diff --git a/.github/workflows/system.yml b/.github/workflows/system.yml index b36d45d1..3694d499 100644 --- a/.github/workflows/system.yml +++ b/.github/workflows/system.yml @@ -63,17 +63,17 @@ jobs: RECREATE_BUCKETS: "true" PORT: 7074 BACKEND: "posix" - #- set: 6 - # LOCAL_FOLDER: /tmp/gw6 - # BUCKET_ONE_NAME: versity-gwtest-bucket-one-6 - # BUCKET_TWO_NAME: versity-gwtest-bucket-two-6 - # IAM_TYPE: folder - # USERS_FOLDER: /tmp/iam6 - # AWS_ENDPOINT_URL: https://127.0.0.1:7075 - # RUN_SET: "aws" - # RECREATE_BUCKETS: "false" - # PORT: 7075 - # BACKEND: "posix" + - set: 6 + LOCAL_FOLDER: /tmp/gw6 + BUCKET_ONE_NAME: versity-gwtest-bucket-one-6 + BUCKET_TWO_NAME: versity-gwtest-bucket-two-6 + IAM_TYPE: folder + USERS_FOLDER: /tmp/iam6 + AWS_ENDPOINT_URL: https://127.0.0.1:7075 + RUN_SET: "aws" + RECREATE_BUCKETS: "false" + PORT: 7075 + BACKEND: "posix" - set: 7 LOCAL_FOLDER: /tmp/gw7 BUCKET_ONE_NAME: versity-gwtest-bucket-one-7 diff --git a/tests/commands/get_bucket_policy.sh b/tests/commands/get_bucket_policy.sh index 23f3b9ba..574fe2b6 100644 --- a/tests/commands/get_bucket_policy.sh +++ b/tests/commands/get_bucket_policy.sh 
@@ -68,27 +68,34 @@ get_bucket_policy_with_user() { get_bucket_policy_s3cmd() { if [[ $# -ne 1 ]]; then - echo "s3cmd 'get bucket policy' command requires bucket" + log 2 "s3cmd 'get bucket policy' command requires bucket" return 1 fi - info=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate info "s3://$1") || get_result=$? - if [[ $get_result -ne 0 ]]; then - echo "error getting bucket policy: $info" + if ! info=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate info "s3://$1" 2>&1); then + log 2 "error getting bucket policy: $info" return 1 fi + log 5 "policy info: $info" bucket_policy="" policy_brackets=false + # NOTE: versitygw sends policies back in multiple lines here, direct in single line while IFS= read -r line; do if [[ $policy_brackets == false ]]; then policy_line=$(echo "$line" | grep 'Policy: ') if [[ $policy_line != "" ]]; then - if [[ $policy_line != *'{' ]]; then + if [[ $policy_line != *'{'* ]]; then break fi - policy_brackets=true - bucket_policy+="{" + if [[ $policy_line == *'}'* ]]; then + log 5 "policy on single line" + bucket_policy=${policy_line//Policy:/} + break + else + policy_brackets=true + bucket_policy+="{" + fi fi else bucket_policy+=$line @@ -97,6 +104,7 @@ get_bucket_policy_s3cmd() { fi fi done <<< "$info" + log 5 "bucket policy: $bucket_policy" export bucket_policy return 0 } diff --git a/tests/commands/put_bucket_ownership_controls.sh b/tests/commands/put_bucket_ownership_controls.sh new file mode 100644 index 00000000..b9628c10 --- /dev/null +++ b/tests/commands/put_bucket_ownership_controls.sh 
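Review bot: Adding `2>&1` to the `s3cmd ... info` capture in `get_bucket_policy_s3cmd` puts anything s3cmd writes to stderr on a successful call into `$info`, which is the text the `while read` loop parses. In the multi-line branch each following line is appended with `bucket_policy+=$line`, so a warning printed after the `Policy: {` line would presumably end up inside the JSON that callers pass to `jq`. The part of the loop that closes the policy lies between the two hunks and is not visible here. Keeping the streams apart on the success path avoids this, for example `if ! info=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate info "s3://$1" 2>"$err_file"); then` with `err_file` from `mktemp` and read only for the error log. The new NOTE comment would be clearer as `# versitygw returns the policy over several lines; direct S3 returns it on one line`.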
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+put_bucket_ownership_controls() {
+ if [[ $# -ne 2 ]]; then
+ log 2 "'put bucket ownership controls' command requires bucket name, control"
+ return 1
+ fi
+ if ! controls_error=$(aws --no-verify-ssl s3api put-bucket-ownership-controls --bucket "$1" \
+ --ownership-controls="Rules=[{ObjectOwnership=$2}]" 2>&1); then
+ log 2 "error putting bucket ownership controls: $controls_error"
+ return 1
+ fi
+ return 0
+}
\ No newline at end of file
diff --git a/tests/test_aws.sh b/tests/test_aws.sh
index 7aef6985..8bd886ef 100755
--- a/tests/test_aws.sh
+++ b/tests/test_aws.sh
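Review bot: `$2` is spliced into the shorthand expression `Rules=[{ObjectOwnership=$2}]` without validation, so a value containing `,`, `}` or `]` changes the structure the AWS CLI parses instead of being rejected as a bad ownership value. S3 accepts only three values here, so an allowlist before the call is cheap: `case $2 in BucketOwnerPreferred|ObjectWriter|BucketOwnerEnforced) ;; *) log 2 "invalid object ownership value: $2"; return 1 ;; esac`. `--no-verify-ssl` is hard-coded, which is understandable against the self-signed local gateway, but if this helper also runs in the `DIRECT` mode that tests/test_common.sh branches on, certificate checking is off for requests to a real endpoint; consider making the flag conditional or at least commenting why it is safe. `controls_error` is assigned without `local`, and the file has no trailing newline.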
@@ -247,17 +247,17 @@ export RUN_USERS=true [[ "$(cat "$test_file_folder/$bucket_file-range")" == "9" ]] || fail "byte range not copied properly" } -#@test "test_get_object_invalid_range" { -# bucket_file="bucket_file" -# -# create_test_files "$bucket_file" || local created=$? -# [[ $created -eq 0 ]] || fail "Error creating test files" -# setup_bucket "s3api" "$BUCKET_ONE_NAME" || local setup_result=$? -# [[ $setup_result -eq 0 ]] || fail "error setting up bucket" -# put_object "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" || fail "error putting object" -# get_object_with_range "$BUCKET_ONE_NAME" "$bucket_file" "bytes=0-0" "$test_file_folder/$bucket_file-range" || local get_result=$? -# [[ $get_result -ne 0 ]] || fail "Get object with zero range returned no error" -#} +@test "test_get_object_invalid_range" { + bucket_file="bucket_file" + + create_test_files "$bucket_file" || local created=$? + [[ $created -eq 0 ]] || fail "Error creating test files" + setup_bucket "s3api" "$BUCKET_ONE_NAME" || local setup_result=$? + [[ $setup_result -eq 0 ]] || fail "error setting up bucket" + put_object "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" || fail "error putting object" + get_object_with_range "$BUCKET_ONE_NAME" "$bucket_file" "bytes=0-0" "$test_file_folder/$bucket_file-range" || local get_result=$? + [[ $get_result -ne 0 ]] || fail "Get object with zero range returned no error" +} @test "test_put_object" { bucket_file="bucket_file" @@ -342,9 +342,9 @@ export RUN_USERS=true # # bucket_file="bucket_file" # username="ABCDEFG" -# secret_key="HIJKLMN" +# password="HIJKLMN" # -# legal_hold_retention_setup "$username" "$secret_key" "$bucket_file" +# legal_hold_retention_setup "$username" "$password" "$bucket_file" # # get_object_lock_configuration "$BUCKET_ONE_NAME" || fail "error getting lock configuration" # # shellcheck disable=SC2154 
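Review bot: The re-enabled `test_get_object_invalid_range` keeps the `cmd || local x=$?` plus `[[ $x -eq 0 ]]` idiom that this same commit removes from tests/test_common.sh, and its final check `[[ $get_result -ne 0 ]]` only works because an unset `get_result` evaluates as 0. Writing the last step as `if get_object_with_range "$BUCKET_ONE_NAME" "$bucket_file" "bytes=0-0" "$test_file_folder/$bucket_file-range"; then fail "Get object with zero range returned no error"; fi` states the intent directly, and the setup calls can take `|| fail "..."` like the rest of the change. A comment saying why `bytes=0-0` must be rejected would help, since that range normally selects the first byte of a non-empty object; presumably `create_test_files` produces an empty file, which is worth stating.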
@@ -356,21 +356,23 @@ export RUN_USERS=true # get_object_legal_hold "$BUCKET_ONE_NAME" "$bucket_file" || fail "error getting object legal hold status" # # shellcheck disable=SC2154 # log 5 "$legal_hold" -# hold_status=$(echo "$legal_hold" | grep -v "InsecureRequestWarning" | jq -r ".LegalHold.Status") +# hold_status=$(echo "$legal_hold" | grep -v "InsecureRequestWarning" | jq -r ".LegalHold.Status" 2>&1) || fail "error obtaining hold status: $hold_status" # [[ $hold_status == "ON" ]] || fail "Status should be 'ON', is '$hold_status'" # # echo "fdkljafajkfs" > "$test_file_folder/$bucket_file" -# put_object_with_user "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" "$username" "$secret_key" || local put_result=$? -# [[ $put_result -ne 0 ]] || fail "able to overwrite object with hold" +# if put_object_with_user "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" "$username" "$password"; then +# fail "able to overwrite object with hold" +# fi # # shellcheck disable=SC2154 -# [[ $put_object_error == *"Object is WORM protected and cannot be overwritten"* ]] || fail "unexpected error message: $put_object_error" +# #[[ $put_object_error == *"Object is WORM protected and cannot be overwritten"* ]] || fail "unexpected error message: $put_object_error" # -# delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$bucket_file" "$username" "$secret_key" || local delete_result=$? 
-# [[ $delete_result -ne 0 ]] || fail "able to delete object with hold" +# if delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$bucket_file" "$username" "$password"; then +# fail "able to delete object with hold" +# fi # # shellcheck disable=SC2154 # [[ $delete_object_error == *"Object is WORM protected and cannot be overwritten"* ]] || fail "unexpected error message: $delete_object_error" # put_object_legal_hold "$BUCKET_ONE_NAME" "$bucket_file" "OFF" || fail "error removing legal hold on object" -# delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$bucket_file" "$username" "$secret_key" || fail "error deleting object after removing legal hold" +# delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$bucket_file" "$username" "$password" || fail "error deleting object after removing legal hold" # # delete_bucket_recursive "s3api" "$BUCKET_ONE_NAME" #} 
@@ -420,65 +422,26 @@ export RUN_USERS=true #} legal_hold_retention_setup() { - if [[ $# -ne 3 ]]; then - log 2 "legal hold or retention setup requires username, secret key, bucket file" - return 1 - fi + [[ $# -eq 3 ]] || fail "legal hold or retention setup requires username, secret key, bucket file" delete_bucket_or_contents_if_exists "s3api" "$BUCKET_ONE_NAME" || fail "error deleting bucket, or checking for existence" - create_user_if_nonexistent "$1" "$2" "user" || fail "error creating user if nonexistent" + setup_user "$1" "$2" "user" || fail "error creating user if nonexistent" create_test_files "$3" || fail "error creating test files" + #create_bucket "s3api" "$BUCKET_ONE_NAME" || fail "error creating bucket" create_bucket_object_lock_enabled "$BUCKET_ONE_NAME" || fail "error creating bucket" change_bucket_owner "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$BUCKET_ONE_NAME" "$1" || fail "error changing bucket ownership" - put_object_with_user "s3api" "$test_file_folder/$3" "$BUCKET_ONE_NAME" "$3" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" || fail "failed to add object to bucket" + get_bucket_policy "s3api" "$BUCKET_ONE_NAME" || fail "error getting bucket policy" + log 5 "POLICY: $bucket_policy" + get_bucket_owner "$BUCKET_ONE_NAME" + log 5 "owner: $bucket_owner" + #put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred" || fail "error putting bucket ownership controls" + put_object_with_user "s3api" "$test_file_folder/$3" "$BUCKET_ONE_NAME" "$3" "$1" "$2" || fail "failed to add object to bucket" } -#@test "test_put_bucket_acl" { -# test_common_put_bucket_acl "s3api" -#} - -# test ability to retrieve object ACLs -#@test "test_get_object_acl" { - -# object_one="test-file-one" - -# setup_bucket "$BUCKET_ONE_NAME" || local created=$? -# [[ $created -eq 0 ]] || fail "Error creating bucket" -# create_test_files "$object_one" || local created=$? 
-# [[ $created -eq 0 ]] || fail "Error creating test file" -# put_object "$test_file_folder"/$object_one "$BUCKET_ONE_NAME"/"$object_one" || local result=$? -# [[ result -eq 0 ]] || fail "Error adding object one" - -# get_object_acl "$BUCKET_ONE_NAME" "$object_one" || local result=$? -# [[ $result -eq 0 ]] || fail "Error retrieving acl" - -# id=$(echo "$acl" | jq '.Owner.ID') -# [[ $id == '"'"$AWS_ACCESS_KEY_ID"'"' ]] || fail "Acl mismatch" - -# delete_bucket_or_contents "$BUCKET_ONE_NAME" -#} - - -#@test "test_select_object_content" { -# bucket_file="bucket_file" -# -# create_test_files "$bucket_file" || local created=$? -# [[ $created -eq 0 ]] || fail "Error creating test files" -# -# printf "Field,Value\nSomething,Also Something" > "$test_file_folder/$bucket_file" -# cat "$test_file_folder/$bucket_file" -# -# setup_bucket "s3api" "$BUCKET_ONE_NAME" || local created=$? -# [[ $created -eq 0 ]] || fail "Error creating bucket" -# put_object "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" || local copy_result=$? -# [[ $copy_result -eq 0 ]] || fail "Failed to add object to bucket" -# select_object_content "$BUCKET_ONE_NAME" "$bucket_file" "select * from s3object limit 1" "SQL" "{\"CSV\": {}}" "{\"CSV\": {}}" "output.csv" -#} - -#@test "test_get_set_versioning" { -# test_common_get_set_versioning "s3api" -#} +@test "test_put_bucket_acl" { + test_common_put_bucket_acl "s3api" +} # test v1 s3api list objects command @test "test-s3api-list-objects-v1" { diff --git a/tests/test_common.sh b/tests/test_common.sh index a12db34e..e247fb97 100644 --- a/tests/test_common.sh +++ b/tests/test_common.sh 
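Review bot: In `legal_hold_retention_setup` the new `get_bucket_owner "$BUCKET_ONE_NAME"` call is only logged: its status is ignored and `$bucket_owner` is never compared with `$1`, so the preceding `change_bucket_owner` is not verified before the object is uploaded with that user's credentials. Suggest `get_bucket_owner "$BUCKET_ONE_NAME" || fail "error getting bucket owner"` followed by `[[ $bucket_owner == "$1" ]] || fail "bucket owner is '$bucket_owner', expected '$1'"`. The commented-out `#create_bucket ...` and `#put_bucket_ownership_controls ...` lines and the `log 5 "POLICY: ..."` line look like debugging leftovers; remove them or add a one-line comment on why they stay. The usage message still says "secret key" while the callers in this file now pass `$password`.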
@@ -47,14 +47,11 @@ test_common_create_delete_bucket() { fail "create/delete bucket test requires command type" fi - setup_bucket "$1" "$BUCKET_ONE_NAME" || local create_result=$? - [[ $create_result -eq 0 ]] || fail "Failed to create bucket" + setup_bucket "$1" "$BUCKET_ONE_NAME" || fail "failed to create bucket" - bucket_exists "$1" "$BUCKET_ONE_NAME" || local exists_three=$? - [[ $exists_three -eq 0 ]] || fail "Failed bucket existence check" + bucket_exists "$1" "$BUCKET_ONE_NAME" || fail "failed bucket existence check" - delete_bucket_or_contents "$1" "$BUCKET_ONE_NAME" || local delete_result_two=$? - [[ $delete_result_two -eq 0 ]] || fail "Failed to delete bucket" + delete_bucket_or_contents "$1" "$BUCKET_ONE_NAME" || fail "failed to delete bucket" } test_common_copy_object() { 
@@ -435,21 +432,18 @@ test_common_get_bucket_location() { test_common_put_bucket_acl() { [[ $# -eq 1 ]] || fail "test common put bucket acl missing command type" - setup_bucket "$1" "$BUCKET_ONE_NAME" || fail "error creating bucket" + setup_bucket "$1" "$BUCKET_ONE_NAME" || fail "error creating bucket" + put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred" || fail "error putting bucket ownership controls" - if ! user_exists "ABCDEFG"; then - create_user "ABCDEFG" "HIJKLMN" user || fail "error creating user" - fi + setup_user "ABCDEFG" "HIJKLMN" "user" || fail "error creating user" - get_bucket_acl "$1" "$BUCKET_ONE_NAME" || local result=$? - [[ $result -eq 0 ]] || fail "Error retrieving acl" + get_bucket_acl "$1" "$BUCKET_ONE_NAME" || fail "error retrieving acl" log 5 "Initial ACLs: $acl" - id=$(echo "$acl" | grep -v "InsecureRequestWarning" | jq '.Owner.ID') + id=$(echo "$acl" | grep -v "InsecureRequestWarning" | jq '.Owner.ID' 2>&1) || fail "error getting ID: $id" if [[ $id != '"'"$AWS_ACCESS_KEY_ID"'"' ]]; then - # in some cases, ID is canonical user ID rather than AWS_ACCESS_KEY_ID - canonical_id=$(aws --no-verify-ssl s3api list-buckets --query 'Owner.ID') || local list_result=$? - [[ $list_result -eq 0 ]] || fail "error getting canonical ID: $canonical_id" + # for direct, ID is canonical user ID rather than AWS_ACCESS_KEY_ID + canonical_id=$(aws --no-verify-ssl s3api list-buckets --query 'Owner.ID' 2>&1) || fail "error getting caononical ID: $canonical_id" [[ $id == "$canonical_id" ]] || fail "acl ID doesn't match AWS key or canonical ID" fi 
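Review bot: `canonical_id=$(aws --no-verify-ssl s3api list-buckets --query 'Owner.ID' 2>&1)` now folds stderr into the value that is compared with `$id`. The `grep -v "InsecureRequestWarning"` filters applied to `$acl` a few lines away indicate that the CLI emits that warning when `--no-verify-ssl` is used, so on a successful call `canonical_id` is likely to carry warning text and `[[ $id == "$canonical_id" ]]` would fail for the wrong reason. Leave stderr out of this one capture, `canonical_id=$(aws --no-verify-ssl s3api list-buckets --query 'Owner.ID') || fail "error getting canonical ID"`, or strip the warning before comparing. The new fail message also misspells the word as `caononical`.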
@@ -480,12 +474,11 @@ EOF put_bucket_acl "$1" "$BUCKET_ONE_NAME" "ABCDEFG" || fail "error putting first acl" fi - get_bucket_acl "$1" "$BUCKET_ONE_NAME" || local result=$? - [[ $result -eq 0 ]] || fail "Error retrieving second acl" + get_bucket_acl "$1" "$BUCKET_ONE_NAME" || fail "error retrieving second ACL" log 5 "Acls after 1st put: $acl" - public_grants=$(echo "$acl" | grep -v "InsecureRequestWarning" | jq -r '.Grants[0]') - permission=$(echo "$public_grants" | jq -r '.Permission') + public_grants=$(echo "$acl" | grep -v "InsecureRequestWarning" | jq -r '.Grants[1]' 2>&1) || fail "error getting public grants: $public_grants" + permission=$(echo "$public_grants" | jq -r '.Permission' 2>&1) || fail "error getting permission: $permission" [[ $permission == "READ" ]] || fail "incorrect permission ($permission)" cat < "$test_file_folder"/"$acl_file" 
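Review bot: Moving the assertion from `.Grants[0]` to `.Grants[1]` keeps it tied to the order in which grants come back, which nothing visible here guarantees; the index presumably shifted because the ownership-controls call now adds an owner grant. Selecting the grant by content is sturdier, for example `permission=$(echo "$acl" | grep -v "InsecureRequestWarning" | jq -r '.Grants[] | select(.Permission == "READ") | .Permission' 2>&1)`, ideally also matching the expected grantee. A short comment stating which grant is expected at which position, and why, would document the change. The same positional assumption is in `.[0].Permission` in the `@@ -505,17 +498,15 @@` hunk.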
@@ -505,17 +498,15 @@ cat < "$test_file_folder"/"$acl_file" } EOF - put_bucket_acl "$1" "$BUCKET_ONE_NAME" "$test_file_folder"/"$acl_file" || local put_result=$? - [[ $put_result -eq 0 ]] || fail "Error putting second acl" + put_bucket_acl "$1" "$BUCKET_ONE_NAME" "$test_file_folder"/"$acl_file" || fail "error putting second acl" - get_bucket_acl "$1" "$BUCKET_ONE_NAME" || local result=$? - [[ $result -eq 0 ]] || fail "Error retrieving second acl" + get_bucket_acl "$1" "$BUCKET_ONE_NAME" || fail "error retrieving second ACL" log 5 "Acls after 2nd put: $acl" - public_grants=$(echo "$acl" | grep -v "InsecureRequestWarning" | jq -r '.Grants') - public_grant_length=$(echo "$public_grants" | jq 'length') - [[ $public_grant_length -eq 1 ]] || fail "incorrect grant length for private ACL ($public_grant_length)" - permission=$(echo "$public_grants" | jq -r '.[0].Permission') + public_grants=$(echo "$acl" | grep -v "InsecureRequestWarning" | jq -r '.Grants' 2>&1) || fail "error retrieving public grants: $public_grants" + public_grant_length=$(echo "$public_grants" | jq -r 'length' 2>&1) || fail "Error retrieving public grant length: $public_grant_length" + [[ $public_grant_length -eq 2 ]] || fail "incorrect grant length for private ACL ($public_grant_length)" + permission=$(echo "$public_grants" | jq -r '.[0].Permission' 2>&1) || fail "Error retrieving permission: $permission" [[ $permission == "FULL_CONTROL" ]] || fail "incorrect permission ($permission)" delete_bucket_or_contents "$1" "$BUCKET_ONE_NAME" 
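Review bot: After the second put the test now expects two grants for what the message still calls a private ACL, but only `.[0].Permission` is asserted, so the second grant's grantee and permission are never checked and an unintended grant would pass. Assert the second entry as well, e.g. `second_permission=$(echo "$public_grants" | jq -r '.[1].Permission' 2>&1) || fail "error retrieving second permission: $second_permission"` followed by a comparison with the expected value, or check that every grantee ID is one of the two expected principals. The fail text `incorrect grant length for private ACL` deserves a comment explaining why the expected length is 2.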
@@ -526,48 +517,55 @@ test_common_get_put_delete_bucket_policy() { policy_file="policy_file" - create_test_files "$policy_file" || local created=$? - [[ $created -eq 0 ]] || fail "Error creating policy file" + create_test_files "$policy_file" || fail "error creating policy file" effect="Allow" - principal="*" + #principal="*" + if [[ $DIRECT == "true" ]]; then + principal="{\"AWS\": \"arn:aws:iam::$DIRECT_AWS_USER_ID:user/s3user\"}" + else + principal="\"*\"" + fi action="s3:GetObject" resource="arn:aws:s3:::$BUCKET_ONE_NAME/*" cat < "$test_file_folder"/$policy_file +{ + "Version": "2012-10-17", + "Statement": [ { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "$effect", - "Principal": "$principal", - "Action": "$action", - "Resource": "$resource" - } - ] + "Effect": "$effect", + "Principal": $principal, + "Action": "$action", + "Resource": "$resource" } + ] +} EOF + log 5 "POLICY: $(cat "$test_file_folder/$policy_file")" - setup_bucket "$1" "$BUCKET_ONE_NAME" || local setup_result=$? - [[ $setup_result -eq 0 ]] || fail "error setting up bucket" + setup_bucket "$1" "$BUCKET_ONE_NAME" || fail "error setting up bucket" - check_for_empty_policy "$1" "$BUCKET_ONE_NAME" || check_result=$? - [[ $get_result -eq 0 ]] || fail "policy not empty" + check_for_empty_policy "$1" "$BUCKET_ONE_NAME" || fail "policy not empty" - put_bucket_policy "$1" "$BUCKET_ONE_NAME" "$test_file_folder"/"$policy_file" || put_result=$? - [[ $put_result -eq 0 ]] || fail "error putting bucket" + put_bucket_policy "$1" "$BUCKET_ONE_NAME" "$test_file_folder"/"$policy_file" || fail "error putting bucket policy" - get_bucket_policy "$1" "$BUCKET_ONE_NAME" || local get_result=$? 
- [[ $get_result -eq 0 ]] || fail "error getting bucket policy after setting" + get_bucket_policy "$1" "$BUCKET_ONE_NAME" || fail "error getting bucket policy after setting" - log 5 "$bucket_policy" - returned_effect=$(echo "$bucket_policy" | jq -r '.Statement[0].Effect') + # shellcheck disable=SC2154 + log 5 "POLICY: $bucket_policy" + statement=$(echo "$bucket_policy" | jq -r '.Statement[0]' 2>&1) || fail "error getting statement value: $statement" + returned_effect=$(echo "$statement" | jq -r '.Effect' 2>&1) || fail "error getting effect: $returned_effect" [[ $effect == "$returned_effect" ]] || fail "effect mismatch ($effect, $returned_effect)" - returned_principal=$(echo "$bucket_policy" | jq -r '.Statement[0].Principal') - [[ $principal == "$returned_principal" ]] || fail "principal mismatch ($principal, $returned_principal)" - returned_action=$(echo "$bucket_policy" | jq -r '.Statement[0].Action') + returned_principal=$(echo "$statement" | jq -r '.Principal') + if [[ -n $DIRECT ]] && arn=$(echo "$returned_principal" | jq -r '.AWS' 2>&1); then + [[ $arn == "arn:aws:iam::$DIRECT_AWS_USER_ID:user/s3user" ]] || fail "arn mismatch" + else + [[ $principal == "\"$returned_principal\"" ]] || fail "principal mismatch ($principal, $returned_principal)" + fi + returned_action=$(echo "$statement" | jq -r '.Action') [[ $action == "$returned_action" ]] || fail "action mismatch ($action, $returned_action)" - returned_resource=$(echo "$bucket_policy" | jq -r '.Statement[0].Resource') + returned_resource=$(echo "$statement" | jq -r '.Resource') [[ $resource == "$returned_resource" ]] || fail "resource mismatch ($resource, $returned_resource)" delete_bucket_policy "$1" "$BUCKET_ONE_NAME" || delete_result=$? diff --git a/tests/util.sh b/tests/util.sh index 8c6e519e..4b1c8a6e 100644 --- a/tests/util.sh +++ b/tests/util.sh 
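Review bot: The principal is built under `[[ $DIRECT == "true" ]]` but verified under `[[ -n $DIRECT ]] && arn=$(... | jq -r '.AWS' 2>&1)`, so the two conditions can disagree. With `DIRECT` set to any other non-empty value the check reaches the `"*"` comparison only because `jq` presumably fails on the bare `*`, and when `jq` fails in direct mode its error text is dropped and the test reports a principal mismatch instead. Use the same condition in both places and fail explicitly: `if [[ $DIRECT == "true" ]]; then arn=$(echo "$returned_principal" | jq -r '.AWS' 2>&1) || fail "error getting principal ARN: $arn"`. `fail "arn mismatch"` should include both values like the neighbouring messages, and the `jq -r '.Principal'`, `.Action` and `.Resource` captures lack the `2>&1) || fail` handling given to `.Effect`. The function begins before this hunk and continues after it.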
@@ -17,6 +17,7 @@ source ./tests/commands/head_bucket.sh source ./tests/commands/head_object.sh source ./tests/commands/list_objects.sh source ./tests/commands/put_bucket_acl.sh +source ./tests/commands/put_bucket_ownership_controls.sh source ./tests/commands/upload_part_copy.sh # recursively delete an AWS bucket @@ -215,8 +216,11 @@ setup_bucket() { log 2 "bucket creation function requires command type, bucket name" return 1 fi - delete_bucket_or_contents_if_exists "$1" "$2" || local delete_bucket_result=$? - if [[ $delete_bucket_result -ne 0 ]]; then + if [[ $1 == "s3cmd" ]]; then + log 5 "putting bucket ownership controls" + put_bucket_ownership_controls "$2" "BucketOwnerPreferred" + fi + if ! delete_bucket_or_contents_if_exists "$1" "$2"; then log 2 "error deleting bucket, or checking for bucket existence" return 1 fi @@ -228,6 +232,10 @@ setup_bucket() { return 1 fi log 5 "bucket creation success" + if [[ $1 == "s3cmd" ]]; then + log 5 "putting bucket ownership controls" + put_bucket_ownership_controls "$2" "BucketOwnerPreferred" || fail "putting bucket ownership controls failed" + fi else log 5 "skipping bucket re-creation" fi diff --git a/tests/util_users.sh b/tests/util_users.sh index b6480286..d79c6fc3 100644 --- a/tests/util_users.sh +++ b/tests/util_users.sh 
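Review bot: In `setup_bucket` the first added `put_bucket_ownership_controls "$2" "BucketOwnerPreferred"` runs before `delete_bucket_or_contents_if_exists` and its status is ignored, so on a run where the bucket does not exist yet it will presumably log a level-2 error and carry on. The second call, after creation, aborts through `fail` while the other error paths visible in this function use `log 2 ...; return 1`. Drop or guard the first call, and make the second consistent: `if ! put_bucket_ownership_controls "$2" "BucketOwnerPreferred"; then log 2 "error putting bucket ownership controls"; return 1; fi`. A comment on why only the `s3cmd` command type needs this, given that the helper itself calls the `aws` CLI, would help the next reader. This covers the `@@ -215,8 +216,11 @@` and `@@ -228,6 +232,10 @@` hunks; `setup_bucket` extends beyond both.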
@@ -274,13 +274,38 @@ delete_user() { change_bucket_owner() { if [[ $# -ne 4 ]]; then - echo "change bucket owner command requires ID, key, bucket name, and new owner" - return 1 - fi - error=$($VERSITY_EXE admin --allow-insecure --access "$1" --secret "$2" --endpoint-url "$AWS_ENDPOINT_URL" change-bucket-owner --bucket "$3" --owner "$4" 2>&1) || local change_result=$? - if [[ $change_result -ne 0 ]]; then - echo "error changing bucket owner: $error" - return 1 - fi - return 0 + echo "change bucket owner command requires ID, key, bucket name, and new owner" + return 1 + fi + error=$($VERSITY_EXE admin --allow-insecure --access "$1" --secret "$2" --endpoint-url "$AWS_ENDPOINT_URL" change-bucket-owner --bucket "$3" --owner "$4" 2>&1) || local change_result=$? + if [[ $change_result -ne 0 ]]; then + echo "error changing bucket owner: $error" + return 1 + fi + return 0 } + +get_bucket_owner() { + if [[ $# -ne 1 ]]; then + log 2 "'get bucket owner' command requires bucket name" + return 1 + fi + if ! buckets=$($VERSITY_EXE admin --allow-insecure --access "$AWS_ACCESS_KEY_ID" --secret "$AWS_SECRET_ACCESS_KEY" --endpoint-url "$AWS_ENDPOINT_URL" list-buckets 2>&1); then + log 2 "error listing buckets: $buckets" + return 1 + fi + log 5 "BUCKET DATA: $buckets" + bucket_vals=$(echo "$buckets" | awk 'NR > 2') + while IFS= read -r line; do + log 5 "bucket line: $line" + bucket=$(echo "$line" | awk '{print $1}') + if [[ $bucket == "$1" ]]; then + bucket_owner=$(echo "$line" | awk '{print $2}') + export bucket_owner + return 0 + fi + done <<< "$bucket_vals" + log 3 "bucket owner for bucket '$1' not found" + bucket_owner= + return 0 +} \ No newline at end of file
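Review bot: `get_bucket_owner` returns 0 when the bucket is missing from the listing, leaving `bucket_owner` empty and unexported, so a caller cannot tell "not found" from success; `log 2` plus `return 1` there would make `get_bucket_owner ... || fail` meaningful. The listing is captured with `2>&1` and then parsed positionally with `awk 'NR > 2'`, so any stderr line on a successful call shifts or pollutes the rows; a comment such as `# first two lines of 'admin list-buckets' output are the table header` would document the assumption. `--secret "$AWS_SECRET_ACCESS_KEY"` puts the secret on the command line, where it shows up in the process list and in any `set -x` trace; if the admin CLI can read credentials from the environment, prefer that. `buckets`, `bucket_vals`, `bucket` and `line` should be declared `local`.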