Amazon S3 buckets are evaluated for Object Ownership set to BucketOwnerEnforced, which disables bucket and object ACLs. Buckets using any other ownership setting indicate that ACLs remain enabled.
Risk
With ACLs enabled, access can be granted outside the centralized bucket-policy and IAM controls, impacting confidentiality and integrity.
- Unintended public or cross-account reads/writes
- Object-writer ownership blocking bucket-owner governance
- Per-object grants that hinder auditing, enabling data exfiltration or tampering to go unnoticed
prowler aws --checks s3_bucket_acl_prohibited
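The evaluation this check performs, as an added example that is not Prowler's own code: each bucket's Object Ownership setting is read and only BucketOwnerEnforced passes, including the edge case where a bucket has no ownership controls configured at all (S3 then behaves as ObjectWriter, so ACLs are still enabled). It runs offline against a constructed stub of boto3's S3 client; the same functions accept a real `boto3.client("s3")` unchanged, assuming the caller holds s3:GetBucketOwnershipControls and s3:ListAllMyBuckets.

```python
# Added example, not Prowler's own code: evaluates each bucket's Object
# Ownership setting as the check above describes, against a constructed stub
# of boto3's S3 client so it runs offline (a real boto3 client also works).

COMPLIANT = "BucketOwnerEnforced"

class _StubClientError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}  # same shape as botocore

class StubS3Client:
    """Constructed stand-in for boto3's S3 client: bucket -> ownership rule."""
    def __init__(self, ownership_by_bucket):
        self._ownership = ownership_by_bucket

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self._ownership]}

    def get_bucket_ownership_controls(self, Bucket):
        rule = self._ownership[Bucket]
        if rule is None:  # bucket never had ownership controls configured
            raise _StubClientError("OwnershipControlsNotFoundError")
        return {"OwnershipControls": {"Rules": [{"ObjectOwnership": rule}]}}

def object_ownership(s3, bucket):
    """ObjectOwnership value, or None when no controls exist (legacy ObjectWriter)."""
    try:
        resp = s3.get_bucket_ownership_controls(Bucket=bucket)
    except Exception as err:  # botocore ClientError, or the stub above
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code == "OwnershipControlsNotFoundError":
            return None
        raise
    return resp["OwnershipControls"]["Rules"][0]["ObjectOwnership"]

def evaluate_buckets(s3):
    """Bucket name -> 'PASS' when ACLs are disabled, otherwise 'FAIL'."""
    results = {}
    for b in s3.list_buckets()["Buckets"]:
        setting = object_ownership(s3, b["Name"])
        results[b["Name"]] = "PASS" if setting == COMPLIANT else "FAIL"
    return results

SAMPLE = StubS3Client({  # constructed sample inventory
    "logs-enforced": "BucketOwnerEnforced",
    "legacy-preferred": "BucketOwnerPreferred",
    "legacy-writer": "ObjectWriter",
    "never-configured": None,
})
```

Running `evaluate_buckets(SAMPLE)` marks only `logs-enforced` as PASS; the bucket with no ownership controls fails just like one explicitly set to ObjectWriter.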
Recommendation
Disable ACLs by setting Object Ownership to BucketOwnerEnforced and manage access with IAM and bucket policies under least privilege. Centralize authorization, review policies regularly, and use organizational guardrails to prevent re-enabling ACLs. Migrate ACL-based grants into policies before the change.
Remediation
aws s3api put-bucket-ownership-controls --bucket <bucket-name> --ownership-controls "Rules=[{ObjectOwnership=BucketOwnerEnforced}]"
- In the AWS Console, go to S3 > Buckets and select the target bucket
- Open the Permissions tab
- In Object Ownership, click Edit
- Select Bucket owner enforced (ACLs disabled)
- Click Save changes
Resource Type
AwsS3Bucket