How do I fix the error “Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting” in CloudFormation?


When I try to deploy an Amazon Simple Storage Service (Amazon S3) bucket through an AWS CloudFormation stack, I get an error.

Short description

For newly created buckets, Amazon S3 applies the BucketOwnerEnforced setting for Object Ownership by default. This setting turns off access control lists (ACLs): the bucket owner automatically owns and has full control over every object in the bucket, and ACLs no longer affect permissions. Because of this, a deployment that tries to set an ACL on the bucket, such as through the AccessControl property of an AWS::S3::Bucket resource, fails with the following error:

Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: VCC82DDB; S3 Extended Request ID: itIVupTUTYxdhtOqXHTRxiwthYK4I/AvFqgNCWSqs8=; Proxy: null)

For example, the following template results in this error. The AccessControl property applies the LogDeliveryWrite canned ACL, but nothing in the template changes Object Ownership, so the bucket is created with BucketOwnerEnforced and the ACL request is rejected:

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  PortalBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Canned ACL: fails because the bucket defaults to BucketOwnerEnforced
      AccessControl: LogDeliveryWrite
      VersioningConfiguration:
        Status: Enabled
      WebsiteConfiguration:
        IndexDocument: 'index.html'
        ErrorDocument: 'error.html'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

To resolve this issue, change the value of ObjectOwnership for the bucket to a setting that allows ACLs.

Important: Using ACLs isn't a best practice for Amazon S3; bucket policies are the recommended way to grant access, and they work with ACLs turned off. If your use case does require ACLs, then follow the resolution steps below to allow them.

Resolution

  1. Set the value of ObjectOwnership to ObjectWriter or BucketOwnerPreferred. Both settings keep ACLs turned on. With ObjectWriter, the account that uploads an object owns it. With BucketOwnerPreferred, the bucket owner owns objects that are uploaded with the bucket-owner-full-control canned ACL; other objects remain owned by the uploader.
  2. To deploy your S3 bucket, use the following template:

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  PortalBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Canned ACL for S3 server access log delivery
      AccessControl: LogDeliveryWrite
      VersioningConfiguration:
        Status: Enabled
      WebsiteConfiguration:
        IndexDocument: 'index.html'
        ErrorDocument: 'error.html'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Turn ACLs back on so that AccessControl can be applied
      OwnershipControls:
        Rules:
          - ObjectOwnership: ObjectWriter

This template keeps ACLs turned on for the bucket, so the LogDeliveryWrite canned ACL can be applied. After the stack deploys, you can confirm the setting with aws s3api get-bucket-ownership-controls --bucket <bucket-name>.
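If the only reason for the ACL is S3 server access logging, the bucket does not need ACLs at all. The following template is an added example, not code from the original article: it keeps ObjectOwnership at BucketOwnerEnforced, drops the AccessControl property, and grants the S3 logging service principal write access through a bucket policy instead. The SourceBucketName parameter is an assumption standing in for the bucket whose logs are delivered, and the WebsiteConfiguration from the original template is left out because it is unrelated to the error.

```yaml
AWSTemplateFormatVersion: "2010-09-09"

# Added example (not from the original article): a log-target bucket that
# works with ACLs turned off. Log delivery is authorized by a bucket policy
# rather than the LogDeliveryWrite canned ACL.
Parameters:
  SourceBucketName:
    Type: String
    Description: Bucket whose server access logs are delivered here (assumed name)

Resources:
  PortalBucket:
    Type: AWS::S3::Bucket
    Properties:
      # No AccessControl property, so nothing in this template sets an ACL.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  PortalBucketLogDeliveryPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref PortalBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: S3ServerAccessLogsPolicy
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "${PortalBucket.Arn}/*"
            # Scope the grant to logs from one bucket in this account only,
            # so the logging service cannot be used to write into this bucket
            # on behalf of a bucket in another account.
            Condition:
              ArnLike:
                aws:SourceArn: !Sub "arn:aws:s3:::${SourceBucketName}"
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
```

With this template the bucket owner owns every delivered log object, the aws:SourceArn and aws:SourceAccount conditions limit which bucket's logs can land here, and aws s3api get-bucket-acl on the bucket shows only the owner's FULL_CONTROL grant because no other ACL grants exist.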

For more information on Amazon S3's default behavior with ACLs, see Heads-up: Amazon S3 security changes are coming in April of 2023.

AWS OFFICIAL. Updated a year ago.