
Is it possible to default all new uploaded keys to a specific bucket to have bucket-owner-full-control acl permissions?

Couldn't find this in the documentation.

SomeGuyOnAComputer

1 Answer


You can use an S3 bucket policy.

For example, to allow a specific principal (e.g. an IAM user) to upload to the bucket but require that the principal supplies the bucket-owner-full-control ACL:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{ <principal here> },
      "Action":"s3:PutObject",
      "Resource":"arn:aws:s3:::mybucket/*"
    },
    {
      "Effect":"Deny",
      "Principal":{ <principal here> },
      "Action":"s3:PutObject",
      "Resource":"arn:aws:s3:::mybucket/*",
      "Condition": {
        "StringNotEquals": {"s3:x-amz-acl":"bucket-owner-full-control"}
      }
    }
  ]
}
jarmod
  • Thanks for the answer. Not ideal, but it does prevent read issues on new keys. – SomeGuyOnAComputer May 03 '18 at 12:48
  • Unfortunately you can't configure S3 to apply a default ACL. By default, the principal that uploads an object to S3 owns that object, which makes perfect sense in some situations. The uploader therefore has to choose to give ownership of the S3 object to the bucket owner and the uploader does that with an explicit ACL grant. Note that, as bucket owner, you can always delete objects even if you don't own them (but you can't do anything else unless explicitly allowed by the object owner). – jarmod May 03 '18 at 13:21
  • This worked for me! One question though. Is there a reason to use a Deny effect with a Condition of StringNotEquals over just an Allow effect with a Condition of StringEquals ? The latter would remove the principal being used in both the Allow and Deny in the former, right? – SomeGuyOnAComputer May 04 '18 at 15:02
  • Yes, there is a reason to use Deny/Not rather than Allow/Equal, and which you use depends on what you want to achieve with your policy. Imagine a 2nd set of IAM credentials whose policy allows s3:PutObject to this bucket (without the condition requiring bucket-owner-full-control). If the S3 bucket policy is Allow/Equal then that user will be able to upload an object without giving the bucket owner full control over the object (because the IAM policy allows it and the S3 policy does not disallow it). If the S3 bucket policy is Deny/Not then that undesirable upload will be denied. – jarmod May 04 '18 at 16:23
  • Brilliant. This makes perfect sense. Thank you very much! – SomeGuyOnAComputer May 04 '18 at 16:25
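The Deny/StringNotEquals versus Allow/StringEquals difference discussed in the comments above is easy to check offline. The following is an added example, not code from the original answer or from AWS: a small simulator of the parts of IAM policy evaluation that matter here (explicit Deny wins, otherwise any Allow from an identity policy or the bucket policy grants, otherwise implicit deny; StringNotEquals evaluates to true when the key is absent from the request, as the IAM documentation specifies for negated operators). The principal ARNs, the account ID and the object key are made up. The Deny statement's Principal is set to "*" here, which is an assumption in place of the answer's placeholder; it is what makes the Deny also catch a second identity whose upload permission comes from its own IAM policy. Note that S3 now also offers the Object Ownership setting BucketOwnerEnforced, which disables ACLs and makes the bucket owner own every object; the example sticks to the ACL-based approach the answer describes.

```python
"""Simulate S3 bucket-policy evaluation for the x-amz-acl condition.

Added example, not from the original post. Only the subset of IAM logic
needed for the comment thread is modelled.
"""
from fnmatch import fnmatchcase

ACL_KEY = "s3:x-amz-acl"
BUCKET_OBJECTS = "arn:aws:s3:::mybucket/*"
UPLOADER = "arn:aws:iam::123456789012:user/uploader"  # assumed principal
OTHER = "arn:aws:iam::123456789012:user/other"        # assumed 2nd identity
OBJECT = "arn:aws:s3:::mybucket/report.csv"           # constructed key


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """True if every clause of a Condition block holds for the request."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            wanted = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key satisfies the clause.
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def statement_applies(stmt, attached_to, principal, action, resource, context):
    """attached_to is the ARN an identity policy is attached to, or None
    for the bucket policy (which carries its own Principal element)."""
    if attached_to is not None:
        if attached_to != principal:
            return False
    else:
        p = stmt["Principal"]
        if p != "*" and principal not in _as_list(p.get("AWS", [])):
            return False
    if action not in _as_list(stmt["Action"]):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return condition_matches(stmt.get("Condition", {}), context)


def evaluate(policies, principal, action, resource, context):
    """Return 'Allow' or 'Deny' for one request across all policies."""
    allowed = False
    for attached_to, doc in policies:
        for stmt in doc["Statement"]:
            if not statement_applies(stmt, attached_to, principal, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"


# Bucket policy in the answer's Deny/StringNotEquals form (Deny principal "*").
DENY_NOT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": UPLOADER},
         "Action": "s3:PutObject", "Resource": BUCKET_OBJECTS},
        {"Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_OBJECTS,
         "Condition": {"StringNotEquals": {ACL_KEY: "bucket-owner-full-control"}}},
    ],
}

# The Allow/StringEquals variant asked about in the comments.
ALLOW_EQUAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": UPLOADER},
         "Action": "s3:PutObject", "Resource": BUCKET_OBJECTS,
         "Condition": {"StringEquals": {ACL_KEY: "bucket-owner-full-control"}}},
    ],
}

# Identity policy on the second user: unconditional PutObject on the bucket.
OTHER_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET_OBJECTS}],
}


def put_object(bucket_policy, principal, acl=None):
    """Simulate PutObject by `principal`, optionally with an x-amz-acl header."""
    policies = [(None, bucket_policy), (OTHER, OTHER_IDENTITY_POLICY)]
    context = {ACL_KEY: acl} if acl is not None else {}
    return evaluate(policies, principal, "s3:PutObject", OBJECT, context)


if __name__ == "__main__":
    for name, pol in (("Deny/StringNotEquals", DENY_NOT_POLICY),
                      ("Allow/StringEquals", ALLOW_EQUAL_POLICY)):
        print(name)
        print("  uploader, correct ACL        :", put_object(pol, UPLOADER, "bucket-owner-full-control"))
        print("  uploader, no ACL header      :", put_object(pol, UPLOADER))
        print("  other (own IAM allow), no ACL:", put_object(pol, OTHER))
```

Running it shows the gap jarmod describes: with Allow/StringEquals the second user's own IAM policy lets an upload without the ACL through, while with Deny/StringNotEquals (Principal "*") the same upload is denied. The uploader's request with no ACL header at all is also denied under Deny/StringNotEquals, because the negated operator treats the missing key as a match.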