How do I change object ownership for an Amazon S3 bucket when the objects are uploaded by other AWS accounts?

Last updated: 2022-11-03

I'm trying to change ownership of objects uploaded by other AWS accounts in an Amazon Simple Storage Service (Amazon S3) bucket using S3 Object Ownership. How can I do this?

Short description

Important: Objects in S3 are no longer always automatically owned by the AWS account that uploads them.

With the Bucket owner enforced setting in S3 Object Ownership, all objects in an Amazon S3 bucket can now be owned by the bucket owner. The Bucket owner enforced setting also turns off all access control lists (ACLs), which simplifies access management for data stored in S3.

You can turn on the Bucket owner enforced setting to assign ownership of all objects within a newly created bucket to the bucket owner account.

Resolution

Changing object ownership of objects uploaded by other AWS accounts

Note: Before you use S3 Object Ownership to change object ownership for a bucket, make sure that you have access to the s3:PutBucketOwnershipControls action. For more information about S3 permissions, see Actions, resources, and condition keys for Amazon S3.

Changing object ownership to bucket owner account for new and existing objects uploaded by other accounts in Amazon S3 buckets (disable ACLs)

If you're trying to change object ownership for objects in an existing Amazon S3 bucket, choose the ACLs disabled option under S3 Object Ownership. This option allows the bucket owner full control over all the objects in the S3 bucket and transfers the ownership to the bucket owner's account.

When using this option, ACLs no longer affect the permission to access data in your S3 bucket. This option changes the ownership of all objects in the bucket, including the objects that exist currently and any objects that you add after setting the ACLs disabled option. To define access control, use a bucket policy.

Note: If your existing bucket ACL grants access to an external AWS account or to any group, then the Bucket owner enforced setting can't be applied. To apply the Bucket owner enforced setting, your bucket ACL must give full control only to the bucket owner. Before turning on the Bucket owner enforced setting, see Prerequisites for disabling ACLs.
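As an added example that is not part of the AWS article, the Python below checks the prerequisite from the note above (the bucket ACL grants full control only to the bucket owner) and then builds and issues the s3:PutBucketOwnershipControls request that switches a bucket to Bucket owner enforced. The ACL responses and canonical IDs are constructed placeholders, and RecordingClient is an offline stand-in for boto3.client('s3'); with real credentials you would pass that client instead.

```python
from typing import Any, Dict, List

# Constructed get-bucket-acl responses (shape of the S3 GetBucketAcl API); IDs are placeholders.
OWNER_ID = "owner-canonical-id-placeholder"
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"}
CLEAN_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT]}
SHARED_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT,
    {"Grantee": {"Type": "CanonicalUser", "ID": "other-account-canonical-id-placeholder"},
     "Permission": "READ"}]}
PUBLIC_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

def blocking_grants(acl: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Grants that prevent Bucket owner enforced: anything other than
    FULL_CONTROL for the bucket owner's own canonical user ID."""
    owner_id = acl["Owner"]["ID"]
    return [g for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") != "CanonicalUser"
            or g["Grantee"].get("ID") != owner_id
            or g["Permission"] != "FULL_CONTROL"]

def owner_enforced_params(bucket: str) -> Dict[str, Any]:
    """Keyword arguments for boto3 S3.Client.put_bucket_ownership_controls
    (the s3:PutBucketOwnershipControls action) that disable ACLs."""
    return {"Bucket": bucket,
            "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}

class RecordingClient:
    """Stand-in for boto3.client('s3') so the example runs offline; records the calls."""
    def __init__(self, acl: Dict[str, Any]) -> None:
        self.acl, self.calls = acl, []

    def get_bucket_acl(self, Bucket: str) -> Dict[str, Any]:
        return self.acl

    def put_bucket_ownership_controls(self, **params: Any) -> None:
        self.calls.append(params)

def disable_acls(s3, bucket: str) -> Dict[str, Any]:
    """Check the bucket-ACL prerequisite, then switch the bucket to Bucket owner enforced.
    Grants to other accounts or groups must first be moved into a bucket policy."""
    offending = blocking_grants(s3.get_bucket_acl(Bucket=bucket))
    if offending:
        raise ValueError(f"{bucket}: move these ACL grants to a bucket policy first: {offending}")
    params = owner_enforced_params(bucket)
    s3.put_bucket_ownership_controls(**params)
    return params
```

Existing object ACLs do not need to be rewritten: once the bucket is Bucket owner enforced they stop affecting access, so only the bucket ACL is checked here.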

Changing object ownership to bucket owner account for new objects uploaded by other accounts in Amazon S3 buckets (enable ACLs)

Under S3 Object Ownership, from the ACLs enabled options, choose Bucket owner preferred. With this setting, new objects written by other accounts with the bucket-owner-full-control canned ACL are automatically owned by the bucket owner rather than the object writer. However, the Bucket owner preferred setting doesn't affect the ownership of existing objects. ACLs can still be updated and used to grant permissions. For more information about the Bucket owner preferred setting and ACLs, see Enforcing ownership of Amazon S3 objects in a multi-account environment.

Changing object ownership to the AWS account that uploaded it (enable ACLs)

To make the AWS account that uploaded an object its owner, choose the Object writer option from the ACLs enabled options under S3 Object Ownership. With this option, the AWS account that uploaded the object owns it. The object owner then has full control over the object and can grant other users access to it using ACLs.