Why can't I load website content uploaded to my Amazon S3 bucket from another AWS account?


I use an Amazon Simple Storage Service (Amazon S3) bucket to store content for my website. A user from another AWS account uploaded an object for the website to my bucket. My bucket policy is correct, but the object won't load on the website.

Short description

When your bucket has access control lists (ACLs) activated, you don't own the objects that other AWS accounts upload to your bucket, by default. As a result, you might not be able to read the object. The uploading account must explicitly grant you, the bucket owner, permissions to the object.

Also, a bucket policy doesn't apply to objects in the bucket that are owned by other accounts. Therefore, the bucket policy that grants read access to your website's users doesn't automatically apply to objects that other accounts upload.

To fix this issue, use one of these methods:

  • Deactivate ACLs on your S3 bucket (best practice).
  • Have the object owner grant the object public read access.
  • Have the object owner grant you full control of the object.

Resolution

Deactivate ACLs on your S3 bucket (best practice)

To deactivate ACLs on your Amazon S3 bucket, choose the Bucket owner enforced Object Ownership setting. When you apply this setting, ACLs are turned off, and you automatically own and have full control over all objects in your bucket, including objects that other accounts upload. Because you own the objects, the bucket policy that grants read access applies to them.

Prerequisites

Before you deactivate ACLs, see Prerequisites for deactivating ACLs.

Turn off ACLs

  1. Open the Amazon S3 console.
  2. Choose Buckets, and then select the name of the bucket that you want to apply an S3 Object Ownership setting to.
  3. Choose the Permissions tab.
  4. Under Object Ownership, choose Edit.
  5. Under Object Ownership, choose Bucket owner enforced.
  6. Choose Save.

If your use case doesn't allow you to deactivate ACLs, then use one of these alternate methods.

Have the object owner grant the object public read access

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.

The account that uploaded the object can grant the object public read access. To do this, run this AWS Command Line Interface (AWS CLI) command:

aws s3api put-object-acl --bucket docexamplebucket --key example.jpg --acl public-read

Note: Replace --bucket with the name of the bucket that stores your website content.

Have the object owner grant you full control of the object

Object owners can automatically grant the bucket owner full control of an object. To do this, turn on S3 Object Ownership on the destination bucket. With this setting, an object that the object owner uploads with the bucket-owner-full-control canned ACL is owned by the bucket owner.

After the bucket owner configures their S3 Object Ownership to bucket owner preferred, the bucket owner can add another bucket policy. This additional bucket policy must require all Amazon S3 PUT operations to include the bucket-owner-full-control canned ACL. This ACL grants the bucket owner full control of new objects.

To grant the bucket owner full control of the object, the uploading account must use this CLI syntax during object upload:

aws s3api put-object --bucket docexamplebucket --key example.jpg --acl bucket-owner-full-control

The bucket owner now owns the object, and the object inherits the permissions set on the bucket policy.

For existing objects that were uploaded before you activated S3 Object Ownership, the object owner must grant the bucket owner permissions on the object. Then, the bucket owner must copy over the object itself.

To grant the bucket owner full control of the object, the uploading account must use this CLI syntax:

aws s3api put-object-acl --bucket docexamplebucket --key example.jpg --acl bucket-owner-full-control

To inherit object ownership of the object, the bucket owner must copy over the object itself:

aws s3 cp s3://docexamplebucket/example.jpg s3://docexamplebucket/example.jpg --acl bucket-owner-full-control

The bucket owner now owns the object, and the object inherits the permissions set on the bucket policy.
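The following is an added example, not code from the AWS article: given the bucket owner's canonical ID and an object ACL in the shape that `aws s3api get-object-acl` returns, it decides which of the steps above still applies to an existing object. The ACL document and canonical IDs are constructed placeholders.

```python
# Added example (not from the AWS article): map an existing object's ACL state to
# the remediation step the article prescribes. The ACL JSON and the canonical IDs
# below are constructed placeholders, not real account identifiers.
import json

SAMPLE_ACL_JSON = """
{
  "Owner": {"ID": "uploader-canonical-id-EXAMPLE"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "uploader-canonical-id-EXAMPLE"},
     "Permission": "FULL_CONTROL"}
  ]
}
"""

def load_sample_acl() -> dict:
    return json.loads(SAMPLE_ACL_JSON)

def bucket_owner_has_full_control(acl: dict, bucket_owner_id: str) -> bool:
    """True if some grant gives the bucket owner's canonical user FULL_CONTROL."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "CanonicalUser"
                and grantee.get("ID") == bucket_owner_id
                and grant.get("Permission") == "FULL_CONTROL"):
            return True
    return False

def remediation_for(acl: dict, bucket_owner_id: str) -> str:
    """Return which step from the article is still needed for this object."""
    if acl.get("Owner", {}).get("ID") == bucket_owner_id:
        # Bucket owner already owns the object, so the bucket policy applies.
        return "none"
    if bucket_owner_has_full_control(acl, bucket_owner_id):
        # Grant is present; the bucket owner must copy the object onto itself
        # (aws s3 cp ... --acl bucket-owner-full-control) to take ownership.
        return "copy-object"
    # No grant yet: the uploading account must run put-object-acl first.
    return "uploader-put-object-acl"

if __name__ == "__main__":
    print(remediation_for(load_sample_acl(), "bucket-owner-canonical-id-EXAMPLE"))
```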

Require that cross-account uploads grant the bucket owner full control of the object

To require that all uploads (s3:PutObject) from another account grant the bucket owner full object control, use a bucket policy like this example:

{
  "Id": "Policy1541018284691",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireBucketOwnerFullControlOnPuts",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:user/iam_user"
        ]
      },
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::docexamplebucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

With this bucket policy, the user from the other account (111122223333) can upload to the bucket only when the user specifies the object's ACL. The object's ACL must grant the bucket owner full control. The other account user must then upload the objects, such as in this command:

aws s3 cp path/to/local/file s3://docexamplebucket --acl bucket-owner-full-control
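To see why an upload that omits the ACL fails under the policy above, here is an added example (not code from the AWS article): a minimal evaluator for just the features that statement uses (AWS principal list, action list, wildcard resource, StringEquals condition), applied to several PutObject requests from the cross-account user. Other policies, IAM user policies and ACL state are assumed out of scope.

```python
# Added example (not from the AWS article): evaluate the article's bucket policy
# statement against sample PutObject requests. Models only the features that
# statement uses; an absent condition key makes StringEquals evaluate to false.
from fnmatch import fnmatchcase

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RequireBucketOwnerFullControlOnPuts",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:user/iam_user"]},
        "Action": ["s3:PutObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::docexamplebucket/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def statement_matches(stmt, principal, action, resource, context):
    """True if principal, action, resource and every condition match the request."""
    if principal not in _as_list(stmt["Principal"]["AWS"]):
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        # Request without x-amz-acl: context.get(key) is None, so no match.
        if context.get(key) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, principal, action, resource, context):
    """Explicit Deny wins; otherwise a matching Allow grants; else implicit deny."""
    matched = [s for s in policy["Statement"]
               if statement_matches(s, principal, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)

UPLOADER = "arn:aws:iam::111122223333:user/iam_user"
OBJECT = "arn:aws:s3:::docexamplebucket/example.jpg"

def upload_allowed(acl_header=None):
    """PutObject from the article's cross-account user with a given x-amz-acl value."""
    context = {} if acl_header is None else {"s3:x-amz-acl": acl_header}
    return is_allowed(BUCKET_POLICY, UPLOADER, "s3:PutObject", OBJECT, context)
```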

Related information

How Amazon S3 authorizes a request

Access policy guidelines

Setting permissions for website access

Controlling access to a bucket with user policies

AWS OFFICIAL. Updated 7 months ago.