1 vote

I am the bucket owner. Some of the files in my bucket are not owned by me, or I don't have full control over them. I would like to have full access to the files. Unfortunately, there is no owner of the file, and I am not able to trace how the files have been uploaded to the bucket.

  • How can I overwrite the permissions of the files in my bucket that are not owned by me?
  • Going forward, how can I make sure that I have full control over the files uploaded to my bucket?

I tried copying and pasting the files onto themselves in the same S3 bucket to overwrite the permissions, but it failed.

This is the bucket policy

{
    "Version": "2012-10-17",
    "Id": "abcd",
    "Statement": [
        {
            "Sid": "abcd",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/xxx"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::xyz/*",
                "arn:aws:s3:::xyz"
            ]
        }
    ]
}

I want to be able to access and download the files in my S3 bucket that are not owned by me.


1 Answer

2 votes

How can I overwrite the permissions of the files in my bucket that are not owned by me?

From AWS Documentation:

By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account. To get access to the object, the object owner must explicitly grant you (the bucket owner) access.

The object owner can grant the bucket owner full control of the object by updating the access control list (ACL) of the object. The object owner can update the ACL either during a put or copy operation, or after the object is added to the bucket.

Right now your only solution is to change the Access Control List (ACL) of the existing files by running a CLI command similar to the one below from the object owner's account, or from the S3 console of the object owner.

aws s3api put-object-acl --bucket destination_awsexamplebucket --key keyname --acl bucket-owner-full-control

Going forward, how can I make sure that I have full control over the files uploaded to my bucket?

You can create a bucket policy that forces other users uploading to your bucket to grant you full access to those objects. This is done by requiring them to set the object's access control list to bucket-owner-full-control.

A bucket policy similar to the one below will do the trick:

{
    "Id": "Policy1541018284691",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1541018283275",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::awsexamplebucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            },
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/ExampleUser"
                ]
            }
        }
    ]
}

This will ensure that whoever uploads to your bucket needs to set the ACL to bucket-owner-full-control, or the upload will fail with an AccessDenied error.

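As an added illustration of the two bucket policies on this page (example code written for this edit, not part of the question, the answer, or any AWS library): a small Python evaluator that models only the subset of IAM policy semantics these two policies use, and shows why the question's policy lets an upload through without any ACL (so the object stays owned by the uploader) while the answer's policy denies the same upload unless x-amz-acl is bucket-owner-full-control. The bucket-owner account 999999999999 and the object key report.csv are made-up values; real IAM evaluation (SCPs, session policies, other condition operators) is far richer than this toy.

```python
import fnmatch

# Toy evaluator (example only, not AWS's evaluator): Allow/Deny statements
# with Principal, Action, Resource and an optional StringEquals condition.

# Bucket policy from the answer: PutObject/PutObjectAcl are allowed only when
# the request carries x-amz-acl: bucket-owner-full-control.
ENFORCING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:user/ExampleUser"]},
        "Action": ["s3:PutObject", "s3:PutObjectAcl"],
        "Resource": "arn:aws:s3:::awsexamplebucket/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }],
}

# Bucket policy from the question: same actions, but no condition, so an
# upload with no ACL header is allowed and the uploading account keeps ownership.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:user/xxx"]},
        "Action": ["s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket",
                   "s3:PutObject", "s3:PutObjectAcl"],
        "Resource": ["arn:aws:s3:::xyz/*", "arn:aws:s3:::xyz"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt, principal, action, resource, context):
    principals = _as_list(stmt["Principal"]["AWS"])
    if "*" not in principals and principal not in principals:
        return False
    if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            # StringEquals on a key the request does not carry is false, so an
            # upload with no x-amz-acl header does not satisfy this statement.
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, principal, action, resource, context=None):
    """Return 'Allow' or 'Deny': explicit Deny wins, otherwise Allow only if
    some Allow statement matches (implicit deny by default)."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, principal, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def resulting_grants(uploader_account, bucket_owner_account, canned_acl=None):
    """Grants on the new object, following the ownership rule quoted in the
    answer: the uploading account owns it and always has FULL_CONTROL; the
    bucket owner is added only when bucket-owner-full-control was requested."""
    grants = {uploader_account: "FULL_CONTROL"}
    if canned_acl == "bucket-owner-full-control" and bucket_owner_account != uploader_account:
        grants[bucket_owner_account] = "FULL_CONTROL"
    return grants


def simulate_upload(policy, principal, bucket, key, canned_acl, bucket_owner_account):
    """Evaluate s3:PutObject under the policy; if allowed, also return the
    grants the stored object ends up with."""
    context = {"s3:x-amz-acl": canned_acl} if canned_acl else {}
    decision = evaluate(policy, principal, "s3:PutObject",
                        f"arn:aws:s3:::{bucket}/{key}", context)
    if decision != "Allow":
        return decision, None
    uploader_account = principal.split(":")[4]  # account id field of the ARN
    return decision, resulting_grants(uploader_account, bucket_owner_account, canned_acl)


if __name__ == "__main__":
    owner = "999999999999"  # made-up bucket-owner account
    print(simulate_upload(QUESTION_POLICY, "arn:aws:iam::123456789012:user/xxx",
                          "xyz", "report.csv", None, owner))
    print(simulate_upload(ENFORCING_POLICY, "arn:aws:iam::111122223333:user/ExampleUser",
                          "awsexamplebucket", "report.csv", None, owner))
    print(simulate_upload(ENFORCING_POLICY, "arn:aws:iam::111122223333:user/ExampleUser",
                          "awsexamplebucket", "report.csv", "bucket-owner-full-control", owner))
```

Running it prints three tuples: the question's policy allows the upload and leaves only 123456789012 with FULL_CONTROL, the answer's policy denies the upload without the ACL, and with bucket-owner-full-control it allows the upload and gives both the uploader and the bucket owner FULL_CONTROL.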