Amazon S3 Bucket Object Ownership
In our Amazon S3 Quick Start Guide, we discuss how to configure WP Offload Media to create a new S3 bucket from the plugin interface. We also cover how you can enter the name of an existing bucket, or browse your available buckets.
If you do use an existing Amazon S3 bucket with WP Offload Media, you will see the Security page when you save the bucket settings.
On that Security page you will see an Object Ownership panel that shows whether Object Ownership is currently enforced or not.
What is Object Ownership
An Amazon S3 bucket can be set up so that, no matter which AWS account uploads objects to it, ACLs are disabled and the uploaded objects are always owned by the AWS account that owns the bucket.
Alternatively, Object Ownership can be left unenforced, which allows ACLs to be set on objects. In that case, objects uploaded to the bucket are either always owned by the AWS account that wrote them, or owned by the object writer unless the “bucket-owner-full-control” canned ACL is used to set the bucket owner as the preferred object owner.
WP Offload Media supports using an Amazon S3 bucket with ACLs disabled and Object Ownership enforced, as well as with ACLs enabled with Object Ownership not enforced.
As long as you have set up Amazon CloudFront as the Delivery Provider, you can enforce Object Ownership to improve security.
If you are not using CloudFront as the Delivery Provider, then you must enable ACLs on the bucket’s objects so that your site’s visitors can see the objects via either raw bucket URLs or a third party Delivery Provider such as Cloudflare or StackPath.
You can read more about Object Ownership in Amazon’s guide to Controlling ownership of objects and disabling ACLs for your bucket.
Updating Object Ownership via WP Offload Media
WP Offload Media is able to both check and update the Object Ownership settings for a bucket as long as the IAM User whose credentials are being used for access has both the
PutBucketOwnershipControls permissions. If this is not the case, please see the Enable ACLs via the AWS Console section.
Turn Off Object Ownership Enforcement
If you are seeing a warning in WP Offload Media’s Media tab that Object Ownership is Enforced, you should turn off Object Ownership enforcement via the Bucket Security page of WP Offload Media’s settings.
To get to the Security page, either use the turn off Object Ownership enforcement link seen in the warning notice, or use the Edit button to the right of the Storage Provider’s name (Amazon S3), and then select the Security sub-heading.
Use the toggle switch in the header section of the Object Ownership panel to turn off Object Ownership enforcement, then use the Update Bucket Security button to save the change.
If Block All Public Access has been disabled and Object Ownership is no longer enforced, you may now see an Update Object ACLs prompt.
It is recommended to respond Yes to this prompt so that WP Offload Media can ensure that the bucket objects can be accessed via raw bucket URLs or a third party Delivery Provider that cannot be given the kind of direct access that CloudFront is allowed.
After clicking Yes, WP Offload Media will run a background process to update all the objects to ensure their ACL status is as expected. This is a relatively fast process as no files are transferred, just permissions set on objects through a number of background batch requests to the Amazon S3 API.
You do not need to stay on WP Offload Media’s settings page while the Update Object ACLs tool is running. WP Offload Media will display a WordPress admin dashboard notice when it has completed.
When you return to the Media settings page, you will no longer see the Object Ownership is Enforced warning notice.
Turn On Object Ownership Enforcement
If you are using Amazon CloudFront as the Delivery Provider for an Amazon S3 bucket, and have ensured that the bucket has a policy that allows the CloudFront distribution’s assigned Origin Access Identity to have access, then you can enforce Object Ownership via the Security page of WP Offload Media’s settings.
To get to the Bucket Security page, click the Edit button to the right of “Amazon S3” in the Storage Settings panel’s header.
In the Storage sub page, skip to the “Security” page by clicking Security in the sub navigation.
Use the toggle switch in the header section of the Object Ownership panel to enforce Object Ownership.
You will then need to confirm that you have set up the required CloudFront Origin Access Identity and updated the bucket policy to give it access to the bucket.
You can then use the Update Bucket Security button to save the change, which also updates the bucket to enforce Object Ownership.
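A pre-flight check for the two cases described above, as an added example that is not WP Offload Media's own code: it reports when the bucket's settings do not fit the Delivery Provider, for instance Object Ownership enforced without a bucket policy grant for a CloudFront Origin Access Identity. The setting names follow the S3 API; the function names, bucket name and OAI ID are assumptions, and the inputs are constructed samples.

```python
import json

# Real ARN prefix S3 bucket policies use for a CloudFront Origin Access Identity.
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def as_list(value):
    return value if isinstance(value, list) else [value]

def oai_can_read(policy_json, bucket):
    """True if an Allow statement lets a CloudFront OAI s3:GetObject the bucket's objects.
    Simplified: exact resource match only; Condition and NotAction are not evaluated."""
    if not policy_json:
        return False
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and any(p.startswith(OAI_PREFIX) for p in aws)
                and any(a in ("s3:GetObject", "s3:*") for a in as_list(stmt.get("Action", [])))
                and f"arn:aws:s3:::{bucket}/*" in as_list(stmt.get("Resource", []))):
            return True
    return False

def check_bucket(bucket, ownership, public_access_block, policy_json, delivery):
    """Return findings; an empty list means the settings fit the delivery provider."""
    findings = []
    enforced = ownership == "BucketOwnerEnforced"  # this value means ACLs are disabled
    if delivery == "cloudfront":
        if enforced and not oai_can_read(policy_json, bucket):
            findings.append("enforced, but no bucket policy grant for a CloudFront OAI")
    else:
        if enforced:
            findings.append("ACLs disabled; raw bucket URLs and third-party CDNs need object ACLs")
        if public_access_block.get("BlockPublicAcls") or public_access_block.get("IgnorePublicAcls"):
            findings.append("Block Public Access still blocks or ignores public ACLs")
    return findings

# Constructed sample inputs (bucket name and OAI ID are placeholders).
BUCKET = "example-media-bucket"
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": OAI_PREFIX + "EXAMPLEOAIID"},
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})
PAB_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True}
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False}

if __name__ == "__main__":
    print(check_bucket(BUCKET, "BucketOwnerEnforced", PAB_ON, POLICY, "cloudfront"))
    print(check_bucket(BUCKET, "BucketOwnerEnforced", PAB_ON, None, "other"))
```

With real data, the three inputs would come from the bucket's ownership controls, Block Public Access configuration and bucket policy as returned by the S3 API.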
Enable ACLs via the AWS Console
If you are seeing issues with offloading media and are unable to change the Object Ownership for the bucket via the Security page, chances are that the IAM User whose credentials are being used with WP Offload Media does not have the
If you are unable to update the IAM User whose credentials are being used with WP Offload Media to give it both the
PutBucketOwnershipControls permissions, then WP Offload Media will not be able to check and update Object Ownership. You will need to manually update Object Ownership on the bucket via the AWS Console to enable ACLs.
Manually Update Object Ownership On A New Bucket
When creating a new S3 bucket, under the “Object Ownership” section, select the ACLs Enabled option and leave the “Object Ownership” selection below this with the default of Bucket owner preferred.
Manually Update Object Ownership On An Existing Bucket
If you have previously created a bucket, and you need to change the settings, start by clicking on the bucket name in your bucket list, then click on the Permissions tab.
Scroll down to the “Object Ownership” section and click the Edit button.
On the “Edit Object Ownership” screen, select the ACLs Enabled option and check the box to acknowledge the change. Leave the “Object Ownership” selection below this with the default of Bucket owner preferred.
After saving your changes using the orange Save changes button, your media should upload to the S3 bucket successfully with WP Offload Media.