Why can't my S3 File Gateway access objects uploaded by cross-account users?

Issue:

A customer reported that the file share in Amazon S3 File Gateway could not access an object in an S3 bucket, despite having the necessary permissions granted to the file share's role.

Resources:

• Account A: S3 Bucket A
• Account B: S3 File Gateway B with a file share associated with S3 Bucket A
• Account C: User C who uploaded the object to S3 Bucket A

Investigation and Analysis:

Upon investigation, it was discovered that the Object Ownership setting for S3 Bucket A was set to "Object writer." The object in question was uploaded by User C from a different AWS account (Account C).

As a result, the object was owned by User C from Account C rather than by the bucket owner (Account A). This meant that the file share in Amazon S3 File Gateway could not access the object, despite it being in the bucket.

Resolution:

To resolve the issue, the Object Ownership setting for S3 Bucket A was changed to "Bucket owner enforced."

This setting ensures that all objects in the S3 bucket, regardless of whether the objects were uploaded by a cross-account user before or after the setting was applied, are owned by the bucket owner.

As a result, the file share in Amazon S3 File Gateway B was able to access all objects owned by the bucket owner (Account A), including the object uploaded by the cross-account user (User C).

Conclusion:

When troubleshooting issues with Amazon S3 File Gateway, it is important to carefully check the settings of the S3 buckets involved, particularly the Object Ownership settings, as that can impact the ability of file shares to access and work with objects.

References:

• Amazon S3 Object Ownership
• S3 File Gateway Settings