AWS Security Academy · Lesson

Access Points and Object Ownership

Scope access cleanly and avoid risky cross-account ACLs.

Why ACLs Are Risky

Legacy ACLs (access control lists) let you grant object-level access, but they predate IAM and bucket policies and are hard to audit at scale.

The biggest danger is cross-account uploads: an object written by another account can be owned by that account rather than by the bucket owner, leaving the bucket owner unable to read, re-permission or delete it through the bucket's own controls.

S3 Object Ownership

S3 Object Ownership determines who owns uploaded objects. Its recommended setting, Bucket owner enforced, disables ACLs entirely and makes the bucket owner the owner of every object automatically, whichever account uploaded it.

With ACLs off, all access is governed cleanly by IAM and bucket policies, which is far easier to reason about and audit.
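The following is an added example, not code from the lesson or from AWS: a small audit that reads each bucket's Object Ownership setting, classifies anything other than BucketOwnerEnforced as a finding, and builds the request that switches a bucket to the enforced setting. It assumes a boto3-style S3 client whose get_bucket_ownership_controls(Bucket=...) returns the documented shape {"OwnershipControls": {"Rules": [{"ObjectOwnership": "..."}]}} and raises a ClientError with response["Error"]["Code"] == "OwnershipControlsNotFoundError" when no ownership configuration exists. The client and bucket settings in the block are constructed so it runs offline; in practice you would pass boto3.client("s3") and the names from list_buckets().

```python
"""Audit S3 Object Ownership settings and build the enforcing request.

Added example (not from the lesson). Assumes a boto3-style S3 client; the
_FakeS3 class below is a constructed stand-in so the script runs offline.
"""

# The three ObjectOwnership values the S3 API accepts.
BUCKET_OWNER_ENFORCED = "BucketOwnerEnforced"    # ACLs disabled; bucket owner owns every object
BUCKET_OWNER_PREFERRED = "BucketOwnerPreferred"  # ACLs on; ownership transfers only when the
                                                 # uploader sets bucket-owner-full-control
OBJECT_WRITER = "ObjectWriter"                   # ACLs on; a cross-account uploader keeps ownership


def classify_ownership(ownership):
    """Map an ObjectOwnership value (None when unset) to an audit verdict."""
    if ownership == BUCKET_OWNER_ENFORCED:
        return "ok"
    if ownership == BUCKET_OWNER_PREFERRED:
        # Safe only if every writer remembers the canned ACL; still ACL-dependent.
        return "acls-enabled"
    if ownership == OBJECT_WRITER or ownership is None:
        # Assumption: a bucket with no ownership configuration is treated as the
        # legacy ObjectWriter behaviour, which is the cross-account risk the lesson describes.
        return "cross-account-risk"
    raise ValueError(f"unknown ObjectOwnership value: {ownership!r}")


def audit_buckets(s3_client, bucket_names):
    """Return {bucket_name: verdict}, tolerating buckets with no ownership config."""
    results = {}
    for name in bucket_names:
        try:
            resp = s3_client.get_bucket_ownership_controls(Bucket=name)
            rules = resp["OwnershipControls"]["Rules"]
            ownership = rules[0]["ObjectOwnership"] if rules else None
        except Exception as err:  # botocore.exceptions.ClientError with a real client
            code = getattr(err, "response", {}).get("Error", {}).get("Code")
            if code != "OwnershipControlsNotFoundError":
                raise
            ownership = None
        results[name] = classify_ownership(ownership)
    return results


def enforce_request(bucket_name):
    """Keyword arguments for s3_client.put_bucket_ownership_controls(**...)."""
    return {
        "Bucket": bucket_name,
        "OwnershipControls": {"Rules": [{"ObjectOwnership": BUCKET_OWNER_ENFORCED}]},
    }


class _FakeS3:
    """Constructed stand-in for a boto3 S3 client (offline only)."""

    def __init__(self, settings):
        self._settings = settings  # bucket name -> ObjectOwnership value

    def get_bucket_ownership_controls(self, Bucket):
        if Bucket not in self._settings:
            err = Exception("OwnershipControlsNotFoundError")
            err.response = {"Error": {"Code": "OwnershipControlsNotFoundError"}}
            raise err
        return {"OwnershipControls": {"Rules": [{"ObjectOwnership": self._settings[Bucket]}]}}


# Constructed sample account: one enforced bucket, one preferred, one legacy, one unset.
SAMPLE_CLIENT = _FakeS3({
    "example-logs": BUCKET_OWNER_ENFORCED,
    "example-uploads": BUCKET_OWNER_PREFERRED,
    "example-legacy": OBJECT_WRITER,
})
SAMPLE_BUCKETS = ["example-logs", "example-uploads", "example-legacy", "example-unset"]


if __name__ == "__main__":
    for bucket, verdict in audit_buckets(SAMPLE_CLIENT, SAMPLE_BUCKETS).items():
        print(f"{bucket:20s} {verdict}")
        if verdict != "ok":
            print("  remediation:", enforce_request(bucket))
```

Before applying enforce_request to a real bucket, check CloudTrail or application code for writers that still send ACL headers: once ownership is enforced, uploads that specify any ACL other than bucket-owner-full-control are rejected, so a noisy producer can break rather than silently keep ownership.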
