How can I change the ownership of publicly (anonymously) owned objects in my Amazon S3 bucket?

Last updated: 2020-12-23

My Amazon Simple Storage Service (Amazon S3) bucket has an object with public (anonymous) ownership. How can I change the object's ownership so that my AWS account owns the object?

Short description

By default, an S3 object is owned by the AWS account that uploaded it. If you allow public write access to your bucket, an object uploaded by a public (anonymous) user is therefore owned by the anonymous user, not by your account, and your account can't read the object or change its permissions unless the object's ACL grants you access. To prevent this, the best practice is to block public access to your bucket.

If an anonymous user already uploaded an object to your bucket and you want your AWS account to own it, first change the object's access control list (ACL) to grant the bucket owner (your account) full control of the object. This grant doesn't by itself transfer ownership; it lets your account read the object so that you can copy it over itself with your own credentials. The copy is a new object that is owned by your account.

Resolution

Follow these steps to change the object's ownership to the AWS account that owns the bucket:

1.    Run the put-object-acl command in the AWS Command Line Interface (AWS CLI) to add an object ACL that grants the bucket owner full control of the object. Include the --acl option with the value bucket-owner-full-control. Because the anonymous owner is the only principal that can change this object's ACL, also include the --no-sign-request option so that the request is sent unsigned (as the anonymous user) rather than with your own credentials. The full put-object-acl command with the options that you need is similar to the following:

aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key awsexampleobject --acl bucket-owner-full-control --no-sign-request

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

2.    To transfer ownership, copy the object over itself using your own (signed) credentials. Amazon S3 writes a new object that is owned by your account. To do this, run the cp command, similar to the following:

aws s3 cp s3://DOC-EXAMPLE-BUCKET/awsexampleobject s3://DOC-EXAMPLE-BUCKET/awsexampleobject --storage-class STANDARD

Note: Amazon S3 rejects a copy of an object onto itself unless the request changes something about the object, such as its metadata or storage class; the --storage-class option satisfies that requirement. Make sure to change the --storage-class value in the example command to the storage class applicable to your use case. Additionally, include any other cp command options that you need for your object, such as server-side encryption options, because the copy doesn't inherit the original object's encryption settings.

3.    To check the ownership change, run the get-object-acl command, similar to the following:

aws s3api get-object-acl --bucket DOC-EXAMPLE-BUCKET --key awsexampleobject

The command returns output that displays the object's owner. Confirm that the ID under Owner is your AWS account's canonical user ID and that the same ID is granted FULL_CONTROL, similar to the following:

{
    "Owner": {
        "DisplayName": "jane",
        "ID": "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "jane",
                "ID": "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

4.    If versioning is enabled on the bucket, then the cp command in step 2 created a new current version of the object, and the previous version, which still has public (anonymous) ownership, remains in the bucket. You must delete that previous version. First, run the list-object-versions command on the bucket. Include the --prefix option to filter the results to the object that had public ownership:

aws s3api list-object-versions --bucket DOC-EXAMPLE-BUCKET --prefix awsexampleobject

The --prefix option returns every key that begins with that string, so check the Key field for an exact match. The version with "IsLatest": true is the copy that your account owns. From the command output, copy the version ID of the older version (the one with "IsLatest": false). Then, run the delete-object command for the version ID that you want to delete:

aws s3api delete-object --bucket DOC-EXAMPLE-BUCKET --key awsexampleobject --version-id 'example.d6tjAKF1iObKbEnNQkIMPjj'

Warning: Review the version ID carefully to be sure that it is the version ID of the object version with public ownership. Deleting a specific version by its version ID removes it permanently; it can't be retrieved.
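The following script is an added example that is not part of the original article: it strings the four steps above together with the AWS CLI and adds the two checks a practitioner wants, comparing the ACL owner against the caller's canonical user ID and selecting only older versions of the exact key for deletion. It assumes the AWS CLI is installed with the bucket owner's credentials configured; the bucket name, key, and the JSON samples at the bottom are constructed placeholders so the parsing helpers can be exercised without an AWS account.

```python
"""Remediate an anonymously owned S3 object (example code, not from the article).

Steps: 1) grant the bucket owner full control with an unsigned request,
2) copy the object over itself with the owner's credentials, 3) verify the
new owner, 4) on a versioned bucket, delete the stale anonymous versions.
Assumes the AWS CLI is on PATH with the bucket owner's credentials.
"""
import json
import subprocess
from typing import Dict, List


def run_aws(args: List[str]) -> str:
    """Run an AWS CLI command and return its stdout; raises on a non-zero exit."""
    result = subprocess.run(["aws", *args], check=True, capture_output=True, text=True)
    return result.stdout


def grant_bucket_owner_cmd(bucket: str, key: str) -> List[str]:
    # Step 1: only the anonymous owner can change this object's ACL, so the
    # request is deliberately unsigned (--no-sign-request).
    return ["s3api", "put-object-acl", "--bucket", bucket, "--key", key,
            "--acl", "bucket-owner-full-control", "--no-sign-request"]


def copy_over_self_cmd(bucket: str, key: str, storage_class: str = "STANDARD") -> List[str]:
    # Step 2: a copy onto the same key is only accepted when something about
    # the object changes; restating the storage class satisfies that, and the
    # new object is owned by the signing account (the bucket owner).
    uri = f"s3://{bucket}/{key}"
    return ["s3", "cp", uri, uri, "--storage-class", storage_class]


def account_canonical_id() -> str:
    """Canonical user ID of the caller, taken from the list-buckets Owner field."""
    return json.loads(run_aws(["s3api", "list-buckets"]))["Owner"]["ID"]


def owned_by(acl: Dict, canonical_id: str) -> bool:
    """Step 3 check: the get-object-acl document names canonical_id as Owner
    and also grants that canonical user FULL_CONTROL."""
    if acl.get("Owner", {}).get("ID") != canonical_id:
        return False
    return any(g.get("Grantee", {}).get("Type") == "CanonicalUser"
               and g["Grantee"].get("ID") == canonical_id
               and g.get("Permission") == "FULL_CONTROL"
               for g in acl.get("Grants", []))


def stale_version_ids(listing: Dict, key: str) -> List[str]:
    """Step 4 selection: version IDs of `key` that are not the current version.
    --prefix also returns other keys that start with the prefix, so an exact
    Key match is required; delete markers are left alone."""
    return [v["VersionId"] for v in listing.get("Versions", [])
            if v.get("Key") == key and not v.get("IsLatest", False)]


def delete_version_cmd(bucket: str, key: str, version_id: str) -> List[str]:
    # Permanent deletion of one version; no delete marker is created.
    return ["s3api", "delete-object", "--bucket", bucket, "--key", key,
            "--version-id", version_id]


def remediate(bucket: str, key: str, delete_old_versions: bool = False) -> bool:
    """Run steps 1-3 against AWS and return whether the caller now owns the
    object; with delete_old_versions=True, also run step 4 on success."""
    run_aws(grant_bucket_owner_cmd(bucket, key))
    run_aws(copy_over_self_cmd(bucket, key))
    me = account_canonical_id()
    acl = json.loads(run_aws(["s3api", "get-object-acl", "--bucket", bucket, "--key", key]))
    ok = owned_by(acl, me)
    if ok and delete_old_versions:
        listing = json.loads(run_aws(["s3api", "list-object-versions",
                                      "--bucket", bucket, "--prefix", key]))
        for vid in stale_version_ids(listing, key):
            run_aws(delete_version_cmd(bucket, key, vid))
    return ok


# Constructed sample documents, shaped like the CLI's JSON output, for offline checks.
EXAMPLE_ID = "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099"
SAMPLE_ACL = {
    "Owner": {"DisplayName": "jane", "ID": EXAMPLE_ID},
    "Grants": [{"Grantee": {"DisplayName": "jane", "ID": EXAMPLE_ID, "Type": "CanonicalUser"},
                "Permission": "FULL_CONTROL"}],
}
SAMPLE_VERSIONS = {
    "Versions": [
        {"Key": "awsexampleobject", "VersionId": "new.ownerCopy", "IsLatest": True},
        {"Key": "awsexampleobject", "VersionId": "example.d6tjAKF1iObKbEnNQkIMPjj", "IsLatest": False},
        {"Key": "awsexampleobject.bak", "VersionId": "other.key", "IsLatest": False},
    ],
    "DeleteMarkers": [],
}

if __name__ == "__main__":
    print("owned:", owned_by(SAMPLE_ACL, EXAMPLE_ID))
    print("stale versions:", stale_version_ids(SAMPLE_VERSIONS, "awsexampleobject"))
    # remediate("DOC-EXAMPLE-BUCKET", "awsexampleobject", delete_old_versions=True)
```

The exact-key match in stale_version_ids is the guard behind the warning above: a prefix filter alone would also return older versions of any key that happens to share the prefix, and delete-object with --version-id removes them permanently.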
