to disable ACLs.

Step 2: Identify bucket-level trends for Object Ownership settings

  1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.

  2. In the left navigation pane, choose Storage Lens, Dashboards.

  3. In the Dashboards list, choose the name of the dashboard that you want to view.

  4. To view more detailed bucket-level metrics, choose the Bucket tab.

  5. In the Distribution by buckets for date section, choose the % Object Ownership bucket owner enforced metric.

    The chart updates to show a per-bucket breakdown for % Object Ownership bucket owner enforced. You can see which buckets use the bucket owner enforced setting for Object Ownership to disable ACLs.

  6. To view the bucket owner enforced settings in context, scroll down to the Buckets section. For Metrics categories, select Access management. Then clear Summary.

    The Buckets list displays data for all three Object Ownership settings: bucket owner enforced, bucket owner preferred, and object writer.

  7. To filter the Buckets list to display metrics only for a specific Object Ownership setting, choose the preferences icon ( 
                            A screenshot that shows the preferences icon in the S3 Storage Lens
                                dashboard.
                        ).

  8. Clear the metrics that you don't want to see.

  9. (Optional) Under Page size, choose the number of buckets to display in the list.

  10. Choose Confirm.

Step 3: Update your Object Ownership setting to bucket owner enforced to disable ACLs

After you've identified buckets that use the object writer and bucket owner preferred setting for Object Ownership, you can migrate your ACL permissions to bucket policies. When you've finished migrating your ACL permissions, you can then update your Object Ownership settings to bucket owner enforced in order to disable ACLs. For more information, see Prerequisites for disabling ACLs.