
Understanding Resource Ownership



This section of the AWS Certified Solutions Architect - Professional learning path introduces you to the core storage concepts and services relevant to the SAP-C02 exam. We start with an introduction to AWS storage services, understand the options available, and learn how to select and apply AWS storage services to meet specific requirements. 


Learning Objectives

  • Obtain an in-depth understanding of Amazon S3 - Simple Storage Service
  • Learn how to improve your security posture in S3
  • Get both a theoretical and practical understanding of EFS
  • Learn how to create an EFS file system, manage EFS security, and import data in EFS
  • Learn about EC2 storage and Elastic Block Store
  • Learn about the different performance factors associated with AWS storage services

Hello, and welcome to this lecture, where I shall be looking at the fundamental element of resource ownership in Amazon S3. Resources in S3 can be defined as buckets and objects. Let me start off by discussing the principle of resource ownership. By default, when an Amazon S3 bucket is created or an object is uploaded to Amazon S3 within an account, that AWS account becomes the owner of that resource.

So, for example, if I were logged into AWS using my IAM username of Stuart and I created a bucket called S3 deep dive, then that bucket would be owned by the account that the IAM user Stuart resides in, and not by the user Stuart. So resource ownership is managed at the account level.

Now you can, with the correct permissions applied, allow another AWS account to upload objects to one of your own buckets, and your account would be the resource owner of that bucket. However, when a different AWS account uploads an object within that same bucket, the AWS account that performs the upload of that resource becomes the resource owner of that object.

So the bucket owner does not become the resource owner of the object and, in addition, the bucket owner would not have access to objects that have been uploaded by another account. This behavior can be overridden by selecting the bucket and then selecting Permissions. If you then scroll down to the Object Ownership section and select Edit, you can change the settings there.

You can either accept the default option of object writer, where the object writer maintains ownership of the object, or select bucket owner preferred so that the owner of the bucket obtains ownership of any objects uploaded to the bucket. As you can see here highlighted in the information window, you must update the bucket policy to enforce all Amazon S3 put operations to include the bucket-owner-full-control canned ACL.

A canned ACL is a predefined grant that contains both grantees and permissions. The bucket-owner-full-control canned ACL applies to objects only. An example of a bucket policy to enforce this canned ACL would look as shown. This policy allows the user Lisa, in an account ending three, five, four, to put objects into the bucket S3 deep dive on the condition that the request includes the canned ACL. When the user Lisa uses a put request to upload an object to this bucket, Lisa would have to do so using x-amz-acl as the request header for the canned ACL.

The result of this action is that S3 adds the predefined grant, giving the bucket owner full control, to the ACL of the resource, in this case the object being uploaded by Lisa. Enforcing bucket owner control over objects uploaded by another account allows the bucket owner to maintain a level of access control over all the objects within a bucket. This also helps to simplify the management of the objects residing in the bucket.
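The policy shown in the lecture video is not reproduced on this page. As an added example (not the course's own material), the Python below holds a constructed policy of the shape described, with placeholder account ID and bucket name, beside a weaker variant, and flags Allow statements that permit s3:PutObject without the s3:x-amz-acl condition. As a simplifying assumption it recognises only StringEquals conditions and does not account for Deny statements.

```python
from fnmatch import fnmatchcase

REQUIRED_ACL = "bucket-owner-full-control"

# Constructed sample: the account ID and bucket name are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Shape described in the lecture: upload allowed only with the canned ACL.
            "Sid": "LisaPutWithOwnerControl",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::ACCOUNT-ID-PLACEHOLDER:user/Lisa"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET-NAME-PLACEHOLDER/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": REQUIRED_ACL}},
        },
        {   # Weak variant for contrast: same grant, no ACL condition.
            "Sid": "LisaPutUnconditional",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::ACCOUNT-ID-PLACEHOLDER:user/Lisa"},
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": "arn:aws:s3:::BUCKET-NAME-PLACEHOLDER/*",
        },
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_put(statement):
    # Action names are case-insensitive and may contain wildcards (s3:*, s3:Put*).
    actions = _as_list(statement.get("Action", []))
    return any(fnmatchcase("s3:putobject", a.lower()) for a in actions)

def _requires_acl(statement):
    # Enforced only if the sole permitted x-amz-acl value is the required canned ACL.
    equals = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in equals.items():
        if key.lower() == "s3:x-amz-acl":
            return _as_list(value) == [REQUIRED_ACL]
    return False

def unenforced_put_statements(policy):
    """Return Sids of Allow statements that permit PutObject without the ACL condition."""
    statements = _as_list(policy.get("Statement", []))
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and _grants_put(s) and not _requires_acl(s)]

if __name__ == "__main__":
    print(unenforced_put_statements(SAMPLE_POLICY))
```
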

About the Author

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.