
Amazon S3 Bucket Object Ownership

In our Amazon S3 Quick Start Guide, we discuss how to configure WP Offload Media to create a new S3 bucket from the plugin interface. We also cover how you can enter the name of an existing bucket, or browse your available buckets.

If you do use an existing Amazon S3 bucket with WP Offload Media, you will see the following Security page when you save the bucket settings:

Screenshot of the Bucket Security page shown after selecting an existing Amazon S3 bucket

On that Security page you will see an Object Ownership panel that will show whether Object Ownership is currently enforced or not.

What is Object Ownership

Amazon S3 buckets can be configured so that, no matter which AWS account uploads objects to them, ACLs are disabled and the uploaded objects are always owned by the AWS account that owns the bucket.

Screenshot of S3 bucket’s Object Ownership setting with ACLs disabled

Alternatively, Object Ownership might not be enforced, in which case ACLs may be set on objects. Objects uploaded to the bucket are then either always owned by the AWS account that wrote them, or owned by the object writer unless the “bucket-owner-full-control” canned ACL is used, which makes the bucket owner the preferred object owner.

Screenshot of S3 bucket’s Object Ownership setting with ACLs enabled and bucket owner preferred selected

WP Offload Media supports using an Amazon S3 bucket with ACLs disabled and Object Ownership enforced, as well as with ACLs enabled with Object Ownership not enforced.

As long as you have set up Amazon CloudFront as the Delivery Provider, you can enforce Object Ownership to improve security.

If you are not using CloudFront as the Delivery Provider, then you must either create a bucket policy that allows public access, or turn off Object Ownership enforcement so that ACLs can be set on the bucket’s objects. That way your site’s visitors can see the objects via either raw bucket URLs or a third party Delivery Provider such as Cloudflare or StackPath.

You can read more about Object Ownership in Amazon’s guide to Controlling ownership of objects and disabling ACLs for your bucket.

Updating Object Ownership via WP Offload Media

WP Offload Media is able to both check and update the Object Ownership settings for a bucket as long as the IAM User whose credentials are being used for access has both the GetBucketOwnershipControls and PutBucketOwnershipControls permissions. If this is not the case, please see the Enable ACLs via the AWS Console section.

Turn Off Object Ownership Enforcement

If you are seeing a warning in WP Offload Media’s Media tab that Object Ownership is Enforced, you should turn off Object Ownership enforcement via the Bucket Security page of WP Offload Media’s settings.

Screenshot of Object Ownership is Enforced warning in WP Offload Media

To get to the Security page, either use the turn off Object Ownership enforcement link seen in the warning notice, or use the Edit button to the right of the Storage Provider’s name (Amazon S3), and then select the Security sub-heading.

Screenshot of the Bucket Security page with Object Ownership enforced warning that CloudFront is not in use

Use the toggle switch in the header section of the Object Ownership panel to turn off Object Ownership enforcement, then use the Update Bucket Security button to save the change.

Screenshot of the Bucket Security page with Object Ownership enforcement turned off ready for update

If Block All Public Access has been disabled and Object Ownership is no longer enforced, you may now see an Update Object ACLs prompt.

Screenshot of Update Object ACLs prompt after Block All Public Access disabled

It is recommended to respond Yes to this prompt so that WP Offload Media can ensure that the bucket objects can be accessed via raw bucket URLs or a third party Delivery Provider that cannot be given the kind of direct bucket access that CloudFront is allowed.

After clicking Yes, WP Offload Media will run a background process to update all the objects to ensure their ACL status is as expected. This is a relatively fast process as no files are transferred, just permissions set on objects through a number of background batch requests to the Amazon S3 API.

Screenshot of the Update Object ACLs background process progress displayed in the tools tab

You do not need to stay on WP Offload Media’s settings page while the Update Object ACLs tool is running; WP Offload Media will display a WordPress admin dashboard notice when it has completed.

When you return to the Media settings page, you will no longer see the Object Ownership is Enforced warning notice.

Turn On Object Ownership Enforcement

If you are using Amazon CloudFront as the Delivery Provider for an Amazon S3 bucket, and have ensured that the bucket has a policy that allows the CloudFront distribution’s assigned Origin Access Identity to have access, then you can enforce Object Ownership via the Security page of WP Offload Media’s settings.

To get to the Bucket Security page, click the Edit button to the right of “Amazon S3” in the Storage Settings panel’s header.

Screenshot of WP Offload Media settings page showing Storage Settings panel

In the Storage sub-page, skip to the “Security” page by clicking Security in the sub-navigation.

Screenshot of the Bucket Security page with Object Ownership turned off and Delivery Provider is CloudFront

Use the toggle switch in the header section of the Object Ownership panel to enforce Object Ownership.

You will then need to confirm that you have set up the required CloudFront Origin Access Identity and updated the bucket policy to give it access to the bucket.

You can then use the Update Bucket Security button to save the change, which also updates the bucket to enforce Object Ownership.

Screenshot of bucket security page in WP Offload Media when CloudFront configured and Block All Public Access and Object Ownership Enforcement just turned on
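The same check-and-update sequence that the Turn Off and Turn On sections above perform through the Security page, done with the AWS CLI instead. This is an added example, not code from WP Offload Media or its documentation; the bucket name `my-media-bucket` and the OAI id `E1EXAMPLEOAIID` are constructed placeholders, and the caller is assumed to hold the GetBucketOwnershipControls and PutBucketOwnershipControls permissions the page names.

```shell
#!/usr/bin/env bash
# Added example, not part of WP Offload Media: the AWS CLI equivalent of the
# plugin's Security page. The IAM identity running it needs
# s3:GetBucketOwnershipControls and s3:PutBucketOwnershipControls on the bucket.
# "my-media-bucket" and the OAI id "E1EXAMPLEOAIID" are constructed placeholders.
set -euo pipefail

# Build the --ownership-controls payload. BucketOwnerEnforced disables ACLs;
# BucketOwnerPreferred and ObjectWriter keep ACLs enabled.
ownership_controls_json() {
  case "$1" in
    BucketOwnerEnforced|BucketOwnerPreferred|ObjectWriter) ;;
    *) echo "unsupported ObjectOwnership value: $1" >&2; return 1 ;;
  esac
  printf '{"Rules":[{"ObjectOwnership":"%s"}]}' "$1"
}

# Build the bucket policy that lets a CloudFront Origin Access Identity read
# objects; this must be in place before enforcing Object Ownership with CloudFront.
oai_read_policy_json() {
  local bucket="$1" oai_id="$2"
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"AllowCloudFrontOAIRead","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity %s"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::%s/*"}]}' \
    "$oai_id" "$bucket"
}

# Print the bucket's current setting. A bucket that never had ownership controls
# set returns OwnershipControlsNotFoundError and behaves as ObjectWriter.
get_object_ownership() {
  aws s3api get-bucket-ownership-controls --bucket "$1" \
    --query 'OwnershipControls.Rules[0].ObjectOwnership' --output text 2>/dev/null \
    || echo "ObjectWriter"
}

# Turn enforcement off (BucketOwnerPreferred, ACLs enabled) or on (BucketOwnerEnforced).
set_object_ownership() {
  aws s3api put-bucket-ownership-controls --bucket "$1" \
    --ownership-controls "$(ownership_controls_json "$2")"
}

# Attach the OAI policy first, then enforce ownership, mirroring the plugin's order.
enforce_with_cloudfront() {
  local bucket="$1" oai_id="$2"
  aws s3api put-bucket-policy --bucket "$bucket" \
    --policy "$(oai_read_policy_json "$bucket" "$oai_id")"
  set_object_ownership "$bucket" BucketOwnerEnforced
}

if [ "${1:-}" = "--run" ]; then
  echo "current: $(get_object_ownership my-media-bucket)"
fi
```

Run with `--run` to print the current setting only; `set_object_ownership my-media-bucket BucketOwnerPreferred` is the CLI counterpart of the Enable ACLs via the AWS Console steps further down.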

Enable ACLs via the AWS Console

If you are seeing issues with offloading media and are unable to change the Object Ownership for the bucket via the Security page, chances are that the IAM User whose credentials are being used with WP Offload Media does not have the GetBucketOwnershipControls or PutBucketOwnershipControls permissions.

If you are unable to update the IAM User whose credentials are being used with WP Offload Media to give it both the GetBucketOwnershipControls and PutBucketOwnershipControls permissions, then WP Offload Media will not be able to check and update Object Ownership. You will need to manually update Object Ownership on the bucket via the AWS Console to enable ACLs.

Manually Update Object Ownership On A New Bucket

When creating a new S3 bucket, under the “Object Ownership” section, select the ACLs Enabled option and leave the “Object Ownership” selection below this with the default of Bucket owner preferred.

Screenshot of enabling ACLs while creating a new bucket in the AWS Console

Manually Update Object Ownership On An Existing Bucket

If you have previously created a bucket, and you need to change the settings, start by clicking on the bucket name in your bucket list, then click on the Permissions tab.

Scroll down to the “Object Ownership” section and click the Edit button.

Screenshot of initial Edit Object Ownership page for a bucket in AWS Console when ACLs disabled

On the “Edit Object Ownership” screen, select the ACLs Enabled option and check the box to acknowledge the change. Leave the “Object Ownership” selection below this with the default of Bucket owner preferred.

Screenshot of Edit Object Ownership page for a bucket in AWS Console when ACLs newly enabled

After saving your changes using the orange Save changes button, your media should upload to the S3 bucket successfully with WP Offload Media.