Ownership Controls

Ownership Controls (also mentioned as Object Ownership) is a bucket-level setting that determines the owner of the objects in a bucket. By default, the user who uploads the object is the object owner, but Object Ownership allows you to change this behavior.

Object Ownership is closely related to ACLs (Access Control Lists) because they are used to determine who has access to objects in the bucket. In this article, we'll explore the different settings for Object Ownership and their impact on ACLs and uploads.

Settings for Ownership Controls

There are three possible settings for Ownership Controls.

BucketOwnerEnforced

With BucketOwnerEnforced, the bucket owner becomes the object owner regardless of who uploaded the object. This setting enforces object ownership by the bucket owner. ACLs are disabled and no longer affect access permissions to your bucket.

Attempts to modify ACLs will fail

Requests to set or update ACLs, and any upload that specifies an ACL other than the bucket-owner-full-control canned ACL, fail with an AccessControlListNotSupported error. Requests to read ACLs are still supported.

BucketOwnerPreferred

With BucketOwnerPreferred, the original uploader is still the object owner, but the bucket owner becomes the object owner when the upload specifies the bucket-owner-full-control canned ACL. This setting is useful in environments where the original uploader may not be known or may not be the appropriate owner. ACLs and uploads work as usual.

ObjectWriter (default)

With ObjectWriter, the original uploader remains the object owner, and the bucket owner has no special ownership rights. ACLs and uploads work as usual. This setting is the default value for Cubbit.

How to disable ACLs

As just mentioned, to disable ACLs for a bucket it's sufficient to set its Ownership Controls to BucketOwnerEnforced. But first, there is a prerequisite to verify.

If you have granted read or write access to any account other than your own through your bucket ACLs, you must remove those grants first; otherwise the attempt fails with an InvalidBucketAclWithObjectOwnership error.
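A pre-flight check for that prerequisite, added here as an example and not part of Cubbit's documentation or tooling: it parses a constructed get-bucket-acl response, lists every grant to anyone other than the bucket owner (the grants that trigger InvalidBucketAclWithObjectOwnership), and builds the owner-only policy you would put back with put-bucket-acl before enabling BucketOwnerEnforced. The sample data and names such as SAMPLE_BUCKET_ACL and foreign_grants are this example's own.

```python
import json

# Constructed sample of an `aws s3api get-bucket-acl` response for a bucket that
# still grants access to another account and to a predefined group.
SAMPLE_BUCKET_ACL = json.dumps({
    "Owner": {"DisplayName": "alice", "ID": "owner-canonical-id-EXAMPLE"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-EXAMPLE"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "other-account-id-EXAMPLE"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
})

def foreign_grants(acl_json: str) -> list:
    """Every grant that is not the bucket owner's own: other canonical users and
    predefined groups (AllUsers, AuthenticatedUsers, ...). Each one must be
    removed before the bucket can be switched to BucketOwnerEnforced, or the
    PutOwnershipControls call fails with InvalidBucketAclWithObjectOwnership."""
    acl = json.loads(acl_json)
    owner_id = acl["Owner"]["ID"]
    return [g for g in acl.get("Grants", [])
            if not (g["Grantee"].get("Type") == "CanonicalUser"
                    and g["Grantee"].get("ID") == owner_id)]

def describe_grant(grant: dict) -> str:
    """One-line description of a grant for the pre-flight report."""
    who = grant["Grantee"].get("ID") or grant["Grantee"].get("URI")
    return f"{grant['Grantee']['Type']} {who}: {grant['Permission']}"

def can_enforce_bucket_owner(acl_json: str) -> bool:
    """True only when nothing beyond the owner's own grant remains."""
    return not foreign_grants(acl_json)

def owner_only_acl(acl_json: str) -> dict:
    """AccessControlPolicy keeping only the owner's FULL_CONTROL: the body for
    `aws s3api put-bucket-acl --access-control-policy` (same effect as the
    `private` canned ACL), i.e. the remediation step before enforcing."""
    owner = json.loads(acl_json)["Owner"]
    return {"Owner": owner,
            "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": owner["ID"]},
                        "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for g in foreign_grants(SAMPLE_BUCKET_ACL):
        print("must remove before BucketOwnerEnforced:", describe_grant(g))
    print("safe to enforce:", can_enforce_bucket_owner(SAMPLE_BUCKET_ACL))
```

Against a live bucket, feed the output of `aws s3api get-bucket-acl --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket` into foreign_grants instead of the constructed sample.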

Usage

Here are some examples of how you might work with Ownership Controls with the s3api CLI.

Set Ownership Controls while creating a bucket

When calling the usual CreateBucket API, also pass --object-ownership with one of the values BucketOwnerEnforced, BucketOwnerPreferred, or ObjectWriter:

aws s3api create-bucket --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket --object-ownership BucketOwnerEnforced

Set Ownership Controls on an existing bucket

You can use the PutOwnershipControls API, passing a rule whose ObjectOwnership is BucketOwnerEnforced, BucketOwnerPreferred, or ObjectWriter:

aws s3api put-ownership-controls --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'

Get Ownership Controls for a bucket

You can use the GetOwnershipControls API to read the current setting for a bucket:

aws s3api get-ownership-controls --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket

Delete Ownership Controls for a bucket

You can use the DeleteOwnershipControls API to remove the setting from a bucket, which has the same effect as applying the default value of ObjectWriter:

aws s3api delete-ownership-controls --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket