How do I change object ownership for an Amazon S3 bucket when the objects are uploaded by other AWS accounts?

Last updated: 2021-12-17

I'm trying to change ownership of objects in an Amazon Simple Storage Service (Amazon S3) bucket using S3 Object Ownership. How can I do this?

Short description

Important: Objects in S3 are no longer automatically owned by the AWS account that uploads them.

With the Bucket owner enforced setting in S3 Object Ownership, all objects in an Amazon S3 bucket can now be owned by the bucket owner. The Bucket owner enforced feature also disables all access control lists (ACLs), which simplifies access management for data stored in S3.

By default, any newly created buckets have the Bucket owner enforced setting enabled. However, for existing buckets, an Amazon S3 object is still owned by the AWS account that uploaded it, unless you explicitly disable the ACLs. To change object ownership of objects in an existing bucket, see How can I change the ownership of publicly owned objects in my S3 bucket?

Resolution

Changing object ownership of objects uploaded by other AWS accounts

Note: Before you use S3 Object Ownership to change object ownership for a bucket, make sure that you have access to the s3:PutBucketOwnershipControls action. Otherwise, you can't view the object ownership for objects in a bucket. For more information about S3 permissions, see Actions, resources, and condition keys for Amazon S3.

Changing object ownership for objects in an existing Amazon S3 bucket (disable ACLs)

If you're trying to change object ownership for objects in an existing Amazon S3 bucket, choose the ACLs disabled option under S3 Object Ownership. This option gives the bucket owner full control over all the objects in the S3 bucket and transfers the ownership to the bucket owner's account.

With this option set, ACLs no longer affect permissions to access data in your S3 bucket. Rather, this option changes the ownership of all objects in the bucket, including the objects that exist and any objects that you add after setting the ACLs disabled option. To define access control, use a bucket policy.

Note: If your existing ACLs grant access to an external AWS account or any other group, then the Bucket owner enforced setting won't work. To apply the Bucket owner enforced setting, your bucket ACL must give full control only to the bucket owner. Before enabling the Bucket owner enforced setting, see Prerequisites for disabling ACLs.
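
The prerequisite in the note above can be checked before you change the setting. The following Python sketch is an added example, not code from AWS or from the original article. It reads an ACL in the shape of a GetBucketAcl response, reports every grant to anyone other than the bucket owner, and applies Bucket owner enforced through boto3 only when none remain. The function names and the sample ACLs are constructed for illustration, and it assumes that any grant to a non-owner grantee blocks the setting.

```python
# Added example: pre-check a bucket ACL before disabling ACLs.
# Input has the shape of an S3 GetBucketAcl response (boto3 get_bucket_acl).

def blocking_grants(acl):
    """Return (grantee, permission) for every grant not made to the bucket owner."""
    owner_id = acl["Owner"]["ID"]
    blockers = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        # Groups (URI) and other accounts (ID or e-mail) are all non-owner grantees.
        if grantee.get("Type") != "CanonicalUser" or grantee.get("ID") != owner_id:
            who = grantee.get("URI") or grantee.get("ID") or grantee.get("EmailAddress")
            blockers.append((who, grant["Permission"]))
    return blockers

def owner_has_full_control(acl):
    owner_id = acl["Owner"]["ID"]
    return any(
        g["Grantee"].get("ID") == owner_id and g["Permission"] == "FULL_CONTROL"
        for g in acl.get("Grants", [])
    )

def ready_for_bucket_owner_enforced(acl):
    return owner_has_full_control(acl) and not blocking_grants(acl)

def disable_acls(bucket):
    """Check the live bucket ACL, then apply the Bucket owner enforced setting."""
    import boto3  # imported here so the checks above run without the AWS SDK
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    if not ready_for_bucket_owner_enforced(acl):
        raise RuntimeError(f"fix the bucket ACL first; non-owner grants: {blocking_grants(acl)}")
    s3.put_bucket_ownership_controls(
        Bucket=bucket,
        OwnershipControls={"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]},
    )

# Constructed sample ACLs; the IDs are placeholders, not real canonical user IDs.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Owner": {"ID": "OWNER-ID-PLACEHOLDER"}, "Grants": [OWNER_GRANT]}
SHARED_ACL = {"Owner": PRIVATE_ACL["Owner"], "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "CanonicalUser", "ID": "OTHER-ACCOUNT-ID-PLACEHOLDER"}, "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "READ_ACP"},
]}
```

Because ACLs stop being evaluated once the setting is applied, move any access that the reported grants provided into the bucket policy before you call disable_acls.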

Granting access to objects uploaded by other AWS accounts (enable ACLs)

From the list of enabled ACLs, choose the Bucket owner preferred option under S3 Object Ownership. Any new objects that are uploaded to this bucket are owned by the bucket owner with the bucket-owner-full-control default ACL. However, the Bucket owner preferred setting doesn't affect the ownership of existing objects. For more information about the Bucket owner preferred setting and ACLs, see Enforcing ownership of Amazon S3 objects in a multi-account environment.

Changing object ownership to the AWS account that uploaded it (enable ACLs)

To transfer object ownership to the AWS account that uploaded the object, enable the Object writer option under S3 Object Ownership. This option makes sure that the AWS account that uploaded the object owns the object. The object owner then has full control over the object, and can grant other users access to the object using ACLs.