S3 Object Ownership


S3 Object Ownership lets you set ownership of objects uploaded to a given bucket and to determine whether ACLs are used to control access to objects within this bucket.

A bucket can be configured with one of the following ownership modes:

  • ACLs enabled (default). The user who uploads the object becomes the object owner. Access is authorized based on ACLs, as well as identity and bucket policies. The policies take precedence over ACLs: if the decision to allow or deny access is made based on an identity or bucket policy, the ACLs are not checked.

    This mode corresponds to the S3 ObjectWriter ownership rule.

    Note

    Note that the default behavior of VAST Cluster differs from that of AWS. With AWS, the BucketOwnerEnforced ownership rule is used by default.

  • ACLs disabled. The bucket owner has full control over any object in the bucket, including objects that were created prior to configuring this ownership rule for the bucket, and regardless of the access protocol used to create objects. Access to objects is authorized based on identity and bucket policies configured for the bucket. ACLs are not used, for S3 or for any other access protocol.

    Uploads whose S3 request contains an ACL are rejected, unless the ACL is the bucket-owner-full-control canned ACL or an equivalent ACL.

    This mode corresponds to the S3 BucketOwnerEnforced ownership rule.

Ownership mode is configurable only for S3-enabled views controlled with the S3 Native security flavor. With other security flavors, the ACLs enabled mode is always used.

When switching from ACLs disabled to ACLs enabled mode, VAST Cluster restores the ACLs that existed before the ACLs disabled mode was set.

To configure S3 object ownership for a bucket:

  • In VAST Web UI, open the Create View or Update View dialog (Element Store -> Views -> choose to create or edit a view) and under ACLs, set ACLs enabled or ACLs disabled.

  • In VAST CLI, run the --view create or --view modify command with the --enable-acls or --disable-acls option specified.

  • Send a PutBucketOwnershipControls request containing the ObjectWriter or BucketOwnerEnforced rule to the VAST REST API's /views/{id}/ endpoint.

Note

The s3:PutBucketOwnershipControls permission is required to be able to configure S3 object ownership.

To get information about the ownership rule set for the bucket:

  • In VAST Web UI, go to Element Store -> Views, right-click the view and choose View. In the dialog that opens, go to the ACLs pane.

  • Send a GetBucketOwnershipControls request to the VAST REST API's /views/{id}/ endpoint.

Note

The s3:SetBucketOwnershipControls permission is required to be able to get S3 object ownership configuration.
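The following script is an added example, not part of this documentation or of VAST's own tooling. It reads the ownership rule back with GetBucketOwnershipControls, flags buckets that still authorize through ACLs (the ObjectWriter rule), and switches a bucket to BucketOwnerEnforced via PutBucketOwnershipControls; the endpoint URL and bucket names are assumed placeholders, and the offline helpers model the upload rule described above for the canned ACL only.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Ownership rules named on this page (values as used by the S3 API).
OBJECT_WRITER = "ObjectWriter"                 # "ACLs enabled": VAST default
BUCKET_OWNER_ENFORCED = "BucketOwnerEnforced"  # "ACLs disabled": AWS default


def ownership_rule(response: Dict) -> str:
    """Extract the rule from a GetBucketOwnershipControls response."""
    rules = response.get("OwnershipControls", {}).get("Rules", [])
    if len(rules) != 1 or "ObjectOwnership" not in rules[0]:
        raise ValueError("expected exactly one ObjectOwnership rule")
    rule = rules[0]["ObjectOwnership"]
    if rule not in (OBJECT_WRITER, BUCKET_OWNER_ENFORCED):
        raise ValueError(f"unsupported ownership rule: {rule}")
    return rule


def upload_acl_permitted(rule: str, canned_acl: Optional[str]) -> bool:
    """Model the upload rule: with ACLs disabled, a request carrying an ACL
    is rejected unless it is bucket-owner-full-control (or carries none)."""
    if rule == OBJECT_WRITER:
        return True
    return canned_acl in (None, "bucket-owner-full-control")


def audit_acl_enabled(buckets: Iterable[Tuple[str, Dict]]) -> List[str]:
    """Return the names of buckets still authorizing through ACLs."""
    return [name for name, resp in buckets
            if ownership_rule(resp) == OBJECT_WRITER]


def enforce_bucket_owner(s3, bucket: str) -> str:
    """Switch a bucket to ACLs disabled and read the rule back to verify."""
    s3.put_bucket_ownership_controls(
        Bucket=bucket,
        OwnershipControls={"Rules": [{"ObjectOwnership": BUCKET_OWNER_ENFORCED}]},
    )
    return ownership_rule(s3.get_bucket_ownership_controls(Bucket=bucket))


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without it

    # Assumed values: replace with your VAST S3 endpoint and bucket name.
    s3 = boto3.client("s3", endpoint_url="https://s3.vast.example.internal")
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    flagged = audit_acl_enabled(
        (n, s3.get_bucket_ownership_controls(Bucket=n)) for n in names)
    print("buckets with ACLs enabled:", flagged)
    # Uncomment to remediate one of them:
    # print(enforce_bucket_owner(s3, "my-bucket"))
```

The caller needs the s3:PutBucketOwnershipControls permission noted above for the remediation step.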