Posted On: Nov 30, 2021

Amazon S3 introduces a new S3 Object Ownership setting, Bucket owner enforced, that disables access control lists (ACLs), simplifying access management for data stored in S3. When you apply this bucket-level setting, every object in an S3 bucket is owned by the bucket owner, and ACLs are no longer used to grant permissions. As a result, access to your data is based on policies, including AWS Identity and Access Management (IAM) policies applied to IAM identities, session policies, Amazon S3 bucket and access point policies, and Virtual Private Cloud (VPC) endpoint policies. This setting applies to both new and existing objects in a bucket, and you can control access to this setting using IAM policies. With the new S3 Object Ownership setting, you can easily review, manage, and modify access to your shared data sets in Amazon S3 using only policies.

ACLs were the original way to control access in S3. Subsequently, IAM and policies were introduced for permission control across AWS resources. Now, by enabling the S3 Object Ownership feature, you can change how S3 performs access control for a bucket so that only IAM policies are used. S3 Object Ownership's new Bucket owner enforced setting disables ACLs for your bucket and the objects in it, and updates every object so that each object is owned by the bucket owner. When you apply this setting, ownership change happens automatically, and applications that write data to a bucket no longer need to specify any ACL. You can enable this setting for existing buckets or when you create a new bucket.

Amazon S3 Object Ownership is available at no additional cost in all AWS Regions, excluding the AWS GovCloud (US) Regions and AWS China Regions. You can configure S3 Object Ownership through the S3 console, AWS Command Line Interface (CLI), Amazon S3 REST API, AWS Software Development Kits (SDKs), or AWS CloudFormation. To learn more about S3 Object Ownership, visit the S3 User Guide or read the AWS News Blog.