AWS adds new S3 security and access control features

Amazon Web Services (AWS) has made available three new S3 (Simple Storage Service) security and access control features:

  • Object Ownership
  • Bucket Owner Condition
  • Copy API via Access Points

Object Ownership

Object Ownership is a permission that can be set when creating a new object within an S3 bucket, to enforce the transfer of new object ownership onto the bucket owner.


“With the proper permissions in place, S3 already allows multiple AWS accounts to upload objects to the same bucket, with each account retaining ownership and control over the objects. This many-to-one upload model can be handy when using a bucket as a data lake or another type of data repository. Internal teams or external partners can all contribute to the creation of large-scale centralized resources,” explained Jeff Barr, Chief Evangelist for AWS.

But with this setup, the bucket owner doesn't have full control over the objects in the bucket and therefore cannot use bucket policies to share and manage them. If the object uploader needs to retain access to an object, the bucket owner will need to grant additional permissions to the uploading account.

“Keep in mind that this feature does not change the ownership of existing objects. Also, note that you will now own more S3 objects than before, which may cause changes to the numbers you see in your reports and other metrics,” Barr added.

Bucket Owner Condition

Bucket Owner Condition allows bucket owners to confirm the ownership when they create a new object or perform other S3 operations.

AWS recommends using Bucket Owner Condition whenever users perform a supported S3 operation and know the account ID of the expected bucket owner.

The feature eliminates the risk of users accidentally interacting with buckets in the wrong AWS account. For example, it prevents situations like applications writing production data into a bucket in a test account.

Copy API via Access Points

S3 Access Points are “unique hostnames that customers create to enforce distinct permissions and network controls for any request made through the access point. Customers with shared data sets […] can easily scale access for hundreds of applications by creating individualized access points with names and permissions customized for each application.”

The feature can now be used together with the S3 CopyObject API, allowing customers to copy data to and from access points within an AWS Region.
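The following is an added example, not code from the article or from AWS, showing how the three features described above (Object Ownership, Bucket Owner Condition and copying through an access point) surface in the boto3 S3 client. The account IDs, bucket name and access-point ARN are constructed, and the `StubS3Client` is a stand-in for `boto3.client("s3")` that records the calls and refuses a request whose expected owner does not match, the way S3 itself returns 403 when Bucket Owner Condition fails; swap in a real client to run it against an account.

```python
"""Added example: the S3 Object Ownership, Bucket Owner Condition and
access-point copy features via their boto3 parameter names, exercised
against a constructed stub client so it runs offline."""

PROD_ACCOUNT = "111111111111"   # constructed: account that owns the data-lake bucket
TEST_ACCOUNT = "222222222222"   # constructed: account we must never write production data into
BUCKET = "example-data-lake"    # constructed bucket name
ACCESS_POINT = f"arn:aws:s3:us-east-1:{PROD_ACCOUNT}:accesspoint/analytics-ap"  # constructed


class AccessDenied(Exception):
    """Stands in for botocore's ClientError carrying an HTTP 403."""


class StubS3Client:
    """Constructed stand-in for boto3.client('s3'). It records every API call
    and enforces Bucket Owner Condition like S3 does: if the caller pinned an
    expected owner that is not the bucket's real owner, the call is refused."""

    def __init__(self, real_owner):
        self.real_owner = real_owner
        self.calls = []

    def _record(self, name, kwargs):
        self.calls.append((name, kwargs))
        for key in ("ExpectedBucketOwner", "ExpectedSourceBucketOwner"):
            if key in kwargs and kwargs[key] != self.real_owner:
                raise AccessDenied(f"{name}: {key}={kwargs[key]} does not own the bucket")
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

    def __getattr__(self, name):
        # Any S3 API name (put_object, copy_object, ...) maps onto the recorder.
        return lambda **kwargs: self._record(name, kwargs)


def enable_bucket_owner_ownership(s3, bucket, owner):
    """Object Ownership: with BucketOwnerPreferred, new objects uploaded with the
    bucket-owner-full-control ACL are owned by the bucket owner. Existing objects
    keep their current owner, as the article notes."""
    return s3.put_bucket_ownership_controls(
        Bucket=bucket,
        OwnershipControls={"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]},
        ExpectedBucketOwner=owner,
    )


def upload_to_shared_bucket(s3, bucket, key, body, owner):
    """Uploader side: grant full control so ownership transfers, and pin the
    expected owner so a bucket name that resolves to another account is refused."""
    return s3.put_object(
        Bucket=bucket, Key=key, Body=body,
        ACL="bucket-owner-full-control",
        ExpectedBucketOwner=owner,
    )


def copy_via_access_point(s3, access_point_arn, src_key, dst_key, owner):
    """Copy API via Access Points: the access-point ARN replaces the bucket name,
    and both the source and destination are pinned to the expected owner."""
    return s3.copy_object(
        Bucket=access_point_arn, Key=dst_key,
        CopySource={"Bucket": access_point_arn, "Key": src_key},
        ExpectedBucketOwner=owner,
        ExpectedSourceBucketOwner=owner,
    )


def run_demo():
    """Happy path against the production bucket, then the article's failure mode:
    an application pointed at a same-named bucket that lives in a test account."""
    prod = StubS3Client(real_owner=PROD_ACCOUNT)
    enable_bucket_owner_ownership(prod, BUCKET, PROD_ACCOUNT)
    upload_to_shared_bucket(prod, BUCKET, "raw/2020-10-01.csv", b"id,value\n1,2\n", PROD_ACCOUNT)
    copy_via_access_point(prod, ACCESS_POINT, "raw/2020-10-01.csv",
                          "curated/2020-10-01.csv", PROD_ACCOUNT)

    misrouted = StubS3Client(real_owner=TEST_ACCOUNT)  # bucket actually in the test account
    try:
        upload_to_shared_bucket(misrouted, BUCKET, "raw/2020-10-01.csv", b"...", PROD_ACCOUNT)
        refused = False
    except AccessDenied:
        refused = True  # nothing was written into the wrong account

    return {
        "prod_calls": [name for name, _ in prod.calls],
        "all_pinned": all("ExpectedBucketOwner" in kw for _, kw in prod.calls),
        "wrong_account_refused": refused,
    }


if __name__ == "__main__":
    print(run_demo())
```

The design point is that `ExpectedBucketOwner` is passed on every call, including the one that configures Object Ownership itself, so a wrong account ID fails closed before any data moves; the stub only models the 403 behaviour, not the ownership transfer, which is a server-side effect you would verify afterwards with `get_object_acl`.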
