How change S3 file ownership while cross-account uploading

Question

I have an application which upload ( copy ) some files to a S3 bucket in another AWS account, I use copyObject command from AWS SDK ( Nodejs )

var params = {
      Bucket: "MyBucket_AccountB", 
      CopySource: encodeURI('/Accunt_A_Bocket/file.png'),
      Key: "file.png",
      ACL: 'bucket-owner-full-control'
     };
s3.copyObject(params, function(err, datas) {
    if (err) console.log(err, err.stack); // an error occurred
    else     console.log(datas);           // successful response
});

This code, run from a diffrent AWS Account, let's say, AWS_ACCOUNT_A , and the files uploaded to a S3 bucket in AWS_ACCOUNT_B The thing is, when it upload the files to this bucket, the ownership of this files, are still AWS_ACCOUNT_A.

I want to know what should I do to give ownership of files to AWS_ACCOUNT_B, while uploading them. Anyone here can give me some guidance?

UPDATE :

I used this policy :

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Permissions",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::MY_ACCOUNT_B_ID:root"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::MYBUCKET_IN_ACCOUNT_A",
            "arn:aws:s3:::MYBUCKET_IN_ACCOUNT_A/*"
        ]
    }
]
}

but the uploaded files are still owned by Account_A, Did I do anything wrong in the policy?

Answer 1

If you have to copy a file from account A to account B, then you should have account A assume a role in account B before writing the file. If for some reason you can't assume a role in account B to do it, then you can set the access to allow full control to the bucket owner:

aws s3 cp --acl bucket-owner-full-control localFile s3://bucketname/path/filename

The bucket owner can enforce this requirement with the following rule:

{
    "Sid": "CrossAccountWritePermissionsDenier",
    "Effect": "Deny",
    "Principal": {
        "AWS": "arn-of-account-A-pusher"
    },
    "Action": [
        "s3:PutObject"
    ],
    "Resource": [
        "arn:aws:s3:::bucketname/path/given/access/*",
        "arn:aws:s3:::bucketname/other/path/given/access/*"
    ],
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-acl": "bucket-owner-full-control"
        }
    }
}

One caveat to this approach is that if you have an account C (reader) which was also granted read privileges by account B (bucket owner) for the path that account A (writer) pushed a file into, then account C will not be able to read files pushed by account A since they aren't actually owned by account B. This is the issue you are facing.

If account A instead assumed a role in account B before pushing, then the file would be owned by account B, and therefore, account C would be able to read it. Otherwise, account B will have to move the file (since account B has full access) and then account C will be able to read the file in its new location.

In theory, you can change ownership by copying the file to itself from the bucket owner's role:

aws s3 cp s3://bucketname/path/filename s3://bucketname/path/filename

It will not let you do this, however, unless you are changing something (such as the owner, metadata, acl, etc). So you can only do this from the bucket owner's role, not from the original (non-bucket-owner) uploader's role.