其他人在我的 AWS S3 存储桶中创建的对象的访问权限被拒绝

Question

We have an application that writes files to an Amazon S3 bucket. I am not able to download or copy the files to different bucket. I am getting access denied error. The owner of the file is someone else but the bucket is owned by us. That person is not accessible and is not there in the organization. How do I access the files and change the access permission or change the owner of the files?

I tried copying the objects from source bucket to destination bucket but Error 403 .

Here is the bucket policy:

{
    "Version": "2012-10-17",
    "Id": "abcd",
    "Statement": [
        {
            "Sid": "abcd",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/xxx"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::xyz/*",
                "arn:aws:s3:::xyz"
            ]
        }
    ]
} 

Expected: I want to move these files to different bucket or download these files. It is giving error Access denied 403 .

Answer 1

The uploader of the files needs to grant full control over the objects to the bucket owner.

How you do this depends on which tool or SDK you are using to upload files. For example, if you are using the awscli then you would append --acl bucket-owner-full-control to the aws s3 cp command.

As an S3 bucket owner, you can require uploaders to give you full control by specifying an appropriate S3 bucket policy.

Note that giving the bucket owner full control does not make the bucket owner the owner of the objects. They are still owned by the uploader. However, if the bucket owner has full control and wants ownership, then the bucket owner can simply copy each file over itself, and that will transfer the ownership.