(AWS S3) Show File Ownership

Time:02-19

We are trying to copy/move s3 bucket files that were originally transferred to our bucket from another AWS account.

However, when we try to move these file contents with the aws s3 cp command, we get: fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

I think the problem is that someone copied this data over from another account without using --acl bucket-owner-full-control. Do you know if there is a way for us to go through and list file owners via the CLI or boto3? Maybe a recursive call to the bucket showing all object owners to each file? Or find anything that isn't owned by our account?

Current permissions of our bucket:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": {
            "AWS": [
               "arn:aws:iam::account-user-id:root"
            ]
         },
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::customers"
      },
      {
         "Effect": "Allow",
         "Principal": {
            "AWS": [
               "arn:aws:iam::account-user-id:root"
            ]
         },
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::customers/*"
      }
   ]
}

CodePudding user response:

A recent feature in Amazon S3 allows you to override the ownership settings:

S3 Edit Object Ownership

If you configure the bucket with ACLs disabled, then you should immediately regain access to all of the objects.
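As an added example (not code from the question or the answer above), the following boto3 script does the two things this thread asks about: it lists objects whose owner is not the bucket owner, and it checks whether the bucket already has Object Ownership set to BucketOwnerEnforced (ACLs disabled). It assumes boto3 is installed and credentials are configured; the bucket name "customers" is taken from the question's policy and used as a placeholder.

```python
"""Find S3 objects not owned by the bucket owner and check Object Ownership.

Added example for this thread, not code from the original post. Assumes
boto3 is installed and AWS credentials are configured; "customers" is the
bucket name from the question and is used as a placeholder.
"""

def foreign_objects(pages, bucket_owner_id):
    """Return (key, owner_id) for every object whose owner is not the bucket owner.

    `pages` is an iterable of ListObjectsV2 responses requested with
    FetchOwner=True, so each object carries an 'Owner' entry. Listing is a
    bucket-level permission, so these entries are visible even for objects
    the bucket owner cannot HeadObject/GetObject (the 403 in the question).
    """
    found = []
    for page in pages:
        for obj in page.get("Contents", []):
            owner_id = obj.get("Owner", {}).get("ID")
            if owner_id != bucket_owner_id:
                found.append((obj["Key"], owner_id))
    return found

def acls_disabled(ownership_controls):
    """True when Object Ownership is BucketOwnerEnforced (ACLs disabled).

    With ACLs disabled every object is owned by the bucket owner regardless
    of who uploaded it, which is the fix the answer above describes.
    """
    rules = ownership_controls.get("OwnershipControls", {}).get("Rules", [])
    return any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules)

def audit_bucket(bucket="customers"):
    """Live check against AWS: foreign-owned keys plus the ownership setting."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    owner_id = s3.get_bucket_acl(Bucket=bucket)["Owner"]["ID"]
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, FetchOwner=True)
    foreign = foreign_objects(pages, owner_id)
    try:
        disabled = acls_disabled(s3.get_bucket_ownership_controls(Bucket=bucket))
    except ClientError:  # OwnershipControlsNotFoundError: nothing configured yet
        disabled = False
    return foreign, disabled

# Constructed sample pages standing in for two ListObjectsV2 responses.
SAMPLE_PAGES = [
    {"Contents": [{"Key": "a.csv", "Owner": {"ID": "bucket-owner-id"}},
                  {"Key": "b.csv", "Owner": {"ID": "other-account-id"}}]},
    {"Contents": [{"Key": "c.csv", "Owner": {"ID": "bucket-owner-id"}}]},
]

if __name__ == "__main__":
    for key, owner in foreign_objects(SAMPLE_PAGES, "bucket-owner-id"):
        print(f"{key}: owned by {owner}")  # b.csv: owned by other-account-id
```

Run as a script it walks the constructed sample pages offline; call audit_bucket() against a real bucket to get the list of keys still owned by the other account before or after flipping the ownership setting.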
