How can I change the ownership of publicly (anonymously) owned objects in my Amazon S3 bucket?

Last updated: 2019-09-24

My Amazon Simple Storage Service (Amazon S3) bucket has an object with public (anonymous) ownership. How can I change the object's ownership so that my AWS account owns the object?

Short Description

By default, an S3 object is owned by the identity that uploaded the object. This means that if you allow public write access to your bucket, then objects uploaded by public (anonymous) users are publicly owned. To prevent security issues, the best practice is to block public access to your bucket.

If an object has already been uploaded to your bucket by an anonymous user and you want your AWS account to own the object, you must modify the object's access control list (ACL). Change the object's ACL to grant the bucket owner (your account) full control of the object.

Resolution

Follow these steps to change the object's ownership to the AWS account that owns the bucket:

1.    To add an object ACL, run the put-object-acl command using the AWS Command Line Interface (AWS CLI). Include the --acl option with the value bucket-owner-full-control to add an ACL that grants the bucket owner control of the object. Then, include the --no-sign-request option to use anonymous credentials for the request. The full put-object-acl command with the options that you need is similar to the following:  

aws s3api put-object-acl --bucket awsexamplebucket --key awsexampleobject --acl bucket-owner-full-control --no-sign-request

2.    To apply the ownership change, you must copy the object over itself. To do this, you can run the cp command, similar to the following:

aws s3 cp s3://awsexamplebucket/awsexampleobject s3://awsexamplebucket/awsexampleobject --metadata-directive REPLACE

3.    To check the ownership change, run the get-object-acl command, similar to the following:

aws s3api get-object-acl --bucket awsexamplebucket --key awsexampleobject

The command returns output that displays the object's owner and its grants, similar to the following:

{
    "Owner": {
        "DisplayName": "jane",
        "ID": "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "jane",
                "ID": "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
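The check in step 3 can be automated by parsing the get-object-acl output instead of reading it by eye. The following is an added example, not part of the AWS article: it assumes the bucket owner's canonical ID is the example ID shown in the output above, both ACL samples are constructed, and it goes one step beyond the article by also flagging any grants to the AllUsers or AuthenticatedUsers groups that would leave the object public.

```python
import json

# Canonical-user ID of the account that owns the bucket. This is the example ID
# from the get-object-acl output above; use your own account's canonical ID
# (for instance from `aws s3api list-buckets --query Owner.ID`).
BUCKET_OWNER_ID = "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099"

# Predefined S3 groups whose presence in an ACL means the object is still public.
PUBLIC_GROUP_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)


def check_object_acl(acl_json: str, bucket_owner_id: str = BUCKET_OWNER_ID) -> dict:
    """Evaluate a get-object-acl response and report whether the bucket owner
    now owns the object, holds FULL_CONTROL on it, and whether any grants to
    the public groups remain."""
    acl = json.loads(acl_json)
    owner_has_full_control = False
    public_grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        permission = grant.get("Permission")
        if (grantee.get("Type") == "CanonicalUser"
                and grantee.get("ID") == bucket_owner_id
                and permission == "FULL_CONTROL"):
            owner_has_full_control = True
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            public_grants.append((grantee["URI"].rsplit("/", 1)[-1], permission))
    return {
        "owned_by_bucket_owner": acl.get("Owner", {}).get("ID") == bucket_owner_id,
        "owner_has_full_control": owner_has_full_control,
        "public_grants": public_grants,
    }


# Constructed sample 1: the ACL after the three steps (same shape as the output above).
FIXED_ACL = json.dumps({
    "Owner": {"DisplayName": "jane", "ID": BUCKET_OWNER_ID},
    "Grants": [{"Grantee": {"DisplayName": "jane", "ID": BUCKET_OWNER_ID,
                            "Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"}],
})

# Constructed sample 2: an object still owned by another canonical user, with a
# public READ grant left in place; this is the state a bucket audit should flag.
STALE_ACL = json.dumps({
    "Owner": {"ID": "0" * 64},  # placeholder canonical ID, not the bucket owner
    "Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUP_URIS[0]},
                "Permission": "READ"}],
})
```

Feed it the JSON from `aws s3api get-object-acl` for each key; any result where `owned_by_bucket_owner` is false or `public_grants` is non-empty still needs the steps above or a tightened bucket policy.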
