I want to allow users from other AWS accounts to upload objects to my Amazon Simple Storage Service (Amazon S3) bucket. However, I want to require that users grant me full control of those objects.
Resolution
Add a bucket policy that requires users to include the bucket-owner-full-control access control list (ACL) when they upload objects to your bucket.
For example, this bucket policy specifies that ExampleUser can upload objects to DOC-EXAMPLE-BUCKET only when the object's ACL is set to bucket-owner-full-control:
{
  "Id": "Policy1541018284691",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1541018283275",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      },
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:user/ExampleUser"
        ]
      }
    }
  ]
}
After you add this bucket policy, users must include the required ACL as part of the upload request, such as in the following example:
aws s3 cp example.jpg s3://DOC-EXAMPLE-BUCKET --acl bucket-owner-full-control
If users fail to meet the ACL requirement in their upload request, then they receive the following error message:
"An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"
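To see why the missing ACL produces AccessDenied rather than an explicit deny, here is an added offline model (not from the article or from AWS) that applies IAM's evaluation order (explicit Deny, then a matching Allow, else implicit deny, which S3 surfaces as AccessDenied) to the policy above; the evaluator is a deliberate simplification that only understands StringEquals/StringNotEquals and the "AWS" principal form used here.

```python
import fnmatch

# Placeholder bucket and principal taken from the article above.
BUCKET = "DOC-EXAMPLE-BUCKET"
UPLOADER = "arn:aws:iam::111122223333:user/ExampleUser"

def build_policy(bucket, principal_arns):
    """The article's policy: Allow PutObject/PutObjectAcl only with the required ACL."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RequireBucketOwnerFullControl",
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        }],
    }

def _condition_matches(condition, context):
    """Every key under every operator must hold. A header the request omits is
    simply absent from context, so StringEquals fails: the missing --acl case."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            have = context.get(key)
            if operator == "StringEquals" and have != want:
                return False
            if operator == "StringNotEquals" and have == want:
                return False
    return True

def evaluate(policy, principal, action, resource, context):
    """Simplified IAM order: explicit Deny, then Allow, else ImplicitDeny (S3 shows AccessDenied)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        principals = stmt["Principal"]["AWS"]
        if "*" not in principals and principal not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Calling `evaluate(build_policy(BUCKET, [UPLOADER]), UPLOADER, "s3:PutObject", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/example.jpg", {})` returns "ImplicitDeny"; adding `{"s3:x-amz-acl": "bucket-owner-full-control"}` as the context returns "Allow".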
For objects in your bucket that other accounts own, the object owner can run a put-object-acl command to grant you control of the object:
aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key example.jpg --acl bucket-owner-full-control
The bucket-owner-full-control ACL grants the bucket owner full access to an object that another account uploads. However, this ACL alone doesn't transfer ownership of the object. To automatically take ownership of objects that are uploaded with the bucket-owner-full-control ACL, set S3 Object Ownership to bucket owner preferred. After you update S3 Object Ownership, the bucket owner automatically owns any new objects that are uploaded with bucket-owner-full-control.
Related information
Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?
Managing buckets using canned ACLs
IAM tutorial: Delegate access across AWS accounts using IAM roles
Mapping of ACL permissions and access policy permissions