Upload to AWS S3 bucket permissions

I am using the built-in step Upload to AWS S3 template.

The step requires setting a canned ACL.

However, AWS recommends disabling ACLs.

Starting in April 2023, Amazon S3 will change the default settings for S3 Block Public Access and Object Ownership (ACLs disabled) for all new S3 buckets. For new buckets created after this update, all S3 Block Public Access settings will be enabled, and S3 access control lists (ACLs) will be disabled. These defaults are the recommended best practices for securing data in Amazon S3. You can adjust these settings after creating your bucket. For more information, see Default settings for new S3 buckets FAQ and Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023 in the AWS News Blog.

What options are available to turn off the canned ACL requirement for the built-in step?

Thanks,
Alvin

Hi Alvin,

Thank you for reaching out, and also for sharing the announcement from AWS on these upcoming S3 changes!

At first glance, I wasn’t sure how the step template would react to these changes, but in testing, it looks like things still work as expected -

My S3 bucket, with ACLs disabled:

My process, using a canned ACL of private:


This process completed successfully, and I could find the file in my S3 bucket as expected.

While this all seems to work still, I think there might be a slight disconnect in that whatever canned ACL is set in the step template is not used to determine access in S3 (as the bucket policy would be enforced when ACLs are disabled) - with that being the case, let me escalate your request to the team that manages this step template to get their thoughts/input as well.

Thank you again for bringing this to our attention, and I’ll let you know as soon as I have an update from the team.

Best regards,

Britton
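
An added example, not part of the thread and not Octopus's step template code: a check of whether a bucket matches the April 2023 defaults quoted above (ACLs disabled, all Block Public Access settings on). The function names are hypothetical, and the sample dicts are constructed to follow the shape of boto3's `get_bucket_ownership_controls` and `get_public_access_block` responses.

```python
# Added example: evaluates S3 API responses against the April 2023 defaults.
# The sample dicts are constructed; their shape follows boto3's
# get_bucket_ownership_controls and get_public_access_block responses.

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def acls_disabled(ownership_resp):
    """True when Object Ownership is BucketOwnerEnforced (ACLs disabled)."""
    if not ownership_resp:  # no ownership controls configured on the bucket
        return False
    rules = ownership_resp.get("OwnershipControls", {}).get("Rules", [])
    return any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules)


def missing_block_public_access(pab_resp):
    """Return the Block Public Access flags that are not enabled."""
    cfg = (pab_resp or {}).get("PublicAccessBlockConfiguration", {})
    return [f for f in PAB_FLAGS if cfg.get(f) is not True]


def review_bucket(ownership_resp, pab_resp):
    """Summarise whether a bucket matches the defaults quoted in the thread."""
    findings = []
    if acls_disabled(ownership_resp):
        findings.append("ACLs disabled: access is decided by policies, not ACLs")
    else:
        findings.append("ACLs enabled: object ACLs still affect access")
    for flag in missing_block_public_access(pab_resp):
        findings.append(f"Block Public Access setting not enabled: {flag}")
    return findings


# Constructed sample: a bucket created with the new defaults.
NEW_DEFAULT = (
    {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
    {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
)
# Constructed sample: an older bucket with ACLs on and one flag off.
LEGACY = (
    {"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}},
    {"PublicAccessBlockConfiguration": {**dict.fromkeys(PAB_FLAGS, True),
                                        "IgnorePublicAcls": False}},
)

if __name__ == "__main__":
    for name, (own, pab) in {"new": NEW_DEFAULT, "legacy": LEGACY}.items():
        print(name, review_bucket(own, pab))
```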