When other AWS accounts upload objects to my Amazon S3 bucket, how can I require that they grant me ownership of the objects?

Last updated: 2019-04-26

I want users from other AWS accounts to be able to upload objects to my Amazon Simple Storage Service (Amazon S3) bucket. However, I want to require that users grant me full control of those objects. How can I do that? 

Resolution

Add a bucket policy that grants users access to put objects in your bucket only when they grant you (the bucket owner) full control of the object.

For example, this bucket policy specifies that ExampleUser can upload objects to awsexamplebucket only when the object's access control list (ACL) is set to bucket-owner-full-control:

{
    "Id": "Policy1541018284691",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1541018283275",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::awsexamplebucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            },
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/ExampleUser"
                ]
            }
        }
    ]
}

After you add this bucket policy, users must set the object's ACL to bucket-owner-full-control as part of the upload request, similar to the following:

aws s3 cp example.jpg s3://awsexamplebucket --acl bucket-owner-full-control

If users fail to meet the ACL requirement in their upload request, then they receive the error message "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied".

For existing objects in your bucket that are owned by other accounts, the object owner can run a put-object-acl command to grant you full control:

aws s3api put-object-acl --bucket awsexamplebucket --key example.jpg --acl bucket-owner-full-control