I recently ran into a "bug" where, even with `S3FullAccess`, I'd still get `An error occurred (403) when calling the HeadObject operation: Forbidden` when running `aws s3api head-object --bucket cool-bucket --key my/key/to/file.png`.
After some research, it turned out that `my/key/to/file.png` was uploaded anonymously, so I, an authenticated user, was not the object's rightful owner, which is why my HEAD request was denied.
The solutions to that seemed to be either ACLs or changing "Object Ownership" to "ACLs disabled (Bucket owner enforced)".
This was indeed the solution, so I tried changing my CloudFormation template to set Object Ownership to "Bucket Owner Enforced", but the documentation lies.
Indeed, the doc only specifies `Allowed values: ObjectWriter | BucketOwnerPreferred`, but when running `aws s3api get-bucket-ownership-controls --bucket bucketname` on my manually tweaked bucket, I got the following JSON:
```json
{
    "OwnershipControls": {
        "Rules": [
            {
                "ObjectOwnership": "BucketOwnerEnforced"
            }
        ]
    }
}
```
This clearly shows that `BucketOwnerEnforced` is a valid and allowed value for the CloudFormation property `OwnershipControls.Rules.[].ObjectOwnership`. Nowhere else in the doc did I see a property allowing me to set Object Ownership to "Bucket Owner Enforced" and thus disable the ACLs.
Why isn't that documented? I thought the CloudFormation doc was automatically generated and could be incomplete/outdated.
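As an added example (not the author's template), here is a CloudFormation resource that sets the property in question to `BucketOwnerEnforced`; the bucket name `cool-bucket` is reused from the question as a placeholder, and the public-access block is an assumed hardening addition unrelated to the ownership bug.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  S3 bucket with ACLs disabled, so the bucket owner owns every object,
  including objects written anonymously or by another account.

Resources:
  CoolBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: cool-bucket            # placeholder name from the question
      OwnershipControls:
        Rules:
          # Weak settings, under which ownership follows the writer and an
          # anonymously uploaded object stays out of the bucket owner's reach
          # (the HeadObject 403 described above):
          #   - ObjectOwnership: ObjectWriter
          #   - ObjectOwnership: BucketOwnerPreferred  # owner only if the
          #     writer sends the bucket-owner-full-control ACL
          # Hardened setting: ACLs are disabled and ignored, the bucket owner
          # owns every object, and access is governed solely by IAM and the
          # bucket policy. Uploads that carry any ACL other than
          # bucket-owner-full-control are rejected with HTTP 400.
          - ObjectOwnership: BucketOwnerEnforced
      # Assumed addition: blocks public ACLs and public policies outright.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
```

After deployment, `aws s3api get-bucket-ownership-controls --bucket cool-bucket` should return the same `BucketOwnerEnforced` JSON shown above, and the previously "foreign" object becomes readable by principals the owning account authorises.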