I'm using an Amazon Simple Storage Service (Amazon S3) bucket to store content for my website. A user from another AWS account uploaded an object for the website to my bucket. My bucket policy is correct, but the object won't load on the website. How can I fix this?

If another AWS account uploads an object to your bucket, you don't own that object by default, and by default you might not be able to read it. The uploading account must explicitly grant you, the bucket owner, permissions to the object.

Additionally, a bucket policy doesn't apply to objects in the bucket that are owned by other accounts. This is why the bucket policy that grants read access to your website's users doesn't automatically apply to objects uploaded by another account.

To fix the loading issue, change the object's access control list (ACL) in one of these ways:

  • The object owner grants the object public read access.
  • The object owner grants the bucket owner full control of the object. Then, the bucket owner copies the object over itself to inherit ownership of the object.

Note the following when granting bucket access to another account:

  • Objects uploaded to a bucket by another account won't be readable by the bucket's account by default. The account that uploaded the object must explicitly update the ACL to grant read permissions.
  • Objects uploaded to a bucket by another account won't automatically inherit the permissions defined in the bucket policy. The bucket owner must take ownership of the object for the bucket policy to apply.
  • If you want to allow another account to access your bucket, we recommend that you use a bucket policy as a more centralized and comprehensive way to manage permissions.
  • If you want to allow another account to upload objects to your bucket, we recommend that you create an AWS Identity and Access Management (IAM) role from your account that the other account can assume. When the other account uses the IAM role to upload objects, your account then owns the objects because the role belongs to your account. For an example cross-account configuration using an IAM role, see Bucket Owner Granting Cross-account Permission to Objects It Does Not Own.
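Before applying either fix, the bucket owner usually wants to know which objects in the bucket are actually owned by another account. The following Python example is added here and is not part of the AWS article: it parses the JSON that `aws s3api list-objects-v2 --bucket awsexamplebucket --fetch-owner` returns (the sample listing and the canonical IDs below are constructed placeholders; your own canonical ID is the `Owner.ID` that `aws s3api list-buckets` reports) and separates owned, foreign-owned and owner-unknown keys. The function and variable names are this example's own, not an AWS API.

```python
import json

# Constructed sample of the output of
#   aws s3api list-objects-v2 --bucket awsexamplebucket --fetch-owner
# The canonical IDs are made-up placeholders, not real AWS IDs. "Owner" is
# only present when --fetch-owner is used, so its absence is handled below.
BUCKET_OWNER_ID = "OWNER-CANONICAL-ID-PLACEHOLDER"
OTHER_ACCOUNT_ID = "OTHER-ACCOUNT-CANONICAL-ID-PLACEHOLDER"

SAMPLE_LISTING = json.dumps({
    "Contents": [
        {"Key": "index.html", "Size": 1024, "Owner": {"ID": BUCKET_OWNER_ID}},
        {"Key": "example.jpg", "Size": 2048, "Owner": {"ID": OTHER_ACCOUNT_ID}},
        {"Key": "css/site.css", "Size": 512, "Owner": {"ID": BUCKET_OWNER_ID}},
        {"Key": "legacy.png", "Size": 64},  # listed without --fetch-owner
    ]
})


def classify_objects(listing_json, bucket_owner_id):
    """Split a list-objects-v2 listing into keys the bucket owner owns, keys
    another account owns (the bucket policy does not apply to these), and
    keys whose owner the listing did not report (re-run with --fetch-owner)."""
    listing = json.loads(listing_json)
    owned, foreign, unknown = [], [], []
    for obj in listing.get("Contents", []):
        owner_id = obj.get("Owner", {}).get("ID")
        if owner_id is None:
            unknown.append(obj["Key"])
        elif owner_id == bucket_owner_id:
            owned.append(obj["Key"])
        else:
            foreign.append(obj["Key"])
    return {"owned": owned, "foreign": foreign, "unknown": unknown}


def remediation_plan(bucket, foreign_keys):
    """For each foreign-owned key, the two commands from the article and
    which account has to run them: the uploader grants the bucket owner
    full control, then the bucket owner copies the object over itself."""
    steps = []
    for key in foreign_keys:
        steps.append(("uploading account",
                      f"aws s3api put-object-acl --bucket {bucket} --key {key} "
                      f"--acl bucket-owner-full-control"))
        steps.append(("bucket owner",
                      f"aws s3 cp s3://{bucket}/{key} s3://{bucket}/{key} "
                      f"--storage-class STANDARD"))
    return steps


if __name__ == "__main__":
    report = classify_objects(SAMPLE_LISTING, BUCKET_OWNER_ID)
    print("owned by bucket owner :", report["owned"])
    print("owned by other account:", report["foreign"])
    print("owner not reported    :", report["unknown"])
    for who, command in remediation_plan("awsexamplebucket", report["foreign"]):
        print(f"[{who}] {command}")
```

Feed the real listing in through stdin or a file instead of `SAMPLE_LISTING` to run this against your own bucket; the `unknown` bucket is deliberately separate so that a listing taken without `--fetch-owner` is not misread as "everything is mine".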

The object owner grants the object public read access

The account that uploaded the object can grant the object public read access by running this AWS Command Line Interface (AWS CLI) command:

Note: For the value of --bucket, enter the name of the bucket that stores your website content.

aws s3api put-object-acl --bucket awsexamplebucket --key example.jpg --acl public-read

Then, if traffic to the object must be restricted, the bucket owner can use a bucket policy to allow access only when the request is from certain IP addresses or a certain Amazon Virtual Private Cloud (VPC).

For example, this bucket policy denies access to objects in awsexamplebucket unless the request is from the IP addresses listed as "aws:SourceIp", or from the VPC specified as "aws:sourceVpc":

{
    "Version": "2012-10-17",
    "Id": "Policy1415115909152",
    "Statement": [
        {
            "Sid": "Deny-Access-Except-For-Trusted-IPs-and-VPC",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::awsexamplebucket/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "1.1.1.1/32",
                        "2.2.2.2/32",
                        "3.3.3.3/32"
                    ]
                },
                "StringNotEquals": {
                    "aws:sourceVpc": "vpc-12345abc"
                }
            }
        }
    ]
}

The object owner grants the bucket owner full control of the object

The account that uploaded the object can grant the bucket owner full control of the object by running this AWS CLI command:

aws s3api put-object-acl --bucket awsexamplebucket --key example.jpg --acl bucket-owner-full-control

Then, the bucket owner must copy the object over itself to take ownership of it. The copy has to change at least one attribute of the object (here the storage class is set explicitly), because Amazon S3 rejects a copy of an object onto itself with nothing changed. The bucket owner can run this command:

aws s3 cp s3://awsexamplebucket/example.jpg s3://awsexamplebucket/example.jpg --storage-class STANDARD

The bucket owner now owns the object, which means the object inherits the permissions set on the bucket policy.

Require that cross-account uploads grant the bucket owner full control of the object

To require that every upload (s3:PutObject) from another account grants the bucket owner full control of the object, you can use a bucket policy similar to the following:

{
    "Id": "Policy1541018284691",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireBucketOwnerFullControlOnPuts",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/iam_user"
                ]
            },
            "Action": [
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::awsexamplebucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

With this bucket policy, the user from the other account (111122223333) can upload to the bucket only when they specify that the object's ACL grants the bucket owner full control. The user must upload objects using a command similar to the following:

aws s3 cp path/to/local/file s3://awsexamplebucket --acl bucket-owner-full-control
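Both bucket policies in this article depend on how their Condition blocks combine, which is easy to misjudge: the Deny policy only denies when the request is neither from a listed IP address nor from the trusted VPC (every operator in a Condition must hold), and the upload policy only allows a PutObject that carries the exact ACL header. The following Python example is added here and is not AWS's policy engine or part of the article: it is a simplified evaluator that supports just the three operators these two policies use and applies the usual rule that an explicit Deny wins over any Allow. The request contexts are constructed, `vpc-0000other` is a made-up VPC ID, and a request arriving through a VPC endpoint is modelled without an `aws:SourceIp` value.

```python
import ipaddress
from fnmatch import fnmatchcase

# Added example: a simplified model of how S3 evaluates the two bucket
# policies in this article. It is not AWS's engine; it supports only the
# operators those policies use and the rule that an explicit Deny wins.

DENY_UNLESS_TRUSTED = {  # the "Deny-Access-Except-For-Trusted-IPs-and-VPC" policy
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::awsexamplebucket/*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"]},
            "StringNotEquals": {"aws:sourceVpc": "vpc-12345abc"},
        },
    }],
}

REQUIRE_OWNER_FULL_CONTROL = {  # the "RequireBucketOwnerFullControlOnPuts" policy
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:user/iam_user"]},
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::awsexamplebucket/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }],
}

OBJECT_ARN = "arn:aws:s3:::awsexamplebucket/example.jpg"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_true(operator, key, wanted, ctx):
    """Evaluate one condition key against the request context. Negated
    operators hold when the key is absent: an internet request carries no
    aws:sourceVpc, so StringNotEquals on it is true and the Deny applies."""
    have = ctx.get(key)
    wanted = _as_list(wanted)
    if operator == "StringEquals":
        return have is not None and have in wanted
    if operator == "StringNotEquals":
        return have is None or have not in wanted
    if operator == "NotIpAddress":
        if have is None:
            return True
        ip = ipaddress.ip_address(have)
        return not any(ip in ipaddress.ip_network(cidr) for cidr in wanted)
    raise ValueError(f"operator not modelled: {operator}")


def _statement_matches(stmt, principal, action, resource, ctx):
    allowed = stmt["Principal"]
    if allowed != "*" and principal not in _as_list(allowed.get("AWS", [])):
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # Every operator and every key in Condition must hold (logical AND);
    # the values listed under one key are alternatives (logical OR).
    return all(_condition_true(op, key, wanted, ctx)
               for op, keys in stmt.get("Condition", {}).items()
               for key, wanted in keys.items())


def evaluate(policy, principal, action, resource, ctx):
    """'Deny' if an explicit Deny matches, 'Allow' if an Allow matches, else
    'NoMatch': the bucket policy is silent, so for a public-read object (the
    article's first scenario) the object's own ACL still grants the read."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, principal, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "NoMatch"


def get_object_results():
    """Constructed GetObject requests against DENY_UNLESS_TRUSTED."""
    def get(ctx):
        return evaluate(DENY_UNLESS_TRUSTED, "anonymous", "s3:GetObject", OBJECT_ARN, ctx)
    return {
        "trusted ip": get({"aws:SourceIp": "1.1.1.1"}),
        "untrusted ip": get({"aws:SourceIp": "198.51.100.7"}),
        "trusted vpc": get({"aws:sourceVpc": "vpc-12345abc"}),
        "other vpc": get({"aws:sourceVpc": "vpc-0000other"}),  # made-up VPC ID
    }


def put_object_results():
    """Constructed PutObject requests from the other account's IAM user."""
    user = "arn:aws:iam::111122223333:user/iam_user"
    def put(ctx):
        return evaluate(REQUIRE_OWNER_FULL_CONTROL, user, "s3:PutObject", OBJECT_ARN, ctx)
    return {
        "bucket-owner-full-control": put({"s3:x-amz-acl": "bucket-owner-full-control"}),
        "public-read": put({"s3:x-amz-acl": "public-read"}),
        "no --acl": put({}),
    }


if __name__ == "__main__":
    for name, result in {**get_object_results(), **put_object_results()}.items():
        print(f"{name:28s} -> {result}")
```

The two results worth noticing: a request from a listed IP address is not denied even though it is not from the VPC (the Deny needs both conditions to hold), and a PutObject that omits `--acl` or uses `public-read` gets no Allow from the upload policy, so it is implicitly denied unless some other policy grants it.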


Published: 2019-03-19