← All posts
2 min read

Enforce bucket owner ownership in S3

#aws#cli#s3#storage#security
📑 On this page

Part 30 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

BucketOwnerEnforced makes the bucket owner own every object and disables ACL-based access control. Policies become the normal permission mechanism.

Before you run it

aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"

Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.

The command

aws s3api put-bucket-ownership-controls \
  --bucket "$BUCKET" \
  --ownership-controls "Rules=[{ObjectOwnership=BucketOwnerEnforced}]"

A successful configuration command may return no output. Treat inspection as a separate required step.

Inspect the result

aws s3api get-bucket-ownership-controls \
  --bucket "$BUCKET" \
  --query "OwnershipControls.Rules[].ObjectOwnership" \
  --output text

Read the returned fields rather than assuming the write succeeded exactly as intended.

One tiny variation

echo "ownership demo" > ownership.txt
aws s3api put-object \
  --bucket "$BUCKET" \
  --key ownership.txt \
  --body ownership.txt

Uploads without an ACL continue to work. Requests that attempt unsupported ACLs are rejected.

Common mistake

Do not switch ownership modes casually on a bucket whose workflow depends on object ACLs. First identify writers, replication, logging, and cross-account assumptions.

Cleanup

aws s3 rm "s3://$BUCKET/ownership.txt"
rm ownership.txt
aws s3api get-bucket-ownership-controls --bucket "$BUCKET"

Keep BucketOwnerEnforced; it is the recommended modern default unless a documented ACL requirement exists.

Next, we will learn Read an S3 bucket policy line by line.

Official AWS CLI reference