How can I change the ownership of publicly (anonymously) owned objects in my Amazon S3 bucket?


My Amazon Simple Storage Service (Amazon S3) bucket has an object with public (anonymous) ownership. I want to change the object's ownership so that my AWS account owns the object.

Short description

When ACLs are enabled on a bucket (the Object Ownership setting ObjectWriter), the AWS account that uploads an Amazon S3 object owns that object, even if it isn't the bucket owner. This means that if you allow public write access to your bucket, then the objects that public (anonymous) users upload are publicly owned, and your account can't read them or change their ACLs. To prevent this, it's a best practice to turn on S3 Block Public Access for your bucket.

If an anonymous user uploaded an object to your bucket and you want to take ownership of it, then first modify the object's access control list (ACL) to grant the bucket owner (your AWS account) full control of the object. The ACL grant by itself doesn't change the owner; it lets your account read the object so that you can copy it over itself, which makes your account the owner of the new copy.

Note: You can also use Amazon S3 Object Ownership (the bucket owner enforced setting) to turn off ACLs so that your account automatically owns every object in the bucket, including objects that another AWS account uploads.

Resolution

To change an object's ownership to the AWS account that owns the bucket, follow these steps:

  1. To set the object's ACL, run the put-object-acl command in the AWS Command Line Interface (AWS CLI). Include the --acl option with the value bucket-owner-full-control to grant the bucket owner control of the object. Then, include the --no-sign-request option so that the request is sent anonymously. Because the anonymous user is the object owner, an unsigned request can modify the ACL, whereas a request signed with your account's credentials is denied. Run this step before you block public access to the bucket, because the unsigned request must still be allowed to reach the bucket. The full put-object-acl command with the options that you need is similar to the following example:

    aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key awsexampleobject --acl bucket-owner-full-control --no-sign-request

    Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

  2. To apply the ownership change, you must copy the object over itself. The copy is a new PUT made by your account, so your account owns the resulting object. Amazon S3 rejects a copy to the same key that changes nothing, which is why the example sets --storage-class. Run the cp command:

    aws s3 cp s3://DOC-EXAMPLE-BUCKET/awsexampleobject s3://DOC-EXAMPLE-BUCKET/awsexampleobject --storage-class STANDARD

    Note: Make sure to change the --storage-class value in the example command to the storage class that's applicable to your use case. Also, make sure to include other cp command options that you need for your object.

  3. To check the ownership change, run the get-object-acl command:

    aws s3api get-object-acl --bucket DOC-EXAMPLE-BUCKET --key awsexampleobject

    This command returns an output that displays the object's owner:

    {
      "Owner": {
        "DisplayName": "jane",
        "ID": "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099"
      },
      "Grants": [
        {
          "Grantee": {
            "DisplayName": "jane",
            "ID": "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099",
            "Type": "CanonicalUser"
          },
          "Permission": "FULL_CONTROL"
        }
      ]
    }
  4. If your bucket has versioning enabled, then the cp command in Step 2 created a new object version and retained the previous version, which still has public (anonymous) ownership. You must also delete that previous version. First, run the list-object-versions command on the bucket. Include the --prefix option to filter the results to the object that had public ownership:

    aws s3api list-object-versions --bucket DOC-EXAMPLE-BUCKET --prefix awsexampleobject

    In the command output, the version that the cp command created has "IsLatest": true and your account as the Owner. Copy the VersionId of the older version whose Owner is not your account. Then, run the delete-object command for that version ID:

    aws s3api delete-object --bucket DOC-EXAMPLE-BUCKET --key awsexampleobject --version-id 'example.d6tjAKF1iObKbEnNQkIMPjj'

    Warning: Review the version ID carefully to be sure that it is the version ID of the object version with public ownership. If you delete an object version, then you can't retrieve it.
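Applied across a whole bucket, the steps above are easy to get wrong at Step 4, where a mistaken version ID is unrecoverable. The following Python is an added example (not code from this page or from AWS) that works on the JSON the AWS CLI prints, so it runs without credentials: it lists the versions that your account does not own, separates keys that still need Steps 1 and 2 from older versions that are safe to delete in Step 4, checks a get-object-acl result as in Step 3, and renders the matching CLI commands for review before you run them. The bucket owner ID, the anonymous owner ID, the listing and the function names are constructed for the example.

```python
"""Offline checks for the remediation procedure above.

Added example, not code from the AWS page. Works on the JSON that
`aws s3api list-object-versions` and `aws s3api get-object-acl` print,
so no AWS credentials are needed; the sample documents and canonical IDs
below are constructed for illustration only.
"""
import json

# Constructed: your account's canonical user ID (as shown by `aws s3api list-buckets`).
BUCKET_OWNER_ID = "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099"

# Constructed sample of `aws s3api list-object-versions --bucket DOC-EXAMPLE-BUCKET`
# after Step 2 has been run on awsexampleobject but not yet on notes.txt.
SAMPLE_LISTING = json.loads("""{
  "Versions": [
    {"Key": "awsexampleobject", "VersionId": "example.newcopy", "IsLatest": true,
     "Owner": {"DisplayName": "jane", "ID": "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099"}},
    {"Key": "awsexampleobject", "VersionId": "example.d6tjAKF1iObKbEnNQkIMPjj", "IsLatest": false,
     "Owner": {"DisplayName": "", "ID": "anonymousexampleid000000000000000000000000000000000000000000000"}},
    {"Key": "notes.txt", "VersionId": "example.notesv2", "IsLatest": true,
     "Owner": {"DisplayName": "", "ID": "anonymousexampleid000000000000000000000000000000000000000000000"}},
    {"Key": "notes.txt", "VersionId": "example.notesv1", "IsLatest": false,
     "Owner": {"DisplayName": "", "ID": "anonymousexampleid000000000000000000000000000000000000000000000"}},
    {"Key": "ours.txt", "VersionId": "example.oursv1", "IsLatest": true,
     "Owner": {"DisplayName": "jane", "ID": "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099"}}
  ],
  "DeleteMarkers": []
}""")

# The ACL shown in Step 3 of the page, as printed by get-object-acl.
SAMPLE_ACL = json.loads("""{
  "Owner": {"DisplayName": "jane", "ID": "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099"},
  "Grants": [{"Grantee": {"DisplayName": "jane",
                          "ID": "75050348ef85628a0977bexamplebdbc3062ce76f35cb463345ae65c2608d099",
                          "Type": "CanonicalUser"},
              "Permission": "FULL_CONTROL"}]
}""")


def foreign_owned_versions(listing, bucket_owner_id=BUCKET_OWNER_ID):
    """Every version or delete marker whose Owner.ID is not the bucket owner's."""
    entries = listing.get("Versions", []) + listing.get("DeleteMarkers", [])
    return [e for e in entries if e.get("Owner", {}).get("ID") != bucket_owner_id]


def plan_remediation(listing, bucket_owner_id=BUCKET_OWNER_ID):
    """Map foreign-owned versions onto the page's steps.

    reown:  keys whose latest version is foreign-owned; these still need
            Step 1 (put-object-acl --no-sign-request) and Step 2 (cp over itself).
    delete: foreign-owned versions that are not the latest AND whose key's latest
            version already belongs to the bucket owner, so Step 4 is safe.
    Older foreign-owned versions of a key that has not been re-owned yet are left
    alone, so history is never deleted before the live object is recovered.
    """
    latest_owner = {}
    for e in listing.get("Versions", []) + listing.get("DeleteMarkers", []):
        if e.get("IsLatest"):
            latest_owner[e["Key"]] = e.get("Owner", {}).get("ID")
    reown, delete = [], []
    for e in foreign_owned_versions(listing, bucket_owner_id):
        if e.get("IsLatest"):
            reown.append(e["Key"])
        elif latest_owner.get(e["Key"]) == bucket_owner_id:
            delete.append((e["Key"], e["VersionId"]))
    return {"reown": sorted(set(reown)), "delete": sorted(delete)}


def acl_confirms_ownership(acl, bucket_owner_id=BUCKET_OWNER_ID):
    """Step 3 check: the owner is the bucket owner and that owner holds FULL_CONTROL."""
    if acl.get("Owner", {}).get("ID") != bucket_owner_id:
        return False
    return any(g.get("Grantee", {}).get("ID") == bucket_owner_id
               and g.get("Permission") == "FULL_CONTROL"
               for g in acl.get("Grants", []))


def cli_commands(bucket, plan):
    """Render the page's AWS CLI commands for a plan; print and review them, then run them."""
    cmds = []
    for key in plan["reown"]:
        cmds.append(f"aws s3api put-object-acl --bucket {bucket} --key {key} "
                    f"--acl bucket-owner-full-control --no-sign-request")
        cmds.append(f"aws s3 cp s3://{bucket}/{key} s3://{bucket}/{key} --storage-class STANDARD")
    for key, version_id in plan["delete"]:
        cmds.append(f"aws s3api delete-object --bucket {bucket} --key {key} --version-id '{version_id}'")
    return cmds


if __name__ == "__main__":
    plan = plan_remediation(SAMPLE_LISTING)
    print(json.dumps(plan, indent=2))
    print("ACL confirms bucket-owner ownership:", acl_confirms_ownership(SAMPLE_ACL))
    for cmd in cli_commands("DOC-EXAMPLE-BUCKET", plan):
        print(cmd)
```

With the constructed listing, notes.txt is still anonymously owned and goes to the reown list, while its older version is deliberately not scheduled for deletion until after the cp; only the stale awsexampleobject version, whose key now has a bucket-owned latest version, is planned for delete-object. Re-run the listing and the planner after each pass until both lists are empty.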

Related information

Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?

AWS OFFICIAL. Updated 7 months ago