Enforce bucket owner ownership in S3
📑 On this page
Part 30 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.
What we are learning
BucketOwnerEnforced makes the bucket owner own every object and disables ACL-based access control. Policies become the normal permission mechanism.
Before you run it
aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.
The command
aws s3api put-bucket-ownership-controls \
--bucket "$BUCKET" \
--ownership-controls "Rules=[{ObjectOwnership=BucketOwnerEnforced}]"A successful configuration command may return no output. Treat inspection as a separate required step.
Inspect the result
aws s3api get-bucket-ownership-controls \
--bucket "$BUCKET" \
--query "OwnershipControls.Rules[].ObjectOwnership" \
--output textRead the returned fields rather than assuming the write succeeded exactly as intended.
One tiny variation
echo "ownership demo" > ownership.txt
aws s3api put-object \
--bucket "$BUCKET" \
--key ownership.txt \
--body ownership.txtUploads without an ACL continue to work. Requests that attempt unsupported ACLs are rejected.
Common mistake
Do not switch ownership modes casually on a bucket whose workflow depends on object ACLs. First identify writers, replication, logging, and cross-account assumptions.
Cleanup
aws s3 rm "s3://$BUCKET/ownership.txt"
rm ownership.txt
aws s3api get-bucket-ownership-controls --bucket "$BUCKET"Keep BucketOwnerEnforced; it is the recommended modern default unless a documented ACL requirement exists.
Next, we will learn Read an S3 bucket policy line by line.