Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?
Last updated: 2021-09-08
An AWS Identity and Access Management (IAM) user from another AWS account uploaded an object to my Amazon Simple Storage Service (Amazon S3) bucket. When I try to access that object, I receive the 403 Access Denied error. How can I fix this?
By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account. To get access to the object, the object owner must explicitly grant you (the bucket owner) access.
The object owner can grant the bucket owner full control of the object by updating the access control list (ACL) of the object. The object owner can update the ACL either during a put or copy operation, or after the object is added to the bucket.
Note: Avoid using a COPY request to change the object ACL after an object was uploaded to the S3 bucket. Instead, it's a best practice to use the put-object-acl command to update the object ACL.
Grant access during a put or copy operation
During a put or copy operation, the object owner can specify that the ACL of the object gives full control to the bucket owner.
For a put operation, the object owner can run this command:
aws s3api put-object --bucket destination_DOC-EXAMPLE-BUCKET --key dir-1/my_images.tar.bz2 --body my_images.tar.bz2 --acl bucket-owner-full-control
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
For a copy operation of a single object, the object owner can run one of these commands:
aws s3api copy-object --bucket destination_DOC-EXAMPLE-BUCKET --key myobject --copy-source source_DOC-EXAMPLE-BUCKET/myobject --acl bucket-owner-full-control
aws s3 cp s3://source_DOC-EXAMPLE-BUCKET/myobject s3://destination_DOC-EXAMPLE-BUCKET/ --acl bucket-owner-full-control
For a copy operation of multiple objects, the object owner can run this command:
aws s3 cp s3://source_DOC-EXAMPLE-BUCKET/ s3://destination_DOC-EXAMPLE-BUCKET/ --acl bucket-owner-full-control --recursive
Grant access after the object is added to the bucket
If the object is already in a bucket in another account, then the object owner can grant the bucket owner access with a put-object-acl command:
aws s3api put-object-acl --bucket destination_DOC-EXAMPLE-BUCKET --key keyname --acl bucket-owner-full-control
Require that objects grant the bucket owner full control
You can use a bucket policy to require that any objects uploaded to your bucket by another account must set the ACL as "bucket-owner-full-control". For an example, see When other AWS accounts upload objects to my S3 bucket, how can I require that they grant me ownership of objects?
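The following Python is an added example, not part of the original article and not AWS's own code. It ties together the two checks a bucket owner usually wants while working through this issue: verifying from `get-object-acl` output whether the bucket owner actually holds FULL_CONTROL on an object (the state the put-object-acl command above is meant to produce), and generating the bucket policy that denies cross-account uploads unless they set the bucket-owner-full-control canned ACL, together with a small evaluator that shows which upload requests that policy rejects. The bucket name, the canonical IDs and the two ACL documents are constructed placeholders; the policy itself is the standard explicit-Deny pattern on `s3:PutObject` with a `StringNotEquals` condition on `s3:x-amz-acl`.

```python
import json
from typing import Optional

# Constructed placeholders; replace with your own bucket name and the canonical
# user IDs shown by "aws s3api list-buckets" (bucket owner) and "get-object-acl".
BUCKET = "DOC-EXAMPLE-BUCKET"
BUCKET_OWNER_ID = "BUCKET_OWNER_CANONICAL_ID_PLACEHOLDER"
UPLOADER_ID = "UPLOADER_CANONICAL_ID_PLACEHOLDER"

# Constructed sample of "aws s3api get-object-acl" output for an object that was
# uploaded by another account with the default (private) ACL: only the uploader
# holds FULL_CONTROL, so the bucket owner gets 403 Access Denied on GetObject.
SAMPLE_ACL_BEFORE = {
    "Owner": {"ID": UPLOADER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": UPLOADER_ID},
         "Permission": "FULL_CONTROL"},
    ],
}

# Constructed sample of the same object after the uploader ran
# "put-object-acl --acl bucket-owner-full-control": the object owner is unchanged,
# but a second FULL_CONTROL grant now names the bucket owner.
SAMPLE_ACL_AFTER = {
    "Owner": {"ID": UPLOADER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": UPLOADER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": BUCKET_OWNER_ID},
         "Permission": "FULL_CONTROL"},
    ],
}


def bucket_owner_has_full_control(acl: dict, bucket_owner_id: str) -> bool:
    """Return True if a CanonicalUser grant in the ACL gives the bucket owner
    FULL_CONTROL. This is the condition that clears the 403 described above."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "CanonicalUser"
                and grantee.get("ID") == bucket_owner_id
                and grant.get("Permission") == "FULL_CONTROL"):
            return True
    return False


def bucket_owner_full_control_policy(bucket: str) -> dict:
    """Bucket policy that denies s3:PutObject unless the request sets the
    x-amz-acl header to bucket-owner-full-control."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RequireBucketOwnerFullControl",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control"
                    }
                },
            }
        ],
    }


def upload_allowed_by_policy(policy: dict, request_acl: Optional[str]) -> bool:
    """Evaluate the explicit Deny statements above against a PutObject request.

    IAM's negated operators (StringNotEquals) match when the condition key is
    absent from the request, so an upload that sends no x-amz-acl header at all
    is denied too, not only one that sends a different canned ACL.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        wanted = stmt.get("Condition", {}).get("StringNotEquals", {}).get("s3:x-amz-acl")
        if wanted is None or request_acl != wanted:
            return False  # the Deny statement matches this request
    return True


if __name__ == "__main__":
    print("bucket owner has FULL_CONTROL before put-object-acl:",
          bucket_owner_has_full_control(SAMPLE_ACL_BEFORE, BUCKET_OWNER_ID))
    print("bucket owner has FULL_CONTROL after put-object-acl: ",
          bucket_owner_has_full_control(SAMPLE_ACL_AFTER, BUCKET_OWNER_ID))
    policy = bucket_owner_full_control_policy(BUCKET)
    # Write the policy to a file for "aws s3api put-bucket-policy --policy file://policy.json".
    print(json.dumps(policy, indent=2))
    for acl in ("bucket-owner-full-control", "private", None):
        print(f"upload with x-amz-acl={acl!r} allowed:",
              upload_allowed_by_policy(policy, acl))
```

Apply the generated document with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json` from the bucket owner's account; note that the Deny has no effect on objects that are already in the bucket, which still need the put-object-acl fix described above.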