We recommend that you disable ACLs on your Amazon S3 buckets. You can do this by applying the Bucket owner enforced setting for S3 Object Ownership. When you apply this setting, ACLs are disabled and you automatically own and have full control over all objects in your bucket. To require that all new buckets are created with ACLs disabled, use AWS Identity and Access Management (IAM) policies or AWS Organizations service control policies (SCPs), as described in the next section.
To enforce object ownership for new objects without disabling ACLs, you can apply the Bucket owner preferred setting. When you apply this setting, we strongly recommend that you update your bucket policy to require the bucket-owner-full-control canned ACL for all PUT requests to your bucket. Make sure you also update your clients to send the bucket-owner-full-control canned ACL to your bucket from other accounts.
The following example IAM policy denies the s3:CreateBucket permission for a specific IAM user or role unless the Bucket owner enforced setting is applied for Object Ownership. The key-value pair in the Condition block specifies s3:x-amz-object-ownership as its key and the BucketOwnerEnforced setting as its value. In other words, the IAM user can create buckets only if they set the Bucket owner enforced setting for Object Ownership and disable ACLs. You can also use this policy as a boundary SCP for your AWS organization.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireBucketOwnerFullControl",
            "Action": "s3:CreateBucket",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-object-ownership": "BucketOwnerEnforced"
                }
            }
        }
    ]
}
PUT operations (bucket owner preferred)
With the Bucket owner preferred setting for Object Ownership, you, as the bucket owner, own and have full control over new objects that other accounts write to your bucket with the bucket-owner-full-control canned ACL. However, if other accounts write objects to your bucket without the bucket-owner-full-control canned ACL, the object writer maintains full control access. You, as the bucket owner, can implement a bucket policy that allows writes only if they specify the bucket-owner-full-control canned ACL.

If you have ACLs disabled with the Bucket owner enforced setting, you, as the bucket owner, automatically own and have full control over all the objects in your bucket. You don't need to use this section to update your bucket policy to enforce object ownership for the bucket owner.
The following bucket policy specifies that account 111122223333 can upload objects to amzn-s3-demo-bucket only when the object's ACL is set to bucket-owner-full-control. Be sure to replace 111122223333 with your account and amzn-s3-demo-bucket with the name of your bucket.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Only allow writes to my bucket with bucket owner full control",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/ExampleUser"
                ]
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
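The two settings above leave a bucket owner with a practical question: which of my buckets still allow other accounts to keep control of the objects they upload? The following audit script is an added example and is not code from the AWS documentation. It classifies each bucket's Object Ownership setting and, for buckets on Bucket owner preferred, checks whether the bucket policy carries the ACL condition shown above (it also accepts the equivalent Deny form, a Deny on s3:PutObject with StringNotEquals on s3:x-amz-acl). The parsing functions take plain dicts so they run offline against constructed API responses; the live mode assumes boto3 credentials with s3:ListAllMyBuckets, s3:GetBucketOwnershipControls and s3:GetBucketPolicy. The bucket names in the constructed demo data are placeholders.

```python
"""Audit S3 Object Ownership and bucket-policy ACL enforcement (added example)."""
import json
import sys

BOFC = "bucket-owner-full-control"


def _as_list(value):
    # IAM policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def classify_ownership(controls):
    """Map a GetBucketOwnershipControls response to its ObjectOwnership value.
    None means the API raised OwnershipControlsNotFoundError, i.e. the bucket
    still has the legacy default in which the object writer owns the object."""
    if controls is None:
        return "ObjectWriter"
    rules = controls.get("OwnershipControls", {}).get("Rules", [])
    return rules[0]["ObjectOwnership"] if rules else "ObjectWriter"


def policy_requires_bofc_acl(policy):
    """True if the bucket policy gates s3:PutObject on the
    bucket-owner-full-control canned ACL, either as an Allow with
    StringEquals or as a Deny with StringNotEquals on s3:x-amz-acl."""
    if policy is None:
        return False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        cond = stmt.get("Condition", {})
        operator = {"Allow": "StringEquals", "Deny": "StringNotEquals"}.get(stmt.get("Effect"))
        if operator is None:
            continue
        keys = {k.lower(): v for k, v in cond.get(operator, {}).items()}
        if BOFC in _as_list(keys.get("s3:x-amz-acl", [])):
            return True
    return False


def audit(buckets, fetch_controls, fetch_policy):
    """Return {bucket: (ownership, finding)}. The fetch_* callables return the
    parsed API response, or None when the setting is absent."""
    report = {}
    for name in buckets:
        ownership = classify_ownership(fetch_controls(name))
        if ownership == "BucketOwnerEnforced":
            finding = "ok: ACLs disabled, bucket owner owns all objects"
        elif ownership == "BucketOwnerPreferred" and policy_requires_bofc_acl(fetch_policy(name)):
            finding = "ok: policy requires bucket-owner-full-control on PutObject"
        elif ownership == "BucketOwnerPreferred":
            finding = "warn: writers from other accounts keep full control of objects uploaded without the ACL"
        else:
            finding = "warn: ObjectWriter default; apply BucketOwnerEnforced"
        report[name] = (ownership, finding)
    return report


def demo():
    """Run the audit over constructed responses (no AWS access needed)."""
    controls = {
        "placeholder-bucket-enforced": {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
        "placeholder-bucket-preferred": {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]}},
        "placeholder-bucket-legacy": None,
    }
    policies = {
        "placeholder-bucket-preferred": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"},
            "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::placeholder-bucket-preferred/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": BOFC}}}]},
    }
    return audit(list(controls), controls.get, policies.get)


def live():
    """Audit every bucket in the account using boto3 (assumed credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")

    def guarded(call, missing_code):
        try:
            return call()
        except ClientError as err:
            if err.response["Error"]["Code"] == missing_code:
                return None
            raise

    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return audit(
        names,
        lambda n: guarded(lambda: s3.get_bucket_ownership_controls(Bucket=n), "OwnershipControlsNotFoundError"),
        lambda n: guarded(lambda: json.loads(s3.get_bucket_policy(Bucket=n)["Policy"]), "NoSuchBucketPolicy"),
    )


if __name__ == "__main__":
    for bucket, (ownership, finding) in (live() if "--live" in sys.argv else demo()).items():
        print(f"{bucket}: {ownership} -> {finding}")
```

Run it with no arguments to see the three constructed cases, or with --live to audit your own account. The Allow-with-condition pattern only restricts what that statement grants; principals in your own account that already hold s3:PutObject through their identity policies are not bound by it, which is one more reason the page recommends Bucket owner enforced where possible.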
The following is an example copy operation that includes the bucket-owner-full-control canned ACL by using the AWS Command Line Interface (AWS CLI).

aws s3 cp file.txt s3://amzn-s3-demo-bucket --acl bucket-owner-full-control
After the bucket policy is put into effect, if the client does not include the bucket-owner-full-control canned ACL, the operation fails, and the uploader receives the following error:

An error occurred (AccessDenied) when calling the PutObject operation: Access Denied