Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?

Last updated: 2022-01-24

An AWS Identity and Access Management (IAM) user from another AWS account uploaded an object to my Amazon Simple Storage Service (Amazon S3) bucket. When I try to access that object, I receive the 403 Access Denied error. How can I fix this?

Short description

For existing Amazon S3 buckets with the default object ownership settings, the object owner is the AWS account which uploaded the object to the bucket. For these existing buckets, an object owner had to explicitly grant permissions to an object (by attaching an access control list). Otherwise, the bucket owner would be unable to access the object.

With S3 Object Ownership, bucket owners can now manage the ownership of any objects uploaded to their buckets. By default, all newly created S3 buckets have the bucket owner enforced setting enabled. When the bucket owner enforced setting is enabled, bucket owners become the object owners for all objects inside the bucket. Additionally, any ACLs on a bucket and its objects are disabled.

You can also set S3 Object Ownership on existing buckets by either enabling the bucket owner enforced setting or bucket owner preferred setting. When the bucket owner preferred setting is enabled, ACLs are still enabled. Also, only objects uploaded to the bucket with a bucket-owner-full-control ACL are owned by the bucket owner. If you enable the bucket owner enforced setting on an existing bucket, then note that you can also disable it at any time. (Disabling the bucket owner enforced setting on an existing bucket re-enables any buckets and object ACLs that were previously applied.)

It's a best practice that bucket owners use the bucket owner enforced setting on new and existing buckets, while managing permissions through IAM and bucket policies.

Important: Before you disable any ACLs on existing buckets, assess the potential impact. If there are several ACLs on an object or bucket, review and update your bucket and IAM policies to grant the required permissions.

Resolution

To disable ACLs on for your bucket and to take ownership of all objects in the bucket, run the following command:

aws s3api put-bucket-ownership-controls --bucket example-bucket --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'

If you can't disable ACLs on your bucket, then use the following options to grant access to objects in your bucket.

Grant access during a put or copy operation

During a put or copy operation, the object owner can specify that the ACL of the object gives full control to the bucket owner.

For a put operation, the object owner can run this command:

aws s3api put-object --bucket destination_DOC-EXAMPLE-BUCKET --key dir-1/my_images.tar.bz2 --body my_images.tar.bz2 --acl bucket-owner-full-control

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

For a copy operation of a single object, the object owner can run one of these commands:

aws s3api copy-object --bucket destination_DOC-EXAMPLE-BUCKET --key source_DOC-EXAMPLE-BUCKET/myobject --acl bucket-owner-full-control

-or-

aws s3 cp s3://source_DOC-EXAMPLE-BUCKET/myobject s3://destination_DOC-EXAMPLE-BUCKET/ --acl bucket-owner-full-control

For a copy operation of multiple objects, the object owner can run this command:

aws s3 cp s3://source_DOC-EXAMPLE-BUCKET/ s3://destination_DOC-EXAMPLE-BUCKET/ --acl bucket-owner-full-control --recursive

Grant access after the object is added to the bucket

If the object is already in a bucket in another account, then the object owner can grant the bucket owner access with a put-object-acl command:

aws s3api put-object-acl --bucket destination_DOC-EXAMPLE-BUCKET --key keyname --acl bucket-owner-full-control

Require that objects grant the bucket owner full control

You can use a bucket policy to require that any objects uploaded to your bucket by another account must set the ACL as "bucket-owner-full-control". For an example, see When other AWS accounts upload objects to my S3 bucket, how can I require that they grant me ownership of objects?