An AWS Identity and Access Management (IAM) user from another AWS account uploaded an object to my Amazon Simple Storage Service (Amazon S3) bucket. When I try to access that object, I receive the 403 Access Denied error.
Short description
For S3 buckets with the object writer setting (ObjectOwnership=ObjectWriter), the AWS account that uploaded the object becomes the object owner. In this case, the object owner must explicitly grant access to the bucket owner through an access control list (ACL), normally the bucket-owner-full-control canned ACL. Without that grant, the bucket owner can still list and delete the object (those are bucket-level permissions) but can't read the object or its ACL, and GetObject and GetObjectAcl requests from the bucket owner return 403 Access Denied.
With S3 Object Ownership, bucket owners can control the ownership of all objects uploaded to their buckets. By default, all newly created S3 buckets have the bucket owner enforced setting activated. When the bucket owner enforced setting is activated, the bucket owner owns every object in the bucket, ACLs are disabled and no longer affect permissions, and access is controlled only by IAM policies and bucket policies.
You can change S3 Object Ownership on buckets that already exist by turning on either the bucket owner enforced setting or the bucket owner preferred setting. With the bucket owner preferred setting, ACLs stay activated: new objects uploaded with the bucket-owner-full-control canned ACL become owned by the bucket owner, but objects uploaded without that ACL remain owned by the writer, and the ownership of existing objects doesn't change. You can turn off the bucket owner enforced setting at any time. If you do, then the ACLs attached to the bucket and its objects are activated again.
Note: It's a best practice to turn on the bucket owner enforced setting (ACLs disabled) and manage your bucket permissions with IAM policies and bucket policies instead of ACLs.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Turn off ACLs on your bucket
To turn off ACLs on your bucket and take ownership of all objects in the bucket, run the following command. Before you do, move any access that existing object ACLs grant to other accounts into your bucket policy, because those ACL grants stop working once ACLs are disabled, and remove any bucket policy conditions that require an ACL other than bucket-owner-full-control, because uploads that set such an ACL afterwards fail with AccessControlListNotSupported (uploads that set bucket-owner-full-control are still accepted). You can confirm the resulting setting with the get-bucket-ownership-controls command.
aws s3api put-bucket-ownership-controls --bucket example-bucket --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'
If you can't turn off ACLs on your bucket, then use the following options to grant access to objects in your bucket.
Grant access during a PUT or COPY operation
To give full control of an object to the bucket owner during a PUT operation, the object owner (the uploading account) can run the following command:
aws s3api put-object --bucket destination_DOC-EXAMPLE-BUCKET --key dir-1/my_images.tar.bz2 --body my_images.tar.bz2 --acl bucket-owner-full-control
For a COPY operation of a single object, the object owner can run one of the following commands:
aws s3api copy-object --bucket destination_DOC-EXAMPLE-BUCKET --key myobject --copy-source source_DOC-EXAMPLE-BUCKET/myobject --acl bucket-owner-full-control
-or-
aws s3 cp s3://source_DOC-EXAMPLE-BUCKET/myobject s3://destination_DOC-EXAMPLE-BUCKET/ --acl bucket-owner-full-control
For a COPY operation of multiple objects, the object owner can run the following command:
aws s3 cp s3://source_DOC-EXAMPLE-BUCKET/ s3://destination_DOC-EXAMPLE-BUCKET/ --acl bucket-owner-full-control --recursive
Grant access after the object is added to the bucket
If the object is already in a bucket owned by another account, then the object owner runs the put-object-acl command to grant access to the bucket owner. The bucket owner can't run this command on the object, because only the object owner holds the WRITE_ACP permission that it requires:
aws s3api put-object-acl --bucket destination_DOC-EXAMPLE-BUCKET --key keyname --acl bucket-owner-full-control
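When many objects were uploaded from another account, the uploading account can find the ones that still need put-object-acl by running get-object-acl on each and applying the ownership rules above. The following script is an added example (not part of the original article): it consumes the JSON that `aws s3api get-bucket-ownership-controls` and `aws s3api get-object-acl` print, run from the uploading account, which owns the objects and can read their ACLs (the bucket owner's own get-object-acl on such an object is itself a 403). All canonical IDs, bucket and key names are constructed placeholders.

```python
"""Find objects that the bucket owner cannot read, from AWS CLI JSON output.

Added example (not from the original article). All IDs, bucket and key
names below are constructed placeholders.
"""
import json

# Constructed canonical user IDs (real ones are 64 hex characters).
BUCKET_OWNER_ID = "a" * 64
UPLOADER_ID = "b" * 64

# Constructed output of:
#   aws s3api get-bucket-ownership-controls --bucket DOC-EXAMPLE-BUCKET
OWNERSHIP_OBJECT_WRITER = json.loads(
    '{"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}}'
)

# Constructed output of:
#   aws s3api get-object-acl --bucket DOC-EXAMPLE-BUCKET --key dir-1/a.bin
# Uploaded without --acl bucket-owner-full-control: only the writer holds a grant.
ACL_NO_GRANT = {
    "Owner": {"ID": UPLOADER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": UPLOADER_ID},
         "Permission": "FULL_CONTROL"},
    ],
}

# Same object uploaded with --acl bucket-owner-full-control.
ACL_WITH_GRANT = {
    "Owner": {"ID": UPLOADER_ID},
    "Grants": ACL_NO_GRANT["Grants"] + [
        {"Grantee": {"Type": "CanonicalUser", "ID": BUCKET_OWNER_ID},
         "Permission": "FULL_CONTROL"},
    ],
}

READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Group grants that cover every AWS principal, and therefore the bucket owner too.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def ownership_setting(controls) -> str:
    """Map get-bucket-ownership-controls output to its ObjectOwnership value.

    A bucket with no ownership controls makes the CLI fail with
    OwnershipControlsNotFoundError; pass None for that case, which behaves
    like ObjectWriter.
    """
    if not controls:
        return "ObjectWriter"
    rules = controls["OwnershipControls"]["Rules"]
    return rules[0]["ObjectOwnership"] if rules else "ObjectWriter"


def bucket_owner_can_read(setting: str, acl: dict, bucket_owner_id: str) -> bool:
    """True if the bucket owner can GET the object under the given ACL."""
    if setting == "BucketOwnerEnforced":
        return True  # ACLs are disabled; the bucket owner owns every object
    if acl["Owner"]["ID"] == bucket_owner_id:
        return True  # already owned by the bucket owner
    for grant in acl.get("Grants", []):
        if grant["Permission"] not in READ_PERMISSIONS:
            continue
        grantee = grant["Grantee"]
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == bucket_owner_id:
            return True
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            return True
    return False


def objects_needing_fix(setting: str, acls: dict, bucket_owner_id: str) -> list:
    """Return the keys whose ACL the object owner still has to update."""
    return [key for key, acl in acls.items()
            if not bucket_owner_can_read(setting, acl, bucket_owner_id)]


if __name__ == "__main__":
    setting = ownership_setting(OWNERSHIP_OBJECT_WRITER)
    acls = {"dir-1/a.bin": ACL_NO_GRANT, "dir-1/b.bin": ACL_WITH_GRANT}
    for key in objects_needing_fix(setting, acls, BUCKET_OWNER_ID):
        # The uploading account runs this; the bucket owner lacks WRITE_ACP on the object.
        print(f"aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET "
              f"--key {key} --acl bucket-owner-full-control")
```

In practice, replace the constructed dictionaries with the real CLI output (for example, `json.load` on the result of `aws s3api get-object-acl ... --output json`) and feed the printed commands back to the AWS CLI from the uploading account. If the ownership setting is already BucketOwnerEnforced, the script reports nothing, because ACLs no longer decide access.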
Require that objects grant the bucket owner full control
You can use a bucket policy to require that objects uploaded to your bucket by another account set the ACL as bucket-owner-full-control. For an example, see When other AWS accounts upload objects to my Amazon S3 bucket, how can I require that they grant me full control of the objects?
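The following is an added example of such a bucket policy (not code from the original article). It follows the AWS pattern of an Allow for the uploading account paired with an explicit Deny whose condition is on the s3:x-amz-acl request header. The put_object_allowed() function is a deliberately simplified evaluator for this policy shape only, not the IAM policy engine; it is included to show why the Deny statement is needed and what happens to an upload that sends no ACL header at all. The account ID and bucket name are constructed placeholders.

```python
"""Bucket policy that rejects cross-account uploads lacking bucket-owner-full-control.

Added example (not from the original article). The account ID and bucket
name are constructed placeholders; put_object_allowed() is a simplified
evaluator for this policy shape only, not the IAM engine.
"""
import json

UPLOADER_ACCOUNT = "111111111111"   # constructed placeholder account ID
BUCKET = "DOC-EXAMPLE-BUCKET"


def require_bucket_owner_full_control(bucket: str, uploader_account: str) -> dict:
    """Allow PutObject from the uploader, but only with the required canned ACL."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowUploadsFromUploaderAccount",
                "Effect": "Allow",
                "Principal": {"AWS": uploader_account},
                "Action": "s3:PutObject",
                "Resource": resource,
            },
            {
                # StringNotEquals also matches when the key is absent from the
                # request, so an upload that sends no ACL header at all is denied.
                "Sid": "DenyUploadsWithoutBucketOwnerFullControl",
                "Effect": "Deny",
                "Principal": {"AWS": uploader_account},
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the two string operators this policy uses."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:   # absent key counts as "not equal"
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def put_object_allowed(policy: dict, account: str, bucket: str, key: str, acl=None) -> bool:
    """An explicit Deny wins over any Allow; no matching Allow means denied."""
    context = {"s3:x-amz-acl": acl} if acl is not None else {}
    resource = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Principal"]["AWS"] != account or stmt["Action"] != "s3:PutObject":
            continue
        if not resource.startswith(stmt["Resource"].rstrip("*")):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = require_bucket_owner_full_control(BUCKET, UPLOADER_ACCOUNT)
    # Save the output as policy.json and apply it with:
    #   aws s3api put-bucket-policy --bucket DOC-EXAMPLE-BUCKET --policy file://policy.json
    print(json.dumps(policy, indent=2))
```

The policy only shapes future uploads; objects that other accounts already uploaded without the ACL still need the put-object-acl step above. The uploading account must also grant its own IAM user or role s3:PutObject on the bucket, because a bucket policy alone doesn't authorize a principal in another account. If you can switch the bucket to the bucket owner enforced setting instead, this policy becomes unnecessary.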
Related information
IAM tutorial: Delegate access across AWS accounts using IAM roles
Grant cross-account permissions to upload objects while ensuring that the bucket owner has full control
Prerequisites for disabling ACLs