feat(aws-s3): add support for BucketOwnerEnforced to S3 ObjectOwnershipType (#17961)

closes #17926

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: JonBlauvelt

packages/@aws-cdk/aws-s3/README.md

@@ -417,7 +417,7 @@ bucket.virtualHostedUrlForObject('objectname', { regional: false }); // Virtual
 
 ## Object Ownership
 
-You can use the two following properties to specify the bucket [object Ownership].
+You can use one of following properties to specify the bucket [object Ownership].
 
 [object Ownership]: https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html
 
@@ -441,6 +441,16 @@ new s3.Bucket(this, 'MyBucket', {
 });
 ```
 
+### Bucket owner enforced (recommended)
+
+ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket. The bucket uses policies to define access control.
+
+```ts
+new s3.Bucket(this, 'MyBucket', {
+  objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
+});
+```
+
 ## Bucket deletion
 
 When a bucket is removed from a stack (or the stack is deleted), the S3
@@ -466,7 +476,7 @@ by deploying with CDK version `1.126.0` or later **before** switching this value
 
 ## Transfer Acceleration
 
-[Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration.html) can be configured to enable fast, easy, and secure transfers of files over long distances: 
+[Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration.html) can be configured to enable fast, easy, and secure transfers of files over long distances:
 
 ```ts
 const bucket = new s3.Bucket(this, 'MyBucket', {

packages/@aws-cdk/aws-s3/lib/bucket.ts

@@ -1206,6 +1206,13 @@ export interface Inventory {
    *
    */
 export enum ObjectOwnership {
+  /**
+   * ACLs are disabled, and the bucket owner automatically owns
+   * and has full control over every object in the bucket.
+   * ACLs no longer affect permissions to data in the S3 bucket.
+   * The bucket uses policies to define access control.
+   */
+  BUCKET_OWNER_ENFORCED = 'BucketOwnerEnforced',
   /**
    * Objects uploaded to the bucket change ownership to the bucket owner .
    */

packages/@aws-cdk/aws-s3/test/bucket.test.ts

@@ -2303,6 +2303,32 @@ describe('bucket', () => {
 
   });
 
+  test('Bucket with objectOwnership set to BUCKET_OWNER_ENFORCED', () => {
+    const stack = new cdk.Stack();
+    new s3.Bucket(stack, 'MyBucket', {
+      objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
+    });
+    expect(stack).toMatchTemplate({
+      'Resources': {
+        'MyBucketF68F3FF0': {
+          'Type': 'AWS::S3::Bucket',
+          'Properties': {
+            'OwnershipControls': {
+              'Rules': [
+                {
+                  'ObjectOwnership': 'BucketOwnerEnforced',
+                },
+              ],
+            },
+          },
+          'UpdateReplacePolicy': 'Retain',
+          'DeletionPolicy': 'Retain',
+        },
+      },
+    });
+
+  });
+
   test('Bucket with objectOwnership set to BUCKET_OWNER_PREFERRED', () => {
     const stack = new cdk.Stack();
     new s3.Bucket(stack, 'MyBucket', {