Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?

Last updated: 2019-06-21

An AWS Identity and Access Management (IAM) user from another AWS account uploaded an object to my Amazon Simple Storage Service (Amazon S3) bucket. When I try to access that object, I receive the 403 Access Denied error. How can I fix this? 

Short Description

By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account. To get access to the object, the object owner must explicitly grant you (the bucket owner) access.

The object owner can grant the bucket owner full control of the object by updating the access control list (ACL) of the object. The object owner can update the ACL either during a put or copy operation, or after the object is added to the bucket.

Resolution

Grant access during a put or copy operation

During a put or copy operation, the object owner can specify that the ACL of the object gives full control to the bucket owner.

For a put operation, the object owner can run this command: 

aws s3api put-object --bucket destination_awsexamplebucket --key dir-1/my_images.tar.bz2 --body my_images.tar.bz2 --acl bucket-owner-full-control

For a copy operation of a single object, the object owner can run one of these commands: 

aws s3api copy-object --bucket destination_awsexammplebucket --key source_awsexamplebucket/myobject --acl bucket-owner-full-control

or

aws s3 cp s3://source_awsexamplebucket/myobject s3://destination_awsexamplebucket/ --acl bucket-owner-full-control

For a copy operation of multiple objects, the object owner can run this command:

aws s3 cp s3://source_awsexamplebucket/ s3://destination_awsexamplebucket/ --acl bucket-owner-full-control --recursive

Grant access after the object is added to the bucket

If the object is already in a bucket in another account, the object owner can grant the bucket owner access with a put-object-acl command:

aws s3api put-object-acl --bucket destination_awsexamplebucket --key keyname --acl bucket-owner-full-control

Require that objects grant the bucket owner full control

You can use a bucket policy to require that any objects uploaded to your bucket by another account must set the ACL as "bucket-owner-full-control". For an example, see When other AWS accounts upload objects to my Amazon S3 bucket, how can I require that they grant me ownership of the objects?