Merge pull request #1491 from versity/ben/scoutfs-options

feat: add versioning dir option to scoutfs backend
Merge pull request #1492 from versity/sis/bucket-cors-allow-headers
2026-02-01 07:52:07 +00:00 · 2025-08-26 14:43:21 -07:00 · 2025-08-26 14:42:57 -07:00 · 2025-08-27 00:31:47 +04:00 · 2025-08-26 11:20:35 -07:00 · 2025-08-26 08:53:05 -07:00
203 changed files with 28654 additions and 10687 deletions
--- a/.github/workflows/system.yml
+++ b/.github/workflows/system.yml
@@ -21,15 +21,21 @@ jobs:
            RECREATE_BUCKETS: "true"
            DELETE_BUCKETS_AFTER_TEST: "true"
            BACKEND: "posix"
-          - set: "REST, posix, non-static, base|acl, folder IAM"
+          - set: "REST, posix, non-static, base|acl|multipart|put-object, folder IAM"
            IAM_TYPE: folder
-            RUN_SET: "rest-base,rest-acl"
+            RUN_SET: "rest-base,rest-acl,rest-multipart,rest-put-object"
            RECREATE_BUCKETS: "true"
            DELETE_BUCKETS_AFTER_TEST: "true"
            BACKEND: "posix"
          - set: "REST, posix, non-static, chunked|checksum|versioning|bucket, folder IAM"
            IAM_TYPE: folder
-            RUN_SET: "rest-chunked,rest-checksum,rest-versioning,rest-bucket"
+            RUN_SET: "rest-chunked,rest-checksum,rest-versioning,rest-bucket,rest-list-buckets,rest-create-bucket,rest-head-bucket"
+            RECREATE_BUCKETS: "true"
+            DELETE_BUCKETS_AFTER_TEST: "true"
+            BACKEND: "posix"
+          - set: "REST, posix, non-static, not implemented, folder IAM"
+            IAM_TYPE: folder
+            RUN_SET: "rest-not-implemented"
            RECREATE_BUCKETS: "true"
            DELETE_BUCKETS_AFTER_TEST: "true"
            BACKEND: "posix"
--- a/auth/access-control.go
+++ b/auth/access-control.go
@@ -0,0 +1,189 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/s3err"
+)
+
+func VerifyObjectCopyAccess(ctx context.Context, be backend.Backend, copySource string, opts AccessOptions) error {
+	if opts.IsRoot {
+		return nil
+	}
+	if opts.Acc.Role == RoleAdmin {
+		return nil
+	}
+
+	// Verify destination bucket access
+	if err := VerifyAccess(ctx, be, opts); err != nil {
+		return err
+	}
+	// Verify source bucket access
+	srcBucket, srcObject, found := strings.Cut(copySource, "/")
+	if !found {
+		return s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)
+	}
+
+	// Get source bucket ACL
+	srcBucketACLBytes, err := be.GetBucketAcl(ctx, &s3.GetBucketAclInput{Bucket: &srcBucket})
+	if err != nil {
+		return err
+	}
+
+	var srcBucketAcl ACL
+	if err := json.Unmarshal(srcBucketACLBytes, &srcBucketAcl); err != nil {
+		return err
+	}
+
+	if err := VerifyAccess(ctx, be, AccessOptions{
+		Acl:           srcBucketAcl,
+		AclPermission: PermissionRead,
+		IsRoot:        opts.IsRoot,
+		Acc:           opts.Acc,
+		Bucket:        srcBucket,
+		Object:        srcObject,
+		Action:        GetObjectAction,
+	}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+type AccessOptions struct {
+	Acl            ACL
+	AclPermission  Permission
+	IsRoot         bool
+	Acc            Account
+	Bucket         string
+	Object         string
+	Action         Action
+	Readonly       bool
+	IsBucketPublic bool
+}
+
+func VerifyAccess(ctx context.Context, be backend.Backend, opts AccessOptions) error {
+	// Skip the access check for public buckets
+	if opts.IsBucketPublic {
+		return nil
+	}
+	if opts.Readonly {
+		if opts.AclPermission == PermissionWrite || opts.AclPermission == PermissionWriteAcp {
+			return s3err.GetAPIError(s3err.ErrAccessDenied)
+		}
+	}
+	if opts.IsRoot {
+		return nil
+	}
+	if opts.Acc.Role == RoleAdmin {
+		return nil
+	}
+
+	policy, policyErr := be.GetBucketPolicy(ctx, opts.Bucket)
+	if policyErr != nil {
+		if !errors.Is(policyErr, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
+			return policyErr
+		}
+	} else {
+		return VerifyBucketPolicy(policy, opts.Acc.Access, opts.Bucket, opts.Object, opts.Action)
+	}
+
+	if err := verifyACL(opts.Acl, opts.Acc.Access, opts.AclPermission); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Detects if the action is policy related
+// e.g.
+// 'GetBucketPolicy', 'PutBucketPolicy'
+func isPolicyAction(action Action) bool {
+	return action == GetBucketPolicyAction || action == PutBucketPolicyAction
+}
+
+// VerifyPublicAccess checks if the bucket is publically accessible by ACL or Policy
+func VerifyPublicAccess(ctx context.Context, be backend.Backend, action Action, permission Permission, bucket, object string) error {
+	// ACL disabled
+	policy, err := be.GetBucketPolicy(ctx, bucket)
+	if err != nil && !errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
+		return err
+	}
+	if err == nil {
+		err = VerifyPublicBucketPolicy(policy, bucket, object, action)
+		if err == nil {
+			// if ACLs are disabled, and the bucket grants public access,
+			// policy actions should return 'MethodNotAllowed'
+			if isPolicyAction(action) {
+				return s3err.GetAPIError(s3err.ErrMethodNotAllowed)
+			}
+
+			return nil
+		}
+	}
+
+	// if the action is not in the ACL whitelist the access is denied
+	_, ok := publicACLAllowedActions[action]
+	if !ok {
+		return s3err.GetAPIError(s3err.ErrAccessDenied)
+	}
+
+	err = VerifyPublicBucketACL(ctx, be, bucket, action, permission)
+	if err != nil {
+		return s3err.GetAPIError(s3err.ErrAccessDenied)
+	}
+
+	return nil
+}
+
+func IsAdminOrOwner(acct Account, isRoot bool, acl ACL) error {
+	// Owner check
+	if acct.Access == acl.Owner {
+		return nil
+	}
+
+	// Root user has access over almost everything
+	if isRoot {
+		return nil
+	}
+
+	// Admin user case
+	if acct.Role == RoleAdmin {
+		return nil
+	}
+
+	// Return access denied in all other cases
+	return s3err.GetAPIError(s3err.ErrAccessDenied)
+}
+
+type PublicACLAllowedActions map[Action]struct{}
+
+var publicACLAllowedActions PublicACLAllowedActions = PublicACLAllowedActions{
+	ListBucketAction:                 struct{}{},
+	PutObjectAction:                  struct{}{},
+	ListBucketMultipartUploadsAction: struct{}{},
+	DeleteObjectAction:               struct{}{},
+	ListBucketVersionsAction:         struct{}{},
+	GetObjectAction:                  struct{}{},
+	GetObjectAttributesAction:        struct{}{},
+	GetObjectAclAction:               struct{}{},
+}
--- a/auth/acl.go
+++ b/auth/acl.go
@@ -33,6 +33,17 @@ type ACL struct {
 	Grantees []Grantee
 }

+// IsPublic specifies if the acl grants public read access
+func (acl *ACL) IsPublic(permission Permission) bool {
+	for _, grt := range acl.Grantees {
+		if grt.Permission == permission && grt.Type == types.TypeGroup && grt.Access == "all-users" {
+			return true
+		}
+	}
+
+	return false
+}
+
 type Grantee struct {
 	Permission Permission
 	Access     string
@@ -374,7 +385,7 @@ func CheckIfAccountsExist(accs []string, iam IAMService) ([]string, error) {
 	for _, acc := range accs {
 		_, err := iam.GetUserAccount(acc)
 		if err != nil {
-			if err == ErrNoSuchUser {
+			if err == ErrNoSuchUser || err == s3err.GetAPIError(s3err.ErrAdminUserNotFound) {
 				result = append(result, acc)
 				continue
 			}
@@ -435,118 +446,50 @@ func verifyACL(acl ACL, access string, permission Permission) error {
 	return s3err.GetAPIError(s3err.ErrAccessDenied)
 }

-func MayCreateBucket(acct Account, isRoot bool) error {
-	if isRoot {
-		return nil
-	}
-
-	if acct.Role == RoleUser {
-		return s3err.GetAPIError(s3err.ErrAccessDenied)
-	}
-
-	return nil
-}
-
-func IsAdminOrOwner(acct Account, isRoot bool, acl ACL) error {
-	// Owner check
-	if acct.Access == acl.Owner {
-		return nil
-	}
-
-	// Root user has access over almost everything
-	if isRoot {
-		return nil
-	}
-
-	// Admin user case
-	if acct.Role == RoleAdmin {
-		return nil
-	}
-
-	// Return access denied in all other cases
-	return s3err.GetAPIError(s3err.ErrAccessDenied)
-}
-
-type AccessOptions struct {
-	Acl           ACL
-	AclPermission Permission
-	IsRoot        bool
-	Acc           Account
-	Bucket        string
-	Object        string
-	Action        Action
-	Readonly      bool
-}
-
-func VerifyAccess(ctx context.Context, be backend.Backend, opts AccessOptions) error {
-	if opts.Readonly {
-		if opts.AclPermission == PermissionWrite || opts.AclPermission == PermissionWriteAcp {
-			return s3err.GetAPIError(s3err.ErrAccessDenied)
-		}
-	}
-	if opts.IsRoot {
-		return nil
-	}
-	if opts.Acc.Role == RoleAdmin {
-		return nil
-	}
-
-	policy, policyErr := be.GetBucketPolicy(ctx, opts.Bucket)
-	if policyErr != nil {
-		if !errors.Is(policyErr, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
-			return policyErr
-		}
-	} else {
-		return VerifyBucketPolicy(policy, opts.Acc.Access, opts.Bucket, opts.Object, opts.Action)
-	}
-
-	if err := verifyACL(opts.Acl, opts.Acc.Access, opts.AclPermission); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func VerifyObjectCopyAccess(ctx context.Context, be backend.Backend, copySource string, opts AccessOptions) error {
-	if opts.IsRoot {
-		return nil
-	}
-	if opts.Acc.Role == RoleAdmin {
-		return nil
-	}
-
-	// Verify destination bucket access
-	if err := VerifyAccess(ctx, be, opts); err != nil {
-		return err
-	}
-	// Verify source bucket access
-	srcBucket, srcObject, found := strings.Cut(copySource, "/")
-	if !found {
-		return s3err.GetAPIError(s3err.ErrInvalidCopySource)
-	}
-
-	// Get source bucket ACL
-	srcBucketACLBytes, err := be.GetBucketAcl(ctx, &s3.GetBucketAclInput{Bucket: &srcBucket})
+// Verifies if the bucket acl grants public access
+func VerifyPublicBucketACL(ctx context.Context, be backend.Backend, bucket string, action Action, permission Permission) error {
+	aclBytes, err := be.GetBucketAcl(ctx, &s3.GetBucketAclInput{
+		Bucket: &bucket,
+	})
 	if err != nil {
 		return err
 	}

-	var srcBucketAcl ACL
-	if err := json.Unmarshal(srcBucketACLBytes, &srcBucketAcl); err != nil {
+	acl, err := ParseACL(aclBytes)
+	if err != nil {
 		return err
 	}

-	if err := VerifyAccess(ctx, be, AccessOptions{
-		Acl:           srcBucketAcl,
-		AclPermission: PermissionRead,
-		IsRoot:        opts.IsRoot,
-		Acc:           opts.Acc,
-		Bucket:        srcBucket,
-		Object:        srcObject,
-		Action:        GetObjectAction,
-	}); err != nil {
-		return err
+	if !acl.IsPublic(permission) {
+		return ErrAccessDenied
 	}

 	return nil
 }
+
+// UpdateBucketACLOwner sets default ACL with new owner and removes
+// any previous bucket policy that was in place
+func UpdateBucketACLOwner(ctx context.Context, be backend.Backend, bucket, newOwner string) error {
+	acl := ACL{
+		Owner: newOwner,
+		Grantees: []Grantee{
+			{
+				Permission: PermissionFullControl,
+				Access:     newOwner,
+				Type:       types.TypeCanonicalUser,
+			},
+		},
+	}
+
+	result, err := json.Marshal(acl)
+	if err != nil {
+		return fmt.Errorf("marshal ACL: %w", err)
+	}
+
+	err = be.PutBucketAcl(ctx, bucket, result)
+	if err != nil {
+		return err
+	}
+
+	return be.DeleteBucketPolicy(ctx, bucket)
+}
--- a/auth/bucket_cors.go
+++ b/auth/bucket_cors.go
@@ -0,0 +1,338 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+import (
+	"encoding/xml"
+	"fmt"
+	"net/http"
+	"regexp"
+	"strings"
+
+	"github.com/versity/versitygw/s3api/debuglogger"
+	"github.com/versity/versitygw/s3err"
+)
+
+// headerRegex is the regexp to validate http header names
+var headerRegex = regexp.MustCompile(`^[!#$%&'*+\-.^_` + "`" + `|~0-9A-Za-z]+$`)
+
+type CORSHeader string
+type CORSHTTPMethod string
+
+// IsValid validates the CORS http header
+// the rules are based on http RFC
+// https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
+//
+// Empty values are considered as valid
+func (ch CORSHeader) IsValid() bool {
+	return ch == "" || headerRegex.MatchString(ch.String())
+}
+
+// String converts the header value to 'string'
+func (ch CORSHeader) String() string {
+	return string(ch)
+}
+
+// ToLower converts the header to lower case
+func (ch CORSHeader) ToLower() string {
+	return strings.ToLower(string(ch))
+}
+
+// IsValid validates the cors http request method:
+// the methods are case sensitive
+func (cm CORSHTTPMethod) IsValid() bool {
+	return cm.IsEmpty() || cm == http.MethodGet || cm == http.MethodHead || cm == http.MethodPut ||
+		cm == http.MethodPost || cm == http.MethodDelete
+}
+
+// IsEmpty checks if the cors method is an empty string
+func (cm CORSHTTPMethod) IsEmpty() bool {
+	return cm == ""
+}
+
+// String converts the method value to 'string'
+func (cm CORSHTTPMethod) String() string {
+	return string(cm)
+}
+
+type CORSConfiguration struct {
+	Rules []CORSRule `xml:"CORSRule"`
+}
+
+// Validate validates the cors configuration rules
+func (cc *CORSConfiguration) Validate() error {
+	if cc == nil || cc.Rules == nil {
+		debuglogger.Logf("invalid CORS configuration")
+		return s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	if len(cc.Rules) == 0 {
+		debuglogger.Logf("empty CORS config rules")
+		return s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	// validate each CORS rule
+	for _, rule := range cc.Rules {
+		if err := rule.Validate(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+type CORSAllowanceConfig struct {
+	Origin           string
+	Methods          string
+	ExposedHeaders   string
+	AllowCredentials string
+	AllowHeaders     string
+	MaxAge           *int32
+}
+
+// IsAllowed walks through the CORS rules and finds the first one allowing access.
+// If no rule grants access, returns 'AccessForbidden'
+func (cc *CORSConfiguration) IsAllowed(origin string, method CORSHTTPMethod, headers []CORSHeader) (*CORSAllowanceConfig, error) {
+	// if method is empty, anyways cors is forbidden
+	// skip, without going through the rules
+	if method.IsEmpty() {
+		debuglogger.Logf("empty Access-Control-Request-Method")
+		return nil, s3err.GetAPIError(s3err.ErrCORSForbidden)
+	}
+	for _, rule := range cc.Rules {
+		// find the first rule granting access
+		if isAllowed, wilcardOrigin := rule.Match(origin, method, headers); isAllowed {
+			o := origin
+			allowCredentials := "true"
+			if wilcardOrigin {
+				o = "*"
+				allowCredentials = "false"
+			}
+
+			return &CORSAllowanceConfig{
+				Origin:           o,
+				AllowCredentials: allowCredentials,
+				Methods:          rule.GetAllowedMethods(),
+				ExposedHeaders:   rule.GetExposeHeaders(),
+				AllowHeaders:     buildAllowedHeaders(headers),
+				MaxAge:           rule.MaxAgeSeconds,
+			}, nil
+		}
+	}
+
+	// if no matching rule is found, return AccessForbidden
+	return nil, s3err.GetAPIError(s3err.ErrCORSForbidden)
+}
+
+type CORSRule struct {
+	AllowedMethods []CORSHTTPMethod `xml:"AllowedMethod"`
+	AllowedHeaders []CORSHeader     `xml:"AllowedHeader"`
+	ExposeHeaders  []CORSHeader     `xml:"ExposeHeader"`
+	AllowedOrigins []string         `xml:"AllowedOrigin"`
+	ID             *string
+	MaxAgeSeconds  *int32
+}
+
+// Validate validates and returns error if CORS configuration has invalid rule
+func (cr *CORSRule) Validate() error {
+	// validate CORS allowed headers
+	for _, header := range cr.AllowedHeaders {
+		if !header.IsValid() {
+			debuglogger.Logf("invalid CORS allowed header: %s", header)
+			return s3err.GetInvalidCORSHeaderErr(header.String())
+		}
+	}
+	// validate CORS allowed methods
+	for _, method := range cr.AllowedMethods {
+		if !method.IsValid() {
+			debuglogger.Logf("invalid CORS allowed method: %s", method)
+			return s3err.GetUnsopportedCORSMethodErr(method.String())
+		}
+	}
+	// validate CORS expose headers
+	for _, header := range cr.ExposeHeaders {
+		if !header.IsValid() {
+			debuglogger.Logf("invalid CORS exposed header: %s", header)
+			return s3err.GetInvalidCORSHeaderErr(header.String())
+		}
+	}
+
+	return nil
+}
+
+// Match matches the provided origin, method and headers with the
+// CORS configuration rule
+// if the matching origin is "*", it returns true as the first argument
+func (cr *CORSRule) Match(origin string, method CORSHTTPMethod, headers []CORSHeader) (bool, bool) {
+	wildcardOrigin := false
+	originFound := false
+
+	// check if the provided origin exists in CORS AllowedOrigins
+	for _, or := range cr.AllowedOrigins {
+		if wildcardMatch(or, origin) {
+			originFound = true
+			if or == "*" {
+				// mark wildcardOrigin as true, if "*" is found in AllowedOrigins
+				wildcardOrigin = true
+			}
+			break
+		}
+	}
+
+	if !originFound {
+		return false, false
+	}
+
+	// cache the CORS AllowedMethods in a map
+	allowedMethods := cacheCORSMethods(cr.AllowedMethods)
+	// check if the provided method exists in CORS AllowedMethods
+	if _, ok := allowedMethods[method]; !ok {
+		return false, false
+	}
+
+	// check is CORS rule allowed headers match
+	// with the requested allowed headers
+	for _, reqHeader := range headers {
+		match := false
+		for _, header := range cr.AllowedHeaders {
+			if wildcardMatch(header.ToLower(), reqHeader.ToLower()) {
+				match = true
+				break
+			}
+		}
+
+		if !match {
+			return false, false
+		}
+	}
+
+	return true, wildcardOrigin
+}
+
+// GetExposeHeaders returns comma separated CORS expose headers
+func (cr *CORSRule) GetExposeHeaders() string {
+	var result strings.Builder
+
+	for i, h := range cr.ExposeHeaders {
+		if i > 0 {
+			result.WriteString(", ")
+		}
+		result.WriteString(h.String())
+	}
+
+	return result.String()
+}
+
+// buildAllowedHeaders builds a comma separated string from []CORSHeader
+func buildAllowedHeaders(headers []CORSHeader) string {
+	var result strings.Builder
+
+	for i, h := range headers {
+		if i > 0 {
+			result.WriteString(", ")
+		}
+		result.WriteString(h.ToLower())
+	}
+
+	return result.String()
+}
+
+// GetAllowedMethods returns comma separated CORS allowed methods
+func (cr *CORSRule) GetAllowedMethods() string {
+	var result strings.Builder
+
+	for i, m := range cr.AllowedMethods {
+		if i > 0 {
+			result.WriteString(", ")
+		}
+		result.WriteString(m.String())
+	}
+
+	return result.String()
+}
+
+// ParseCORSOutput parses raw bytes to 'CORSConfiguration'
+func ParseCORSOutput(data []byte) (*CORSConfiguration, error) {
+	var config CORSConfiguration
+	err := xml.Unmarshal(data, &config)
+	if err != nil {
+		debuglogger.Logf("unmarshal cors output: %v", err)
+		return nil, fmt.Errorf("failed to parse cors config: %w", err)
+	}
+
+	return &config, nil
+}
+
+func cacheCORSMethods(input []CORSHTTPMethod) map[CORSHTTPMethod]struct{} {
+	result := make(map[CORSHTTPMethod]struct{}, len(input))
+	for _, el := range input {
+		result[el] = struct{}{}
+	}
+
+	return result
+}
+
+// ParseCORSHeaders parses/validates Access-Control-Request-Headers
+// and returns []CORSHeaders
+func ParseCORSHeaders(headers string) ([]CORSHeader, error) {
+	result := []CORSHeader{}
+	if headers == "" {
+		return result, nil
+	}
+
+	headersSplitted := strings.Split(headers, ",")
+	for _, h := range headersSplitted {
+		corsHeader := CORSHeader(strings.TrimSpace(h))
+		if corsHeader == "" || !corsHeader.IsValid() {
+			debuglogger.Logf("invalid access control header: %s", h)
+			return nil, s3err.GetInvalidCORSRequestHeaderErr(h)
+		}
+		result = append(result, corsHeader)
+	}
+
+	return result, nil
+}
+
+func wildcardMatch(pattern, input string) bool {
+	pIdx, sIdx := 0, 0
+	starIdx, matchIdx := -1, 0
+
+	for sIdx < len(input) {
+		if pIdx < len(pattern) && pattern[pIdx] == input[sIdx] {
+			// exact match of current char
+			sIdx++
+			pIdx++
+		} else if pIdx < len(pattern) && pattern[pIdx] == '*' {
+			// remember star position
+			starIdx = pIdx
+			matchIdx = sIdx
+			pIdx++
+		} else if starIdx != -1 {
+			// backtrack: try to match more characters with '*'
+			pIdx = starIdx + 1
+			matchIdx++
+			sIdx = matchIdx
+		} else {
+			return false
+		}
+	}
+
+	// skip trailing stars
+	for pIdx < len(pattern) && pattern[pIdx] == '*' {
+		pIdx++
+	}
+
+	return pIdx == len(pattern)
+}
--- a/auth/bucket_cors_test.go
+++ b/auth/bucket_cors_test.go
@@ -0,0 +1,736 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestCORSHeader_IsValid(t *testing.T) {
+	tests := []struct {
+		name   string
+		header CORSHeader
+		want   bool
+	}{
+		{"empty", "", true},
+		{"valid", "X-Custom-Header", true},
+		{"invalid_1", "Invalid Header", false},
+		{"invalid_2", "invalid/header", false},
+		{"invalid_3", "Invalid\tHeader", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.header.IsValid(); got != tt.want {
+				t.Errorf("IsValid() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCORSHTTPMethod_IsValid(t *testing.T) {
+	tests := []struct {
+		name   string
+		method CORSHTTPMethod
+		want   bool
+	}{
+		{"empty valid", "", true},
+		{"GET valid", http.MethodGet, true},
+		{"HEAD valid", http.MethodHead, true},
+		{"PUT valid", http.MethodPut, true},
+		{"POST valid", http.MethodPost, true},
+		{"DELETE valid", http.MethodDelete, true},
+		{"get valid", "get", false},
+		{"put valid", "put", false},
+		{"post valid", "post", false},
+		{"head valid", "head", false},
+		{"invalid", "FOO", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.method.IsValid(); got != tt.want {
+				t.Errorf("IsValid() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCORSHeader_ToLower(t *testing.T) {
+	tests := []struct {
+		name   string
+		header CORSHeader
+		want   string
+	}{
+		{
+			name:   "already lowercase",
+			header: CORSHeader("content-type"),
+			want:   "content-type",
+		},
+		{
+			name:   "mixed case",
+			header: CORSHeader("X-CuStOm-HeAdEr"),
+			want:   "x-custom-header",
+		},
+		{
+			name:   "uppercase",
+			header: CORSHeader("AUTHORIZATION"),
+			want:   "authorization",
+		},
+		{
+			name:   "empty string",
+			header: CORSHeader(""),
+			want:   "",
+		},
+		{
+			name:   "numeric and symbols",
+			header: CORSHeader("X-123-HEADER"),
+			want:   "x-123-header",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.header.ToLower()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestCORSHTTPMethod_IsEmpty(t *testing.T) {
+	tests := []struct {
+		name   string
+		method CORSHTTPMethod
+		want   bool
+	}{
+		{
+			name:   "empty string is empty",
+			method: CORSHTTPMethod(""),
+			want:   true,
+		},
+		{
+			name:   "GET method is not empty",
+			method: CORSHTTPMethod("GET"),
+			want:   false,
+		},
+		{
+			name:   "random string is not empty",
+			method: CORSHTTPMethod("FOO"),
+			want:   false,
+		},
+		{
+			name:   "lowercase get is not empty (case sensitive)",
+			method: CORSHTTPMethod("get"),
+			want:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.method.IsEmpty()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestCORSConfiguration_Validate(t *testing.T) {
+	tests := []struct {
+		name string
+		cfg  *CORSConfiguration
+		want error
+	}{
+		{"nil config", nil, s3err.GetAPIError(s3err.ErrMalformedXML)},
+		{"nil rules", &CORSConfiguration{}, s3err.GetAPIError(s3err.ErrMalformedXML)},
+		{"empty rules", &CORSConfiguration{Rules: []CORSRule{}}, s3err.GetAPIError(s3err.ErrMalformedXML)},
+		{"invalid rule", &CORSConfiguration{Rules: []CORSRule{{AllowedHeaders: []CORSHeader{"Invalid Header"}}}}, s3err.GetInvalidCORSHeaderErr("Invalid Header")},
+		{"valid rule", &CORSConfiguration{Rules: []CORSRule{{
+			AllowedOrigins: []string{"origin"},
+			AllowedHeaders: []CORSHeader{"X-Test"},
+			AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+			ExposeHeaders:  []CORSHeader{"X-Expose"},
+		}}}, nil},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.cfg.Validate()
+			assert.EqualValues(t, tt.want, err)
+		})
+	}
+}
+
+func TestCORSConfiguration_IsAllowed(t *testing.T) {
+	type input struct {
+		cfg     *CORSConfiguration
+		origin  string
+		method  CORSHTTPMethod
+		headers []CORSHeader
+	}
+	type output struct {
+		result *CORSAllowanceConfig
+		err    error
+	}
+	tests := []struct {
+		name   string
+		input  input
+		output output
+	}{
+		{
+			name: "allowed exact origin",
+			input: input{
+				cfg: &CORSConfiguration{Rules: []CORSRule{{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				}}},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{
+				result: &CORSAllowanceConfig{
+					Origin:           "http://allowed.com",
+					AllowCredentials: "true",
+					Methods:          http.MethodGet,
+					AllowHeaders:     "x-test",
+					ExposedHeaders:   "",
+					MaxAge:           nil,
+				},
+				err: nil,
+			},
+		},
+		{
+			name: "allowed wildcard origin",
+			input: input{
+				cfg: &CORSConfiguration{Rules: []CORSRule{{
+					AllowedOrigins: []string{"*"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				}}},
+				origin:  "anything",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{
+				result: &CORSAllowanceConfig{
+					Origin:           "*",
+					AllowCredentials: "false",
+					AllowHeaders:     "x-test",
+					Methods:          http.MethodGet,
+					ExposedHeaders:   "",
+					MaxAge:           nil,
+				},
+				err: nil,
+			},
+		},
+		{
+			name: "forbidden no matching origin",
+			input: input{
+				cfg: &CORSConfiguration{Rules: []CORSRule{{
+					AllowedOrigins: []string{"http://nope.com"},
+				}}},
+				origin: "http://not-allowed.com",
+				method: http.MethodGet,
+			},
+			output: output{
+				result: nil,
+				err:    s3err.GetAPIError(s3err.ErrCORSForbidden),
+			},
+		},
+		{
+			name: "forbidden method not allowed",
+			input: input{
+				cfg: &CORSConfiguration{Rules: []CORSRule{{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodPost},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				}}},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{
+				result: nil,
+				err:    s3err.GetAPIError(s3err.ErrCORSForbidden),
+			},
+		},
+		{
+			name: "forbidden header not allowed",
+			input: input{
+				cfg: &CORSConfiguration{Rules: []CORSRule{{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				}}},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Nope"},
+			},
+			output: output{
+				result: nil,
+				err:    s3err.GetAPIError(s3err.ErrCORSForbidden),
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tt.input.cfg.IsAllowed(tt.input.origin, tt.input.method, tt.input.headers)
+			assert.EqualValues(t, tt.output.err, err)
+			assert.EqualValues(t, tt.output.result, got)
+		})
+	}
+}
+
+func TestCORSRule_Validate(t *testing.T) {
+	tests := []struct {
+		name string
+		rule CORSRule
+		want error
+	}{
+		{
+			name: "valid rule",
+			rule: CORSRule{
+				AllowedOrigins: []string{"http://allowed.com"},
+				AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+				AllowedHeaders: []CORSHeader{"X-Test"},
+			},
+			want: nil,
+		},
+		{
+			name: "invalid allowed methods",
+			rule: CORSRule{
+				AllowedOrigins: []string{"http://allowed.com"},
+				AllowedMethods: []CORSHTTPMethod{"invalid_method"},
+				AllowedHeaders: []CORSHeader{"X-Test"},
+			},
+			want: s3err.GetUnsopportedCORSMethodErr("invalid_method"),
+		},
+		{
+			name: "invalid allowed header",
+			rule: CORSRule{
+				AllowedOrigins: []string{"http://allowed.com"},
+				AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+				AllowedHeaders: []CORSHeader{"Invalid Header"},
+			},
+			want: s3err.GetInvalidCORSHeaderErr("Invalid Header"),
+		},
+		{
+			name: "invalid allowed header",
+			rule: CORSRule{
+				AllowedOrigins: []string{"http://allowed.com"},
+				AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+				AllowedHeaders: []CORSHeader{"Content-Length"},
+				ExposeHeaders:  []CORSHeader{"Content-Encoding", "invalid header"},
+			},
+			want: s3err.GetInvalidCORSHeaderErr("invalid header"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.rule.Validate()
+			assert.EqualValues(t, tt.want, err)
+		})
+	}
+}
+
+func TestCORSRule_Match(t *testing.T) {
+	type input struct {
+		rule    CORSRule
+		origin  string
+		method  CORSHTTPMethod
+		headers []CORSHeader
+	}
+	type output struct {
+		isAllowed  bool
+		isWildcard bool
+	}
+	tests := []struct {
+		name   string
+		input  input
+		output output
+	}{
+		{
+			name: "exact origin and method match",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{isAllowed: true, isWildcard: false},
+		},
+		{
+			name: "wildcard origin match",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"*"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodPost},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://random.com",
+				method:  http.MethodPost,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{isAllowed: true, isWildcard: true},
+		},
+		{
+			name: "wildcard containing origin match",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://random*"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodPost},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://random.com",
+				method:  http.MethodPost,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{isAllowed: true, isWildcard: false},
+		},
+		{
+			name: "wildcard allowed headers match",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://something.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodPost},
+					AllowedHeaders: []CORSHeader{"X-*"},
+				},
+				origin:  "http://something.com",
+				method:  http.MethodPost,
+				headers: []CORSHeader{"X-Test", "X-Something", "X-Anyting"},
+			},
+			output: output{isAllowed: true, isWildcard: false},
+		},
+		{
+			name: "origin mismatch",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://notallowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{isAllowed: false, isWildcard: false},
+		},
+		{
+			name: "method mismatch",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodPost},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{isAllowed: false, isWildcard: false},
+		},
+		{
+			name: "header mismatch",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Other"},
+			},
+			output: output{isAllowed: false, isWildcard: false},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			isAllowed, wild := tt.input.rule.Match(tt.input.origin, tt.input.method, tt.input.headers)
+			assert.Equal(t, tt.output.isAllowed, isAllowed)
+			assert.Equal(t, tt.output.isWildcard, wild)
+		})
+	}
+}
+
+func TestGetExposeHeaders(t *testing.T) {
+	tests := []struct {
+		name string
+		rule CORSRule
+		want string
+	}{
+		{"multiple headers", CORSRule{ExposeHeaders: []CORSHeader{"Content-Length", "Content-Type", "Content-Encoding"}}, "Content-Length, Content-Type, Content-Encoding"},
+		{"single header", CORSRule{ExposeHeaders: []CORSHeader{"Authorization"}}, "Authorization"},
+		{"no headers", CORSRule{}, ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.rule.GetExposeHeaders()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestBuildAllowedHeaders(t *testing.T) {
+	tests := []struct {
+		name    string
+		headers []CORSHeader
+		want    string
+	}{
+		{
+			name:    "empty slice returns empty string",
+			headers: []CORSHeader{},
+			want:    "",
+		},
+		{
+			name:    "single header lowercase",
+			headers: []CORSHeader{"Content-Type"},
+			want:    "content-type",
+		},
+		{
+			name:    "multiple headers lowercased with commas",
+			headers: []CORSHeader{"Content-Type", "X-Custom-Header", "Authorization"},
+			want:    "content-type, x-custom-header, authorization",
+		},
+		{
+			name:    "already lowercase header",
+			headers: []CORSHeader{"accept"},
+			want:    "accept",
+		},
+		{
+			name:    "mixed case headers",
+			headers: []CORSHeader{"ACCEPT", "x-Powered-By"},
+			want:    "accept, x-powered-by",
+		},
+		{
+			name:    "empty header value",
+			headers: []CORSHeader{""},
+			want:    "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := buildAllowedHeaders(tt.headers)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestGetAllowedMethods(t *testing.T) {
+	tests := []struct {
+		name string
+		rule CORSRule
+		want string
+	}{
+		{"multiple methods", CORSRule{AllowedMethods: []CORSHTTPMethod{http.MethodGet, http.MethodPost, http.MethodPut}}, "GET, POST, PUT"},
+		{"single method", CORSRule{AllowedMethods: []CORSHTTPMethod{http.MethodGet}}, "GET"},
+		{"no methods", CORSRule{}, ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.rule.GetAllowedMethods()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestParseCORSOutput(t *testing.T) {
+	tests := []struct {
+		name string
+		data string
+		want bool
+	}{
+		{"valid", `<CORSConfiguration><CORSRule></CORSRule></CORSConfiguration>`, true},
+		{"invalid xml", `<CORSConfiguration><CORSRule>`, false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg, err := ParseCORSOutput([]byte(tt.data))
+			if (err == nil) != tt.want {
+				t.Errorf("ParseCORSOutput() err = %v, want success=%v", err, tt.want)
+			}
+			if tt.want && cfg == nil {
+				t.Errorf("Expected non-nil config")
+			}
+		})
+	}
+}
+
+func TestCacheCORSProps(t *testing.T) {
+	tests := []struct {
+		name string
+		in   []CORSHTTPMethod
+		want map[string]struct{}
+	}{
+		{
+			name: "empty CORSHTTPMethod slice",
+			in:   []CORSHTTPMethod{},
+			want: map[string]struct{}{},
+		},
+		{
+			name: "single CORSHTTPMethod",
+			in:   []CORSHTTPMethod{http.MethodGet},
+			want: map[string]struct{}{http.MethodGet: {}},
+		},
+		{
+			name: "multiple CORSHTTPMethods",
+			in:   []CORSHTTPMethod{http.MethodGet, http.MethodPost, http.MethodPut},
+			want: map[string]struct{}{
+				http.MethodGet:  {},
+				http.MethodPost: {},
+				http.MethodPut:  {},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := cacheCORSMethods(tt.in)
+			assert.Equal(t, len(tt.want), len(got))
+			for key := range tt.want {
+				_, ok := got[CORSHTTPMethod(key)]
+				assert.True(t, ok)
+			}
+		})
+	}
+}
+
+func TestParseCORSHeaders(t *testing.T) {
+	tests := []struct {
+		name string
+		in   string
+		want []CORSHeader
+		err  error
+	}{
+		{
+			name: "empty string",
+			in:   "",
+			want: []CORSHeader{},
+			err:  nil,
+		},
+		{
+			name: "single valid header",
+			in:   "X-Test",
+			want: []CORSHeader{"X-Test"},
+			err:  nil,
+		},
+		{
+			name: "multiple valid headers with spaces",
+			in:   "X-Test, Content-Type, Authorization",
+			want: []CORSHeader{"X-Test", "Content-Type", "Authorization"},
+			err:  nil,
+		},
+		{
+			name: "header with leading/trailing spaces",
+			in:   "   X-Test   ",
+			want: []CORSHeader{"X-Test"},
+			err:  nil,
+		},
+		{
+			name: "contains invalid header",
+			in:   "X-Test, Invalid Header, Content-Type",
+			want: nil,
+			err:  s3err.GetInvalidCORSRequestHeaderErr(" Invalid Header"),
+		},
+		{
+			name: "only invalid header",
+			in:   "Invalid Header",
+			want: nil,
+			err:  s3err.GetInvalidCORSRequestHeaderErr("Invalid Header"),
+		},
+		{
+			name: "multiple commas in a row",
+			in:   "X-Test,,Content-Type",
+			want: nil,
+			err:  s3err.GetInvalidCORSRequestHeaderErr(""),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ParseCORSHeaders(tt.in)
+			assert.EqualValues(t, tt.err, err)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestWildcardMatch(t *testing.T) {
+	tests := []struct {
+		name    string
+		pattern string
+		input   string
+		want    bool
+	}{
+		// Exact match, no wildcards
+		{"exact match", "hello", "hello", true},
+		{"exact mismatch", "hello", "hell", false},
+		// Single '*' matching zero chars
+		{"star matches zero chars", "he*lo", "helo", true},
+		// Single '*' matching multiple chars
+		{"star matches multiple chars", "he*o", "heyyyyyo", true},
+		// '*' at start
+		{"star at start", "*world", "hello world", true},
+		// '*' at end
+		{"star at end", "hello*", "hello there", true},
+		// '*' matches whole string
+		{"only star", "*", "anything", true},
+		{"only star empty", "*", "", true},
+		// Multiple '*'s
+		{"multiple stars", "a*b*c", "axxxbzzzzyc", true},
+		{"multiple stars no match", "a*b*c", "axxxbzzzzy", false},
+		// Backtracking needed
+		{"backtracking required", "a*b*c", "ab123c", true},
+		// No match with star present
+		{"star but mismatch", "he*world", "hey there", false},
+		// Trailing stars in pattern
+		{"trailing stars match", "abc**", "abc", true},
+		{"trailing stars match longer", "abc**", "abccc", true},
+		// Empty pattern cases
+		{"empty pattern and empty input", "", "", true},
+		{"empty pattern non-empty input", "", "a", false},
+		{"only stars pattern with empty input", "***", "", true},
+		// Pattern longer than input
+		{"pattern longer no star", "abcd", "abc", false},
+		// Input longer but no star
+		{"input longer no star", "abc", "abcd", false},
+		// Complex interleaved match
+		{"complex interleaved", "*a*b*cd*", "xxaYYbZZcd123", true},
+		// Star match at the end after mismatch
+		{"mismatch then star match", "ab*xyz", "abzzzxyz", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := wildcardMatch(tt.pattern, tt.input)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/auth/bucket_policy.go
+++ b/auth/bucket_policy.go
@@ -17,11 +17,14 @@ package auth
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"

 	"github.com/versity/versitygw/s3err"
 )

+var ErrAccessDenied = errors.New("access denied")
+
 type policyErr string

 func (p policyErr) Error() string {
@@ -89,6 +92,36 @@ func (bp *BucketPolicy) isAllowed(principal string, action Action, resource stri
 	return isAllowed
 }

+// IsPublicFor checks if the bucket policy statements contain
+// an entity granting public access to the given resource and action
+func (bp *BucketPolicy) isPublicFor(resource string, action Action) bool {
+	var isAllowed bool
+	for _, statement := range bp.Statement {
+		if statement.isPublicFor(resource, action) {
+			switch statement.Effect {
+			case BucketPolicyAccessTypeAllow:
+				isAllowed = true
+			case BucketPolicyAccessTypeDeny:
+				return false
+			}
+		}
+	}
+
+	return isAllowed
+}
+
+// IsPublic checks if one of bucket policy statments grant
+// public access to ALL users
+func (bp *BucketPolicy) IsPublic() bool {
+	for _, statement := range bp.Statement {
+		if statement.isPublic() {
+			return true
+		}
+	}
+
+	return false
+}
+
 type BucketPolicyItem struct {
 	Effect     BucketPolicyAccessType `json:"Effect"`
 	Principals Principals             `json:"Principal"`
@@ -134,6 +167,18 @@ func (bpi *BucketPolicyItem) findMatch(principal string, action Action, resource
 	return false
 }

+// isPublicFor checks if the bucket policy statemant grants public access
+// for given resource and action
+func (bpi *BucketPolicyItem) isPublicFor(resource string, action Action) bool {
+	return bpi.Principals.isPublic() && bpi.Actions.FindMatch(action) && bpi.Resources.FindMatch(resource)
+}
+
+// isPublic checks if the statement grants public access
+// to ALL users
+func (bpi *BucketPolicyItem) isPublic() bool {
+	return bpi.Principals.isPublic()
+}
+
 func getMalformedPolicyError(err error) error {
 	return s3err.APIError{
 		Code:           "MalformedPolicy",
@@ -142,17 +187,27 @@ func getMalformedPolicyError(err error) error {
 	}
 }

+// ParsePolicyDocument parses raw bytes to 'BucketPolicy'
+func ParsePolicyDocument(data []byte) (*BucketPolicy, error) {
+	var policy BucketPolicy
+	if err := json.Unmarshal(data, &policy); err != nil {
+		var pe policyErr
+		if errors.As(err, &pe) {
+			return nil, getMalformedPolicyError(err)
+		}
+		return nil, getMalformedPolicyError(policyErrInvalidPolicy)
+	}
+
+	return &policy, nil
+}
+
 func ValidatePolicyDocument(policyBin []byte, bucket string, iam IAMService) error {
 	if len(policyBin) == 0 || policyBin[0] != '{' {
 		return getMalformedPolicyError(policyErrInvalidFirstChar)
 	}
-	var policy BucketPolicy
-	if err := json.Unmarshal(policyBin, &policy); err != nil {
-		var pe policyErr
-		if errors.As(err, &pe) {
-			return getMalformedPolicyError(err)
-		}
-		return getMalformedPolicyError(policyErrInvalidPolicy)
+	policy, err := ParsePolicyDocument(policyBin)
+	if err != nil {
+		return err
 	}

 	if len(policy.Statement) == 0 {
@@ -169,7 +224,7 @@ func ValidatePolicyDocument(policyBin []byte, bucket string, iam IAMService) err
 func VerifyBucketPolicy(policy []byte, access, bucket, object string, action Action) error {
 	var bucketPolicy BucketPolicy
 	if err := json.Unmarshal(policy, &bucketPolicy); err != nil {
-		return err
+		return fmt.Errorf("failed to parse the bucket policy: %w", err)
 	}

 	resource := bucket
@@ -183,3 +238,22 @@ func VerifyBucketPolicy(policy []byte, access, bucket, object string, action Act

 	return nil
 }
+
+// Checks if the bucket policy grants public access
+func VerifyPublicBucketPolicy(policy []byte, bucket, object string, action Action) error {
+	var bucketPolicy BucketPolicy
+	if err := json.Unmarshal(policy, &bucketPolicy); err != nil {
+		return err
+	}
+
+	resource := bucket
+	if object != "" {
+		resource += "/" + object
+	}
+
+	if !bucketPolicy.isPublicFor(resource, action) {
+		return ErrAccessDenied
+	}
+
+	return nil
+}
--- a/auth/bucket_policy_actions.go
+++ b/auth/bucket_policy_actions.go
@@ -22,86 +22,142 @@ import (
 type Action string

 const (
-	GetBucketAclAction                     Action = "s3:GetBucketAcl"
-	CreateBucketAction                     Action = "s3:CreateBucket"
-	PutBucketAclAction                     Action = "s3:PutBucketAcl"
-	DeleteBucketAction                     Action = "s3:DeleteBucket"
-	PutBucketVersioningAction              Action = "s3:PutBucketVersioning"
-	GetBucketVersioningAction              Action = "s3:GetBucketVersioning"
-	PutBucketPolicyAction                  Action = "s3:PutBucketPolicy"
-	GetBucketPolicyAction                  Action = "s3:GetBucketPolicy"
-	DeleteBucketPolicyAction               Action = "s3:DeleteBucketPolicy"
-	AbortMultipartUploadAction             Action = "s3:AbortMultipartUpload"
-	ListMultipartUploadPartsAction         Action = "s3:ListMultipartUploadParts"
-	ListBucketMultipartUploadsAction       Action = "s3:ListBucketMultipartUploads"
-	PutObjectAction                        Action = "s3:PutObject"
-	GetObjectAction                        Action = "s3:GetObject"
-	GetObjectVersionAction                 Action = "s3:GetObjectVersion"
-	DeleteObjectAction                     Action = "s3:DeleteObject"
-	GetObjectAclAction                     Action = "s3:GetObjectAcl"
-	GetObjectAttributesAction              Action = "s3:GetObjectAttributes"
-	PutObjectAclAction                     Action = "s3:PutObjectAcl"
-	RestoreObjectAction                    Action = "s3:RestoreObject"
-	GetBucketTaggingAction                 Action = "s3:GetBucketTagging"
-	PutBucketTaggingAction                 Action = "s3:PutBucketTagging"
-	GetObjectTaggingAction                 Action = "s3:GetObjectTagging"
-	PutObjectTaggingAction                 Action = "s3:PutObjectTagging"
-	DeleteObjectTaggingAction              Action = "s3:DeleteObjectTagging"
-	ListBucketVersionsAction               Action = "s3:ListBucketVersions"
-	ListBucketAction                       Action = "s3:ListBucket"
-	GetBucketObjectLockConfigurationAction Action = "s3:GetBucketObjectLockConfiguration"
-	PutBucketObjectLockConfigurationAction Action = "s3:PutBucketObjectLockConfiguration"
-	GetObjectLegalHoldAction               Action = "s3:GetObjectLegalHold"
-	PutObjectLegalHoldAction               Action = "s3:PutObjectLegalHold"
-	GetObjectRetentionAction               Action = "s3:GetObjectRetention"
-	PutObjectRetentionAction               Action = "s3:PutObjectRetention"
-	BypassGovernanceRetentionAction        Action = "s3:BypassGovernanceRetention"
-	PutBucketOwnershipControlsAction       Action = "s3:PutBucketOwnershipControls"
-	GetBucketOwnershipControlsAction       Action = "s3:GetBucketOwnershipControls"
-	PutBucketCorsAction                    Action = "s3:PutBucketCORS"
-	GetBucketCorsAction                    Action = "s3:GetBucketCORS"
-	AllActions                             Action = "s3:*"
+	GetBucketAclAction                       Action = "s3:GetBucketAcl"
+	CreateBucketAction                       Action = "s3:CreateBucket"
+	PutBucketAclAction                       Action = "s3:PutBucketAcl"
+	DeleteBucketAction                       Action = "s3:DeleteBucket"
+	PutBucketVersioningAction                Action = "s3:PutBucketVersioning"
+	GetBucketVersioningAction                Action = "s3:GetBucketVersioning"
+	PutBucketPolicyAction                    Action = "s3:PutBucketPolicy"
+	GetBucketPolicyAction                    Action = "s3:GetBucketPolicy"
+	DeleteBucketPolicyAction                 Action = "s3:DeleteBucketPolicy"
+	AbortMultipartUploadAction               Action = "s3:AbortMultipartUpload"
+	ListMultipartUploadPartsAction           Action = "s3:ListMultipartUploadParts"
+	ListBucketMultipartUploadsAction         Action = "s3:ListBucketMultipartUploads"
+	PutObjectAction                          Action = "s3:PutObject"
+	GetObjectAction                          Action = "s3:GetObject"
+	GetObjectVersionAction                   Action = "s3:GetObjectVersion"
+	DeleteObjectAction                       Action = "s3:DeleteObject"
+	GetObjectAclAction                       Action = "s3:GetObjectAcl"
+	GetObjectAttributesAction                Action = "s3:GetObjectAttributes"
+	PutObjectAclAction                       Action = "s3:PutObjectAcl"
+	RestoreObjectAction                      Action = "s3:RestoreObject"
+	GetBucketTaggingAction                   Action = "s3:GetBucketTagging"
+	PutBucketTaggingAction                   Action = "s3:PutBucketTagging"
+	GetObjectTaggingAction                   Action = "s3:GetObjectTagging"
+	PutObjectTaggingAction                   Action = "s3:PutObjectTagging"
+	DeleteObjectTaggingAction                Action = "s3:DeleteObjectTagging"
+	ListBucketVersionsAction                 Action = "s3:ListBucketVersions"
+	ListBucketAction                         Action = "s3:ListBucket"
+	GetBucketObjectLockConfigurationAction   Action = "s3:GetBucketObjectLockConfiguration"
+	PutBucketObjectLockConfigurationAction   Action = "s3:PutBucketObjectLockConfiguration"
+	GetObjectLegalHoldAction                 Action = "s3:GetObjectLegalHold"
+	PutObjectLegalHoldAction                 Action = "s3:PutObjectLegalHold"
+	GetObjectRetentionAction                 Action = "s3:GetObjectRetention"
+	PutObjectRetentionAction                 Action = "s3:PutObjectRetention"
+	BypassGovernanceRetentionAction          Action = "s3:BypassGovernanceRetention"
+	PutBucketOwnershipControlsAction         Action = "s3:PutBucketOwnershipControls"
+	GetBucketOwnershipControlsAction         Action = "s3:GetBucketOwnershipControls"
+	PutBucketCorsAction                      Action = "s3:PutBucketCORS"
+	GetBucketCorsAction                      Action = "s3:GetBucketCORS"
+	PutAnalyticsConfigurationAction          Action = "s3:PutAnalyticsConfiguration"
+	GetAnalyticsConfigurationAction          Action = "s3:GetAnalyticsConfiguration"
+	PutEncryptionConfigurationAction         Action = "s3:PutEncryptionConfiguration"
+	GetEncryptionConfigurationAction         Action = "s3:GetEncryptionConfiguration"
+	PutIntelligentTieringConfigurationAction Action = "s3:PutIntelligentTieringConfiguration"
+	GetIntelligentTieringConfigurationAction Action = "s3:GetIntelligentTieringConfiguration"
+	PutInventoryConfigurationAction          Action = "s3:PutInventoryConfiguration"
+	GetInventoryConfigurationAction          Action = "s3:GetInventoryConfiguration"
+	PutLifecycleConfigurationAction          Action = "s3:PutLifecycleConfiguration"
+	GetLifecycleConfigurationAction          Action = "s3:GetLifecycleConfiguration"
+	PutBucketLoggingAction                   Action = "s3:PutBucketLogging"
+	GetBucketLoggingAction                   Action = "s3:GetBucketLogging"
+	PutBucketRequestPaymentAction            Action = "s3:PutBucketRequestPayment"
+	GetBucketRequestPaymentAction            Action = "s3:GetBucketRequestPayment"
+	PutMetricsConfigurationAction            Action = "s3:PutMetricsConfiguration"
+	GetMetricsConfigurationAction            Action = "s3:GetMetricsConfiguration"
+	PutReplicationConfigurationAction        Action = "s3:PutReplicationConfiguration"
+	GetReplicationConfigurationAction        Action = "s3:GetReplicationConfiguration"
+	PutBucketPublicAccessBlockAction         Action = "s3:PutBucketPublicAccessBlock"
+	GetBucketPublicAccessBlockAction         Action = "s3:GetBucketPublicAccessBlock"
+	PutBucketNotificationAction              Action = "s3:PutBucketNotification"
+	GetBucketNotificationAction              Action = "s3:GetBucketNotification"
+	PutAccelerateConfigurationAction         Action = "s3:PutAccelerateConfiguration"
+	GetAccelerateConfigurationAction         Action = "s3:GetAccelerateConfiguration"
+	PutBucketWebsiteAction                   Action = "s3:PutBucketWebsite"
+	GetBucketWebsiteAction                   Action = "s3:GetBucketWebsite"
+	GetBucketPolicyStatusAction              Action = "s3:GetBucketPolicyStatus"
+
+	AllActions Action = "s3:*"
 )

 var supportedActionList = map[Action]struct{}{
-	GetBucketAclAction:                     {},
-	CreateBucketAction:                     {},
-	PutBucketAclAction:                     {},
-	DeleteBucketAction:                     {},
-	PutBucketVersioningAction:              {},
-	GetBucketVersioningAction:              {},
-	PutBucketPolicyAction:                  {},
-	GetBucketPolicyAction:                  {},
-	DeleteBucketPolicyAction:               {},
-	AbortMultipartUploadAction:             {},
-	ListMultipartUploadPartsAction:         {},
-	ListBucketMultipartUploadsAction:       {},
-	PutObjectAction:                        {},
-	GetObjectAction:                        {},
-	GetObjectVersionAction:                 {},
-	DeleteObjectAction:                     {},
-	GetObjectAclAction:                     {},
-	GetObjectAttributesAction:              {},
-	PutObjectAclAction:                     {},
-	RestoreObjectAction:                    {},
-	GetBucketTaggingAction:                 {},
-	PutBucketTaggingAction:                 {},
-	GetObjectTaggingAction:                 {},
-	PutObjectTaggingAction:                 {},
-	DeleteObjectTaggingAction:              {},
-	ListBucketVersionsAction:               {},
-	ListBucketAction:                       {},
-	PutBucketObjectLockConfigurationAction: {},
-	GetObjectLegalHoldAction:               {},
-	PutObjectLegalHoldAction:               {},
-	GetObjectRetentionAction:               {},
-	PutObjectRetentionAction:               {},
-	BypassGovernanceRetentionAction:        {},
-	PutBucketOwnershipControlsAction:       {},
-	GetBucketOwnershipControlsAction:       {},
-	PutBucketCorsAction:                    {},
-	GetBucketCorsAction:                    {},
-	AllActions:                             {},
+	GetBucketAclAction:                       {},
+	CreateBucketAction:                       {},
+	PutBucketAclAction:                       {},
+	DeleteBucketAction:                       {},
+	PutBucketVersioningAction:                {},
+	GetBucketVersioningAction:                {},
+	PutBucketPolicyAction:                    {},
+	GetBucketPolicyAction:                    {},
+	DeleteBucketPolicyAction:                 {},
+	AbortMultipartUploadAction:               {},
+	ListMultipartUploadPartsAction:           {},
+	ListBucketMultipartUploadsAction:         {},
+	PutObjectAction:                          {},
+	GetObjectAction:                          {},
+	GetObjectVersionAction:                   {},
+	DeleteObjectAction:                       {},
+	GetObjectAclAction:                       {},
+	GetObjectAttributesAction:                {},
+	PutObjectAclAction:                       {},
+	RestoreObjectAction:                      {},
+	GetBucketTaggingAction:                   {},
+	PutBucketTaggingAction:                   {},
+	GetObjectTaggingAction:                   {},
+	PutObjectTaggingAction:                   {},
+	DeleteObjectTaggingAction:                {},
+	ListBucketVersionsAction:                 {},
+	ListBucketAction:                         {},
+	GetBucketObjectLockConfigurationAction:   {},
+	PutBucketObjectLockConfigurationAction:   {},
+	GetObjectLegalHoldAction:                 {},
+	PutObjectLegalHoldAction:                 {},
+	GetObjectRetentionAction:                 {},
+	PutObjectRetentionAction:                 {},
+	BypassGovernanceRetentionAction:          {},
+	PutBucketOwnershipControlsAction:         {},
+	GetBucketOwnershipControlsAction:         {},
+	PutBucketCorsAction:                      {},
+	GetBucketCorsAction:                      {},
+	PutAnalyticsConfigurationAction:          {},
+	GetAnalyticsConfigurationAction:          {},
+	PutEncryptionConfigurationAction:         {},
+	GetEncryptionConfigurationAction:         {},
+	PutIntelligentTieringConfigurationAction: {},
+	GetIntelligentTieringConfigurationAction: {},
+	PutInventoryConfigurationAction:          {},
+	GetInventoryConfigurationAction:          {},
+	PutLifecycleConfigurationAction:          {},
+	GetLifecycleConfigurationAction:          {},
+	PutBucketLoggingAction:                   {},
+	GetBucketLoggingAction:                   {},
+	PutBucketRequestPaymentAction:            {},
+	GetBucketRequestPaymentAction:            {},
+	PutMetricsConfigurationAction:            {},
+	GetMetricsConfigurationAction:            {},
+	PutReplicationConfigurationAction:        {},
+	GetReplicationConfigurationAction:        {},
+	PutBucketPublicAccessBlockAction:         {},
+	GetBucketPublicAccessBlockAction:         {},
+	PutBucketNotificationAction:              {},
+	GetBucketNotificationAction:              {},
+	PutAccelerateConfigurationAction:         {},
+	GetAccelerateConfigurationAction:         {},
+	PutBucketWebsiteAction:                   {},
+	GetBucketWebsiteAction:                   {},
+	GetBucketPolicyStatusAction:              {},
+	AllActions:                               {},
 }

 var supportedObjectActionList = map[Action]struct{}{
--- a/auth/bucket_policy_principals.go
+++ b/auth/bucket_policy_principals.go
@@ -121,3 +121,10 @@ func (p Principals) Contains(userAccess string) bool {
 	_, found := p[userAccess]
 	return found
 }
+
+// Bucket policy grants public access, if it contains
+// a wildcard match to all the users
+func (p Principals) isPublic() bool {
+	_, ok := p["*"]
+	return ok
+}
--- a/auth/iam.go
+++ b/auth/iam.go
@@ -121,6 +121,7 @@ type Opts struct {
 	LDAPGroupIdAtr         string
 	VaultEndpointURL       string
 	VaultSecretStoragePath string
+	VaultAuthMethod        string
 	VaultMountPath         string
 	VaultRootToken         string
 	VaultRoleId            string
@@ -166,7 +167,7 @@ func New(o *Opts) (IAMService, error) {
 			o.S3Endpoint, o.S3Bucket)
 	case o.VaultEndpointURL != "":
 		svc, err = NewVaultIAMService(o.RootAccount, o.VaultEndpointURL, o.VaultSecretStoragePath,
-			o.VaultMountPath, o.VaultRootToken, o.VaultRoleId, o.VaultRoleSecret,
+			o.VaultAuthMethod, o.VaultMountPath, o.VaultRootToken, o.VaultRoleId, o.VaultRoleSecret,
 			o.VaultServerCert, o.VaultClientCert, o.VaultClientCertKey)
 		fmt.Printf("initializing Vault IAM with %q\n", o.VaultEndpointURL)
 	case o.IpaHost != "":
--- a/auth/iam_ipa.go
+++ b/auth/iam_ipa.go
@@ -27,12 +27,15 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"net"
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
 	"slices"
 	"strconv"
 	"strings"
+	"syscall"
+	"time"
 )

 const IpaVersion = "2.254"
@@ -221,6 +224,8 @@ func (ipa *IpaIAMService) Shutdown() error {

 // Implementation

+const requestRetries = 3
+
 func (ipa *IpaIAMService) login() error {
 	form := url.Values{}
 	form.Set("user", ipa.username)
@@ -237,17 +242,33 @@ func (ipa *IpaIAMService) login() error {
 	req.Header.Set("referer", fmt.Sprintf("%s/ipa", ipa.host))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

-	resp, err := ipa.client.Do(req)
-	if err != nil {
-		return err
+	var resp *http.Response
+	for i := range requestRetries {
+		resp, err = ipa.client.Do(req)
+		if err == nil {
+			break
+		}
+		// Check for transient network errors
+		if isRetryable(err) {
+			time.Sleep(time.Second * time.Duration(i+1))
+			continue
+		}
+		return fmt.Errorf("login POST to %s failed: %w", req.URL, err)
 	}
+	if err != nil {
+		return fmt.Errorf("login POST to %s failed after retries: %w",
+			req.URL, err)
+	}
+
+	defer resp.Body.Close()

 	if resp.StatusCode == 401 {
 		return errors.New("cannot login to FreeIPA: invalid credentials")
 	}

 	if resp.StatusCode != 200 {
-		return fmt.Errorf("cannot login to FreeIPA: status code %d", resp.StatusCode)
+		return fmt.Errorf("cannot login to FreeIPA: status code %d",
+			resp.StatusCode)
 	}

 	return nil
@@ -294,10 +315,27 @@ func (ipa *IpaIAMService) rpcInternal(req rpcRequest) (rpcResponse, error) {
 	httpReq.Header.Set("referer", fmt.Sprintf("%s/ipa", ipa.host))
 	httpReq.Header.Set("Content-Type", "application/json")

-	httpResp, err := ipa.client.Do(httpReq)
-	if err != nil {
-		return rpcResponse{}, err
+	var httpResp *http.Response
+	for i := range requestRetries {
+		httpResp, err = ipa.client.Do(httpReq)
+		if err == nil {
+			break
+		}
+		// Check for transient network errors
+		if isRetryable(err) {
+			time.Sleep(time.Second * time.Duration(i+1))
+			continue
+		}
+		return rpcResponse{}, fmt.Errorf("ipa request to %s failed: %w",
+			httpReq.URL, err)
 	}
+	if err != nil {
+		return rpcResponse{},
+			fmt.Errorf("ipa request to %s failed after retries: %w",
+				httpReq.URL, err)
+	}
+
+	defer httpResp.Body.Close()

 	bytes, err := io.ReadAll(httpResp.Body)
 	ipa.log(string(bytes))
@@ -333,6 +371,30 @@ func (ipa *IpaIAMService) rpcInternal(req rpcRequest) (rpcResponse, error) {
 	}, nil
 }

+func isRetryable(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	if errors.Is(err, io.EOF) {
+		return true
+	}
+
+	if err, ok := err.(net.Error); ok && err.Timeout() {
+		return true
+	}
+
+	if opErr, ok := err.(*net.OpError); ok {
+		if sysErr, ok := opErr.Err.(*syscall.Errno); ok {
+			if *sysErr == syscall.ECONNRESET {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 func (ipa *IpaIAMService) newRequest(method string, args []string, dict map[string]any) (rpcRequest, error) {

 	id := ipa.id
--- a/auth/iam_ldap.go
+++ b/auth/iam_ldap.go
@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
+	"sync"

 	"github.com/go-ldap/ldap/v3"
 )
@@ -32,6 +33,10 @@ type LdapIAMService struct {
 	groupIdAtr string
 	userIdAtr  string
 	rootAcc    Account
+	url        string
+	bindDN     string
+	pass       string
+	mu         sync.Mutex
 }

 var _ IAMService = &LdapIAMService{}
@@ -60,9 +65,45 @@ func NewLDAPService(rootAcc Account, url, bindDN, pass, queryBase, accAtr, secAt
 		userIdAtr:  userIdAtr,
 		groupIdAtr: groupIdAtr,
 		rootAcc:    rootAcc,
+		url:        url,
+		bindDN:     bindDN,
+		pass:       pass,
 	}, nil
 }

+func (ld *LdapIAMService) reconnect() error {
+	ld.conn.Close()
+
+	conn, err := ldap.DialURL(ld.url)
+	if err != nil {
+		return fmt.Errorf("failed to reconnect to LDAP server: %w", err)
+	}
+
+	err = conn.Bind(ld.bindDN, ld.pass)
+	if err != nil {
+		conn.Close()
+		return fmt.Errorf("failed to bind to LDAP server on reconnect: %w", err)
+	}
+	ld.conn = conn
+	return nil
+}
+
+func (ld *LdapIAMService) execute(f func(*ldap.Conn) error) error {
+	ld.mu.Lock()
+	defer ld.mu.Unlock()
+
+	err := f(ld.conn)
+	if err != nil {
+		if e, ok := err.(*ldap.Error); ok && e.ResultCode == ldap.ErrorNetwork {
+			if reconnErr := ld.reconnect(); reconnErr != nil {
+				return reconnErr
+			}
+			return f(ld.conn)
+		}
+	}
+	return err
+}
+
 func (ld *LdapIAMService) CreateAccount(account Account) error {
 	if ld.rootAcc.Access == account.Access {
 		return ErrUserExists
@@ -75,7 +116,9 @@ func (ld *LdapIAMService) CreateAccount(account Account) error {
 	userEntry.Attribute(ld.groupIdAtr, []string{fmt.Sprint(account.GroupID)})
 	userEntry.Attribute(ld.userIdAtr, []string{fmt.Sprint(account.UserID)})

-	err := ld.conn.Add(userEntry)
+	err := ld.execute(func(c *ldap.Conn) error {
+		return c.Add(userEntry)
+	})
 	if err != nil {
 		return fmt.Errorf("error adding an entry: %w", err)
 	}
@@ -87,6 +130,7 @@ func (ld *LdapIAMService) GetUserAccount(access string) (Account, error) {
 	if access == ld.rootAcc.Access {
 		return ld.rootAcc, nil
 	}
+	var result *ldap.SearchResult
 	searchRequest := ldap.NewSearchRequest(
 		ld.queryBase,
 		ldap.ScopeWholeSubtree,
@@ -99,7 +143,11 @@ func (ld *LdapIAMService) GetUserAccount(access string) (Account, error) {
 		nil,
 	)

-	result, err := ld.conn.Search(searchRequest)
+	err := ld.execute(func(c *ldap.Conn) error {
+		var err error
+		result, err = c.Search(searchRequest)
+		return err
+	})
 	if err != nil {
 		return Account{}, err
 	}
@@ -143,7 +191,9 @@ func (ld *LdapIAMService) UpdateUserAccount(access string, props MutableProps) e
 		req.Replace(ld.roleAtr, []string{string(props.Role)})
 	}

-	err := ld.conn.Modify(req)
+	err := ld.execute(func(c *ldap.Conn) error {
+		return c.Modify(req)
+	})
 	//TODO: Handle non existing user case
 	if err != nil {
 		return err
@@ -154,7 +204,9 @@ func (ld *LdapIAMService) UpdateUserAccount(access string, props MutableProps) e
 func (ld *LdapIAMService) DeleteUserAccount(access string) error {
 	delReq := ldap.NewDelRequest(fmt.Sprintf("%v=%v, %v", ld.accessAtr, access, ld.queryBase), nil)

-	err := ld.conn.Del(delReq)
+	err := ld.execute(func(c *ldap.Conn) error {
+		return c.Del(delReq)
+	})
 	if err != nil {
 		return err
 	}
@@ -167,6 +219,7 @@ func (ld *LdapIAMService) ListUserAccounts() ([]Account, error) {
 	for _, el := range ld.objClasses {
 		searchFilter += fmt.Sprintf("(objectClass=%v)", el)
 	}
+	var resp *ldap.SearchResult
 	searchRequest := ldap.NewSearchRequest(
 		ld.queryBase,
 		ldap.ScopeWholeSubtree,
@@ -179,7 +232,11 @@ func (ld *LdapIAMService) ListUserAccounts() ([]Account, error) {
 		nil,
 	)

-	resp, err := ld.conn.Search(searchRequest)
+	err := ld.execute(func(c *ldap.Conn) error {
+		var err error
+		resp, err = c.Search(searchRequest)
+		return err
+	})
 	if err != nil {
 		return nil, err
 	}
@@ -210,5 +267,7 @@ func (ld *LdapIAMService) ListUserAccounts() ([]Account, error) {

 // Shutdown graceful termination of service
 func (ld *LdapIAMService) Shutdown() error {
+	ld.mu.Lock()
+	defer ld.mu.Unlock()
 	return ld.conn.Close()
 }
--- a/auth/iam_vault.go
+++ b/auth/iam_vault.go
@@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
 	"strings"
 	"time"

@@ -26,20 +27,25 @@ import (
 	"github.com/hashicorp/vault-client-go/schema"
 )

+const requestTimeout = 10 * time.Second
+
 type VaultIAMService struct {
 	client            *vault.Client
-	reqOpts           []vault.RequestOption
+	authReqOpts       []vault.RequestOption
+	kvReqOpts         []vault.RequestOption
 	secretStoragePath string
 	rootAcc           Account
+	creds             schema.AppRoleLoginRequest
 }

 var _ IAMService = &VaultIAMService{}

-func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath, rootToken, roleID, roleSecret, serverCert, clientCert, clientCertKey string) (IAMService, error) {
+func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath,
+	authMethod, mountPath, rootToken, roleID, roleSecret, serverCert,
+	clientCert, clientCertKey string) (IAMService, error) {
 	opts := []vault.ClientOption{
 		vault.WithAddress(endpoint),
-		// set request timeout to 10 secs
-		vault.WithRequestTimeout(10 * time.Second),
+		vault.WithRequestTimeout(requestTimeout),
 	}
 	if serverCert != "" {
 		tls := vault.TLSConfiguration{}
@@ -62,10 +68,21 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,
 		return nil, fmt.Errorf("init vault client: %w", err)
 	}

-	reqOpts := []vault.RequestOption{}
-	// if mount path is not specified, it defaults to "approle"
+	authReqOpts := []vault.RequestOption{}
+	// if auth method path is not specified, it defaults to "approle"
+	if authMethod != "" {
+		authReqOpts = append(authReqOpts, vault.WithMountPath(authMethod))
+	}
+
+	kvReqOpts := []vault.RequestOption{}
+	// if mount path is not specified, it defaults to "kv-v2"
 	if mountPath != "" {
-		reqOpts = append(reqOpts, vault.WithMountPath(mountPath))
+		kvReqOpts = append(kvReqOpts, vault.WithMountPath(mountPath))
+	}
+
+	creds := schema.AppRoleLoginRequest{
+		RoleId:   roleID,
+		SecretId: roleSecret,
 	}

 	// Authentication
@@ -80,12 +97,8 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,
 			return nil, fmt.Errorf("role id and role secret must both be specified")
 		}

-		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-		resp, err := client.Auth.AppRoleLogin(ctx, schema.AppRoleLoginRequest{
-			RoleId:   roleID,
-			SecretId: roleSecret,
-		}, reqOpts...)
-		cancel()
+		resp, err := client.Auth.AppRoleLogin(context.Background(),
+			creds, authReqOpts...)
 		if err != nil {
 			return nil, fmt.Errorf("approle authentication failure: %w", err)
 		}
@@ -99,33 +112,77 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,

 	return &VaultIAMService{
 		client:            client,
-		reqOpts:           reqOpts,
+		authReqOpts:       authReqOpts,
+		kvReqOpts:         kvReqOpts,
 		secretStoragePath: secretStoragePath,
 		rootAcc:           rootAcc,
+		creds:             creds,
 	}, nil
 }

+func (vt *VaultIAMService) reAuthIfNeeded(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	// Vault returns 403 for expired/revoked tokens
+	// pass all other errors back unchanged
+	if !vault.IsErrorStatus(err, http.StatusForbidden) {
+		return err
+	}
+
+	resp, authErr := vt.client.Auth.AppRoleLogin(context.Background(),
+		vt.creds, vt.authReqOpts...)
+	if authErr != nil {
+		return fmt.Errorf("vault re-authentication failure: %w", authErr)
+	}
+	if err := vt.client.SetToken(resp.Auth.ClientToken); err != nil {
+		return fmt.Errorf("vault re-authentication set token failure: %w", err)
+	}
+
+	return nil
+}
+
 func (vt *VaultIAMService) CreateAccount(account Account) error {
 	if vt.rootAcc.Access == account.Access {
 		return ErrUserExists
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	_, err := vt.client.Secrets.KvV2Write(ctx, vt.secretStoragePath+"/"+account.Access, schema.KvV2WriteRequest{
-		Data: map[string]any{
-			account.Access: account,
-		},
-		Options: map[string]interface{}{
-			"cas": 0,
-		},
-	}, vt.reqOpts...)
-	cancel()
+	_, err := vt.client.Secrets.KvV2Write(context.Background(),
+		vt.secretStoragePath+"/"+account.Access, schema.KvV2WriteRequest{
+			Data: map[string]any{
+				account.Access: account,
+			},
+			Options: map[string]any{
+				"cas": 0,
+			},
+		}, vt.kvReqOpts...)
 	if err != nil {
 		if strings.Contains(err.Error(), "check-and-set") {
 			return ErrUserExists
 		}
-		return err
-	}

+		reauthErr := vt.reAuthIfNeeded(err)
+		if reauthErr != nil {
+			return reauthErr
+		}
+		// retry once after re-auth
+		_, err = vt.client.Secrets.KvV2Write(context.Background(),
+			vt.secretStoragePath+"/"+account.Access, schema.KvV2WriteRequest{
+				Data: map[string]any{
+					account.Access: account,
+				},
+				Options: map[string]any{
+					"cas": 0,
+				},
+			}, vt.kvReqOpts...)
+		if err != nil {
+			if strings.Contains(err.Error(), "check-and-set") {
+				return ErrUserExists
+			}
+			return err
+		}
+		return nil
+	}
 	return nil
 }

@@ -133,66 +190,84 @@ func (vt *VaultIAMService) GetUserAccount(access string) (Account, error) {
 	if vt.rootAcc.Access == access {
 		return vt.rootAcc, nil
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	resp, err := vt.client.Secrets.KvV2Read(ctx, vt.secretStoragePath+"/"+access, vt.reqOpts...)
-	cancel()
+	resp, err := vt.client.Secrets.KvV2Read(context.Background(),
+		vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
 	if err != nil {
-		return Account{}, err
+		reauthErr := vt.reAuthIfNeeded(err)
+		if reauthErr != nil {
+			return Account{}, reauthErr
+		}
+		// retry once after re-auth
+		resp, err = vt.client.Secrets.KvV2Read(context.Background(),
+			vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
+		if err != nil {
+			return Account{}, err
+		}
 	}
-
 	acc, err := parseVaultUserAccount(resp.Data.Data, access)
 	if err != nil {
 		return Account{}, err
 	}
-
 	return acc, nil
 }

 func (vt *VaultIAMService) UpdateUserAccount(access string, props MutableProps) error {
-	//TODO: We need something like a transaction here ?
 	acc, err := vt.GetUserAccount(access)
 	if err != nil {
 		return err
 	}
-
 	updateAcc(&acc, props)
-
 	err = vt.DeleteUserAccount(access)
 	if err != nil {
 		return err
 	}
-
 	err = vt.CreateAccount(acc)
 	if err != nil {
 		return err
 	}
-
 	return nil
 }

 func (vt *VaultIAMService) DeleteUserAccount(access string) error {
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	_, err := vt.client.Secrets.KvV2DeleteMetadataAndAllVersions(ctx, vt.secretStoragePath+"/"+access, vt.reqOpts...)
-	cancel()
+	_, err := vt.client.Secrets.KvV2DeleteMetadataAndAllVersions(context.Background(),
+		vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
 	if err != nil {
-		return err
+		reauthErr := vt.reAuthIfNeeded(err)
+		if reauthErr != nil {
+			return reauthErr
+		}
+		// retry once after re-auth
+		_, err = vt.client.Secrets.KvV2DeleteMetadataAndAllVersions(context.Background(),
+			vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
+		if err != nil {
+			return err
+		}
 	}
 	return nil
 }

 func (vt *VaultIAMService) ListUserAccounts() ([]Account, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	resp, err := vt.client.Secrets.KvV2List(ctx, vt.secretStoragePath, vt.reqOpts...)
-	cancel()
+	resp, err := vt.client.Secrets.KvV2List(context.Background(),
+		vt.secretStoragePath, vt.kvReqOpts...)
 	if err != nil {
-		if vault.IsErrorStatus(err, 404) {
-			return []Account{}, nil
+		reauthErr := vt.reAuthIfNeeded(err)
+		if reauthErr != nil {
+			if vault.IsErrorStatus(err, http.StatusNotFound) {
+				return []Account{}, nil
+			}
+			return nil, reauthErr
+		}
+		// retry once after re-auth
+		resp, err = vt.client.Secrets.KvV2List(context.Background(),
+			vt.secretStoragePath, vt.kvReqOpts...)
+		if err != nil {
+			if vault.IsErrorStatus(err, http.StatusNotFound) {
+				return []Account{}, nil
+			}
+			return nil, err
 		}
-		return nil, err
 	}
-
 	accs := []Account{}
-
 	for _, acss := range resp.Data.Keys {
 		acc, err := vt.GetUserAccount(acss)
 		if err != nil {
@@ -200,7 +275,6 @@ func (vt *VaultIAMService) ListUserAccounts() ([]Account, error) {
 		}
 		accs = append(accs, acc)
 	}
-
 	return accs, nil
 }

@@ -211,8 +285,8 @@ func (vt *VaultIAMService) Shutdown() error {

 var errInvalidUser error = errors.New("invalid user account entry in secrets engine")

-func parseVaultUserAccount(data map[string]interface{}, access string) (acc Account, err error) {
-	usrAcc, ok := data[access].(map[string]interface{})
+func parseVaultUserAccount(data map[string]any, access string) (acc Account, err error) {
+	usrAcc, ok := data[access].(map[string]any)
 	if !ok {
 		return acc, errInvalidUser
 	}
--- a/auth/object_lock.go
+++ b/auth/object_lock.go
@@ -136,7 +136,7 @@ func ParseObjectLegalHoldOutput(status *bool) *s3response.GetObjectLegalHoldResu
 	}
 }

-func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects []types.ObjectIdentifier, bypass bool, be backend.Backend) error {
+func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects []types.ObjectIdentifier, bypass, isBucketPublic bool, be backend.Backend) error {
 	data, err := be.GetObjectLockConfiguration(ctx, bucket)
 	if err != nil {
 		if errors.Is(err, s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound)) {
@@ -211,7 +211,11 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 							if err != nil {
 								return err
 							}
-							err = VerifyBucketPolicy(policy, userAccess, bucket, key, BypassGovernanceRetentionAction)
+							if isBucketPublic {
+								err = VerifyPublicBucketPolicy(policy, bucket, key, BypassGovernanceRetentionAction)
+							} else {
+								err = VerifyBucketPolicy(policy, userAccess, bucket, key, BypassGovernanceRetentionAction)
+							}
 							if err != nil {
 								return s3err.GetAPIError(s3err.ErrObjectLocked)
 							}
@@ -254,7 +258,11 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 					if err != nil {
 						return err
 					}
-					err = VerifyBucketPolicy(policy, userAccess, bucket, key, BypassGovernanceRetentionAction)
+					if isBucketPublic {
+						err = VerifyPublicBucketPolicy(policy, bucket, key, BypassGovernanceRetentionAction)
+					} else {
+						err = VerifyBucketPolicy(policy, userAccess, bucket, key, BypassGovernanceRetentionAction)
+					}
 					if err != nil {
 						return s3err.GetAPIError(s3err.ErrObjectLocked)
 					}
--- a/backend/azure/azure.go
+++ b/backend/azure/azure.go
@@ -60,6 +60,7 @@ const (
 	keyOwnership           key = "Ownership"
 	keyTags                key = "Tags"
 	keyPolicy              key = "Policy"
+	keyCors                key = "Cors"
 	keyBucketLock          key = "Bucketlock"
 	keyObjRetention        key = "Objectretention"
 	keyObjLegalHold        key = "Objectlegalhold"
@@ -67,6 +68,8 @@ const (
 	onameAttr              key = "Objname"
 	onameAttrLower         key = "objname"
 	metaTmpMultipartPrefix key = ".sgwtmp" + "/multipart"
+
+	defaultListingMaxKeys = 1000
 )

 func (key) Table() map[string]struct{} {
@@ -363,7 +366,7 @@ func (az *Azure) PutObject(ctx context.Context, po s3response.PutObjectInput) (s
 	}

 	return s3response.PutObjectOutput{
-		ETag: string(*uploadResp.ETag),
+		ETag: convertAzureEtag(uploadResp.ETag),
 	}, nil
 }

@@ -453,7 +456,7 @@ func (az *Azure) GetObject(ctx context.Context, input *s3.GetObjectInput) (*s3.G
 		ContentLanguage:    blobDownloadResponse.ContentLanguage,
 		CacheControl:       blobDownloadResponse.CacheControl,
 		ExpiresString:      blobDownloadResponse.Metadata[string(keyExpires)],
-		ETag:               (*string)(blobDownloadResponse.ETag),
+		ETag:               backend.GetPtrFromString(convertAzureEtag(blobDownloadResponse.ETag)),
 		LastModified:       blobDownloadResponse.LastModified,
 		Metadata:           parseAndFilterAzMetadata(blobDownloadResponse.Metadata),
 		TagCount:           &tagcount,
@@ -531,7 +534,7 @@ func (az *Azure) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3
 		ContentDisposition: resp.ContentDisposition,
 		CacheControl:       resp.CacheControl,
 		ExpiresString:      resp.Metadata[string(keyExpires)],
-		ETag:               (*string)(resp.ETag),
+		ETag:               backend.GetPtrFromString(convertAzureEtag(resp.ETag)),
 		LastModified:       resp.LastModified,
 		Metadata:           parseAndFilterAzMetadata(resp.Metadata),
 		StorageClass:       types.StorageClassStandard,
@@ -568,7 +571,7 @@ func (az *Azure) GetObjectAttributes(ctx context.Context, input *s3.GetObjectAtt
 	}

 	return s3response.GetObjectAttributesResponse{
-		ETag:         backend.TrimEtag(data.ETag),
+		ETag:         data.ETag,
 		ObjectSize:   data.ContentLength,
 		StorageClass: data.StorageClass,
 		LastModified: data.LastModified,
@@ -578,26 +581,6 @@ func (az *Azure) GetObjectAttributes(ctx context.Context, input *s3.GetObjectAtt
 }

 func (az *Azure) ListObjects(ctx context.Context, input *s3.ListObjectsInput) (s3response.ListObjectsResult, error) {
-	client, err := az.getContainerClient(*input.Bucket)
-	if err != nil {
-		return s3response.ListObjectsResult{}, nil
-	}
-	pager := client.NewListBlobsHierarchyPager(*input.Delimiter, &container.ListBlobsHierarchyOptions{
-		Marker:     input.Marker,
-		MaxResults: input.MaxKeys,
-		Prefix:     input.Prefix,
-	})
-
-	var objects []s3response.Object
-	var cPrefixes []types.CommonPrefix
-	var nextMarker *string
-	var isTruncated bool
-	var maxKeys int32 = math.MaxInt32
-
-	if input.MaxKeys != nil {
-		maxKeys = *input.MaxKeys
-	}
-
 	// Retrieve the bucket acl to get the bucket owner
 	// All the objects in the bucket are owner by the bucket owner
 	aclBytes, err := az.getContainerMetaData(ctx, *input.Bucket, string(keyAclCapital))
@@ -610,20 +593,50 @@ func (az *Azure) ListObjects(ctx context.Context, input *s3.ListObjectsInput) (s
 		return s3response.ListObjectsResult{}, err
 	}

-Pager:
-	for pager.More() {
+	client, err := az.getContainerClient(*input.Bucket)
+	if err != nil {
+		return s3response.ListObjectsResult{}, nil
+	}
+
+	var maxKeys int32 = defaultListingMaxKeys
+	if input.MaxKeys != nil {
+		maxKeys = *input.MaxKeys
+	}
+
+	pager := client.NewListBlobsHierarchyPager(*input.Delimiter, &container.ListBlobsHierarchyOptions{
+		MaxResults: &maxKeys,
+		Prefix:     input.Prefix,
+	})
+
+	var objects []s3response.Object
+	var cPrefixes []types.CommonPrefix
+	var nextMarker *string
+	var isTruncated bool
+
+	// Convert marker to filter criteria
+	var markerFilter string
+	if input.Marker != nil && *input.Marker != "" {
+		markerFilter = *input.Marker
+	}
+
+	// Loop through pages until we have enough objects or no more pages
+	objectsFound := int32(0)
+	for pager.More() && objectsFound < maxKeys {
 		resp, err := pager.NextPage(ctx)
 		if err != nil {
 			return s3response.ListObjectsResult{}, azureErrToS3Err(err)
 		}
+
+		// Process objects from this page
+		var pageObjects []s3response.Object
 		for _, v := range resp.Segment.BlobItems {
-			if len(objects)+len(cPrefixes) >= int(maxKeys) {
-				nextMarker = objects[len(objects)-1].Key
-				isTruncated = true
-				break Pager
+			// Skip objects that come before or equal to marker
+			if markerFilter != "" && *v.Name <= markerFilter {
+				continue
 			}
-			objects = append(objects, s3response.Object{
-				ETag:         backend.GetPtrFromString(fmt.Sprintf("%q", *v.Properties.ETag)),
+
+			pageObjects = append(pageObjects, s3response.Object{
+				ETag:         backend.GetPtrFromString(convertAzureEtag(v.Properties.ETag)),
 				Key:          v.Name,
 				LastModified: v.Properties.LastModified,
 				Size:         v.Properties.ContentLength,
@@ -632,20 +645,22 @@ Pager:
 					ID: &acl.Owner,
 				},
 			})
-		}
-		for _, v := range resp.Segment.BlobPrefixes {
-			if *v.Name <= *input.Marker {
-				continue
-			}
-			if len(objects)+len(cPrefixes) >= int(maxKeys) {
-				nextMarker = cPrefixes[len(cPrefixes)-1].Prefix
-				isTruncated = true
-				break Pager
-			}

-			marker := getString(input.Marker)
-			pfx := strings.TrimSuffix(*v.Name, getString(input.Delimiter))
-			if marker != "" && strings.HasPrefix(marker, pfx) {
+			objectsFound++
+			if objectsFound >= maxKeys {
+				// Set next marker to the current object name for pagination
+				nextMarker = v.Name
+				isTruncated = true
+				break
+			}
+		}
+
+		objects = append(objects, pageObjects...)
+
+		// Process common prefixes from this page
+		for _, v := range resp.Segment.BlobPrefixes {
+			// Skip prefixes that come before or equal to marker
+			if markerFilter != "" && *v.Name <= markerFilter {
 				continue
 			}

@@ -653,6 +668,16 @@ Pager:
 				Prefix: v.Name,
 			})
 		}
+
+		// If we've reached maxKeys, break
+		if objectsFound >= maxKeys {
+			break
+		}
+
+		// If Azure indicates more pages but we need to continue for more objects
+		if resp.NextMarker != nil && *resp.NextMarker != "" && objectsFound < maxKeys {
+			continue
+		}
 	}

 	return s3response.ListObjectsResult{
@@ -669,98 +694,104 @@ Pager:
 }

 func (az *Azure) ListObjectsV2(ctx context.Context, input *s3.ListObjectsV2Input) (s3response.ListObjectsV2Result, error) {
-	marker := ""
-	if *input.ContinuationToken > *input.StartAfter {
-		marker = *input.ContinuationToken
-	} else {
-		marker = *input.StartAfter
+	// Retrieve the bucket acl to get the bucket owner
+	// All the objects in the bucket are owner by the bucket owner
+	aclBytes, err := az.getContainerMetaData(ctx, *input.Bucket, string(keyAclCapital))
+	if err != nil {
+		return s3response.ListObjectsV2Result{}, azureErrToS3Err(err)
 	}
+
+	acl, err := auth.ParseACL(aclBytes)
+	if err != nil {
+		return s3response.ListObjectsV2Result{}, err
+	}
+
 	client, err := az.getContainerClient(*input.Bucket)
 	if err != nil {
 		return s3response.ListObjectsV2Result{}, nil
 	}
+
+	var maxKeys int32 = defaultListingMaxKeys
+	if input.MaxKeys != nil {
+		maxKeys = *input.MaxKeys
+	}
+
 	pager := client.NewListBlobsHierarchyPager(*input.Delimiter, &container.ListBlobsHierarchyOptions{
-		Marker:     &marker,
-		MaxResults: input.MaxKeys,
+		Marker:     input.ContinuationToken,
+		MaxResults: &maxKeys,
 		Prefix:     input.Prefix,
 	})

 	var objects []s3response.Object
-	var cPrefixes []types.CommonPrefix
-	var nextMarker *string
-	var isTruncated bool
-	var maxKeys int32 = math.MaxInt32
-	var fetchOwner bool
+	var resp container.ListBlobsHierarchyResponse

-	if input.MaxKeys != nil {
-		maxKeys = *input.MaxKeys
-	}
-	if input.FetchOwner != nil {
-		fetchOwner = *input.FetchOwner
-	}
-
-	// Retrieve the bucket acl to get the bucket owner, if "fetchOwner" is true
-	// All the objects in the bucket are owner by the bucket owner
-	var acl auth.ACL
-	if fetchOwner {
-		aclBytes, err := az.getContainerMetaData(ctx, *input.Bucket, string(keyAclCapital))
+	// Loop through pages until we find objects or no more pages
+	for {
+		resp, err = pager.NextPage(ctx)
 		if err != nil {
 			return s3response.ListObjectsV2Result{}, azureErrToS3Err(err)
 		}

-		acl, err = auth.ParseACL(aclBytes)
-		if err != nil {
-			return s3response.ListObjectsV2Result{}, err
-		}
-	}
-
-Pager:
-	for pager.More() {
-		resp, err := pager.NextPage(ctx)
-		if err != nil {
-			return s3response.ListObjectsV2Result{}, azureErrToS3Err(err)
-		}
+		// Convert Azure objects to S3 objects
+		var pageObjects []s3response.Object
 		for _, v := range resp.Segment.BlobItems {
-			if len(objects)+len(cPrefixes) >= int(maxKeys) {
-				nextMarker = objects[len(objects)-1].Key
-				isTruncated = true
-				break Pager
-			}
-
-			obj := s3response.Object{
-				ETag:         backend.GetPtrFromString(fmt.Sprintf("%q", *v.Properties.ETag)),
+			pageObjects = append(pageObjects, s3response.Object{
+				ETag:         backend.GetPtrFromString(convertAzureEtag(v.Properties.ETag)),
 				Key:          v.Name,
 				LastModified: v.Properties.LastModified,
 				Size:         v.Properties.ContentLength,
 				StorageClass: types.ObjectStorageClassStandard,
-			}
-			if fetchOwner {
-				obj.Owner = &types.Owner{
+				Owner: &types.Owner{
 					ID: &acl.Owner,
-				}
-			}
-			objects = append(objects, obj)
-		}
-		for _, v := range resp.Segment.BlobPrefixes {
-			if *v.Name <= marker {
-				continue
-			}
-			if len(objects)+len(cPrefixes) >= int(maxKeys) {
-				nextMarker = cPrefixes[len(cPrefixes)-1].Prefix
-				isTruncated = true
-				break Pager
-			}
-
-			marker := getString(input.ContinuationToken)
-			pfx := strings.TrimSuffix(*v.Name, getString(input.Delimiter))
-			if marker != "" && strings.HasPrefix(marker, pfx) {
-				continue
-			}
-
-			cPrefixes = append(cPrefixes, types.CommonPrefix{
-				Prefix: v.Name,
+				},
 			})
 		}
+
+		// If StartAfter is specified, filter objects
+		if input.StartAfter != nil && *input.StartAfter != "" {
+			startAfter := *input.StartAfter
+			startIndex := -1
+			for i, obj := range pageObjects {
+				if *obj.Key > startAfter {
+					startIndex = i
+					break
+				}
+			}
+
+			if startIndex != -1 {
+				// Found objects after StartAfter in this page
+				objects = append(objects, pageObjects[startIndex:]...)
+				break
+			} else {
+				// No objects after StartAfter in this page
+				// Check if there are more pages to examine
+				if resp.NextMarker == nil || *resp.NextMarker == "" {
+					// No more pages, so no objects after StartAfter
+					break
+				}
+				// Continue to next page without adding any objects
+				continue
+			}
+		} else {
+			// No StartAfter specified, add all objects from this page
+			objects = append(objects, pageObjects...)
+			break
+		}
+	}
+
+	var cPrefixes []types.CommonPrefix
+	for _, v := range resp.Segment.BlobPrefixes {
+		cPrefixes = append(cPrefixes, types.CommonPrefix{
+			Prefix: v.Name,
+		})
+	}
+
+	var isTruncated bool
+	var nextMarker *string
+	// If Azure returned a NextMarker, set it for the next request
+	if resp.NextMarker != nil && *resp.NextMarker != "" {
+		nextMarker = resp.NextMarker
+		isTruncated = true
 	}

 	return s3response.ListObjectsV2Result{
@@ -900,7 +931,7 @@ func (az *Azure) CopyObject(ctx context.Context, input s3response.CopyObjectInpu
 		return s3response.CopyObjectOutput{
 			CopyObjectResult: &s3response.CopyObjectResult{
 				LastModified: res.LastModified,
-				ETag:         (*string)(res.ETag),
+				ETag:         backend.GetPtrFromString(convertAzureEtag(res.ETag)),
 			},
 		}, nil
 	}
@@ -1471,7 +1502,7 @@ func (az *Azure) CompleteMultipartUpload(ctx context.Context, input *s3.Complete
 	return s3response.CompleteMultipartUploadResult{
 		Bucket: input.Bucket,
 		Key:    input.Key,
-		ETag:   (*string)(resp.ETag),
+		ETag:   backend.GetPtrFromString(convertAzureEtag(resp.ETag)),
 	}, "", nil
 }

@@ -1506,6 +1537,29 @@ func (az *Azure) DeleteBucketPolicy(ctx context.Context, bucket string) error {
 	return az.PutBucketPolicy(ctx, bucket, nil)
 }

+func (az *Azure) PutBucketCors(ctx context.Context, bucket string, cors []byte) error {
+	if cors == nil {
+		return az.deleteContainerMetaData(ctx, bucket, string(keyCors))
+	}
+
+	return az.setContainerMetaData(ctx, bucket, string(keyCors), cors)
+}
+
+func (az *Azure) GetBucketCors(ctx context.Context, bucket string) ([]byte, error) {
+	p, err := az.getContainerMetaData(ctx, bucket, string(keyCors))
+	if err != nil {
+		return nil, err
+	}
+	if len(p) == 0 {
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchCORSConfiguration)
+	}
+	return p, nil
+}
+
+func (az *Azure) DeleteBucketCors(ctx context.Context, bucket string) error {
+	return az.PutBucketCors(ctx, bucket, nil)
+}
+
 func (az *Azure) PutObjectLockConfiguration(ctx context.Context, bucket string, config []byte) error {
 	cfg, err := az.getContainerMetaData(ctx, bucket, string(keyBucketLock))
 	if err != nil {
@@ -1683,8 +1737,8 @@ func (az *Azure) GetObjectLegalHold(ctx context.Context, bucket, object, version
 	return &status, nil
 }

-func (az *Azure) ChangeBucketOwner(ctx context.Context, bucket string, acl []byte) error {
-	return az.PutBucketAcl(ctx, bucket, acl)
+func (az *Azure) ChangeBucketOwner(ctx context.Context, bucket, owner string) error {
+	return auth.UpdateBucketACLOwner(ctx, az, bucket, owner)
 }

 // The action actually returns the containers owned by the user, who initialized the gateway
@@ -2002,3 +2056,11 @@ func (az *Azure) checkIfMpExists(ctx context.Context, bucket, obj, uploadId stri

 	return nil
 }
+
+func convertAzureEtag(etag *azcore.ETag) string {
+	// Azure ETag values are not S3 compatible,
+	// so append "-1" to avoid client SDK ETag validation issues.
+	str := (*string)(etag)
+
+	return *backend.TrimEtag(str) + "-1"
+}
--- a/backend/backend.go
+++ b/backend/backend.go
@@ -46,7 +46,7 @@ type Backend interface {
 	PutBucketOwnershipControls(_ context.Context, bucket string, ownership types.ObjectOwnership) error
 	GetBucketOwnershipControls(_ context.Context, bucket string) (types.ObjectOwnership, error)
 	DeleteBucketOwnershipControls(_ context.Context, bucket string) error
-	PutBucketCors(context.Context, []byte) error
+	PutBucketCors(_ context.Context, bucket string, cors []byte) error
 	GetBucketCors(_ context.Context, bucket string) ([]byte, error)
 	DeleteBucketCors(_ context.Context, bucket string) error

@@ -96,7 +96,7 @@ type Backend interface {
 	GetObjectLegalHold(_ context.Context, bucket, object, versionId string) (*bool, error)

 	// non AWS actions
-	ChangeBucketOwner(_ context.Context, bucket string, acl []byte) error
+	ChangeBucketOwner(_ context.Context, bucket, owner string) error
 	ListBucketsAndOwners(context.Context) ([]s3response.Bucket, error)
 }

@@ -153,7 +153,7 @@ func (BackendUnsupported) GetBucketOwnershipControls(_ context.Context, bucket s
 func (BackendUnsupported) DeleteBucketOwnershipControls(_ context.Context, bucket string) error {
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }
-func (BackendUnsupported) PutBucketCors(context.Context, []byte) error {
+func (BackendUnsupported) PutBucketCors(context.Context, string, []byte) error {
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }
 func (BackendUnsupported) GetBucketCors(_ context.Context, bucket string) ([]byte, error) {
@@ -280,7 +280,7 @@ func (BackendUnsupported) GetObjectLegalHold(_ context.Context, bucket, object,
 	return nil, s3err.GetAPIError(s3err.ErrNotImplemented)
 }

-func (BackendUnsupported) ChangeBucketOwner(_ context.Context, bucket string, acl []byte) error {
+func (BackendUnsupported) ChangeBucketOwner(_ context.Context, bucket, owner string) error {
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }
 func (BackendUnsupported) ListBucketsAndOwners(context.Context) ([]s3response.Bucket, error) {
--- a/backend/common.go
+++ b/backend/common.go
@@ -22,6 +22,7 @@ import (
 	"hash"
 	"io"
 	"io/fs"
+	"math"
 	"net/url"
 	"os"
 	"regexp"
@@ -94,63 +95,81 @@ var (
 // for invalid inputs, it returns no error, but isValid=false
 // `InvalidRange` error is returnd, only if startoffset is greater than the object size
 func ParseObjectRange(size int64, acceptRange string) (int64, int64, bool, error) {
+	// Return full object (invalid range, no error) if header empty
 	if acceptRange == "" {
 		return 0, size, false, nil
 	}

 	rangeKv := strings.Split(acceptRange, "=")
-
 	if len(rangeKv) != 2 {
 		return 0, size, false, nil
 	}
-
-	if rangeKv[0] != "bytes" {
+	if rangeKv[0] != "bytes" { // unsupported unit -> ignore
 		return 0, size, false, nil
 	}

 	bRange := strings.Split(rangeKv[1], "-")
-	if len(bRange) != 2 {
+	if len(bRange) != 2 { // malformed / multi-range
 		return 0, size, false, nil
 	}

-	startOffset, err := strconv.ParseInt(bRange[0], 10, 64)
-	if err != nil && bRange[0] != "" {
+	// Parse start; empty start indicates a suffix-byte-range-spec (e.g. bytes=-100)
+	startOffset, err := strconv.ParseInt(bRange[0], 10, strconv.IntSize)
+	if startOffset > int64(math.MaxInt) || startOffset < int64(math.MinInt) {
+		return 0, size, false, errInvalidRange
+	}
+	if err != nil && bRange[0] != "" { // invalid numeric start (non-empty) -> ignore range
 		return 0, size, false, nil
 	}

+	// If end part missing (e.g. bytes=100-)
 	if bRange[1] == "" {
-		if bRange[0] == "" {
+		if bRange[0] == "" { // bytes=- (meaningless) -> ignore
 			return 0, size, false, nil
 		}
+		// start beyond or at size is unsatisfiable -> error (RequestedRangeNotSatisfiable)
 		if startOffset >= size {
 			return 0, 0, false, errInvalidRange
 		}
+		// bytes=100- => from start to end
 		return startOffset, size - startOffset, true, nil
 	}

-	endOffset, err := strconv.ParseInt(bRange[1], 10, 64)
-	if err != nil {
+	endOffset, err := strconv.ParseInt(bRange[1], 10, strconv.IntSize)
+	if endOffset > int64(math.MaxInt) {
+		return 0, size, false, errInvalidRange
+	}
+	if err != nil { // invalid numeric end -> ignore range
 		return 0, size, false, nil
 	}

-	if startOffset > endOffset {
-		return 0, size, false, nil
-	}
-
-	// for ranges like 'bytes=-100' return the last bytes specified with 'endOffset'
+	// Suffix range handling (bRange[0] == "")
 	if bRange[0] == "" {
+		// Disallow -0 (always unsatisfiable)
+		if endOffset == 0 {
+			return 0, 0, false, errInvalidRange
+		}
+		// For zero-sized objects any positive suffix is treated as invalid (ignored, no error)
+		if size == 0 {
+			return 0, size, false, nil
+		}
+		// Clamp to object size (request more bytes than exist -> entire object)
 		endOffset = min(endOffset, size)
 		return size - endOffset, endOffset, true, nil
 	}

+	// Normal range (start-end)
+	if startOffset > endOffset { // start > end -> ignore
+		return 0, size, false, nil
+	}
+	// Start beyond or at end of object -> error
 	if startOffset >= size {
 		return 0, 0, false, errInvalidRange
 	}
-
+	// Adjust end beyond object size (trim)
 	if endOffset >= size {
 		endOffset = size - 1
 	}
-
 	return startOffset, endOffset - startOffset + 1, true, nil
 }

@@ -223,7 +242,7 @@ func ParseCopySource(copySourceHeader string) (string, string, string, error) {

 	srcBucket, srcObject, ok := strings.Cut(copySource, "/")
 	if !ok {
-		return "", "", "", s3err.GetAPIError(s3err.ErrInvalidCopySource)
+		return "", "", "", s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)
 	}

 	return srcBucket, srcObject, versionId, nil
--- a/backend/posix/posix.go
+++ b/backend/posix/posix.go
@@ -39,6 +39,7 @@ import (
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
 	"github.com/versity/versitygw/backend/meta"
+	"github.com/versity/versitygw/s3api/debuglogger"
 	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3err"
 	"github.com/versity/versitygw/s3response"
@@ -82,8 +83,8 @@ type Posix struct {
 var _ backend.Backend = &Posix{}

 const (
-	metaTmpDir          = ".sgwtmp"
-	metaTmpMultipartDir = metaTmpDir + "/multipart"
+	MetaTmpDir          = ".sgwtmp"
+	MetaTmpMultipartDir = MetaTmpDir + "/multipart"
 	onameAttr           = "objname"
 	tagHdr              = "X-Amz-Tagging"
 	metaHdr             = "X-Amz-Meta"
@@ -102,6 +103,7 @@ const (
 	bucketLockKey       = "bucket-lock"
 	objectRetentionKey  = "object-retention"
 	objectLegalHoldKey  = "object-legal-hold"
+	corskey             = "cors"
 	versioningKey       = "versioning"
 	deleteMarkerKey     = "delete-marker"
 	versionIdKey        = "version-id"
@@ -334,10 +336,6 @@ func (p *Posix) ListBuckets(_ context.Context, input s3response.ListBucketsInput
 }

 func (p *Posix) HeadBucket(_ context.Context, input *s3.HeadBucketInput) (*s3.HeadBucketOutput, error) {
-	if input.Bucket == nil {
-		return nil, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
-
 	_, err := os.Lstat(*input.Bucket)
 	if errors.Is(err, fs.ErrNotExist) {
 		return nil, s3err.GetAPIError(s3err.ErrNoSuchBucket)
@@ -350,10 +348,6 @@ func (p *Posix) HeadBucket(_ context.Context, input *s3.HeadBucketInput) (*s3.He
 }

 func (p *Posix) CreateBucket(ctx context.Context, input *s3.CreateBucketInput, acl []byte) error {
-	if input.Bucket == nil {
-		return s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
-
 	acct, ok := ctx.Value("account").(auth.Account)
 	if !ok {
 		acct = auth.Account{}
@@ -440,7 +434,7 @@ func (p *Posix) isBucketEmpty(bucket string) error {
 			return fmt.Errorf("readdir bucket: %w", err)
 		}
 		if err == nil {
-			if len(ents) == 1 && ents[0].Name() != metaTmpDir {
+			if len(ents) == 1 && ents[0].Name() != MetaTmpDir {
 				return s3err.GetAPIError(s3err.ErrVersionedBucketNotEmpty)
 			} else if len(ents) > 1 {
 				return s3err.GetAPIError(s3err.ErrVersionedBucketNotEmpty)
@@ -455,7 +449,7 @@ func (p *Posix) isBucketEmpty(bucket string) error {
 	if errors.Is(err, fs.ErrNotExist) {
 		return s3err.GetAPIError(s3err.ErrNoSuchBucket)
 	}
-	if len(ents) == 1 && ents[0].Name() != metaTmpDir {
+	if len(ents) == 1 && ents[0].Name() != MetaTmpDir {
 		return s3err.GetAPIError(s3err.ErrBucketNotEmpty)
 	} else if len(ents) > 1 {
 		return s3err.GetAPIError(s3err.ErrBucketNotEmpty)
@@ -465,10 +459,6 @@ func (p *Posix) isBucketEmpty(bucket string) error {
 }

 func (p *Posix) DeleteBucket(_ context.Context, bucket string) error {
-	if bucket == "" {
-		return s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
-
 	// Check if the bucket is empty
 	err := p.isBucketEmpty(bucket)
 	if err != nil {
@@ -705,7 +695,7 @@ func (p *Posix) createObjVersion(bucket, key string, size int64, acc auth.Accoun

 	versionBucketPath := filepath.Join(p.versioningDir, bucket)
 	versioningKey := filepath.Join(genObjVersionKey(key), versionId)
-	versionTmpPath := filepath.Join(versionBucketPath, metaTmpDir)
+	versionTmpPath := filepath.Join(versionBucketPath, MetaTmpDir)
 	f, err := p.openTmpFile(versionTmpPath, versionBucketPath, versioningKey,
 		size, acc, doFalloc, p.forceNoTmpFile)
 	if err != nil {
@@ -776,7 +766,7 @@ func (p *Posix) ListObjectVersions(ctx context.Context, input *s3.ListObjectVers

 	fileSystem := os.DirFS(bucket)
 	results, err := backend.WalkVersions(ctx, fileSystem, prefix, delim, keyMarker, versionIdMarker, max,
-		p.fileToObjVersions(bucket), []string{metaTmpDir})
+		p.fileToObjVersions(bucket), []string{MetaTmpDir})
 	if err != nil {
 		return s3response.ListVersionsResult{}, fmt.Errorf("walk %v: %w", bucket, err)
 	}
@@ -1189,9 +1179,6 @@ func (p *Posix) fileToObjVersions(bucket string) backend.GetVersionsFunc {
 }

 func (p *Posix) CreateMultipartUpload(ctx context.Context, mpu s3response.CreateMultipartUploadInput) (s3response.InitiateMultipartUploadResult, error) {
-	if mpu.Bucket == nil {
-		return s3response.InitiateMultipartUploadResult{}, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	if mpu.Key == nil {
 		return s3response.InitiateMultipartUploadResult{}, s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
@@ -1225,7 +1212,7 @@ func (p *Posix) CreateMultipartUpload(ctx context.Context, mpu s3response.Create
 	objNameSum := sha256.Sum256([]byte(*mpu.Key))
 	// multiple uploads for same object name allowed,
 	// they will all go into the same hashed name directory
-	objdir := filepath.Join(metaTmpMultipartDir, fmt.Sprintf("%x", objNameSum))
+	objdir := filepath.Join(MetaTmpMultipartDir, fmt.Sprintf("%x", objNameSum))
 	tmppath := filepath.Join(bucket, objdir)
 	// the unique upload id is a directory for all of the parts
 	// associated with this specific multipart upload
@@ -1367,12 +1354,18 @@ func getPartChecksum(algo types.ChecksumAlgorithm, part types.CompletedPart) str
 		return backend.GetStringFromPtr(part.ChecksumSHA1)
 	case types.ChecksumAlgorithmSha256:
 		return backend.GetStringFromPtr(part.ChecksumSHA256)
+	case types.ChecksumAlgorithmCrc64nvme:
+		return backend.GetStringFromPtr(part.ChecksumCRC64NVME)
 	default:
 		return ""
 	}
 }

 func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteMultipartUploadInput) (s3response.CompleteMultipartUploadResult, string, error) {
+	return p.CompleteMultipartUploadWithCopy(ctx, input, nil)
+}
+
+func (p *Posix) CompleteMultipartUploadWithCopy(ctx context.Context, input *s3.CompleteMultipartUploadInput, customMove func(from *os.File, to *os.File) error) (s3response.CompleteMultipartUploadResult, string, error) {
 	acct, ok := ctx.Value("account").(auth.Account)
 	if !ok {
 		acct = auth.Account{}
@@ -1380,9 +1373,6 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM

 	var res s3response.CompleteMultipartUploadResult

-	if input.Bucket == nil {
-		return res, "", s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	if input.Key == nil {
 		return res, "", s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
@@ -1411,7 +1401,7 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 		return res, "", err
 	}

-	objdir := filepath.Join(metaTmpMultipartDir, fmt.Sprintf("%x", sum))
+	objdir := filepath.Join(MetaTmpMultipartDir, fmt.Sprintf("%x", sum))

 	checksums, err := p.retrieveChecksums(nil, bucket, filepath.Join(objdir, uploadID))
 	if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
@@ -1436,6 +1426,12 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 	last := len(parts) - 1
 	var totalsize int64

+	var composableCRC bool
+	switch checksums.Type {
+	case types.ChecksumTypeFullObject:
+		composableCRC = utils.IsChecksumComposable(checksumAlgorithm)
+	}
+
 	// The initialie values is the lower limit of partNumber: 0
 	var partNumber int32
 	for i, part := range parts {
@@ -1459,7 +1455,7 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 		}

 		totalsize += fi.Size()
-		// all parts except the last need to be greater, thena
+		// all parts except the last need to be greater, than or equal to
 		// the minimum allowed size (5 Mib)
 		if i < last && fi.Size() < backend.MinPartSize {
 			return res, "", s3err.GetAPIError(s3err.ErrEntityTooSmall)
@@ -1494,9 +1490,11 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 	var compositeChecksumRdr *utils.CompositeChecksumReader
 	switch checksums.Type {
 	case types.ChecksumTypeFullObject:
-		hashRdr, err = utils.NewHashReader(nil, "", utils.HashType(strings.ToLower(string(checksumAlgorithm))))
-		if err != nil {
-			return res, "", fmt.Errorf("initialize hash reader: %w", err)
+		if !composableCRC {
+			hashRdr, err = utils.NewHashReader(nil, "", utils.HashType(strings.ToLower(string(checksumAlgorithm))))
+			if err != nil {
+				return res, "", fmt.Errorf("initialize hash reader: %w", err)
+			}
 		}
 	case types.ChecksumTypeComposite:
 		compositeChecksumRdr, err = utils.NewCompositeChecksumReader(utils.HashType(strings.ToLower(string(checksumAlgorithm))))
@@ -1505,7 +1503,7 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 		}
 	}

-	f, err := p.openTmpFile(filepath.Join(bucket, metaTmpDir), bucket, object,
+	f, err := p.openTmpFile(filepath.Join(bucket, MetaTmpDir), bucket, object,
 		totalsize, acct, skipFalloc, p.forceNoTmpFile)
 	if err != nil {
 		if errors.Is(err, syscall.EDQUOT) {
@@ -1515,26 +1513,59 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 	}
 	defer f.cleanup()

-	for _, part := range parts {
+	var composableCsum string
+	for i, part := range parts {
 		partObjPath := filepath.Join(objdir, uploadID, fmt.Sprintf("%v", *part.PartNumber))
 		fullPartPath := filepath.Join(bucket, partObjPath)
 		pf, err := os.Open(fullPartPath)
 		if err != nil {
 			return res, "", fmt.Errorf("open part %v: %v", *part.PartNumber, err)
 		}
+		pfi, err := pf.Stat()
+		if err != nil {
+			pf.Close()
+			return res, "", fmt.Errorf("stat part %v: %v", *part.PartNumber, err)
+		}

 		var rdr io.Reader = pf
-		if checksums.Type == types.ChecksumTypeFullObject {
+		switch checksums.Type {
+		case types.ChecksumTypeFullObject:
+			if composableCRC {
+				if i == 0 {
+					composableCsum = getPartChecksum(checksumAlgorithm, part)
+					break
+				}
+				composableCsum, err = utils.AddCRCChecksum(checksumAlgorithm,
+					composableCsum, getPartChecksum(checksumAlgorithm, part),
+					pfi.Size())
+				if err != nil {
+					pf.Close()
+					return res, "", fmt.Errorf("add part %v checksum: %w",
+						*part.PartNumber, err)
+				}
+				break
+			}
 			hashRdr.SetReader(rdr)
 			rdr = hashRdr
-		} else if checksums.Type == types.ChecksumTypeComposite {
+		case types.ChecksumTypeComposite:
 			err := compositeChecksumRdr.Process(getPartChecksum(checksumAlgorithm, part))
 			if err != nil {
-				return res, "", fmt.Errorf("process %v part checksum: %w", *part.PartNumber, err)
+				pf.Close()
+				return res, "", fmt.Errorf("process %v part checksum: %w",
+					*part.PartNumber, err)
 			}
 		}

-		_, err = io.Copy(f.File(), rdr)
+		if customMove != nil {
+			err = customMove(pf, f.File())
+			if err != nil {
+				// Fail back to standard copy
+				debuglogger.Logf("Custom data block move failed (%w), failing back to io.Copy()", err)
+				_, err = io.Copy(f.File(), rdr)
+			}
+		} else {
+			_, err = io.Copy(f.File(), rdr)
+		}
 		pf.Close()
 		if err != nil {
 			if errors.Is(err, syscall.EDQUOT) {
@@ -1547,7 +1578,7 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 	upiddir := filepath.Join(objdir, uploadID)

 	userMetaData := make(map[string]string)
-	objMeta := p.loadObjectMetaData(bucket, upiddir, nil, userMetaData)
+	objMeta := p.loadObjectMetaData(nil, bucket, upiddir, nil, userMetaData)
 	err = p.storeObjectMetadata(f.File(), bucket, object, objMeta)
 	if err != nil {
 		return res, "", err
@@ -1639,7 +1670,11 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 		case types.ChecksumTypeComposite:
 			sum = compositeChecksumRdr.Sum()
 		case types.ChecksumTypeFullObject:
-			sum = hashRdr.Sum()
+			if !composableCRC {
+				sum = hashRdr.Sum()
+			} else {
+				sum = composableCsum
+			}
 		}

 		switch checksumAlgorithm {
@@ -1804,7 +1839,7 @@ func numberOfChecksums(part types.CompletedPart) int {

 func (p *Posix) checkUploadIDExists(bucket, object, uploadID string) ([32]byte, error) {
 	sum := sha256.Sum256([]byte(object))
-	objdir := filepath.Join(bucket, metaTmpMultipartDir, fmt.Sprintf("%x", sum))
+	objdir := filepath.Join(bucket, MetaTmpMultipartDir, fmt.Sprintf("%x", sum))

 	_, err := os.Stat(filepath.Join(objdir, uploadID))
 	if errors.Is(err, fs.ErrNotExist) {
@@ -1818,7 +1853,7 @@ func (p *Posix) checkUploadIDExists(bucket, object, uploadID string) ([32]byte,

 func (p *Posix) retrieveUploadId(bucket, object string) (string, [32]byte, error) {
 	sum := sha256.Sum256([]byte(object))
-	objdir := filepath.Join(bucket, metaTmpMultipartDir, fmt.Sprintf("%x", sum))
+	objdir := filepath.Join(bucket, MetaTmpMultipartDir, fmt.Sprintf("%x", sum))

 	entries, err := os.ReadDir(objdir)
 	if err != nil || len(entries) == 0 {
@@ -1839,7 +1874,7 @@ type objectMetadata struct {

 // fill out the user metadata map with the metadata for the object
 // and return object meta properties as `ObjectMetadata`
-func (p *Posix) loadObjectMetaData(bucket, object string, fi *os.FileInfo, m map[string]string) objectMetadata {
+func (p *Posix) loadObjectMetaData(f *os.File, bucket, object string, fi *os.FileInfo, m map[string]string) objectMetadata {
 	ents, err := p.meta.ListAttributes(bucket, object)
 	if err != nil || len(ents) == 0 {
 		return objectMetadata{}
@@ -1850,7 +1885,7 @@ func (p *Posix) loadObjectMetaData(bucket, object string, fi *os.FileInfo, m map
 			if !isValidMeta(e) {
 				continue
 			}
-			b, err := p.meta.RetrieveAttribute(nil, bucket, object, e)
+			b, err := p.meta.RetrieveAttribute(f, bucket, object, e)
 			if err != nil {
 				continue
 			}
@@ -1864,7 +1899,7 @@ func (p *Posix) loadObjectMetaData(bucket, object string, fi *os.FileInfo, m map

 	var result objectMetadata

-	b, err := p.meta.RetrieveAttribute(nil, bucket, object, contentTypeHdr)
+	b, err := p.meta.RetrieveAttribute(f, bucket, object, contentTypeHdr)
 	if err == nil {
 		result.ContentType = backend.GetPtrFromString(string(b))
 	}
@@ -1876,27 +1911,27 @@ func (p *Posix) loadObjectMetaData(bucket, object string, fi *os.FileInfo, m map
 		}
 	}

-	b, err = p.meta.RetrieveAttribute(nil, bucket, object, contentEncHdr)
+	b, err = p.meta.RetrieveAttribute(f, bucket, object, contentEncHdr)
 	if err == nil {
 		result.ContentEncoding = backend.GetPtrFromString(string(b))
 	}

-	b, err = p.meta.RetrieveAttribute(nil, bucket, object, contentDispHdr)
+	b, err = p.meta.RetrieveAttribute(f, bucket, object, contentDispHdr)
 	if err == nil {
 		result.ContentDisposition = backend.GetPtrFromString(string(b))
 	}

-	b, err = p.meta.RetrieveAttribute(nil, bucket, object, contentLangHdr)
+	b, err = p.meta.RetrieveAttribute(f, bucket, object, contentLangHdr)
 	if err == nil {
 		result.ContentLanguage = backend.GetPtrFromString(string(b))
 	}

-	b, err = p.meta.RetrieveAttribute(nil, bucket, object, cacheCtrlHdr)
+	b, err = p.meta.RetrieveAttribute(f, bucket, object, cacheCtrlHdr)
 	if err == nil {
 		result.CacheControl = backend.GetPtrFromString(string(b))
 	}

-	b, err = p.meta.RetrieveAttribute(nil, bucket, object, expiresHdr)
+	b, err = p.meta.RetrieveAttribute(f, bucket, object, expiresHdr)
 	if err == nil {
 		result.Expires = backend.GetPtrFromString(string(b))
 	}
@@ -1950,9 +1985,6 @@ func isValidMeta(val string) bool {
 }

 func (p *Posix) AbortMultipartUpload(_ context.Context, mpu *s3.AbortMultipartUploadInput) error {
-	if mpu.Bucket == nil {
-		return s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	if mpu.Key == nil {
 		return s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
@@ -1973,7 +2005,7 @@ func (p *Posix) AbortMultipartUpload(_ context.Context, mpu *s3.AbortMultipartUp
 	}

 	sum := sha256.Sum256([]byte(object))
-	objdir := filepath.Join(bucket, metaTmpMultipartDir, fmt.Sprintf("%x", sum))
+	objdir := filepath.Join(bucket, MetaTmpMultipartDir, fmt.Sprintf("%x", sum))

 	_, err = os.Stat(filepath.Join(objdir, uploadID))
 	if err != nil {
@@ -1992,10 +2024,6 @@ func (p *Posix) AbortMultipartUpload(_ context.Context, mpu *s3.AbortMultipartUp
 func (p *Posix) ListMultipartUploads(_ context.Context, mpu *s3.ListMultipartUploadsInput) (s3response.ListMultipartUploadsResult, error) {
 	var lmu s3response.ListMultipartUploadsResult

-	if mpu.Bucket == nil {
-		return lmu, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
-
 	bucket := *mpu.Bucket
 	var delimiter string
 	if mpu.Delimiter != nil {
@@ -2015,7 +2043,7 @@ func (p *Posix) ListMultipartUploads(_ context.Context, mpu *s3.ListMultipartUpl
 	}

 	// ignore readdir error and use the empty list returned
-	objs, _ := os.ReadDir(filepath.Join(bucket, metaTmpMultipartDir))
+	objs, _ := os.ReadDir(filepath.Join(bucket, MetaTmpMultipartDir))

 	var uploads []s3response.Upload
 	var resultUpds []s3response.Upload
@@ -2035,7 +2063,7 @@ func (p *Posix) ListMultipartUploads(_ context.Context, mpu *s3.ListMultipartUpl
 			continue
 		}

-		b, err := p.meta.RetrieveAttribute(nil, bucket, filepath.Join(metaTmpMultipartDir, obj.Name()), onameAttr)
+		b, err := p.meta.RetrieveAttribute(nil, bucket, filepath.Join(MetaTmpMultipartDir, obj.Name()), onameAttr)
 		if err != nil {
 			continue
 		}
@@ -2044,7 +2072,7 @@ func (p *Posix) ListMultipartUploads(_ context.Context, mpu *s3.ListMultipartUpl
 			continue
 		}

-		upids, err := os.ReadDir(filepath.Join(bucket, metaTmpMultipartDir, obj.Name()))
+		upids, err := os.ReadDir(filepath.Join(bucket, MetaTmpMultipartDir, obj.Name()))
 		if err != nil {
 			continue
 		}
@@ -2071,7 +2099,7 @@ func (p *Posix) ListMultipartUploads(_ context.Context, mpu *s3.ListMultipartUpl
 				keyMarkerInd = len(uploads)
 			}

-			checksum, err := p.retrieveChecksums(nil, bucket, filepath.Join(metaTmpMultipartDir, obj.Name(), uploadID))
+			checksum, err := p.retrieveChecksums(nil, bucket, filepath.Join(MetaTmpMultipartDir, obj.Name(), uploadID))
 			if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
 				return lmu, fmt.Errorf("get mp checksum: %w", err)
 			}
@@ -2104,28 +2132,33 @@ func (p *Posix) ListMultipartUploads(_ context.Context, mpu *s3.ListMultipartUpl
 		return uploads[i].Key < uploads[j].Key
 	})

-	for i := keyMarkerInd + 1; i < len(uploads); i++ {
-		if maxUploads == 0 {
-			break
+	start := 0
+	if keyMarker != "" {
+		for i, up := range uploads {
+			if up.Key == keyMarker && (uploadIDMarker == "" ||
+				up.UploadID == uploadIDMarker) {
+				// Start after the marker
+				start = i + 1
+				break
+			}
 		}
-		if keyMarker != "" && uploadIDMarker != "" && uploads[i].UploadID < uploadIDMarker {
-			continue
-		}
-		if i != len(uploads)-1 && len(resultUpds) == maxUploads {
+	}
+
+	for i := start; i < len(uploads); i++ {
+		if len(resultUpds) == maxUploads {
 			return s3response.ListMultipartUploadsResult{
 				Bucket:             bucket,
 				Delimiter:          delimiter,
 				KeyMarker:          keyMarker,
 				MaxUploads:         maxUploads,
-				NextKeyMarker:      resultUpds[i-1].Key,
-				NextUploadIDMarker: resultUpds[i-1].UploadID,
+				NextKeyMarker:      resultUpds[len(resultUpds)-1].Key,
+				NextUploadIDMarker: resultUpds[len(resultUpds)-1].UploadID,
 				IsTruncated:        true,
 				Prefix:             prefix,
 				UploadIDMarker:     uploadIDMarker,
 				Uploads:            resultUpds,
 			}, nil
 		}
-
 		resultUpds = append(resultUpds, uploads[i])
 	}

@@ -2143,9 +2176,6 @@ func (p *Posix) ListMultipartUploads(_ context.Context, mpu *s3.ListMultipartUpl
 func (p *Posix) ListParts(ctx context.Context, input *s3.ListPartsInput) (s3response.ListPartsResult, error) {
 	var lpr s3response.ListPartsResult

-	if input.Bucket == nil {
-		return lpr, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	if input.Key == nil {
 		return lpr, s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
@@ -2185,7 +2215,7 @@ func (p *Posix) ListParts(ctx context.Context, input *s3.ListPartsInput) (s3resp
 		return lpr, err
 	}

-	objdir := filepath.Join(metaTmpMultipartDir, fmt.Sprintf("%x", sum))
+	objdir := filepath.Join(MetaTmpMultipartDir, fmt.Sprintf("%x", sum))
 	tmpdir := filepath.Join(bucket, objdir)

 	ents, err := os.ReadDir(filepath.Join(tmpdir, uploadID))
@@ -2271,7 +2301,7 @@ func (p *Posix) ListParts(ctx context.Context, input *s3.ListPartsInput) (s3resp

 	userMetaData := make(map[string]string)
 	upiddir := filepath.Join(objdir, uploadID)
-	p.loadObjectMetaData(bucket, upiddir, nil, userMetaData)
+	p.loadObjectMetaData(nil, bucket, upiddir, nil, userMetaData)

 	return s3response.ListPartsResult{
 		Bucket:               bucket,
@@ -2299,9 +2329,6 @@ func (p *Posix) UploadPart(ctx context.Context, input *s3.UploadPartInput) (*s3.
 		acct = auth.Account{}
 	}

-	if input.Bucket == nil {
-		return nil, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	if input.Key == nil {
 		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
@@ -2325,7 +2352,7 @@ func (p *Posix) UploadPart(ctx context.Context, input *s3.UploadPartInput) (*s3.
 	}

 	sum := sha256.Sum256([]byte(object))
-	objdir := filepath.Join(metaTmpMultipartDir, fmt.Sprintf("%x", sum))
+	objdir := filepath.Join(MetaTmpMultipartDir, fmt.Sprintf("%x", sum))
 	mpPath := filepath.Join(objdir, uploadID)

 	_, err = os.Stat(filepath.Join(bucket, mpPath))
@@ -2389,7 +2416,8 @@ func (p *Posix) UploadPart(ctx context.Context, input *s3.UploadPartInput) (*s3.

 	// If checksum isn't provided for the part,
 	// but it has been provided on mp initalization
-	if hashRdr == nil && chErr == nil && checksums.Algorithm != "" {
+	// and checksum type is 'COMPOSITE', return mismatch error
+	if hashRdr == nil && chErr == nil && checksums.Type == types.ChecksumTypeComposite {
 		return nil, s3err.GetChecksumTypeMismatchErr(checksums.Algorithm, "null")
 	}

@@ -2402,11 +2430,27 @@ func (p *Posix) UploadPart(ctx context.Context, input *s3.UploadPartInput) (*s3.
 		}
 	}

+	// if no checksum algorithm or precalculated checksum is
+	// provided, but one has been on multipart upload initialization,
+	// anyways calculate and store the uploaded part checksum
+	if hashRdr == nil && checksums.Algorithm != "" {
+		hashRdr, err = utils.NewHashReader(tr, "", utils.HashType(strings.ToLower(string(checksums.Algorithm))))
+		if err != nil {
+			return nil, fmt.Errorf("initialize hash reader: %w", err)
+		}
+
+		tr = hashRdr
+	}
+
 	_, err = io.Copy(f, tr)
 	if err != nil {
 		if errors.Is(err, syscall.EDQUOT) {
 			return nil, s3err.GetAPIError(s3err.ErrQuotaExceeded)
 		}
+		// Return the error itself, if it's an 's3err.APIError'
+		if _, ok := err.(s3err.APIError); ok {
+			return nil, err
+		}
 		return nil, fmt.Errorf("write part data: %w", err)
 	}

@@ -2469,9 +2513,6 @@ func (p *Posix) UploadPartCopy(ctx context.Context, upi *s3.UploadPartCopyInput)
 		acct = auth.Account{}
 	}

-	if upi.Bucket == nil {
-		return s3response.CopyPartResult{}, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	if upi.Key == nil {
 		return s3response.CopyPartResult{}, s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
@@ -2485,7 +2526,7 @@ func (p *Posix) UploadPartCopy(ctx context.Context, upi *s3.UploadPartCopyInput)
 	}

 	sum := sha256.Sum256([]byte(*upi.Key))
-	objdir := filepath.Join(metaTmpMultipartDir, fmt.Sprintf("%x", sum))
+	objdir := filepath.Join(MetaTmpMultipartDir, fmt.Sprintf("%x", sum))

 	_, err = os.Stat(filepath.Join(*upi.Bucket, objdir, *upi.UploadId))
 	if errors.Is(err, fs.ErrNotExist) {
@@ -2683,9 +2724,6 @@ func (p *Posix) PutObject(ctx context.Context, po s3response.PutObjectInput) (s3
 		acct = auth.Account{}
 	}

-	if po.Bucket == nil {
-		return s3response.PutObjectOutput{}, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	if po.Key == nil {
 		return s3response.PutObjectOutput{}, s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
@@ -2798,7 +2836,7 @@ func (p *Posix) PutObject(ctx context.Context, po s3response.PutObjectInput) (s3
 		return s3response.PutObjectOutput{}, fmt.Errorf("stat object: %w", err)
 	}

-	f, err := p.openTmpFile(filepath.Join(*po.Bucket, metaTmpDir),
+	f, err := p.openTmpFile(filepath.Join(*po.Bucket, MetaTmpDir),
 		*po.Bucket, *po.Key, contentLength, acct, doFalloc, p.forceNoTmpFile)
 	if err != nil {
 		if errors.Is(err, syscall.EDQUOT) {
@@ -2847,6 +2885,10 @@ func (p *Posix) PutObject(ctx context.Context, po s3response.PutObjectInput) (s3
 		if errors.Is(err, syscall.EDQUOT) {
 			return s3response.PutObjectOutput{}, s3err.GetAPIError(s3err.ErrQuotaExceeded)
 		}
+		// Return the error itself, if it's an 's3err.APIError'
+		if _, ok := err.(s3err.APIError); ok {
+			return s3response.PutObjectOutput{}, err
+		}
 		return s3response.PutObjectOutput{}, fmt.Errorf("write object data: %w", err)
 	}

@@ -3003,9 +3045,6 @@ func (p *Posix) PutObject(ctx context.Context, po s3response.PutObjectInput) (s3
 }

 func (p *Posix) DeleteObject(ctx context.Context, input *s3.DeleteObjectInput) (*s3.DeleteObjectOutput, error) {
-	if input.Bucket == nil {
-		return nil, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	if input.Key == nil {
 		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
@@ -3151,7 +3190,7 @@ func (p *Posix) DeleteObject(ctx context.Context, input *s3.DeleteObjectInput) (
 					acct = auth.Account{}
 				}

-				f, err := p.openTmpFile(filepath.Join(bucket, metaTmpDir),
+				f, err := p.openTmpFile(filepath.Join(bucket, MetaTmpDir),
 					bucket, object, srcObjVersion.Size(), acct, doFalloc,
 					p.forceNoTmpFile)
 				if err != nil {
@@ -3361,9 +3400,6 @@ func (p *Posix) DeleteObjects(ctx context.Context, input *s3.DeleteObjectsInput)
 }

 func (p *Posix) GetObject(_ context.Context, input *s3.GetObjectInput) (*s3.GetObjectOutput, error) {
-	if input.Bucket == nil {
-		return nil, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	if input.Key == nil {
 		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
@@ -3407,7 +3443,7 @@ func (p *Posix) GetObject(_ context.Context, input *s3.GetObjectInput) (*s3.GetO

 	objPath := filepath.Join(bucket, object)

-	fi, err := os.Stat(objPath)
+	fid, err := os.Stat(objPath)
 	if errors.Is(err, fs.ErrNotExist) || errors.Is(err, syscall.ENOTDIR) {
 		if versionId != "" {
 			return nil, s3err.GetAPIError(s3err.ErrInvalidVersionId)
@@ -3421,10 +3457,10 @@ func (p *Posix) GetObject(_ context.Context, input *s3.GetObjectInput) (*s3.GetO
 		return nil, fmt.Errorf("stat object: %w", err)
 	}

-	if strings.HasSuffix(object, "/") && !fi.IsDir() {
+	if strings.HasSuffix(object, "/") && !fid.IsDir() {
 		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
-	if !strings.HasSuffix(object, "/") && fi.IsDir() {
+	if !strings.HasSuffix(object, "/") && fid.IsDir() {
 		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}

@@ -3443,33 +3479,20 @@ func (p *Posix) GetObject(_ context.Context, input *s3.GetObjectInput) (*s3.GetO
 			}
 			return &s3.GetObjectOutput{
 				DeleteMarker: getBoolPtr(true),
-				LastModified: backend.GetTimePtr(fi.ModTime()),
+				LastModified: backend.GetTimePtr(fid.ModTime()),
 			}, err
 		}
 	}

-	objSize := fi.Size()
-	startOffset, length, isValid, err := backend.ParseObjectRange(objSize, *input.Range)
-	if err != nil {
-		return nil, err
-	}
+	if fid.IsDir() {
+		_, _, _, err := backend.ParseObjectRange(0, *input.Range)
+		if err != nil {
+			return nil, err
+		}

-	if fi.IsDir() {
-		// directory objects are always 0 len
-		objSize = 0
-		length = 0
-	}
-
-	var contentRange string
-	if isValid {
-		contentRange = fmt.Sprintf("bytes %v-%v/%v",
-			startOffset, startOffset+length-1, objSize)
-	}
-
-	if fi.IsDir() {
 		userMetaData := make(map[string]string)

-		objMeta := p.loadObjectMetaData(bucket, object, &fi, userMetaData)
+		objMeta := p.loadObjectMetaData(nil, bucket, object, &fid, userMetaData)
 		b, err := p.meta.RetrieveAttribute(nil, bucket, object, etagkey)
 		etag := string(b)
 		if err != nil {
@@ -3486,6 +3509,7 @@ func (p *Posix) GetObject(_ context.Context, input *s3.GetObjectInput) (*s3.GetO
 			tagCount = &tgCount
 		}

+		var length int64 = 0
 		return &s3.GetObjectOutput{
 			AcceptRanges:       backend.GetPtrFromString("bytes"),
 			ContentLength:      &length,
@@ -3496,10 +3520,10 @@ func (p *Posix) GetObject(_ context.Context, input *s3.GetObjectInput) (*s3.GetO
 			CacheControl:       objMeta.CacheControl,
 			ExpiresString:      objMeta.Expires,
 			ETag:               &etag,
-			LastModified:       backend.GetTimePtr(fi.ModTime()),
+			LastModified:       backend.GetTimePtr(fid.ModTime()),
 			Metadata:           userMetaData,
 			TagCount:           tagCount,
-			ContentRange:       &contentRange,
+			ContentRange:       nil,
 			StorageClass:       types.StorageClassStandard,
 			VersionId:          &versionId,
 		}, nil
@@ -3517,11 +3541,45 @@ func (p *Posix) GetObject(_ context.Context, input *s3.GetObjectInput) (*s3.GetO
 		versionId = string(vId)
 	}

+	f, err := os.Open(objPath)
+	if errors.Is(err, fs.ErrNotExist) {
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("open object: %w", err)
+	}
+
+	fi, err := f.Stat()
+	if errors.Is(err, fs.ErrNotExist) || errors.Is(err, syscall.ENOTDIR) {
+		if versionId != "" {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidVersionId)
+		}
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
+	}
+	if errors.Is(err, syscall.ENAMETOOLONG) {
+		return nil, s3err.GetAPIError(s3err.ErrKeyTooLong)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("stat object: %w", err)
+	}
+
+	objSize := fi.Size()
+	startOffset, length, isValid, err := backend.ParseObjectRange(objSize, *input.Range)
+	if err != nil {
+		return nil, err
+	}
+
+	var contentRange string
+	if isValid {
+		contentRange = fmt.Sprintf("bytes %v-%v/%v",
+			startOffset, startOffset+length-1, objSize)
+	}
+
 	userMetaData := make(map[string]string)

-	objMeta := p.loadObjectMetaData(bucket, object, &fi, userMetaData)
+	objMeta := p.loadObjectMetaData(f, bucket, object, &fi, userMetaData)

-	b, err := p.meta.RetrieveAttribute(nil, bucket, object, etagkey)
+	b, err := p.meta.RetrieveAttribute(f, bucket, object, etagkey)
 	etag := string(b)
 	if err != nil {
 		etag = ""
@@ -3537,14 +3595,6 @@ func (p *Posix) GetObject(_ context.Context, input *s3.GetObjectInput) (*s3.GetO
 		tagCount = &tgCount
 	}

-	f, err := os.Open(objPath)
-	if errors.Is(err, fs.ErrNotExist) {
-		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("open object: %w", err)
-	}
-
 	var checksums s3response.Checksum
 	var cType types.ChecksumType
 	// Skip the checksums retreival if object isn't requested fully
@@ -3592,9 +3642,6 @@ func (p *Posix) GetObject(_ context.Context, input *s3.GetObjectInput) (*s3.GetO
 }

 func (p *Posix) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3.HeadObjectOutput, error) {
-	if input.Bucket == nil {
-		return nil, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	if input.Key == nil {
 		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
@@ -3614,7 +3661,7 @@ func (p *Posix) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3.
 			return nil, err
 		}

-		ents, err := os.ReadDir(filepath.Join(bucket, metaTmpMultipartDir, fmt.Sprintf("%x", sum), uploadId))
+		ents, err := os.ReadDir(filepath.Join(bucket, MetaTmpMultipartDir, fmt.Sprintf("%x", sum), uploadId))
 		if errors.Is(err, fs.ErrNotExist) {
 			return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
 		}
@@ -3622,7 +3669,7 @@ func (p *Posix) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3.
 			return nil, fmt.Errorf("read parts: %w", err)
 		}

-		partPath := filepath.Join(metaTmpMultipartDir, fmt.Sprintf("%x", sum), uploadId, fmt.Sprintf("%v", *input.PartNumber))
+		partPath := filepath.Join(MetaTmpMultipartDir, fmt.Sprintf("%x", sum), uploadId, fmt.Sprintf("%v", *input.PartNumber))

 		part, err := os.Stat(filepath.Join(bucket, partPath))
 		if errors.Is(err, fs.ErrNotExist) {
@@ -3744,7 +3791,7 @@ func (p *Posix) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3.
 	}

 	userMetaData := make(map[string]string)
-	objMeta := p.loadObjectMetaData(bucket, object, &fi, userMetaData)
+	objMeta := p.loadObjectMetaData(nil, bucket, object, &fi, userMetaData)

 	b, err := p.meta.RetrieveAttribute(nil, bucket, object, etagkey)
 	etag := string(b)
@@ -3753,6 +3800,9 @@ func (p *Posix) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3.
 	}

 	size := fi.Size()
+	if fi.IsDir() {
+		size = 0
+	}

 	startOffset, length, isValid, err := backend.ParseObjectRange(size, getString(input.Range))
 	if err != nil {
@@ -3862,14 +3912,11 @@ func (p *Posix) GetObjectAttributes(ctx context.Context, input *s3.GetObjectAttr
 }

 func (p *Posix) CopyObject(ctx context.Context, input s3response.CopyObjectInput) (s3response.CopyObjectOutput, error) {
-	if input.Bucket == nil {
-		return s3response.CopyObjectOutput{}, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	if input.Key == nil {
 		return s3response.CopyObjectOutput{}, s3err.GetAPIError(s3err.ErrInvalidCopyDest)
 	}
 	if input.CopySource == nil {
-		return s3response.CopyObjectOutput{}, s3err.GetAPIError(s3err.ErrInvalidCopySource)
+		return s3response.CopyObjectOutput{}, s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)
 	}
 	if input.ExpectedBucketOwner == nil {
 		return s3response.CopyObjectOutput{}, s3err.GetAPIError(s3err.ErrInvalidRequest)
@@ -3950,7 +3997,7 @@ func (p *Posix) CopyObject(ctx context.Context, input s3response.CopyObjectInput
 	}

 	mdmap := make(map[string]string)
-	p.loadObjectMetaData(srcBucket, srcObject, &fi, mdmap)
+	p.loadObjectMetaData(nil, srcBucket, srcObject, &fi, mdmap)

 	var etag string
 	var version *string
@@ -4110,7 +4157,7 @@ func (p *Posix) CopyObject(ctx context.Context, input s3response.CopyObjectInput

 		// load and pass the source object meta properties, if metadata directive is "COPY"
 		if input.MetadataDirective != types.MetadataDirectiveReplace {
-			metaProps := p.loadObjectMetaData(srcBucket, srcObject, &fi, nil)
+			metaProps := p.loadObjectMetaData(nil, srcBucket, srcObject, &fi, nil)
 			putObjectInput.ContentEncoding = metaProps.ContentEncoding
 			putObjectInput.ContentDisposition = metaProps.ContentDisposition
 			putObjectInput.ContentLanguage = metaProps.ContentLanguage
@@ -4177,9 +4224,10 @@ func (p *Posix) CopyObject(ctx context.Context, input s3response.CopyObjectInput
 }

 func (p *Posix) ListObjects(ctx context.Context, input *s3.ListObjectsInput) (s3response.ListObjectsResult, error) {
-	if input.Bucket == nil {
-		return s3response.ListObjectsResult{}, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
+	return p.ListObjectsParametrized(ctx, input, p.FileToObj)
+}
+
+func (p *Posix) ListObjectsParametrized(ctx context.Context, input *s3.ListObjectsInput, customFileToObj func(string, bool) backend.GetObjFunc) (s3response.ListObjectsResult, error) {
 	bucket := *input.Bucket
 	prefix := ""
 	if input.Prefix != nil {
@@ -4208,7 +4256,7 @@ func (p *Posix) ListObjects(ctx context.Context, input *s3.ListObjectsInput) (s3

 	fileSystem := os.DirFS(bucket)
 	results, err := backend.Walk(ctx, fileSystem, prefix, delim, marker, maxkeys,
-		p.fileToObj(bucket, true), []string{metaTmpDir})
+		customFileToObj(bucket, true), []string{MetaTmpDir})
 	if err != nil {
 		return s3response.ListObjectsResult{}, fmt.Errorf("walk %v: %w", bucket, err)
 	}
@@ -4226,7 +4274,7 @@ func (p *Posix) ListObjects(ctx context.Context, input *s3.ListObjectsInput) (s3
 	}, nil
 }

-func (p *Posix) fileToObj(bucket string, fetchOwner bool) backend.GetObjFunc {
+func (p *Posix) FileToObj(bucket string, fetchOwner bool) backend.GetObjFunc {
 	return func(path string, d fs.DirEntry) (s3response.Object, error) {
 		var owner *types.Owner
 		// Retreive the object owner data from bucket ACL, if fetchOwner is true
@@ -4329,9 +4377,10 @@ func (p *Posix) fileToObj(bucket string, fetchOwner bool) backend.GetObjFunc {
 }

 func (p *Posix) ListObjectsV2(ctx context.Context, input *s3.ListObjectsV2Input) (s3response.ListObjectsV2Result, error) {
-	if input.Bucket == nil {
-		return s3response.ListObjectsV2Result{}, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
+	return p.ListObjectsV2Parametrized(ctx, input, p.FileToObj)
+}
+
+func (p *Posix) ListObjectsV2Parametrized(ctx context.Context, input *s3.ListObjectsV2Input, customFileToObj func(string, bool) backend.GetObjFunc) (s3response.ListObjectsV2Result, error) {
 	bucket := *input.Bucket
 	prefix := ""
 	if input.Prefix != nil {
@@ -4368,7 +4417,7 @@ func (p *Posix) ListObjectsV2(ctx context.Context, input *s3.ListObjectsV2Input)

 	fileSystem := os.DirFS(bucket)
 	results, err := backend.Walk(ctx, fileSystem, prefix, delim, marker, maxkeys,
-		p.fileToObj(bucket, fetchOwner), []string{metaTmpDir})
+		customFileToObj(bucket, fetchOwner), []string{MetaTmpDir})
 	if err != nil {
 		return s3response.ListObjectsV2Result{}, fmt.Errorf("walk %v: %w", bucket, err)
 	}
@@ -4408,9 +4457,6 @@ func (p *Posix) PutBucketAcl(_ context.Context, bucket string, data []byte) erro
 }

 func (p *Posix) GetBucketAcl(_ context.Context, input *s3.GetBucketAclInput) ([]byte, error) {
-	if input.Bucket == nil {
-		return nil, s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
 	_, err := os.Stat(*input.Bucket)
 	if errors.Is(err, fs.ErrNotExist) {
 		return nil, s3err.GetAPIError(s3err.ErrNoSuchBucket)
@@ -4614,6 +4660,56 @@ func (p *Posix) DeleteBucketPolicy(ctx context.Context, bucket string) error {
 	return p.PutBucketPolicy(ctx, bucket, nil)
 }

+func (p *Posix) PutBucketCors(_ context.Context, bucket string, cors []byte) error {
+	_, err := os.Stat(bucket)
+	if errors.Is(err, fs.ErrNotExist) {
+		return s3err.GetAPIError(s3err.ErrNoSuchBucket)
+	}
+	if err != nil {
+		return fmt.Errorf("stat bucket: %w", err)
+	}
+
+	if cors == nil {
+		err = p.meta.DeleteAttribute(bucket, "", corskey)
+		if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
+			return fmt.Errorf("remove cors: %w", err)
+		}
+
+		return nil
+	}
+
+	err = p.meta.StoreAttribute(nil, bucket, "", corskey, cors)
+	if err != nil {
+		return fmt.Errorf("set cors: %w", err)
+	}
+
+	return nil
+}
+
+func (p *Posix) GetBucketCors(_ context.Context, bucket string) ([]byte, error) {
+	_, err := os.Stat(bucket)
+	if errors.Is(err, fs.ErrNotExist) {
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchBucket)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("stat bucket: %w", err)
+	}
+
+	cors, err := p.meta.RetrieveAttribute(nil, bucket, "", corskey)
+	if errors.Is(err, meta.ErrNoSuchKey) {
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchCORSConfiguration)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return cors, nil
+}
+
+func (p *Posix) DeleteBucketCors(ctx context.Context, bucket string) error {
+	return p.PutBucketCors(ctx, bucket, nil)
+}
+
 func (p *Posix) isBucketObjectLockEnabled(bucket string) error {
 	cfg, err := p.meta.RetrieveAttribute(nil, bucket, "", bucketLockKey)
 	if errors.Is(err, fs.ErrNotExist) {
@@ -4908,8 +5004,8 @@ func (p *Posix) GetObjectRetention(_ context.Context, bucket, object, versionId
 	return data, nil
 }

-func (p *Posix) ChangeBucketOwner(ctx context.Context, bucket string, acl []byte) error {
-	return p.PutBucketAcl(ctx, bucket, acl)
+func (p *Posix) ChangeBucketOwner(ctx context.Context, bucket, owner string) error {
+	return auth.UpdateBucketACLOwner(ctx, p, bucket, owner)
 }

 func listBucketFileInfos(bucketlinks bool) ([]fs.FileInfo, error) {
--- a/backend/posix/with_otmpfile.go
+++ b/backend/posix/with_otmpfile.go
@@ -26,6 +26,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"syscall"
+	"time"

 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
@@ -165,14 +166,10 @@ func (tmp *tmpfile) link() error {
 	// of last upload completed wins and is not some combination of writes
 	// from simultaneous uploads.
 	objPath := filepath.Join(tmp.bucket, tmp.objname)
-	err := os.Remove(objPath)
-	if err != nil && !errors.Is(err, fs.ErrNotExist) {
-		return fmt.Errorf("remove stale path: %w", err)
-	}

 	dir := filepath.Dir(objPath)

-	err = backend.MkdirAll(dir, tmp.uid, tmp.gid, tmp.needsChown, tmp.newDirPerm)
+	err := backend.MkdirAll(dir, tmp.uid, tmp.gid, tmp.needsChown, tmp.newDirPerm)
 	if err != nil {
 		return fmt.Errorf("make parent dir: %w", err)
 	}
@@ -194,21 +191,33 @@ func (tmp *tmpfile) link() error {
 	}
 	defer dirf.Close()

-	for {
-		err = unix.Linkat(int(procdir.Fd()), filepath.Base(tmp.f.Name()),
-			int(dirf.Fd()), filepath.Base(objPath), unix.AT_SYMLINK_FOLLOW)
-		if errors.Is(err, syscall.EEXIST) {
-			err := os.Remove(objPath)
-			if err != nil && !errors.Is(err, fs.ErrNotExist) {
-				return fmt.Errorf("remove stale path: %w", err)
+	err = unix.Linkat(int(procdir.Fd()), filepath.Base(tmp.f.Name()),
+		int(dirf.Fd()), filepath.Base(objPath), unix.AT_SYMLINK_FOLLOW)
+	if errors.Is(err, syscall.EEXIST) {
+		// Linkat cannot overwrite files; we will allocate a temporary file, Linkat to it and then Renameat it
+		// to avoid potential race condition
+		retries := 1
+		for {
+			tmpName := fmt.Sprintf(".%s.sgwtmp.%d", filepath.Base(objPath), time.Now().UnixNano())
+			err := unix.Linkat(int(procdir.Fd()), filepath.Base(tmp.f.Name()),
+				int(dirf.Fd()), tmpName, unix.AT_SYMLINK_FOLLOW)
+			if errors.Is(err, syscall.EEXIST) && retries < 3 {
+				retries += 1
+				continue
 			}
-			continue
+			if err != nil {
+				return fmt.Errorf("cannot find free temporary file: %w", err)
+			}
+
+			err = unix.Renameat(int(dirf.Fd()), tmpName, int(dirf.Fd()), filepath.Base(objPath))
+			if err != nil {
+				return fmt.Errorf("overwriting renameat failed: %w", err)
+			}
+			break
 		}
-		if err != nil {
-			return fmt.Errorf("link tmpfile (fd %q as %q): %w",
-				filepath.Base(tmp.f.Name()), objPath, err)
-		}
-		break
+	} else if err != nil {
+		return fmt.Errorf("link tmpfile (fd %q as %q): %w",
+			filepath.Base(tmp.f.Name()), objPath, err)
 	}

 	err = tmp.f.Close()
--- a/backend/s3proxy/client.go
+++ b/backend/s3proxy/client.go
@@ -37,6 +37,10 @@ func (s *S3Proxy) getClientWithCtx(ctx context.Context) (*s3.Client, error) {
 		return s3.NewFromConfig(cfg, func(o *s3.Options) {
 			o.BaseEndpoint = &s.endpoint
 			o.UsePathStyle = s.usePathStyle
+			// The http body stream is not seekable, so most operations cannot
+			// be retried. The error returned to the original client may be
+			// retried by the client.
+			o.Retryer = aws.NopRetryer{}
 		}), nil
 	}

--- a/backend/s3proxy/s3.go
+++ b/backend/s3proxy/s3.go
@@ -17,17 +17,13 @@ package s3proxy
 import (
 	"bytes"
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
+	"encoding/xml"
 	"errors"
 	"fmt"
 	"io"
-	"net/http"
 	"strconv"
 	"time"

-	"github.com/aws/aws-sdk-go-v2/aws"
 	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
 	awshttp "github.com/aws/aws-sdk-go-v2/aws/transport/http"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
@@ -122,7 +118,7 @@ func (s *S3Proxy) ListBuckets(ctx context.Context, input s3response.ListBucketsI
 			continue
 		}

-		data, err := s.getMetaBucketObjData(ctx, *b.Name, metaPrefixAcl)
+		data, err := s.getMetaBucketObjData(ctx, *b.Name, metaPrefixAcl, false)
 		if err != nil {
 			return s3response.ListAllMyBucketsResult{}, handleError(err)
 		}
@@ -186,7 +182,7 @@ func (s *S3Proxy) CreateBucket(ctx context.Context, input *s3.CreateBucketInput,
 	}

 	if s.metaBucket != "" {
-		data, err := s.getMetaBucketObjData(ctx, *input.Bucket, metaPrefixAcl)
+		data, err := s.getMetaBucketObjData(ctx, *input.Bucket, metaPrefixAcl, true)
 		if err == nil {
 			acl, err := auth.ParseACL(data)
 			if err != nil {
@@ -380,7 +376,7 @@ func (s *S3Proxy) CreateMultipartUpload(ctx context.Context, input s3response.Cr
 	if input.ExpectedBucketOwner != nil && *input.ExpectedBucketOwner == "" {
 		input.ExpectedBucketOwner = nil
 	}
-	if input.ObjectLockRetainUntilDate != nil && *input.ObjectLockRetainUntilDate == defTime {
+	if input.ObjectLockRetainUntilDate != nil && (*input.ObjectLockRetainUntilDate).Equal(defTime) {
 		input.ObjectLockRetainUntilDate = nil
 	}
 	if input.SSECustomerAlgorithm != nil && *input.SSECustomerAlgorithm == "" {
@@ -530,7 +526,7 @@ func (s *S3Proxy) AbortMultipartUpload(ctx context.Context, input *s3.AbortMulti
 	if input.ExpectedBucketOwner != nil && *input.ExpectedBucketOwner == "" {
 		input.ExpectedBucketOwner = nil
 	}
-	if input.IfMatchInitiatedTime != nil && *input.IfMatchInitiatedTime == defTime {
+	if input.IfMatchInitiatedTime != nil && (*input.IfMatchInitiatedTime).Equal(defTime) {
 		input.IfMatchInitiatedTime = nil
 	}
 	_, err := s.client.AbortMultipartUpload(ctx, input)
@@ -735,13 +731,13 @@ func (s *S3Proxy) UploadPartCopy(ctx context.Context, input *s3.UploadPartCopyIn
 	if input.CopySourceIfMatch != nil && *input.CopySourceIfMatch == "" {
 		input.CopySourceIfMatch = nil
 	}
-	if input.CopySourceIfModifiedSince != nil && *input.CopySourceIfModifiedSince == defTime {
+	if input.CopySourceIfModifiedSince != nil && (*input.CopySourceIfModifiedSince).Equal(defTime) {
 		input.CopySourceIfModifiedSince = nil
 	}
 	if input.CopySourceIfNoneMatch != nil && *input.CopySourceIfNoneMatch == "" {
 		input.CopySourceIfNoneMatch = nil
 	}
-	if input.CopySourceIfUnmodifiedSince != nil && *input.CopySourceIfUnmodifiedSince == defTime {
+	if input.CopySourceIfUnmodifiedSince != nil && (*input.CopySourceIfUnmodifiedSince).Equal(defTime) {
 		input.CopySourceIfUnmodifiedSince = nil
 	}
 	if input.CopySourceRange != nil && *input.CopySourceRange == "" {
@@ -955,13 +951,13 @@ func (s *S3Proxy) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s
 	if input.IfMatch != nil && *input.IfMatch == "" {
 		input.IfMatch = nil
 	}
-	if input.IfModifiedSince != nil && *input.IfModifiedSince == defTime {
+	if input.IfModifiedSince != nil && (*input.IfModifiedSince).Equal(defTime) {
 		input.IfModifiedSince = nil
 	}
 	if input.IfNoneMatch != nil && *input.IfNoneMatch == "" {
 		input.IfNoneMatch = nil
 	}
-	if input.IfUnmodifiedSince != nil && *input.IfUnmodifiedSince == defTime {
+	if input.IfUnmodifiedSince != nil && (*input.IfUnmodifiedSince).Equal(defTime) {
 		input.IfUnmodifiedSince = nil
 	}
 	if input.PartNumber != nil && *input.PartNumber == 0 {
@@ -985,7 +981,7 @@ func (s *S3Proxy) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s
 	if input.ResponseContentType != nil && *input.ResponseContentType == "" {
 		input.ResponseContentType = nil
 	}
-	if input.ResponseExpires != nil && *input.ResponseExpires == defTime {
+	if input.ResponseExpires != nil && (*input.ResponseExpires).Equal(defTime) {
 		input.ResponseExpires = nil
 	}
 	if input.SSECustomerAlgorithm != nil && *input.SSECustomerAlgorithm == "" {
@@ -1015,13 +1011,13 @@ func (s *S3Proxy) GetObject(ctx context.Context, input *s3.GetObjectInput) (*s3.
 	if input.IfMatch != nil && *input.IfMatch == "" {
 		input.IfMatch = nil
 	}
-	if input.IfModifiedSince != nil && *input.IfModifiedSince == defTime {
+	if input.IfModifiedSince != nil && (*input.IfModifiedSince).Equal(defTime) {
 		input.IfModifiedSince = nil
 	}
 	if input.IfNoneMatch != nil && *input.IfNoneMatch == "" {
 		input.IfNoneMatch = nil
 	}
-	if input.IfUnmodifiedSince != nil && *input.IfUnmodifiedSince == defTime {
+	if input.IfUnmodifiedSince != nil && (*input.IfUnmodifiedSince).Equal(defTime) {
 		input.IfUnmodifiedSince = nil
 	}
 	if input.PartNumber != nil && *input.PartNumber == 0 {
@@ -1045,7 +1041,7 @@ func (s *S3Proxy) GetObject(ctx context.Context, input *s3.GetObjectInput) (*s3.
 	if input.ResponseContentType != nil && *input.ResponseContentType == "" {
 		input.ResponseContentType = nil
 	}
-	if input.ResponseExpires != nil && *input.ResponseExpires == defTime {
+	if input.ResponseExpires != nil && (*input.ResponseExpires).Equal(defTime) {
 		input.ResponseExpires = nil
 	}
 	if input.SSECustomerAlgorithm != nil && *input.SSECustomerAlgorithm == "" {
@@ -1153,13 +1149,13 @@ func (s *S3Proxy) CopyObject(ctx context.Context, input s3response.CopyObjectInp
 	if input.CopySourceIfMatch != nil && *input.CopySourceIfMatch == "" {
 		input.CopySourceIfMatch = nil
 	}
-	if input.CopySourceIfModifiedSince != nil && *input.CopySourceIfModifiedSince == defTime {
+	if input.CopySourceIfModifiedSince != nil && (*input.CopySourceIfModifiedSince).Equal(defTime) {
 		input.CopySourceIfModifiedSince = nil
 	}
 	if input.CopySourceIfNoneMatch != nil && *input.CopySourceIfNoneMatch == "" {
 		input.CopySourceIfNoneMatch = nil
 	}
-	if input.CopySourceIfUnmodifiedSince != nil && *input.CopySourceIfUnmodifiedSince == defTime {
+	if input.CopySourceIfUnmodifiedSince != nil && (*input.CopySourceIfUnmodifiedSince).Equal(defTime) {
 		input.CopySourceIfUnmodifiedSince = nil
 	}
 	if input.CopySourceSSECustomerAlgorithm != nil && *input.CopySourceSSECustomerAlgorithm == "" {
@@ -1192,7 +1188,7 @@ func (s *S3Proxy) CopyObject(ctx context.Context, input s3response.CopyObjectInp
 	if input.GrantWriteACP != nil && *input.GrantWriteACP == "" {
 		input.GrantWriteACP = nil
 	}
-	if input.ObjectLockRetainUntilDate != nil && *input.ObjectLockRetainUntilDate == defTime {
+	if input.ObjectLockRetainUntilDate != nil && (*input.ObjectLockRetainUntilDate).Equal(defTime) {
 		input.ObjectLockRetainUntilDate = nil
 	}
 	if input.SSECustomerAlgorithm != nil && *input.SSECustomerAlgorithm == "" {
@@ -1392,7 +1388,7 @@ func (s *S3Proxy) DeleteObject(ctx context.Context, input *s3.DeleteObjectInput)
 	if input.IfMatch != nil && *input.IfMatch == "" {
 		input.IfMatch = nil
 	}
-	if input.IfMatchLastModifiedTime != nil && *input.IfMatchLastModifiedTime == defTime {
+	if input.IfMatchLastModifiedTime != nil && (*input.IfMatchLastModifiedTime).Equal(defTime) {
 		input.IfMatchLastModifiedTime = nil
 	}
 	if input.IfMatchSize != nil && *input.IfMatchSize == 0 {
@@ -1436,7 +1432,7 @@ func (s *S3Proxy) DeleteObjects(ctx context.Context, input *s3.DeleteObjectsInpu
 }

 func (s *S3Proxy) GetBucketAcl(ctx context.Context, input *s3.GetBucketAclInput) ([]byte, error) {
-	data, err := s.getMetaBucketObjData(ctx, *input.Bucket, metaPrefixAcl)
+	data, err := s.getMetaBucketObjData(ctx, *input.Bucket, metaPrefixAcl, false)
 	if err != nil {
 		return nil, handleError(err)
 	}
@@ -1501,12 +1497,51 @@ func (s *S3Proxy) DeleteObjectTagging(ctx context.Context, bucket, object string
 	return handleError(err)
 }

+func (s *S3Proxy) PutBucketCors(ctx context.Context, bucket string, cors []byte) error {
+	cfg, err := auth.ParseCORSOutput(cors)
+	if err != nil {
+		return handleError(err)
+	}
+
+	_, err = s.client.PutBucketCors(ctx, &s3.PutBucketCorsInput{
+		Bucket:            &bucket,
+		CORSConfiguration: parseGatewayCORSToSDKConfig(cfg),
+	})
+
+	return handleError(err)
+}
+
+func (s *S3Proxy) GetBucketCors(ctx context.Context, bucket string) ([]byte, error) {
+	resp, err := s.client.GetBucketCors(ctx, &s3.GetBucketCorsInput{
+		Bucket: &bucket,
+	})
+	if err != nil {
+		return nil, handleError(err)
+	}
+
+	config := parseSdkCORSToGatewayConfig(resp.CORSRules)
+	data, err := xml.Marshal(config)
+	if err != nil {
+		return nil, handleError(err)
+	}
+
+	return data, nil
+}
+
+func (s *S3Proxy) DeleteBucketCors(ctx context.Context, bucket string) error {
+	_, err := s.client.DeleteBucketCors(ctx, &s3.DeleteBucketCorsInput{
+		Bucket: &bucket,
+	})
+
+	return handleError(err)
+}
+
 func (s *S3Proxy) PutBucketPolicy(ctx context.Context, bucket string, policy []byte) error {
 	return handleError(s.putMetaBucketObj(ctx, bucket, policy, metaPrefixPolicy))
 }

 func (s *S3Proxy) GetBucketPolicy(ctx context.Context, bucket string) ([]byte, error) {
-	data, err := s.getMetaBucketObjData(ctx, bucket, metaPrefixPolicy)
+	data, err := s.getMetaBucketObjData(ctx, bucket, metaPrefixPolicy, false)
 	if err != nil {
 		return nil, handleError(err)
 	}
@@ -1552,82 +1587,39 @@ func (s *S3Proxy) GetObjectLegalHold(ctx context.Context, bucket, object, versio
 	return nil, s3err.GetAPIError(s3err.ErrNotImplemented)
 }

-func (s *S3Proxy) ChangeBucketOwner(ctx context.Context, bucket string, acl []byte) error {
-	acll, err := auth.ParseACL(acl)
-	if err != nil {
-		return err
-	}
-
-	req, err := http.NewRequest(http.MethodPatch, fmt.Sprintf("%v/change-bucket-owner/?bucket=%v&owner=%v", s.endpoint, bucket, acll.Owner), nil)
-	if err != nil {
-		return fmt.Errorf("failed to send the request: %w", err)
-	}
-
-	signer := v4.NewSigner()
-
-	hashedPayload := sha256.Sum256([]byte{})
-	hexPayload := hex.EncodeToString(hashedPayload[:])
-
-	req.Header.Set("X-Amz-Content-Sha256", hexPayload)
-
-	signErr := signer.SignHTTP(req.Context(), aws.Credentials{AccessKeyID: s.access, SecretAccessKey: s.secret}, req, hexPayload, "s3", s.awsRegion, time.Now())
-	if signErr != nil {
-		return fmt.Errorf("failed to sign the request: %w", err)
-	}
-
-	client := http.Client{}
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return fmt.Errorf("failed to send the request: %w", err)
-	}
-
-	if resp.StatusCode > 300 {
-		body, err := io.ReadAll(resp.Body)
-		if err != nil {
-			return err
-		}
-		defer resp.Body.Close()
-		return fmt.Errorf("%v", string(body))
-	}
-
-	return nil
+func (s *S3Proxy) ChangeBucketOwner(ctx context.Context, bucket, owner string) error {
+	return auth.UpdateBucketACLOwner(ctx, s, bucket, owner)
 }

 func (s *S3Proxy) ListBucketsAndOwners(ctx context.Context) ([]s3response.Bucket, error) {
-	req, err := http.NewRequest(http.MethodPatch, fmt.Sprintf("%v/list-buckets", s.endpoint), nil)
-	if err != nil {
-		return []s3response.Bucket{}, fmt.Errorf("failed to send the request: %w", err)
-	}
-
-	signer := v4.NewSigner()
-
-	hashedPayload := sha256.Sum256([]byte{})
-	hexPayload := hex.EncodeToString(hashedPayload[:])
-
-	req.Header.Set("X-Amz-Content-Sha256", hexPayload)
-
-	signErr := signer.SignHTTP(req.Context(), aws.Credentials{AccessKeyID: s.access, SecretAccessKey: s.secret}, req, hexPayload, "s3", s.awsRegion, time.Now())
-	if signErr != nil {
-		return []s3response.Bucket{}, fmt.Errorf("failed to sign the request: %w", err)
-	}
-
-	client := http.Client{}
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return []s3response.Bucket{}, fmt.Errorf("failed to send the request: %w", err)
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return []s3response.Bucket{}, err
-	}
-	defer resp.Body.Close()
-
 	var buckets []s3response.Bucket
-	if err := json.Unmarshal(body, &buckets); err != nil {
-		return []s3response.Bucket{}, err
+
+	paginator := s3.NewListBucketsPaginator(s.client, &s3.ListBucketsInput{})
+
+	for paginator.HasMorePages() {
+		page, err := paginator.NextPage(ctx)
+		if err != nil {
+			return nil, handleError(err)
+		}
+		for _, bucket := range page.Buckets {
+			if *bucket.Name == s.metaBucket {
+				continue
+			}
+			aclJSON, err := s.getMetaBucketObjData(ctx, *bucket.Name, metaPrefixAcl, false)
+			if err != nil {
+				return nil, handleError(err)
+			}
+
+			acl, err := auth.ParseACL(aclJSON)
+			if err != nil {
+				return buckets, fmt.Errorf("parse acl tag: %w", err)
+			}
+
+			buckets = append(buckets, s3response.Bucket{
+				Name:  *bucket.Name,
+				Owner: acl.Owner,
+			})
+		}
 	}

 	return buckets, nil
@@ -1656,7 +1648,10 @@ func (s *S3Proxy) putMetaBucketObj(ctx context.Context, bucket string, data []by
 	return err
 }

-func (s *S3Proxy) getMetaBucketObjData(ctx context.Context, bucket string, prefix metaPrefix) ([]byte, error) {
+// set checkExists to true if using to check for existence of bucket, in
+// this case it will not return default acl/policy if the metadata does
+// not exist
+func (s *S3Proxy) getMetaBucketObjData(ctx context.Context, bucket string, prefix metaPrefix, checkExists bool) ([]byte, error) {
 	// return default bahviour of get bucket policy/acl, if meta bucket is not provided
 	if s.metaBucket == "" {
 		switch prefix {
@@ -1674,6 +1669,10 @@ func (s *S3Proxy) getMetaBucketObjData(ctx context.Context, bucket string, prefi
 		Key:    &key,
 	})
 	if areErrSame(err, s3err.GetAPIError(s3err.ErrNoSuchKey)) {
+		if checkExists {
+			return nil, err
+		}
+
 		switch prefix {
 		case metaPrefixAcl:
 			// If bucket acl is not found, return default acl
@@ -1782,3 +1781,89 @@ func convertObjectVersions(versions []types.ObjectVersion) []s3response.ObjectVe

 	return result
 }
+
+func parseGatewayCORSToSDKConfig(config *auth.CORSConfiguration) *types.CORSConfiguration {
+	if config == nil {
+		return nil
+	}
+
+	result := &types.CORSConfiguration{
+		CORSRules: make([]types.CORSRule, 0, len(config.Rules)),
+	}
+
+	for _, cfg := range config.Rules {
+		result.CORSRules = append(result.CORSRules, types.CORSRule{
+			AllowedMethods: convertCORSMethodsToString(cfg.AllowedMethods),
+			AllowedHeaders: convertCORSHeadersToString(cfg.AllowedHeaders),
+			ExposeHeaders:  convertCORSHeadersToString(cfg.ExposeHeaders),
+			AllowedOrigins: cfg.AllowedOrigins,
+			ID:             cfg.ID,
+			MaxAgeSeconds:  cfg.MaxAgeSeconds,
+		})
+	}
+
+	return result
+}
+
+// convertCORSHeadersToString []auth.CORSHeader to []string
+func convertCORSHeadersToString(headers []auth.CORSHeader) []string {
+	result := make([]string, 0, len(headers))
+	for _, h := range headers {
+		result = append(result, h.String())
+	}
+
+	return result
+}
+
+// convertCORSMethodsToString converts []auth.CORSHTTPMethod to []string
+func convertCORSMethodsToString(methods []auth.CORSHTTPMethod) []string {
+	result := make([]string, 0, len(methods))
+	for _, m := range methods {
+		result = append(result, m.String())
+	}
+
+	return result
+}
+
+// convertCORSHeaders converts []string to []auth.CORSHeader
+func convertCORSHeaders(headers []string) []auth.CORSHeader {
+	result := make([]auth.CORSHeader, 0, len(headers))
+	for _, h := range headers {
+		result = append(result, auth.CORSHeader(h))
+	}
+
+	return result
+}
+
+// convertCORSMethods converts []string to []auth.CORSHTTPMethod
+func convertCORSMethods(methods []string) []auth.CORSHTTPMethod {
+	result := make([]auth.CORSHTTPMethod, 0, len(methods))
+	for _, m := range methods {
+		result = append(result, auth.CORSHTTPMethod(m))
+	}
+
+	return result
+}
+
+func parseSdkCORSToGatewayConfig(rules []types.CORSRule) *auth.CORSConfiguration {
+	if rules == nil {
+		return nil
+	}
+
+	result := &auth.CORSConfiguration{
+		Rules: make([]auth.CORSRule, 0, len(rules)),
+	}
+
+	for _, cfg := range rules {
+		result.Rules = append(result.Rules, auth.CORSRule{
+			AllowedMethods: convertCORSMethods(cfg.AllowedMethods),
+			AllowedHeaders: convertCORSHeaders(cfg.AllowedHeaders),
+			ExposeHeaders:  convertCORSHeaders(cfg.ExposeHeaders),
+			AllowedOrigins: cfg.AllowedOrigins,
+			ID:             cfg.ID,
+			MaxAgeSeconds:  cfg.MaxAgeSeconds,
+		})
+	}
+
+	return result
+}
--- a/backend/scoutfs/scoutfs.go
+++ b/backend/scoutfs/scoutfs.go
@@ -21,7 +21,6 @@ import (
 	"errors"
 	"fmt"
 	"io/fs"
-	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
@@ -30,21 +29,27 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/pkg/xattr"
-	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
-	"github.com/versity/versitygw/backend/meta"
 	"github.com/versity/versitygw/backend/posix"
-	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3err"
 	"github.com/versity/versitygw/s3response"
 )

+// ScoutfsOpts are the options for the ScoutFS backend
 type ScoutfsOpts struct {
-	ChownUID         bool
-	ChownGID         bool
-	GlacierMode      bool
-	BucketLinks      bool
-	NewDirPerm       fs.FileMode
+	// ChownUID sets the UID of the object to the UID of the user on PUT
+	ChownUID bool
+	// ChownGID sets the GID of the object to the GID of the user on PUT
+	ChownGID bool
+	// BucketLinks enables symlinks to directories to be treated as buckets
+	BucketLinks bool
+	//VersioningDir sets the version directory to enable object versioning
+	VersioningDir string
+	// NewDirPerm specifies the permission to set on newly created directories
+	NewDirPerm fs.FileMode
+	// GlacierMode enables glacier emulation for offline files
+	GlacierMode bool
+	// DisableNoArchive prevents setting noarchive on temporary files
 	DisableNoArchive bool
 }

@@ -53,9 +58,6 @@ type ScoutFS struct {
 	rootfd  *os.File
 	rootdir string

-	// bucket/object metadata storage facility
-	meta meta.MetadataStorer
-
 	// glaciermode enables the following behavior:
 	// GET object:  if file offline, return invalid object state
 	// HEAD object: if file offline, set obj storage class to GLACIER
@@ -67,19 +69,6 @@ type ScoutFS struct {
 	// RestoreObject: add batch stage request to file
 	glaciermode bool

-	// chownuid/gid enable chowning of files to the account uid/gid
-	// when objects are uploaded
-	chownuid bool
-	chowngid bool
-
-	// euid/egid are the effective uid/gid of the running versitygw process
-	// used to determine if chowning is needed
-	euid int
-	egid int
-
-	// newDirPerm is the permissions to use when creating new directories
-	newDirPerm fs.FileMode
-
 	// disableNoArchive is used to disable setting scoutam noarchive flag
 	// on mutlipart parts. This is enabled by default to prevent archive
 	// copies of temporary multipart parts.
@@ -89,24 +78,6 @@ type ScoutFS struct {
 var _ backend.Backend = &ScoutFS{}

 const (
-	metaTmpDir          = ".sgwtmp"
-	metaTmpMultipartDir = metaTmpDir + "/multipart"
-	tagHdr              = "X-Amz-Tagging"
-	metaHdr             = "X-Amz-Meta"
-	contentTypeHdr      = "content-type"
-	contentEncHdr       = "content-encoding"
-	contentLangHdr      = "content-language"
-	contentDispHdr      = "content-disposition"
-	cacheCtrlHdr        = "cache-control"
-	expiresHdr          = "expires"
-	emptyMD5            = "d41d8cd98f00b204e9800998ecf8427e"
-	etagkey             = "etag"
-	checksumsKey        = "checksums"
-	objectRetentionKey  = "object-retention"
-	objectLegalHoldKey  = "object-legal-hold"
-)
-
-var (
 	stageComplete      = "ongoing-request=\"false\", expiry-date=\"Fri, 2 Dec 2050 00:00:00 GMT\""
 	stageInProgress    = "true"
 	stageNotInProgress = "false"
@@ -146,25 +117,6 @@ func (*ScoutFS) String() string {
 	return "ScoutFS Gateway"
 }

-// getChownIDs returns the uid and gid that should be used for chowning
-// the object to the account uid/gid. It also returns a boolean indicating
-// if chowning is needed.
-func (s *ScoutFS) getChownIDs(acct auth.Account) (int, int, bool) {
-	uid := s.euid
-	gid := s.egid
-	var needsChown bool
-	if s.chownuid && acct.UserID != s.euid {
-		uid = acct.UserID
-		needsChown = true
-	}
-	if s.chowngid && acct.GroupID != s.egid {
-		gid = acct.GroupID
-		needsChown = true
-	}
-
-	return uid, gid, needsChown
-}
-
 func (s *ScoutFS) UploadPart(ctx context.Context, input *s3.UploadPartInput) (*s3.UploadPartOutput, error) {
 	out, err := s.Posix.UploadPart(ctx, input)
 	if err != nil {
@@ -175,7 +127,7 @@ func (s *ScoutFS) UploadPart(ctx context.Context, input *s3.UploadPartInput) (*s
 		sum := sha256.Sum256([]byte(*input.Key))
 		partPath := filepath.Join(
 			*input.Bucket,                        // bucket
-			metaTmpMultipartDir,                  // temp multipart dir
+			posix.MetaTmpMultipartDir,            // temp multipart dir
 			fmt.Sprintf("%x", sum),               // hashed objname
 			*input.UploadId,                      // upload id
 			fmt.Sprintf("%v", *input.PartNumber), // part number
@@ -194,446 +146,7 @@ func (s *ScoutFS) UploadPart(ctx context.Context, input *s3.UploadPartInput) (*s
 // ioctl to not have to read and copy the part data to the final object. This
 // saves a read and write cycle for all mutlipart uploads.
 func (s *ScoutFS) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteMultipartUploadInput) (s3response.CompleteMultipartUploadResult, string, error) {
-	acct, ok := ctx.Value("account").(auth.Account)
-	if !ok {
-		acct = auth.Account{}
-	}
-
-	var res s3response.CompleteMultipartUploadResult
-
-	if input.Bucket == nil {
-		return res, "", s3err.GetAPIError(s3err.ErrInvalidBucketName)
-	}
-	if input.Key == nil {
-		return res, "", s3err.GetAPIError(s3err.ErrNoSuchKey)
-	}
-	if input.UploadId == nil {
-		return res, "", s3err.GetAPIError(s3err.ErrNoSuchUpload)
-	}
-	if input.MultipartUpload == nil {
-		return res, "", s3err.GetAPIError(s3err.ErrInvalidRequest)
-	}
-
-	bucket := *input.Bucket
-	object := *input.Key
-	uploadID := *input.UploadId
-	parts := input.MultipartUpload.Parts
-
-	_, err := os.Stat(bucket)
-	if errors.Is(err, fs.ErrNotExist) {
-		return res, "", s3err.GetAPIError(s3err.ErrNoSuchBucket)
-	}
-	if err != nil {
-		return res, "", fmt.Errorf("stat bucket: %w", err)
-	}
-
-	sum, err := s.checkUploadIDExists(bucket, object, uploadID)
-	if err != nil {
-		return res, "", err
-	}
-
-	objdir := filepath.Join(metaTmpMultipartDir, fmt.Sprintf("%x", sum))
-
-	checksums, err := s.retrieveChecksums(nil, bucket, filepath.Join(objdir, uploadID))
-	if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
-		return res, "", fmt.Errorf("get mp checksums: %w", err)
-	}
-
-	// ChecksumType should be the same as specified on CreateMultipartUpload
-	if input.ChecksumType != "" && checksums.Type != input.ChecksumType {
-		checksumType := checksums.Type
-		if checksumType == "" {
-			checksumType = types.ChecksumType("null")
-		}
-
-		return res, "", s3err.GetChecksumTypeMismatchOnMpErr(checksumType)
-	}
-
-	// check all parts ok
-	last := len(parts) - 1
-	var totalsize int64
-
-	// The initialie values is the lower limit of partNumber: 0
-	var partNumber int32
-	for i, part := range parts {
-		if part.PartNumber == nil {
-			return res, "", s3err.GetAPIError(s3err.ErrInvalidPart)
-		}
-		if *part.PartNumber < 1 {
-			return res, "", s3err.GetAPIError(s3err.ErrInvalidCompleteMpPartNumber)
-		}
-		if *part.PartNumber <= partNumber {
-			return res, "", s3err.GetAPIError(s3err.ErrInvalidPartOrder)
-		}
-
-		partNumber = *part.PartNumber
-
-		partObjPath := filepath.Join(objdir, uploadID, fmt.Sprintf("%v", *part.PartNumber))
-		fullPartPath := filepath.Join(bucket, partObjPath)
-		fi, err := os.Lstat(fullPartPath)
-		if err != nil {
-			return res, "", s3err.GetAPIError(s3err.ErrInvalidPart)
-		}
-
-		totalsize += fi.Size()
-		// all parts except the last need to be greater, thena
-		// the minimum allowed size (5 Mib)
-		if i < last && fi.Size() < backend.MinPartSize {
-			return res, "", s3err.GetAPIError(s3err.ErrEntityTooSmall)
-		}
-
-		b, err := s.meta.RetrieveAttribute(nil, bucket, partObjPath, etagkey)
-		etag := string(b)
-		if err != nil {
-			etag = ""
-		}
-		if parts[i].ETag == nil || !backend.AreEtagsSame(etag, *parts[i].ETag) {
-			return res, "", s3err.GetAPIError(s3err.ErrInvalidPart)
-		}
-
-		partChecksum, err := s.retrieveChecksums(nil, bucket, partObjPath)
-		if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
-			return res, "", fmt.Errorf("get part checksum: %w", err)
-		}
-
-		// If checksum has been provided on mp initalization
-		err = validatePartChecksum(partChecksum, part)
-		if err != nil {
-			return res, "", err
-		}
-	}
-
-	if input.MpuObjectSize != nil && totalsize != *input.MpuObjectSize {
-		return res, "", s3err.GetIncorrectMpObjectSizeErr(totalsize, *input.MpuObjectSize)
-	}
-
-	// use totalsize=0 because we wont be writing to the file, only moving
-	// extents around.  so we dont want to fallocate this.
-	f, err := s.openTmpFile(filepath.Join(bucket, metaTmpDir), bucket, object, 0, acct)
-	if err != nil {
-		if errors.Is(err, syscall.EDQUOT) {
-			return res, "", s3err.GetAPIError(s3err.ErrQuotaExceeded)
-		}
-		return res, "", fmt.Errorf("open temp file: %w", err)
-	}
-	defer f.cleanup()
-
-	for _, part := range parts {
-		if part.PartNumber == nil || *part.PartNumber < 1 {
-			return res, "", s3err.GetAPIError(s3err.ErrInvalidPart)
-		}
-
-		partObjPath := filepath.Join(objdir, uploadID, fmt.Sprintf("%v", *part.PartNumber))
-		fullPartPath := filepath.Join(bucket, partObjPath)
-		pf, err := os.Open(fullPartPath)
-		if err != nil {
-			return res, "", fmt.Errorf("open part %v: %v", *part.PartNumber, err)
-		}
-
-		// scoutfs move data is a metadata only operation that moves the data
-		// extent references from the source, appeding to the destination.
-		// this needs to be 4k aligned.
-		err = moveData(pf, f.File())
-		pf.Close()
-		if err != nil {
-			return res, "", fmt.Errorf("move blocks part %v: %v", *part.PartNumber, err)
-		}
-	}
-
-	userMetaData := make(map[string]string)
-	upiddir := filepath.Join(objdir, uploadID)
-	objMeta := s.loadUserMetaData(bucket, upiddir, userMetaData)
-	err = s.storeObjectMetadata(f.File(), bucket, object, objMeta)
-	if err != nil {
-		return res, "", err
-	}
-
-	objname := filepath.Join(bucket, object)
-	dir := filepath.Dir(objname)
-	if dir != "" {
-		uid, gid, doChown := s.getChownIDs(acct)
-		err = backend.MkdirAll(dir, uid, gid, doChown, s.newDirPerm)
-		if err != nil {
-			return res, "", err
-		}
-	}
-
-	for k, v := range userMetaData {
-		err = s.meta.StoreAttribute(f.File(), bucket, object, fmt.Sprintf("%v.%v", metaHdr, k), []byte(v))
-		if err != nil {
-			return res, "", fmt.Errorf("set user attr %q: %w", k, err)
-		}
-	}
-
-	// load and set tagging
-	tagging, err := s.meta.RetrieveAttribute(nil, bucket, upiddir, tagHdr)
-	if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
-		return res, "", fmt.Errorf("get object tagging: %w", err)
-	}
-	if err == nil {
-		err := s.meta.StoreAttribute(f.File(), bucket, object, tagHdr, tagging)
-		if err != nil {
-			return res, "", fmt.Errorf("set object tagging: %w", err)
-		}
-	}
-
-	// load and set legal hold
-	lHold, err := s.meta.RetrieveAttribute(nil, bucket, upiddir, objectLegalHoldKey)
-	if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
-		return res, "", fmt.Errorf("get object legal hold: %w", err)
-	}
-	if err == nil {
-		err := s.meta.StoreAttribute(f.File(), bucket, object, objectLegalHoldKey, lHold)
-		if err != nil {
-			return res, "", fmt.Errorf("set object legal hold: %w", err)
-		}
-	}
-
-	// load and set retention
-	ret, err := s.meta.RetrieveAttribute(nil, bucket, upiddir, objectRetentionKey)
-	if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
-		return res, "", fmt.Errorf("get object retention: %w", err)
-	}
-	if err == nil {
-		err := s.meta.StoreAttribute(f.File(), bucket, object, objectRetentionKey, ret)
-		if err != nil {
-			return res, "", fmt.Errorf("set object retention: %w", err)
-		}
-	}
-
-	// Calculate s3 compatible md5sum for complete multipart.
-	s3MD5 := backend.GetMultipartMD5(parts)
-
-	err = s.meta.StoreAttribute(f.File(), bucket, object, etagkey, []byte(s3MD5))
-	if err != nil {
-		return res, "", fmt.Errorf("set etag attr: %w", err)
-	}
-
-	err = f.link()
-	if err != nil {
-		return res, "", fmt.Errorf("link object in namespace: %w", err)
-	}
-
-	// cleanup tmp dirs
-	os.RemoveAll(filepath.Join(bucket, upiddir))
-	// use Remove for objdir in case there are still other uploads
-	// for same object name outstanding
-	os.Remove(filepath.Join(bucket, objdir))
-
-	return s3response.CompleteMultipartUploadResult{
-		Bucket: &bucket,
-		ETag:   &s3MD5,
-		Key:    &object,
-	}, "", nil
-}
-
-func (s *ScoutFS) storeObjectMetadata(f *os.File, bucket, object string, m objectMetadata) error {
-	if getString(m.ContentType) != "" {
-		err := s.meta.StoreAttribute(f, bucket, object, contentTypeHdr, []byte(*m.ContentType))
-		if err != nil {
-			return fmt.Errorf("set content-type: %w", err)
-		}
-	}
-	if getString(m.ContentEncoding) != "" {
-		err := s.meta.StoreAttribute(f, bucket, object, contentEncHdr, []byte(*m.ContentEncoding))
-		if err != nil {
-			return fmt.Errorf("set content-encoding: %w", err)
-		}
-	}
-	if getString(m.ContentDisposition) != "" {
-		err := s.meta.StoreAttribute(f, bucket, object, contentDispHdr, []byte(*m.ContentDisposition))
-		if err != nil {
-			return fmt.Errorf("set content-disposition: %w", err)
-		}
-	}
-	if getString(m.ContentLanguage) != "" {
-		err := s.meta.StoreAttribute(f, bucket, object, contentLangHdr, []byte(*m.ContentLanguage))
-		if err != nil {
-			return fmt.Errorf("set content-language: %w", err)
-		}
-	}
-	if getString(m.CacheControl) != "" {
-		err := s.meta.StoreAttribute(f, bucket, object, cacheCtrlHdr, []byte(*m.CacheControl))
-		if err != nil {
-			return fmt.Errorf("set cache-control: %w", err)
-		}
-	}
-	if getString(m.Expires) != "" {
-		err := s.meta.StoreAttribute(f, bucket, object, expiresHdr, []byte(*m.Expires))
-		if err != nil {
-			return fmt.Errorf("set cache-control: %w", err)
-		}
-	}
-
-	return nil
-}
-
-func validatePartChecksum(checksum s3response.Checksum, part types.CompletedPart) error {
-	n := numberOfChecksums(part)
-	if n > 1 {
-		return s3err.GetAPIError(s3err.ErrInvalidChecksumPart)
-	}
-	if checksum.Algorithm == "" {
-		if n != 0 {
-			return s3err.GetAPIError(s3err.ErrInvalidPart)
-		}
-
-		return nil
-	}
-
-	algo := checksum.Algorithm
-	if n == 0 {
-		return s3err.APIError{
-			Code:           "InvalidRequest",
-			Description:    fmt.Sprintf("The upload was created using a %v checksum. The complete request must include the checksum for each part. It was missing for part %v in the request.", strings.ToLower(string(algo)), *part.PartNumber),
-			HTTPStatusCode: http.StatusBadRequest,
-		}
-	}
-
-	for _, cs := range []struct {
-		checksum         *string
-		expectedChecksum string
-		algo             types.ChecksumAlgorithm
-	}{
-		{part.ChecksumCRC32, getString(checksum.CRC32), types.ChecksumAlgorithmCrc32},
-		{part.ChecksumCRC32C, getString(checksum.CRC32C), types.ChecksumAlgorithmCrc32c},
-		{part.ChecksumSHA1, getString(checksum.SHA1), types.ChecksumAlgorithmSha1},
-		{part.ChecksumSHA256, getString(checksum.SHA256), types.ChecksumAlgorithmSha256},
-		{part.ChecksumCRC64NVME, getString(checksum.CRC64NVME), types.ChecksumAlgorithmCrc64nvme},
-	} {
-		if cs.checksum == nil {
-			continue
-		}
-
-		if !utils.IsValidChecksum(*cs.checksum, cs.algo) {
-			return s3err.GetAPIError(s3err.ErrInvalidChecksumPart)
-		}
-
-		if *cs.checksum != cs.expectedChecksum {
-			if algo == cs.algo {
-				return s3err.GetAPIError(s3err.ErrInvalidPart)
-			}
-
-			return s3err.APIError{
-				Code:           "BadDigest",
-				Description:    fmt.Sprintf("The %v you specified for part %v did not match what we received.", strings.ToLower(string(cs.algo)), *part.PartNumber),
-				HTTPStatusCode: http.StatusBadRequest,
-			}
-		}
-	}
-
-	return nil
-}
-
-func numberOfChecksums(part types.CompletedPart) int {
-	counter := 0
-	if getString(part.ChecksumCRC32) != "" {
-		counter++
-	}
-	if getString(part.ChecksumCRC32C) != "" {
-		counter++
-	}
-	if getString(part.ChecksumSHA1) != "" {
-		counter++
-	}
-	if getString(part.ChecksumSHA256) != "" {
-		counter++
-	}
-	if getString(part.ChecksumCRC64NVME) != "" {
-		counter++
-	}
-
-	return counter
-}
-
-func (s *ScoutFS) checkUploadIDExists(bucket, object, uploadID string) ([32]byte, error) {
-	sum := sha256.Sum256([]byte(object))
-	objdir := filepath.Join(bucket, metaTmpMultipartDir, fmt.Sprintf("%x", sum))
-
-	_, err := os.Stat(filepath.Join(objdir, uploadID))
-	if errors.Is(err, fs.ErrNotExist) {
-		return [32]byte{}, s3err.GetAPIError(s3err.ErrNoSuchUpload)
-	}
-	if err != nil {
-		return [32]byte{}, fmt.Errorf("stat upload: %w", err)
-	}
-	return sum, nil
-}
-
-type objectMetadata struct {
-	ContentType        *string
-	ContentEncoding    *string
-	ContentDisposition *string
-	ContentLanguage    *string
-	CacheControl       *string
-	Expires            *string
-}
-
-// fll out the user metadata map with the metadata for the object
-// and return the content type and encoding
-func (s *ScoutFS) loadUserMetaData(bucket, object string, m map[string]string) objectMetadata {
-	ents, err := s.meta.ListAttributes(bucket, object)
-	if err != nil || len(ents) == 0 {
-		return objectMetadata{}
-	}
-	for _, e := range ents {
-		if !isValidMeta(e) {
-			continue
-		}
-		b, err := s.meta.RetrieveAttribute(nil, bucket, object, e)
-		if err != nil {
-			continue
-		}
-		if b == nil {
-			m[strings.TrimPrefix(e, fmt.Sprintf("%v.", metaHdr))] = ""
-			continue
-		}
-		m[strings.TrimPrefix(e, fmt.Sprintf("%v.", metaHdr))] = string(b)
-	}
-
-	var result objectMetadata
-
-	b, err := s.meta.RetrieveAttribute(nil, bucket, object, contentTypeHdr)
-	if err == nil {
-		result.ContentType = backend.GetPtrFromString(string(b))
-	}
-
-	b, err = s.meta.RetrieveAttribute(nil, bucket, object, contentEncHdr)
-	if err == nil {
-		result.ContentEncoding = backend.GetPtrFromString(string(b))
-	}
-
-	b, err = s.meta.RetrieveAttribute(nil, bucket, object, contentDispHdr)
-	if err == nil {
-		result.ContentDisposition = backend.GetPtrFromString(string(b))
-	}
-
-	b, err = s.meta.RetrieveAttribute(nil, bucket, object, contentLangHdr)
-	if err == nil {
-		result.ContentLanguage = backend.GetPtrFromString(string(b))
-	}
-
-	b, err = s.meta.RetrieveAttribute(nil, bucket, object, cacheCtrlHdr)
-	if err == nil {
-		result.CacheControl = backend.GetPtrFromString(string(b))
-	}
-
-	b, err = s.meta.RetrieveAttribute(nil, bucket, object, expiresHdr)
-	if err == nil {
-		result.Expires = backend.GetPtrFromString(string(b))
-	}
-
-	return result
-}
-
-func isValidMeta(val string) bool {
-	if strings.HasPrefix(val, metaHdr) {
-		return true
-	}
-	if strings.EqualFold(val, "Expires") {
-		return true
-	}
-	return false
+	return s.Posix.CompleteMultipartUploadWithCopy(ctx, input, moveData)
 }

 func (s *ScoutFS) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3.HeadObjectOutput, error) {
@@ -730,216 +243,47 @@ func (s *ScoutFS) GetObject(ctx context.Context, input *s3.GetObjectInput) (*s3.
 }

 func (s *ScoutFS) ListObjects(ctx context.Context, input *s3.ListObjectsInput) (s3response.ListObjectsResult, error) {
-	if input.Bucket == nil {
-		return s3response.ListObjectsResult{}, s3err.GetAPIError(s3err.ErrInvalidBucketName)
+	if s.glaciermode {
+		return s.Posix.ListObjectsParametrized(ctx, input, s.glacierFileToObj)
+	} else {
+		return s.Posix.ListObjects(ctx, input)
 	}
-	bucket := *input.Bucket
-	prefix := ""
-	if input.Prefix != nil {
-		prefix = *input.Prefix
-	}
-	marker := ""
-	if input.Marker != nil {
-		marker = *input.Marker
-	}
-	delim := ""
-	if input.Delimiter != nil {
-		delim = *input.Delimiter
-	}
-	maxkeys := int32(0)
-	if input.MaxKeys != nil {
-		maxkeys = *input.MaxKeys
-	}
-
-	_, err := os.Stat(bucket)
-	if errors.Is(err, fs.ErrNotExist) {
-		return s3response.ListObjectsResult{}, s3err.GetAPIError(s3err.ErrNoSuchBucket)
-	}
-	if err != nil {
-		return s3response.ListObjectsResult{}, fmt.Errorf("stat bucket: %w", err)
-	}
-
-	fileSystem := os.DirFS(bucket)
-	results, err := backend.Walk(ctx, fileSystem, prefix, delim, marker, maxkeys,
-		s.fileToObj(bucket), []string{metaTmpDir})
-	if err != nil {
-		return s3response.ListObjectsResult{}, fmt.Errorf("walk %v: %w", bucket, err)
-	}
-
-	return s3response.ListObjectsResult{
-		CommonPrefixes: results.CommonPrefixes,
-		Contents:       results.Objects,
-		Delimiter:      backend.GetPtrFromString(delim),
-		Marker:         backend.GetPtrFromString(marker),
-		NextMarker:     backend.GetPtrFromString(results.NextMarker),
-		Prefix:         backend.GetPtrFromString(prefix),
-		IsTruncated:    &results.Truncated,
-		MaxKeys:        &maxkeys,
-		Name:           &bucket,
-	}, nil
 }

 func (s *ScoutFS) ListObjectsV2(ctx context.Context, input *s3.ListObjectsV2Input) (s3response.ListObjectsV2Result, error) {
-	if input.Bucket == nil {
-		return s3response.ListObjectsV2Result{}, s3err.GetAPIError(s3err.ErrInvalidBucketName)
+	if s.glaciermode {
+		return s.Posix.ListObjectsV2Parametrized(ctx, input, s.glacierFileToObj)
+	} else {
+		return s.Posix.ListObjectsV2(ctx, input)
 	}
-	bucket := *input.Bucket
-	prefix := ""
-	if input.Prefix != nil {
-		prefix = *input.Prefix
-	}
-	marker := ""
-	if input.ContinuationToken != nil {
-		if input.StartAfter != nil {
-			marker = max(*input.StartAfter, *input.ContinuationToken)
-		} else {
-			marker = *input.ContinuationToken
-		}
-	}
-	delim := ""
-	if input.Delimiter != nil {
-		delim = *input.Delimiter
-	}
-	maxkeys := int32(0)
-	if input.MaxKeys != nil {
-		maxkeys = *input.MaxKeys
-	}
-
-	_, err := os.Stat(bucket)
-	if errors.Is(err, fs.ErrNotExist) {
-		return s3response.ListObjectsV2Result{}, s3err.GetAPIError(s3err.ErrNoSuchBucket)
-	}
-	if err != nil {
-		return s3response.ListObjectsV2Result{}, fmt.Errorf("stat bucket: %w", err)
-	}
-
-	fileSystem := os.DirFS(bucket)
-	results, err := backend.Walk(ctx, fileSystem, prefix, delim, marker, int32(maxkeys),
-		s.fileToObj(bucket), []string{metaTmpDir})
-	if err != nil {
-		return s3response.ListObjectsV2Result{}, fmt.Errorf("walk %v: %w", bucket, err)
-	}
-
-	count := int32(len(results.Objects))
-
-	return s3response.ListObjectsV2Result{
-		CommonPrefixes:        results.CommonPrefixes,
-		Contents:              results.Objects,
-		IsTruncated:           &results.Truncated,
-		MaxKeys:               &maxkeys,
-		Name:                  &bucket,
-		KeyCount:              &count,
-		Delimiter:             backend.GetPtrFromString(delim),
-		ContinuationToken:     backend.GetPtrFromString(marker),
-		NextContinuationToken: backend.GetPtrFromString(results.NextMarker),
-		Prefix:                backend.GetPtrFromString(prefix),
-		StartAfter:            backend.GetPtrFromString(*input.StartAfter),
-	}, nil
 }

-func (s *ScoutFS) fileToObj(bucket string) backend.GetObjFunc {
+// FileToObj function for ListObject calls that adds a Glacier storage class if the file is offline
+func (s *ScoutFS) glacierFileToObj(bucket string, fetchOwner bool) backend.GetObjFunc {
+	posixFileToObj := s.Posix.FileToObj(bucket, fetchOwner)
+
 	return func(path string, d fs.DirEntry) (s3response.Object, error) {
+		res, err := posixFileToObj(path, d)
+		if err != nil || d.IsDir() {
+			return res, err
+		}
 		objPath := filepath.Join(bucket, path)
-		if d.IsDir() {
-			// directory object only happens if directory empty
-			// check to see if this is a directory object by checking etag
-			etagBytes, err := s.meta.RetrieveAttribute(nil, bucket, path, etagkey)
-			if errors.Is(err, meta.ErrNoSuchKey) || errors.Is(err, fs.ErrNotExist) {
-				return s3response.Object{}, backend.ErrSkipObj
-			}
-			if err != nil {
-				return s3response.Object{}, fmt.Errorf("get etag: %w", err)
-			}
-			etag := string(etagBytes)
-
-			fi, err := d.Info()
-			if errors.Is(err, fs.ErrNotExist) {
-				return s3response.Object{}, backend.ErrSkipObj
-			}
-			if err != nil {
-				return s3response.Object{}, fmt.Errorf("get fileinfo: %w", err)
-			}
-
-			size := int64(0)
-			mtime := fi.ModTime()
-
-			return s3response.Object{
-				ETag:         &etag,
-				Key:          &path,
-				LastModified: &mtime,
-				Size:         &size,
-				StorageClass: types.ObjectStorageClassStandard,
-			}, nil
-		}
-
-		// Retreive the object checksum algorithm
-		checksums, err := s.retrieveChecksums(nil, bucket, path)
-		if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
-			return s3response.Object{}, backend.ErrSkipObj
-		}
-
-		// file object, get object info and fill out object data
-		b, err := s.meta.RetrieveAttribute(nil, bucket, path, etagkey)
-		if errors.Is(err, fs.ErrNotExist) {
-			return s3response.Object{}, backend.ErrSkipObj
-		}
-		if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
-			return s3response.Object{}, fmt.Errorf("get etag: %w", err)
-		}
-		// note: meta.ErrNoSuchKey will return etagBytes = []byte{}
-		// so this will just set etag to "" if its not already set
-
-		etag := string(b)
-
-		fi, err := d.Info()
+		// Check if there are any offline exents associated with this file.
+		// If so, we will return the Glacier storage class
+		st, err := statMore(objPath)
 		if errors.Is(err, fs.ErrNotExist) {
 			return s3response.Object{}, backend.ErrSkipObj
 		}
 		if err != nil {
-			return s3response.Object{}, fmt.Errorf("get fileinfo: %w", err)
+			return s3response.Object{}, fmt.Errorf("stat more: %w", err)
 		}
-
-		sc := types.ObjectStorageClassStandard
-		if s.glaciermode {
-			// Check if there are any offline exents associated with this file.
-			// If so, we will return the InvalidObjectState error.
-			st, err := statMore(objPath)
-			if errors.Is(err, fs.ErrNotExist) {
-				return s3response.Object{}, backend.ErrSkipObj
-			}
-			if err != nil {
-				return s3response.Object{}, fmt.Errorf("stat more: %w", err)
-			}
-			if st.Offline_blocks != 0 {
-				sc = types.ObjectStorageClassGlacier
-			}
+		if st.Offline_blocks != 0 {
+			res.StorageClass = types.ObjectStorageClassGlacier
 		}
-
-		size := fi.Size()
-		mtime := fi.ModTime()
-
-		return s3response.Object{
-			ETag:              &etag,
-			Key:               &path,
-			LastModified:      &mtime,
-			Size:              &size,
-			StorageClass:      sc,
-			ChecksumAlgorithm: []types.ChecksumAlgorithm{checksums.Algorithm},
-			ChecksumType:      checksums.Type,
-		}, nil
+		return res, nil
 	}
 }

-func (s *ScoutFS) retrieveChecksums(f *os.File, bucket, object string) (checksums s3response.Checksum, err error) {
-	checksumsAtr, err := s.meta.RetrieveAttribute(f, bucket, object, checksumsKey)
-	if err != nil {
-		return checksums, err
-	}
-
-	err = json.Unmarshal(checksumsAtr, &checksums)
-	return checksums, err
-}
-
 // RestoreObject will set stage request on file if offline and do nothing if
 // file is online
 func (s *ScoutFS) RestoreObject(_ context.Context, input *s3.RestoreObjectInput) error {
@@ -965,13 +309,6 @@ func (s *ScoutFS) RestoreObject(_ context.Context, input *s3.RestoreObjectInput)
 	return nil
 }

-func getString(str *string) string {
-	if str == nil {
-		return ""
-	}
-	return *str
-}
-
 func isStaging(objname string) (bool, error) {
 	b, err := xattr.Get(objname, flagskey)
 	if err != nil && !isNoAttr(err) {
--- a/backend/scoutfs/scoutfs_compat.go
+++ b/backend/scoutfs/scoutfs_compat.go
@@ -17,32 +17,24 @@
 package scoutfs

 import (
-	"errors"
 	"fmt"
-	"io/fs"
 	"os"
-	"path/filepath"
-	"strconv"
-	"syscall"
-
-	"golang.org/x/sys/unix"

 	"github.com/versity/scoutfs-go"
-	"github.com/versity/versitygw/auth"
-	"github.com/versity/versitygw/backend"
 	"github.com/versity/versitygw/backend/meta"
 	"github.com/versity/versitygw/backend/posix"
-	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3api/debuglogger"
 )

 func New(rootdir string, opts ScoutfsOpts) (*ScoutFS, error) {
 	metastore := meta.XattrMeta{}

 	p, err := posix.New(rootdir, metastore, posix.PosixOpts{
-		ChownUID:    opts.ChownUID,
-		ChownGID:    opts.ChownGID,
-		BucketLinks: opts.BucketLinks,
-		NewDirPerm:  opts.NewDirPerm,
+		ChownUID:      opts.ChownUID,
+		ChownGID:      opts.ChownGID,
+		BucketLinks:   opts.BucketLinks,
+		NewDirPerm:    opts.NewDirPerm,
+		VersioningDir: opts.VersioningDir,
 	})
 	if err != nil {
 		return nil, err
@@ -57,148 +49,31 @@ func New(rootdir string, opts ScoutfsOpts) (*ScoutFS, error) {
 		Posix:            p,
 		rootfd:           f,
 		rootdir:          rootdir,
-		meta:             metastore,
-		chownuid:         opts.ChownUID,
-		chowngid:         opts.ChownGID,
 		glaciermode:      opts.GlacierMode,
-		newDirPerm:       opts.NewDirPerm,
 		disableNoArchive: opts.DisableNoArchive,
 	}, nil
 }

-const procfddir = "/proc/self/fd"
-
-type tmpfile struct {
-	f          *os.File
-	bucket     string
-	objname    string
-	size       int64
-	needsChown bool
-	uid        int
-	gid        int
-	newDirPerm fs.FileMode
-}
-
-var (
-	defaultFilePerm uint32 = 0644
-)
-
-func (s *ScoutFS) openTmpFile(dir, bucket, obj string, size int64, acct auth.Account) (*tmpfile, error) {
-	uid, gid, doChown := s.getChownIDs(acct)
-
-	// O_TMPFILE allows for a file handle to an unnamed file in the filesystem.
-	// This can help reduce contention within the namespace (parent directories),
-	// etc. And will auto cleanup the inode on close if we never link this
-	// file descriptor into the namespace.
-	fd, err := unix.Open(dir, unix.O_RDWR|unix.O_TMPFILE|unix.O_CLOEXEC, defaultFilePerm)
-	if err != nil {
-		if errors.Is(err, syscall.EROFS) {
-			return nil, s3err.GetAPIError(s3err.ErrMethodNotAllowed)
-		}
-		return nil, err
-	}
-
-	// for O_TMPFILE, filename is /proc/self/fd/<fd> to be used
-	// later to link file into namespace
-	f := os.NewFile(uintptr(fd), filepath.Join(procfddir, strconv.Itoa(fd)))
-
-	tmp := &tmpfile{
-		f:          f,
-		bucket:     bucket,
-		objname:    obj,
-		size:       size,
-		needsChown: doChown,
-		uid:        uid,
-		gid:        gid,
-		newDirPerm: s.newDirPerm,
-	}
-
-	if doChown {
-		err := f.Chown(uid, gid)
-		if err != nil {
-			return nil, fmt.Errorf("set temp file ownership: %w", err)
-		}
-	}
-
-	return tmp, nil
-}
-
-func (tmp *tmpfile) link() error {
-	// We use Linkat/Rename as the atomic operation for object puts. The
-	// upload is written to a temp (or unnamed/O_TMPFILE) file to not conflict
-	// with any other simultaneous uploads. The final operation is to move the
-	// temp file into place for the object. This ensures the object semantics
-	// of last upload completed wins and is not some combination of writes
-	// from simultaneous uploads.
-	objPath := filepath.Join(tmp.bucket, tmp.objname)
-	err := os.Remove(objPath)
-	if err != nil && !errors.Is(err, fs.ErrNotExist) {
-		return fmt.Errorf("remove stale path: %w", err)
-	}
-
-	dir := filepath.Dir(objPath)
-
-	err = backend.MkdirAll(dir, tmp.uid, tmp.gid, tmp.needsChown, tmp.newDirPerm)
-	if err != nil {
-		return fmt.Errorf("make parent dir: %w", err)
-	}
-
-	procdir, err := os.Open(procfddir)
-	if err != nil {
-		return fmt.Errorf("open proc dir: %w", err)
-	}
-	defer procdir.Close()
-
-	dirf, err := os.Open(dir)
-	if err != nil {
-		return fmt.Errorf("open parent dir: %w", err)
-	}
-	defer dirf.Close()
-
-	for {
-		err = unix.Linkat(int(procdir.Fd()), filepath.Base(tmp.f.Name()),
-			int(dirf.Fd()), filepath.Base(objPath), unix.AT_SYMLINK_FOLLOW)
-		if errors.Is(err, fs.ErrExist) {
-			err := os.Remove(objPath)
-			if err != nil && !errors.Is(err, fs.ErrNotExist) {
-				return fmt.Errorf("remove stale path: %w", err)
-			}
-			continue
-		}
-		if err != nil {
-			return fmt.Errorf("link tmpfile: %w", err)
-		}
-		break
-	}
-
-	err = tmp.f.Close()
-	if err != nil {
-		return fmt.Errorf("close tmpfile: %w", err)
-	}
-
-	return nil
-}
-
-func (tmp *tmpfile) Write(b []byte) (int, error) {
-	if int64(len(b)) > tmp.size {
-		return 0, fmt.Errorf("write exceeds content length %v", tmp.size)
-	}
-
-	n, err := tmp.f.Write(b)
-	tmp.size -= int64(n)
-	return n, err
-}
-
-func (tmp *tmpfile) cleanup() {
-	tmp.f.Close()
-}
-
-func (tmp *tmpfile) File() *os.File {
-	return tmp.f
-}
-
 func moveData(from *os.File, to *os.File) error {
-	return scoutfs.MoveData(from, to)
+	// May fail if the files are not 4K aligned; check for alignment
+	ffi, err := from.Stat()
+	if err != nil {
+		return fmt.Errorf("stat from: %v", err)
+	}
+	tfi, err := to.Stat()
+	if err != nil {
+		return fmt.Errorf("stat to: %v", err)
+	}
+	if ffi.Size()%4096 != 0 || tfi.Size()%4096 != 0 {
+		return os.ErrInvalid
+	}
+
+	//
+	err = scoutfs.MoveData(from, to)
+	if err != nil {
+		debuglogger.Logf("ScoutFs MoveData failed: %v", err)
+	}
+	return err
 }

 func statMore(path string) (stat, error) {
--- a/backend/scoutfs/scoutfs_incompat.go
+++ b/backend/scoutfs/scoutfs_incompat.go
@@ -20,44 +20,16 @@ import (
 	"errors"
 	"fmt"
 	"os"
-
-	"github.com/versity/versitygw/auth"
 )

 func New(rootdir string, opts ScoutfsOpts) (*ScoutFS, error) {
 	return nil, fmt.Errorf("scoutfs only available on linux")
 }

-type tmpfile struct{}
-
 var (
 	errNotSupported = errors.New("not supported")
 )

-func (s *ScoutFS) openTmpFile(_, _, _ string, _ int64, _ auth.Account) (*tmpfile, error) {
-	// make these look used for static check
-	_ = s.chownuid
-	_ = s.chowngid
-	_ = s.euid
-	_ = s.egid
-	return nil, errNotSupported
-}
-
-func (tmp *tmpfile) link() error {
-	return errNotSupported
-}
-
-func (tmp *tmpfile) Write(b []byte) (int, error) {
-	return 0, errNotSupported
-}
-
-func (tmp *tmpfile) cleanup() {
-}
-
-func (tmp *tmpfile) File() *os.File {
-	return nil
-}
-
 func moveData(_, _ *os.File) error {
 	return errNotSupported
 }
--- a/cmd/versitygw/main.go
+++ b/cmd/versitygw/main.go
@@ -45,6 +45,8 @@ var (
 	certFile, keyFile                        string
 	kafkaURL, kafkaTopic, kafkaKey           string
 	natsURL, natsTopic                       string
+	rabbitmqURL, rabbitmqExchange            string
+	rabbitmqRoutingKey                       string
 	eventWebhookURL                          string
 	eventConfigFilePath                      string
 	logWebhookURL, accessLog                 string
@@ -61,10 +63,10 @@ var (
 	ldapAccessAtr, ldapSecAtr, ldapRoleAtr   string
 	ldapUserIdAtr, ldapGroupIdAtr            string
 	vaultEndpointURL, vaultSecretStoragePath string
-	vaultMountPath, vaultRootToken           string
-	vaultRoleId, vaultRoleSecret             string
-	vaultServerCert, vaultClientCert         string
-	vaultClientCertKey                       string
+	vaultAuthMethod, vaultMountPath          string
+	vaultRootToken, vaultRoleId              string
+	vaultRoleSecret, vaultServerCert         string
+	vaultClientCert, vaultClientCertKey      string
 	s3IamAccess, s3IamSecret                 string
 	s3IamRegion, s3IamBucket                 string
 	s3IamEndpoint                            string
@@ -288,6 +290,27 @@ func initFlags() []cli.Flag {
 			Destination: &natsTopic,
 			Aliases:     []string{"ent"},
 		},
+		&cli.StringFlag{
+			Name:        "event-rabbitmq-url",
+			Usage:       "rabbitmq server url to send the bucket notifications (amqp or amqps scheme)",
+			EnvVars:     []string{"VGW_EVENT_RABBITMQ_URL"},
+			Destination: &rabbitmqURL,
+			Aliases:     []string{"eru"},
+		},
+		&cli.StringFlag{
+			Name:        "event-rabbitmq-exchange",
+			Usage:       "rabbitmq exchange to publish bucket notifications to (blank for default)",
+			EnvVars:     []string{"VGW_EVENT_RABBITMQ_EXCHANGE"},
+			Destination: &rabbitmqExchange,
+			Aliases:     []string{"ere"},
+		},
+		&cli.StringFlag{
+			Name:        "event-rabbitmq-routing-key",
+			Usage:       "rabbitmq routing key when publishing bucket notifications (defaults to bucket name when blank)",
+			EnvVars:     []string{"VGW_EVENT_RABBITMQ_ROUTING_KEY"},
+			Destination: &rabbitmqRoutingKey,
+			Aliases:     []string{"errk"},
+		},
 		&cli.StringFlag{
 			Name:        "event-webhook-url",
 			Usage:       "webhook url to send bucket notifications",
@@ -380,6 +403,12 @@ func initFlags() []cli.Flag {
 			EnvVars:     []string{"VGW_IAM_VAULT_SECRET_STORAGE_PATH"},
 			Destination: &vaultSecretStoragePath,
 		},
+		&cli.StringFlag{
+			Name:        "iam-vault-auth-method",
+			Usage:       "vault server auth method",
+			EnvVars:     []string{"VGW_IAM_VAULT_AUTH_METHOD"},
+			Destination: &vaultAuthMethod,
+		},
 		&cli.StringFlag{
 			Name:        "iam-vault-mount-path",
 			Usage:       "vault server mount path",
@@ -615,30 +644,6 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 		opts = append(opts, s3api.WithHostStyle(virtualDomain))
 	}

-	admApp := fiber.New(fiber.Config{
-		AppName:               "versitygw",
-		ServerHeader:          "VERSITYGW",
-		Network:               fiber.NetworkTCP,
-		DisableStartupMessage: true,
-	})
-
-	var admOpts []s3api.AdminOpt
-
-	if admCertFile != "" || admKeyFile != "" {
-		if admCertFile == "" {
-			return fmt.Errorf("TLS key specified without cert file")
-		}
-		if admKeyFile == "" {
-			return fmt.Errorf("TLS cert specified without key file")
-		}
-
-		cert, err := tls.LoadX509KeyPair(admCertFile, admKeyFile)
-		if err != nil {
-			return fmt.Errorf("tls: load certs: %v", err)
-		}
-		admOpts = append(admOpts, s3api.WithAdminSrvTLS(cert))
-	}
-
 	iam, err := auth.New(&auth.Opts{
 		RootAccount: auth.Account{
 			Access: rootUserAccess,
@@ -658,6 +663,7 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 		LDAPGroupIdAtr:         ldapGroupIdAtr,
 		VaultEndpointURL:       vaultEndpointURL,
 		VaultSecretStoragePath: vaultSecretStoragePath,
+		VaultAuthMethod:        vaultAuthMethod,
 		VaultMountPath:         vaultMountPath,
 		VaultRootToken:         vaultRootToken,
 		VaultRoleId:            vaultRoleId,
@@ -710,6 +716,9 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 		KafkaTopicKey:        kafkaKey,
 		NatsURL:              natsURL,
 		NatsTopic:            natsTopic,
+		RabbitmqURL:          rabbitmqURL,
+		RabbitmqExchange:     rabbitmqExchange,
+		RabbitmqRoutingKey:   rabbitmqRoutingKey,
 		WebhookURL:           eventWebhookURL,
 		FilterConfigFilePath: eventConfigFilePath,
 	})
@@ -725,7 +734,41 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 		return fmt.Errorf("init gateway: %v", err)
 	}

-	admSrv := s3api.NewAdminServer(admApp, be, middlewares.RootUserConfig{Access: rootUserAccess, Secret: rootUserSecret}, admPort, region, iam, loggers.AdminLogger, admOpts...)
+	var admSrv *s3api.S3AdminServer
+
+	if admPort != "" {
+		admApp := fiber.New(fiber.Config{
+			AppName:               "versitygw",
+			ServerHeader:          "VERSITYGW",
+			Network:               fiber.NetworkTCP,
+			DisableStartupMessage: true,
+		})
+
+		var opts []s3api.AdminOpt
+
+		if admCertFile != "" || admKeyFile != "" {
+			if admCertFile == "" {
+				return fmt.Errorf("TLS key specified without cert file")
+			}
+			if admKeyFile == "" {
+				return fmt.Errorf("TLS cert specified without key file")
+			}
+
+			cert, err := tls.LoadX509KeyPair(admCertFile, admKeyFile)
+			if err != nil {
+				return fmt.Errorf("tls: load certs: %v", err)
+			}
+			opts = append(opts, s3api.WithAdminSrvTLS(cert))
+		}
+		if quiet {
+			opts = append(opts, s3api.WithAdminQuiet())
+		}
+		if debug {
+			opts = append(opts, s3api.WithAdminDebug())
+		}
+
+		admSrv = s3api.NewAdminServer(admApp, be, middlewares.RootUserConfig{Access: rootUserAccess, Secret: rootUserSecret}, admPort, region, iam, loggers.AdminLogger, opts...)
+	}

 	if !quiet {
 		printBanner(port, admPort, certFile != "", admCertFile != "")
@@ -970,10 +1013,7 @@ func getMatchingIPs(spec string) ([]string, error) {
 const columnWidth = 70

 func centerText(text string) string {
-	padding := (columnWidth - 2 - len(text)) / 2
-	if padding < 0 {
-		padding = 0
-	}
+	padding := max((columnWidth-2-len(text))/2, 0)
 	return strings.Repeat(" ", padding) + text
 }

--- a/cmd/versitygw/scoutfs.go
+++ b/cmd/versitygw/scoutfs.go
@@ -72,6 +72,12 @@ move interfaces as well as support for tiered filesystems.`,
 				EnvVars:     []string{"VGW_BUCKET_LINKS"},
 				Destination: &bucketlinks,
 			},
+			&cli.StringFlag{
+				Name:        "versioning-dir",
+				Usage:       "the directory path to enable bucket versioning",
+				EnvVars:     []string{"VGW_VERSIONING_DIR"},
+				Destination: &versioningDir,
+			},
 			&cli.UintFlag{
 				Name:        "dir-perms",
 				Usage:       "default directory permissions for new directories",
@@ -106,6 +112,7 @@ func runScoutfs(ctx *cli.Context) error {
 	opts.BucketLinks = bucketlinks
 	opts.NewDirPerm = fs.FileMode(dirPerms)
 	opts.DisableNoArchive = disableNoArchive
+	opts.VersioningDir = versioningDir

 	be, err := scoutfs.New(ctx.Args().Get(0), opts)
 	if err != nil {
--- a/extra/example.conf
+++ b/extra/example.conf
@@ -169,6 +169,19 @@ ROOT_SECRET_ACCESS_KEY=
 #VGW_EVENT_NATS_URL=
 #VGW_EVENT_NATS_TOPIC=

+# Bucket events can be sent to a RabbitMQ messaging service. When
+# VGW_EVENT_RABBITMQ_URL is specified, events will be published to the specified
+# exchange (VGW_EVENT_RABBITMQ_EXCHANGE) using the routing key
+# (VGW_EVENT_RABBITMQ_ROUTING_KEY). If exchange is blank the default exchange is
+# used. If routing key is blank, it will be left empty (the server can bind a
+# queue with an empty binding key or you can set an explicit key).
+# Example URL formats:
+#   amqp://user:pass@rabbitmq:5672/
+#   amqps://user:pass@rabbitmq:5671/vhost
+#VGW_EVENT_RABBITMQ_URL=
+#VGW_EVENT_RABBITMQ_EXCHANGE=
+#VGW_EVENT_RABBITMQ_ROUTING_KEY=
+
 # Bucket events can be sent to a webhook. When VGW_EVENT_WEBHOOK_URL is
 # specified, all configured bucket events will be sent to the webhook.
 #VGW_EVENT_WEBHOOK_URL=
@@ -430,6 +443,14 @@ ROOT_SECRET_ACCESS_KEY=
 # as any parent directories automatically created with object uploads.
 #VGW_DIR_PERMS=0755

+# To enable object versions, the VGW_VERSIONING_DIR option must be set to the
+# directory that will be used to store the object versions. The version
+# directory must NOT be a subdirectory of the VGW_BACKEND_ARG directory.
+# There may be implications for archive policy updates to include version
+# directory as well. It is recommended to discuss archive implications of
+# versioning with Versity support before enabling on an archiving filesystem.
+#VGW_VERSIONING_DIR=
+
 # The default behavior of the gateway is to automatically set the noarchive
 # flag on the multipart upload parts while the multipart upload is in progress.
 # This is to prevent the parts from being archived since they are temporary
--- a/go.mod
+++ b/go.mod
@@ -5,42 +5,45 @@ go 1.23.0
 toolchain go1.24.1

 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1
-	github.com/DataDog/datadog-go/v5 v5.6.0
-	github.com/aws/aws-sdk-go-v2 v1.36.5
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.82.0
-	github.com/aws/smithy-go v1.22.4
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.2
+	github.com/DataDog/datadog-go/v5 v5.7.1
+	github.com/aws/aws-sdk-go-v2 v1.38.1
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.87.1
+	github.com/aws/smithy-go v1.22.5
 	github.com/go-ldap/ldap/v3 v3.4.11
-	github.com/gofiber/fiber/v2 v2.52.8
+	github.com/gofiber/fiber/v2 v2.52.9
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/vault-client-go v0.4.3
-	github.com/nats-io/nats.go v1.43.0
+	github.com/nats-io/nats.go v1.45.0
 	github.com/oklog/ulid/v2 v2.1.1
 	github.com/pkg/xattr v0.4.12
-	github.com/segmentio/kafka-go v0.4.48
+	github.com/rabbitmq/amqp091-go v1.10.0
+	github.com/segmentio/kafka-go v0.4.49
 	github.com/smira/go-statsd v1.3.4
+	github.com/stretchr/testify v1.11.0
 	github.com/urfave/cli/v2 v2.27.7
-	github.com/valyala/fasthttp v1.62.0
+	github.com/valyala/fasthttp v1.65.0
 	github.com/versity/scoutfs-go v0.0.0-20240325223134-38eb2f5f7d44
-	golang.org/x/sync v0.15.0
-	golang.org/x/sys v0.33.0
+	golang.org/x/sync v0.16.0
+	golang.org/x/sys v0.35.0
 )

 require (
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.25.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.34.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.28.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
@@ -51,26 +54,28 @@ require (
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

 require (
 	github.com/andybalholm/brotli v1.2.0 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.29.17
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.70
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.82
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.31.2
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.6
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.19.0
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.4 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,23 +1,23 @@
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 h1:B+blDbyVIG3WaikNxPnhPiJ1MThR03b3vKGtER95TP4=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.0 h1:ci6Yd6nysBRLEodoziB6ah1+YOzZbZk+NYneoA6q+6E=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.0/go.mod h1:QyVsSSN64v5TGltphKLQ2sQxe4OBQg0J1eKRcVBnfgE=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0 h1:MhRfI58HblXzCtWEZCO0feHs8LweePB3s90r7WaR1KU=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0/go.mod h1:okZ+ZURbArNdlJ+ptXoyHNuOETzOl1Oww19rm8I2WLA=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 h1:FPKJS1T+clwv+OLGt13a8UjqeRuh0O4SJ3lUriThc+4=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1/go.mod h1:j2chePtV91HrC22tGoRX3sGY42uF13WzmmV80/OdVAA=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0 h1:LR0kAX9ykz8G4YgLCaRDVJ3+n43R8MneB5dTy2konZo=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0/go.mod h1:DWAciXemNf++PQJLeXUB4HHH5OpsAh12HZnu2wXE1jA=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1 h1:lhZdRq7TIx0GJQvSyX2Si406vrYsov2FXGp/RnSEtcs=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1/go.mod h1:8cl44BDmi+effbARHMQjgOKA2AYvcohNm7KEt42mSV8=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1 h1:/Zt+cDPnpC3OVDm/JKLOs7M2DKmLRIIp3XIx9pHHiig=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1/go.mod h1:Ng3urmn6dYe8gnbCMoHHVl5APYz2txho3koEkV2o2HA=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.2 h1:FwladfywkNirM+FZYLBR2kBz5C8Tg0fw5w5Y7meRXWI=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.2/go.mod h1:vv5Ad0RrIoT1lJFdWBZwt4mB1+j+V8DUroixmKDTCdk=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
-github.com/DataDog/datadog-go/v5 v5.6.0 h1:2oCLxjF/4htd55piM75baflj/KoE6VYS7alEUqFvRDw=
-github.com/DataDog/datadog-go/v5 v5.6.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
+github.com/DataDog/datadog-go/v5 v5.7.1 h1:dNhEwKaO3LJhGYKajl2DjobArfa5R9YF72z3Dy+PH3k=
+github.com/DataDog/datadog-go/v5 v5.7.1/go.mod h1:CA9Ih6tb3jtxk+ps1xvTnxmhjr7ldE8TiwrZyrm31ss=
 github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
@@ -25,63 +25,59 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
 github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
-github.com/aws/aws-sdk-go-v2 v1.36.5 h1:0OF9RiEMEdDdZEMqF9MRjevyxAQcf6gY+E7vwBILFj0=
-github.com/aws/aws-sdk-go-v2 v1.36.5/go.mod h1:EYrzvCCN9CMUTa5+6lf6MM4tq3Zjp8UhSGR/cBsjai0=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 h1:12SpdwU8Djs+YGklkinSSlcrPyj3H4VifVsKf78KbwA=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11/go.mod h1:dd+Lkp6YmMryke+qxW/VnKyhMBDTYP41Q2Bb+6gNZgY=
-github.com/aws/aws-sdk-go-v2/config v1.29.17 h1:jSuiQ5jEe4SAMH6lLRMY9OVC+TqJLP5655pBGjmnjr0=
-github.com/aws/aws-sdk-go-v2/config v1.29.17/go.mod h1:9P4wwACpbeXs9Pm9w1QTh6BwWwJjwYvJ1iCt5QbCXh8=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.70 h1:ONnH5CM16RTXRkS8Z1qg7/s2eDOhHhaXVd72mmyv4/0=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.70/go.mod h1:M+lWhhmomVGgtuPOhO85u4pEa3SmssPTdcYpP/5J/xc=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 h1:KAXP9JSHO1vKGCr5f4O6WmlVKLFFXgWYAGoJosorxzU=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32/go.mod h1:h4Sg6FQdexC1yYG9RDnOvLbW1a/P986++/Y/a+GyEM8=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.82 h1:EO13QJTCD1Ig2IrQnoHTRrn981H9mB7afXsZ89WptI4=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.82/go.mod h1:AGh1NCg0SH+uyJamiJA5tTQcql4MMRDXGRdMmCxCXzY=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 h1:SsytQyTMHMDPspp+spo7XwXTP44aJZZAC7fBV2C5+5s=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36/go.mod h1:Q1lnJArKRXkenyog6+Y+zr7WDpk4e6XlR6gs20bbeNo=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 h1:i2vNHQiXUvKhs3quBR6aqlgJaiaexz/aNvdCktW/kAM=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36/go.mod h1:UdyGa7Q91id/sdyHPwth+043HhmP6yP9MBHgbZM0xo8=
+github.com/aws/aws-sdk-go-v2 v1.38.1 h1:j7sc33amE74Rz0M/PoCpsZQ6OunLqys/m5antM0J+Z8=
+github.com/aws/aws-sdk-go-v2 v1.38.1/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.0 h1:6GMWV6CNpA/6fbFHnoAjrv4+LGfyTqZz2LtCHnspgDg=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.0/go.mod h1:/mXlTIVG9jbxkqDnr5UQNQxW1HRYxeGklkM9vAFeabg=
+github.com/aws/aws-sdk-go-v2/config v1.31.2 h1:NOaSZpVGEH2Np/c1toSeW0jooNl+9ALmsUTZ8YvkJR0=
+github.com/aws/aws-sdk-go-v2/config v1.31.2/go.mod h1:17ft42Yb2lF6OigqSYiDAiUcX4RIkEMY6XxEMJsrAes=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.6 h1:AmmvNEYrru7sYNJnp3pf57lGbiarX4T9qU/6AZ9SucU=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.6/go.mod h1:/jdQkh1iVPa01xndfECInp1v1Wnp70v3K4MvtlLGVEc=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4 h1:lpdMwTzmuDLkgW7086jE94HweHCqG+uOJwHf3LZs7T0=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4/go.mod h1:9xzb8/SV62W6gHQGC/8rrvgNXU6ZoYM3sAIJCIrXJxY=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.19.0 h1:2FFgK3oFA8PTNBjprLFfcmkgg7U9YuSimBvR64RUmiA=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.19.0/go.mod h1:xdxj6nC1aU/jAO80RIlIj3fU40MOSqutEA9N2XFct04=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4 h1:IdCLsiiIj5YJ3AFevsewURCPV+YWUlOW8JiPhoAy8vg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4/go.mod h1:l4bdfCD7XyyZA9BolKBo1eLqgaJxl0/x91PL4Yqe0ao=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4 h1:j7vjtr1YIssWQOMeOWRbh3z8g2oY/xPjnZH2gLY4sGw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4/go.mod h1:yDmJgqOiH4EA8Hndnv4KwAo8jCGTSnM5ASG1nBI+toA=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36 h1:GMYy2EOWfzdP3wfVAGXBNKY5vK4K8vMET4sYOYltmqs=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36/go.mod h1:gDhdAV6wL3PmPqBhiPbnlS447GoWs8HTTOYef9/9Inw=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 h1:CXV68E2dNqhuynZJPB80bhPQwAKqBWVer887figW6Jc=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4/go.mod h1:/xFi9KtvBXP97ppCz1TAEvU1Uf66qvid89rbem3wCzQ=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4 h1:nAP2GYbfh8dd2zGZqFRSMlq+/F6cMPBUuCsGAMkN074=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4/go.mod h1:LT10DsiGjLWh4GbjInf9LQejkYEhBgBCjLG5+lvk4EE=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 h1:t0E6FzREdtCsiLIoLCWsYliNsRBgyGD/MCK571qk4MI=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17/go.mod h1:ygpklyoaypuyDvOM5ujWGrYWpAK3h7ugnmKCU/76Ys4=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17 h1:qcLWgdhq45sDM9na4cvXax9dyLitn8EYBRl8Ak4XtG4=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17/go.mod h1:M+jkjBFZ2J6DJrjMv2+vkBbuht6kxJYtJiwoVgX4p4U=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.82.0 h1:JubM8CGDDFaAOmBrd8CRYNr49ZNgEAiLwGwgNMdS0nw=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.82.0/go.mod h1:kUklwasNoCn5YpyAqC/97r6dzTA1SRKJfKq16SXeoDU=
-github.com/aws/aws-sdk-go-v2/service/sso v1.25.5 h1:AIRJ3lfb2w/1/8wOOSqYb9fUKGwQbtysJ2H1MofRUPg=
-github.com/aws/aws-sdk-go-v2/service/sso v1.25.5/go.mod h1:b7SiVprpU+iGazDUqvRSLf5XmCdn+JtT1on7uNL6Ipc=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3 h1:BpOxT3yhLwSJ77qIY3DoHAQjZsc4HEGfMCE4NGy3uFg=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3/go.mod h1:vq/GQR1gOFLquZMSrxUK/cpvKCNVYibNyJ1m7JrU88E=
-github.com/aws/aws-sdk-go-v2/service/sts v1.34.0 h1:NFOJ/NXEGV4Rq//71Hs1jC/NvPs1ezajK+yQmkwnPV0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.34.0/go.mod h1:7ph2tGpfQvwzgistp2+zga9f+bCjlQJPkPUmMgDSD7w=
-github.com/aws/smithy-go v1.22.4 h1:uqXzVZNuNexwc/xrh6Tb56u89WDlJY6HS+KC0S4QSjw=
-github.com/aws/smithy-go v1.22.4/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.4 h1:BE/MNQ86yzTINrfxPPFS86QCBNQeLKY2A0KhDh47+wI=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.4/go.mod h1:SPBBhkJxjcrzJBc+qY85e83MQ2q3qdra8fghhkkyrJg=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 h1:6+lZi2JeGKtCraAj1rpoZfKqnQ9SptseRZioejfUOLM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0/go.mod h1:eb3gfbVIxIoGgJsi9pGne19dhCBpK6opTYpQqAmdy44=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.4 h1:Beh9oVgtQnBgR4sKKzkUBRQpf1GnL4wt0l4s8h2VCJ0=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.4/go.mod h1:b17At0o8inygF+c6FOD3rNyYZufPw62o9XJbSfQPgbo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4 h1:ueB2Te0NacDMnaC+68za9jLwkjzxGWm0KB5HTUHjLTI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4/go.mod h1:nLEfLnVMmLvyIG58/6gsSA03F1voKGaCfHV7+lR8S7s=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.4 h1:HVSeukL40rHclNcUqVcBwE1YoZhOkoLeBfhUqR3tjIU=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.4/go.mod h1:DnbBOv4FlIXHj2/xmrUQYtawRFC9L9ZmQPz+DBc6X5I=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.87.1 h1:2n6Pd67eJwAb/5KCX62/8RTU0aFAAW7V5XIGSghiHrw=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.87.1/go.mod h1:w5PC+6GHLkvMJKasYGVloB3TduOtROEMqm15HSuIbw4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.28.2 h1:ve9dYBB8CfJGTFqcQ3ZLAAb/KXWgYlgu/2R2TZL2Ko0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.28.2/go.mod h1:n9bTZFZcBa9hGGqVz3i/a6+NG0zmZgtkB9qVVFDqPA8=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.2 h1:pd9G9HQaM6UZAZh19pYOkpKSQkyQQ9ftnl/LttQOcGI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.2/go.mod h1:eknndR9rU8UpE/OmFpqU78V1EcXPKFTTm5l/buZYgvM=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.0 h1:iV1Ko4Em/lkJIsoKyGfc0nQySi+v0Udxr6Igq+y9JZc=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.0/go.mod h1:bEPcjW7IbolPfK67G1nilqWyoxYMSPrDiIQ3RdIdKgo=
+github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw=
+github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=
 github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
 github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
-github.com/gofiber/fiber/v2 v2.52.8 h1:xl4jJQ0BV5EJTA2aWiKw/VddRpHrKeZLF0QPUxqn0x4=
-github.com/gofiber/fiber/v2 v2.52.8/go.mod h1:YEcBbO/FB+5M1IZNBP9FO3J9281zgPAreiI1oqg8nDw=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/gofiber/fiber/v2 v2.52.9 h1:YjKl5DOiyP3j0mO61u3NTmK7or8GzzWzCFzkboyP5cw=
+github.com/gofiber/fiber/v2 v2.52.9/go.mod h1:YEcBbO/FB+5M1IZNBP9FO3J9281zgPAreiI1oqg8nDw=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
@@ -115,9 +111,12 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
-github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
@@ -128,8 +127,8 @@ github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6T
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/nats-io/nats.go v1.43.0 h1:uRFZ2FEoRvP64+UUhaTokyS18XBCR/xM2vQZKO4i8ug=
-github.com/nats-io/nats.go v1.43.0/go.mod h1:iRWIPokVIFbVijxuMQq4y9ttaBTMe0SFdlZfMDd+33g=
+github.com/nats-io/nats.go v1.45.0 h1:/wGPbnYXDM0pLKFjZTX+2JOw9TQPoIgTFrUaH97giwA=
+github.com/nats-io/nats.go v1.45.0/go.mod h1:iRWIPokVIFbVijxuMQq4y9ttaBTMe0SFdlZfMDd+33g=
 github.com/nats-io/nkeys v0.4.11 h1:q44qGV008kYd9W1b1nEBkNzvnWxtRSQ7A8BoqRrcfa0=
 github.com/nats-io/nkeys v0.4.11/go.mod h1:szDimtgmfOi9n25JpfIdGw12tZFYXqhGxjhVxsatHVE=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
@@ -137,7 +136,6 @@ github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OS
 github.com/oklog/ulid/v2 v2.1.1 h1:suPZ4ARWLOJLegGFiZZ1dFAkqzhMjL3J1TzI+5wHz8s=
 github.com/oklog/ulid/v2 v2.1.1/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
 github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
-github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
 github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
@@ -147,36 +145,39 @@ github.com/pkg/xattr v0.4.12 h1:rRTkSyFNTRElv6pkA3zpjHpQ90p/OdHQC1GmGh1aTjM=
 github.com/pkg/xattr v0.4.12/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI=
-github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/rabbitmq/amqp091-go v1.10.0 h1:STpn5XsHlHGcecLmMFCtg7mqq0RnD+zFr4uzukfVhBw=
+github.com/rabbitmq/amqp091-go v1.10.0/go.mod h1:Hy4jKW5kQART1u+JkDTF9YYOQUHXqMuhrgxOEeS7G4o=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/segmentio/kafka-go v0.4.48 h1:9jyu9CWK4W5W+SroCe8EffbrRZVqAOkuaLd/ApID4Vs=
-github.com/segmentio/kafka-go v0.4.48/go.mod h1:HjF6XbOKh0Pjlkr5GVZxt6CsjjwnmhVOfURM5KMd8qg=
+github.com/segmentio/kafka-go v0.4.49 h1:GJiNX1d/g+kG6ljyJEoi9++PUMdXGAxb7JGPiDCuNmk=
+github.com/segmentio/kafka-go v0.4.49/go.mod h1:Y1gn60kzLEEaW28YshXyk2+VCUKbJ3Qr6DrnT3i4+9E=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/smira/go-statsd v1.3.4 h1:kBYWcLSGT+qC6JVbvfz48kX7mQys32fjDOPrfmsSx2c=
 github.com/smira/go-statsd v1.3.4/go.mod h1:RjdsESPgDODtg1VpVVf9MJrEW2Hw0wtRNbmB1CAhu6A=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.0 h1:ib4sjIrwZKxE5u/Japgo/7SJV3PvgjGiRNAvTVGqQl8=
+github.com/stretchr/testify v1.11.0/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/urfave/cli/v2 v2.27.7 h1:bH59vdhbjLv3LAvIu6gd0usJHgoTTPhCFib8qqOwXYU=
 github.com/urfave/cli/v2 v2.27.7/go.mod h1:CyNAG/xg+iAOg0N4MPGZqVmv2rCoP267496AOXUZjA4=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.62.0 h1:8dKRBX/y2rCzyc6903Zu1+3qN0H/d2MsxPPmVNamiH0=
-github.com/valyala/fasthttp v1.62.0/go.mod h1:FCINgr4GKdKqV8Q0xv8b+UxPV+H/O5nNFo3D+r54Htg=
+github.com/valyala/fasthttp v1.65.0 h1:j/u3uzFEGFfRxw79iYzJN+TteTJwbYkru9uDp3d0Yf8=
+github.com/valyala/fasthttp v1.65.0/go.mod h1:P/93/YkKPMsKSnATEeELUCkG8a7Y+k99uxNHVbKINr4=
 github.com/versity/scoutfs-go v0.0.0-20240325223134-38eb2f5f7d44 h1:Wx1o3pNrCzsHIIDyZ2MLRr6tF/1FhAr7HNDn80QqDWE=
 github.com/versity/scoutfs-go v0.0.0-20240325223134-38eb2f5f7d44/go.mod h1:gJsq73k+4685y+rbDIpPY8i/5GbsiwP6JFoFyUDB1fQ=
 github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
@@ -190,32 +191,22 @@ github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBi
 github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -223,42 +214,27 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/metrics/actions.go
+++ b/metrics/actions.go
@@ -24,57 +24,98 @@ var (
 )

 var (
-	ActionUndetected                    = "ActionUnDetected"
-	ActionAbortMultipartUpload          = "s3_AbortMultipartUpload"
-	ActionCompleteMultipartUpload       = "s3_CompleteMultipartUpload"
-	ActionCopyObject                    = "s3_CopyObject"
-	ActionCreateBucket                  = "s3_CreateBucket"
-	ActionCreateMultipartUpload         = "s3_CreateMultipartUpload"
-	ActionDeleteBucket                  = "s3_DeleteBucket"
-	ActionDeleteBucketPolicy            = "s3_DeleteBucketPolicy"
-	ActionDeleteBucketTagging           = "s3_DeleteBucketTagging"
-	ActionDeleteObject                  = "s3_DeleteObject"
-	ActionDeleteObjectTagging           = "s3_DeleteObjectTagging"
-	ActionDeleteObjects                 = "s3_DeleteObjects"
-	ActionGetBucketAcl                  = "s3_GetBucketAcl"
-	ActionGetBucketPolicy               = "s3_GetBucketPolicy"
-	ActionGetBucketTagging              = "s3_GetBucketTagging"
-	ActionGetBucketVersioning           = "s3_GetBucketVersioning"
-	ActionGetObject                     = "s3_GetObject"
-	ActionGetObjectAcl                  = "s3_GetObjectAcl"
-	ActionGetObjectAttributes           = "s3_GetObjectAttributes"
-	ActionGetObjectLegalHold            = "s3_GetObjectLegalHold"
-	ActionGetObjectLockConfiguration    = "s3_GetObjectLockConfiguration"
-	ActionGetObjectRetention            = "s3_GetObjectRetention"
-	ActionGetObjectTagging              = "s3_GetObjectTagging"
-	ActionHeadBucket                    = "s3_HeadBucket"
-	ActionHeadObject                    = "s3_HeadObject"
-	ActionListAllMyBuckets              = "s3_ListAllMyBuckets"
-	ActionListMultipartUploads          = "s3_ListMultipartUploads"
-	ActionListObjectVersions            = "s3_ListObjectVersions"
-	ActionListObjects                   = "s3_ListObjects"
-	ActionListObjectsV2                 = "s3_ListObjectsV2"
-	ActionListParts                     = "s3_ListParts"
-	ActionPutBucketAcl                  = "s3_PutBucketAcl"
-	ActionPutBucketPolicy               = "s3_PutBucketPolicy"
-	ActionPutBucketTagging              = "s3_PutBucketTagging"
-	ActionPutBucketVersioning           = "s3_PutBucketVersioning"
-	ActionPutObject                     = "s3_PutObject"
-	ActionPutObjectAcl                  = "s3_PutObjectAcl"
-	ActionPutObjectLegalHold            = "s3_PutObjectLegalHold"
-	ActionPutObjectLockConfiguration    = "s3_PutObjectLockConfiguration"
-	ActionPutObjectRetention            = "s3_PutObjectRetention"
-	ActionPutObjectTagging              = "s3_PutObjectTagging"
-	ActionRestoreObject                 = "s3_RestoreObject"
-	ActionSelectObjectContent           = "s3_SelectObjectContent"
-	ActionUploadPart                    = "s3_UploadPart"
-	ActionUploadPartCopy                = "s3_UploadPartCopy"
-	ActionPutBucketOwnershipControls    = "s3_PutBucketOwnershipControls"
-	ActionGetBucketOwnershipControls    = "s3_GetBucketOwnershipControls"
-	ActionDeleteBucketOwnershipControls = "s3_DeleteBucketOwnershipControls"
-	ActionPutBucketCors                 = "s3_PutBucketCors"
-	ActionGetBucketCors                 = "s3_GetBucketCors"
-	ActionDeleteBucketCors              = "s3_DeleteBucketCors"
+	ActionUndetected                                  = "ActionUnDetected"
+	ActionAbortMultipartUpload                        = "s3_AbortMultipartUpload"
+	ActionCompleteMultipartUpload                     = "s3_CompleteMultipartUpload"
+	ActionCopyObject                                  = "s3_CopyObject"
+	ActionCreateBucket                                = "s3_CreateBucket"
+	ActionCreateMultipartUpload                       = "s3_CreateMultipartUpload"
+	ActionDeleteBucket                                = "s3_DeleteBucket"
+	ActionDeleteBucketPolicy                          = "s3_DeleteBucketPolicy"
+	ActionDeleteBucketTagging                         = "s3_DeleteBucketTagging"
+	ActionDeleteObject                                = "s3_DeleteObject"
+	ActionDeleteObjectTagging                         = "s3_DeleteObjectTagging"
+	ActionDeleteObjects                               = "s3_DeleteObjects"
+	ActionGetBucketAcl                                = "s3_GetBucketAcl"
+	ActionGetBucketPolicy                             = "s3_GetBucketPolicy"
+	ActionGetBucketTagging                            = "s3_GetBucketTagging"
+	ActionGetBucketVersioning                         = "s3_GetBucketVersioning"
+	ActionGetObject                                   = "s3_GetObject"
+	ActionGetObjectAcl                                = "s3_GetObjectAcl"
+	ActionGetObjectAttributes                         = "s3_GetObjectAttributes"
+	ActionGetObjectLegalHold                          = "s3_GetObjectLegalHold"
+	ActionGetObjectLockConfiguration                  = "s3_GetObjectLockConfiguration"
+	ActionGetObjectRetention                          = "s3_GetObjectRetention"
+	ActionGetObjectTagging                            = "s3_GetObjectTagging"
+	ActionHeadBucket                                  = "s3_HeadBucket"
+	ActionHeadObject                                  = "s3_HeadObject"
+	ActionListAllMyBuckets                            = "s3_ListAllMyBuckets"
+	ActionListMultipartUploads                        = "s3_ListMultipartUploads"
+	ActionListObjectVersions                          = "s3_ListObjectVersions"
+	ActionListObjects                                 = "s3_ListObjects"
+	ActionListObjectsV2                               = "s3_ListObjectsV2"
+	ActionListParts                                   = "s3_ListParts"
+	ActionPutBucketAcl                                = "s3_PutBucketAcl"
+	ActionPutBucketPolicy                             = "s3_PutBucketPolicy"
+	ActionPutBucketTagging                            = "s3_PutBucketTagging"
+	ActionPutBucketVersioning                         = "s3_PutBucketVersioning"
+	ActionPutObject                                   = "s3_PutObject"
+	ActionPutObjectAcl                                = "s3_PutObjectAcl"
+	ActionPutObjectLegalHold                          = "s3_PutObjectLegalHold"
+	ActionPutObjectLockConfiguration                  = "s3_PutObjectLockConfiguration"
+	ActionPutObjectRetention                          = "s3_PutObjectRetention"
+	ActionPutObjectTagging                            = "s3_PutObjectTagging"
+	ActionRestoreObject                               = "s3_RestoreObject"
+	ActionSelectObjectContent                         = "s3_SelectObjectContent"
+	ActionUploadPart                                  = "s3_UploadPart"
+	ActionUploadPartCopy                              = "s3_UploadPartCopy"
+	ActionPutBucketOwnershipControls                  = "s3_PutBucketOwnershipControls"
+	ActionGetBucketOwnershipControls                  = "s3_GetBucketOwnershipControls"
+	ActionDeleteBucketOwnershipControls               = "s3_DeleteBucketOwnershipControls"
+	ActionPutBucketCors                               = "s3_PutBucketCors"
+	ActionGetBucketCors                               = "s3_GetBucketCors"
+	ActionDeleteBucketCors                            = "s3_DeleteBucketCors"
+	ActionOptions                                     = "s3_Options"
+	ActionPutBucketAnalyticsConfiguration             = "s3_PutBucketAnalyticsConfiguration"
+	ActionGetBucketAnalyticsConfiguration             = "s3_GetBucketAnalyticsConfiguration"
+	ActionListBucketAnalyticsConfigurations           = "s3_ListBucketAnalyticsConfigurations"
+	ActionDeleteBucketAnalyticsConfiguration          = "s3_DeleteBucketAnalyticsConfiguration"
+	ActionPutBucketEncryption                         = "s3_PutBucketEncryption"
+	ActionGetBucketEncryption                         = "s3_GetBucketEncryption"
+	ActionDeleteBucketEncryption                      = "s3_DeleteBucketEncryption"
+	ActionPutBucketIntelligentTieringConfiguration    = "s3_PutBucketIntelligentTieringConfiguration"
+	ActionGetBucketIntelligentTieringConfiguration    = "s3_GetBucketIntelligentTieringConfiguration"
+	ActionListBucketIntelligentTieringConfigurations  = "s3_ListBucketIntelligentTieringConfigurations"
+	ActionDeleteBucketIntelligentTieringConfiguration = "s3_DeleteBucketIntelligentTieringConfiguration"
+	ActionPutBucketInventoryConfiguration             = "s3_PutBucketInventoryConfiguration"
+	ActionGetBucketInventoryConfiguration             = "s3_GetBucketInventoryConfiguration"
+	ActionListBucketInventoryConfigurations           = "s3_ListBucketInventoryConfigurations"
+	ActionDeleteBucketInventoryConfiguration          = "s3_DeleteBucketInventoryConfiguration"
+	ActionPutBucketLifecycleConfiguration             = "s3_PutBucketLifecycleConfiguration"
+	ActionGetBucketLifecycleConfiguration             = "s3_GetBucketLifecycleConfiguration"
+	ActionDeleteBucketLifecycle                       = "s3_DeleteBucketLifecycle"
+	ActionPutBucketLogging                            = "s3_PutBucketLogging"
+	ActionGetBucketLogging                            = "s3_GetBucketLogging"
+	ActionPutBucketRequestPayment                     = "s3_PutBucketRequestPayment"
+	ActionGetBucketRequestPayment                     = "s3_GetBucketRequestPayment"
+	ActionPutBucketMetricsConfiguration               = "s3_PutBucketMetricsConfiguration"
+	ActionGetBucketMetricsConfiguration               = "s3_GetBucketMetricsConfiguration"
+	ActionListBucketMetricsConfigurations             = "s3_ListBucketMetricsConfigurations"
+	ActionDeleteBucketMetricsConfiguration            = "s3_DeleteBucketMetricsConfiguration"
+	ActionPutBucketReplication                        = "s3_PutBucketReplication"
+	ActionGetBucketReplication                        = "s3_GetBucketReplication"
+	ActionDeleteBucketReplication                     = "s3_DeleteBucketReplication"
+	ActionPutPublicAccessBlock                        = "s3_PutPublicAccessBlock"
+	ActionGetPublicAccessBlock                        = "s3_GetPublicAccessBlock"
+	ActionDeletePublicAccessBlock                     = "s3_DeletePublicAccessBlock"
+	ActionPutBucketNotificationConfiguration          = "s3_PutBucketNotificationConfiguration"
+	ActionGetBucketNotificationConfiguration          = "s3_GetBucketNotificationConfiguration"
+	ActionPutBucketAccelerateConfiguration            = "s3_PutBucketAccelerateConfiguration"
+	ActionGetBucketAccelerateConfiguration            = "s3_GetBucketAccelerateConfiguration"
+	ActionPutBucketWebsite                            = "s3_PutBucketWebsite"
+	ActionGetBucketWebsite                            = "s3_GetBucketWebsite"
+	ActionDeleteBucketWebsite                         = "s3_DeleteBucketWebsite"
+	ActionGetBucketPolicyStatus                       = "s3_GetBucketPolicyStatus"

 	// Admin actions
 	ActionAdminCreateUser        = "admin_CreateUser"
@@ -281,4 +322,180 @@ func init() {
 		Name:    "DeleteBucketCors",
 		Service: "s3",
 	}
+	ActionMap[ActionPutBucketOwnershipControls] = Action{
+		Name:    "PutBucketOwnershipControls",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketOwnershipControls] = Action{
+		Name:    "GetBucketOwnershipControls",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketOwnershipControls] = Action{
+		Name:    "DeleteBucketOwnershipControls",
+		Service: "s3",
+	}
+	ActionMap[ActionOptions] = Action{
+		Name:    "Options",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketAnalyticsConfiguration] = Action{
+		Name:    "PutBucketAnalyticsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketAnalyticsConfiguration] = Action{
+		Name:    "GetBucketAnalyticsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionListBucketAnalyticsConfigurations] = Action{
+		Name:    "ListBucketAnalyticsConfigurations",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketAnalyticsConfiguration] = Action{
+		Name:    "DeleteBucketAnalyticsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketEncryption] = Action{
+		Name:    "PutBucketEncryption",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketEncryption] = Action{
+		Name:    "GetBucketEncryption",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketEncryption] = Action{
+		Name:    "DeleteBucketEncryption",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketIntelligentTieringConfiguration] = Action{
+		Name:    "PutBucketIntelligentTieringConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketIntelligentTieringConfiguration] = Action{
+		Name:    "GetBucketIntelligentTieringConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionListBucketIntelligentTieringConfigurations] = Action{
+		Name:    "ListBucketIntelligentTieringConfigurations",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketIntelligentTieringConfiguration] = Action{
+		Name:    "DeleteBucketIntelligentTieringConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketInventoryConfiguration] = Action{
+		Name:    "PutBucketInventoryConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketInventoryConfiguration] = Action{
+		Name:    "GetBucketInventoryConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionListBucketInventoryConfigurations] = Action{
+		Name:    "ListBucketInventoryConfigurations",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketInventoryConfiguration] = Action{
+		Name:    "DeleteBucketInventoryConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketLifecycleConfiguration] = Action{
+		Name:    "PutBucketLifecycleConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketLifecycleConfiguration] = Action{
+		Name:    "GetBucketLifecycleConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketLifecycle] = Action{
+		Name:    "DeleteBucketLifecycle",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketLogging] = Action{
+		Name:    "PutBucketLogging",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketLogging] = Action{
+		Name:    "GetBucketLogging",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketRequestPayment] = Action{
+		Name:    "PutBucketRequestPayment",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketRequestPayment] = Action{
+		Name:    "GetBucketRequestPayment",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketMetricsConfiguration] = Action{
+		Name:    "PutBucketMetricsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketMetricsConfiguration] = Action{
+		Name:    "GetBucketMetricsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionListBucketMetricsConfigurations] = Action{
+		Name:    "ListBucketMetricsConfigurations",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketMetricsConfiguration] = Action{
+		Name:    "DeleteBucketMetricsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketReplication] = Action{
+		Name:    "PutBucketReplication",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketReplication] = Action{
+		Name:    "GetBucketReplication",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketReplication] = Action{
+		Name:    "DeleteBucketReplication",
+		Service: "s3",
+	}
+	ActionMap[ActionPutPublicAccessBlock] = Action{
+		Name:    "PutPublicAccessBlock",
+		Service: "s3",
+	}
+	ActionMap[ActionGetPublicAccessBlock] = Action{
+		Name:    "GetPublicAccessBlock",
+		Service: "s3",
+	}
+	ActionMap[ActionDeletePublicAccessBlock] = Action{
+		Name:    "DeletePublicAccessBlock",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketNotificationConfiguration] = Action{
+		Name:    "PutBucketNotificationConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketNotificationConfiguration] = Action{
+		Name:    "GetBucketNotificationConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketAccelerateConfiguration] = Action{
+		Name:    "PutBucketAccelerateConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketAccelerateConfiguration] = Action{
+		Name:    "GetBucketAccelerateConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketWebsite] = Action{
+		Name:    "PutBucketWebsite",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketWebsite] = Action{
+		Name:    "GetBucketWebsite",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketWebsite] = Action{
+		Name:    "DeleteBucketWebsite",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketPolicyStatus] = Action{
+		Name:    "GetBucketPolicyStatus",
+		Service: "s3",
+	}
 }
--- a/metrics/metrics.go
+++ b/metrics/metrics.go
@@ -41,8 +41,14 @@ type Tag struct {
 	Value string
 }

-// Manager is a manager of metrics plugins
-type Manager struct {
+// Manager is the interface definition for metrics manager
+type Manager interface {
+	Send(ctx *fiber.Ctx, err error, action string, count int64, status int)
+	Close()
+}
+
+// manager is a manager of metrics plugins
+type manager struct {
 	wg  sync.WaitGroup
 	ctx context.Context

@@ -59,7 +65,7 @@ type Config struct {
 }

 // NewManager initializes metrics plugins and returns a new metrics manager
-func NewManager(ctx context.Context, conf Config) (*Manager, error) {
+func NewManager(ctx context.Context, conf Config) (Manager, error) {
 	if len(conf.StatsdServers) == 0 && len(conf.DogStatsdServers) == 0 {
 		return nil, nil
 	}
@@ -74,7 +80,7 @@ func NewManager(ctx context.Context, conf Config) (*Manager, error) {

 	addDataChan := make(chan datapoint, dataItemCount)

-	mgr := &Manager{
+	mgr := &manager{
 		addDataChan: addDataChan,
 		ctx:         ctx,
 		config:      conf,
@@ -112,7 +118,7 @@ func NewManager(ctx context.Context, conf Config) (*Manager, error) {
 	return mgr, nil
 }

-func (m *Manager) Send(ctx *fiber.Ctx, err error, action string, count int64, status int) {
+func (m *manager) Send(ctx *fiber.Ctx, err error, action string, count int64, status int) {
 	// In case of Authentication failures, url parsing ...
 	if action == "" {
 		action = ActionUndetected
@@ -168,12 +174,12 @@ func (m *Manager) Send(ctx *fiber.Ctx, err error, action string, count int64, st
 }

 // increment increments the key by one
-func (m *Manager) increment(key string, tags ...Tag) {
+func (m *manager) increment(key string, tags ...Tag) {
 	m.add(key, 1, tags...)
 }

 // add adds value to key
-func (m *Manager) add(key string, value int64, tags ...Tag) {
+func (m *manager) add(key string, value int64, tags ...Tag) {
 	if m.ctx.Err() != nil {
 		return
 	}
@@ -192,7 +198,7 @@ func (m *Manager) add(key string, value int64, tags ...Tag) {
 }

 // Close closes metrics channels, waits for data to complete, closes all plugins
-func (m *Manager) Close() {
+func (m *manager) Close() {
 	// drain the datapoint channels
 	close(m.addDataChan)
 	m.wg.Wait()
@@ -209,7 +215,7 @@ type publisher interface {
 	Close()
 }

-func (m *Manager) addForwarder(addChan <-chan datapoint) {
+func (m *manager) addForwarder(addChan <-chan datapoint) {
 	for data := range addChan {
 		for _, s := range m.publishers {
 			s.Add(data.key, data.value, data.tags...)
--- a/s3api/admin-router.go
+++ b/s3api/admin-router.go
@@ -18,30 +18,59 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3api/controllers"
+	"github.com/versity/versitygw/s3api/middlewares"
 	"github.com/versity/versitygw/s3log"
 )

 type S3AdminRouter struct{}

-func (ar *S3AdminRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMService, logger s3log.AuditLogger) {
-	controller := controllers.NewAdminController(iam, be, logger)
+func (ar *S3AdminRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMService, logger s3log.AuditLogger, root middlewares.RootUserConfig, region string, debug bool) {
+	ctrl := controllers.NewAdminController(iam, be, logger)
+	services := &controllers.Services{
+		Logger: logger,
+	}

 	// CreateUser admin api
-	app.Patch("/create-user", controller.CreateUser)
+	app.Patch("/create-user",
+		controllers.ProcessHandlers(ctrl.CreateUser, metrics.ActionAdminCreateUser, services,
+			middlewares.VerifyV4Signature(root, iam, region, debug),
+			middlewares.IsAdmin(metrics.ActionAdminCreateUser),
+		))

 	// DeleteUsers admin api
-	app.Patch("/delete-user", controller.DeleteUser)
+	app.Patch("/delete-user",
+		controllers.ProcessHandlers(ctrl.DeleteUser, metrics.ActionAdminDeleteUser, services,
+			middlewares.VerifyV4Signature(root, iam, region, debug),
+			middlewares.IsAdmin(metrics.ActionAdminDeleteUser),
+		))

 	// UpdateUser admin api
-	app.Patch("/update-user", controller.UpdateUser)
+	app.Patch("/update-user",
+		controllers.ProcessHandlers(ctrl.UpdateUser, metrics.ActionAdminUpdateUser, services,
+			middlewares.VerifyV4Signature(root, iam, region, debug),
+			middlewares.IsAdmin(metrics.ActionAdminUpdateUser),
+		))

 	// ListUsers admin api
-	app.Patch("/list-users", controller.ListUsers)
+	app.Patch("/list-users",
+		controllers.ProcessHandlers(ctrl.ListUsers, metrics.ActionAdminListUsers, services,
+			middlewares.VerifyV4Signature(root, iam, region, debug),
+			middlewares.IsAdmin(metrics.ActionAdminListUsers),
+		))

 	// ChangeBucketOwner admin api
-	app.Patch("/change-bucket-owner", controller.ChangeBucketOwner)
+	app.Patch("/change-bucket-owner",
+		controllers.ProcessHandlers(ctrl.ChangeBucketOwner, metrics.ActionAdminChangeBucketOwner, services,
+			middlewares.VerifyV4Signature(root, iam, region, debug),
+			middlewares.IsAdmin(metrics.ActionAdminChangeBucketOwner),
+		))

 	// ListBucketsAndOwners admin api
-	app.Patch("/list-buckets", controller.ListBuckets)
+	app.Patch("/list-buckets",
+		controllers.ProcessHandlers(ctrl.ListBuckets, metrics.ActionAdminListBuckets, services,
+			middlewares.VerifyV4Signature(root, iam, region, debug),
+			middlewares.IsAdmin(metrics.ActionAdminListBuckets),
+		))
 }
--- a/s3api/admin-server.go
+++ b/s3api/admin-server.go
@@ -21,6 +21,7 @@ import (
 	"github.com/gofiber/fiber/v2/middleware/logger"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/s3api/controllers"
 	"github.com/versity/versitygw/s3api/middlewares"
 	"github.com/versity/versitygw/s3log"
 )
@@ -31,6 +32,8 @@ type S3AdminServer struct {
 	router  *S3AdminRouter
 	port    string
 	cert    *tls.Certificate
+	quiet   bool
+	debug   bool
 }

 func NewAdminServer(app *fiber.App, be backend.Backend, root middlewares.RootUserConfig, port, region string, iam auth.IAMService, l s3log.AuditLogger, opts ...AdminOpt) *S3AdminServer {
@@ -46,17 +49,15 @@ func NewAdminServer(app *fiber.App, be backend.Backend, root middlewares.RootUse
 	}

 	// Logging middlewares
-	app.Use(logger.New())
-	app.Use(middlewares.DecodeURL(l, nil))
+	if !server.quiet {
+		app.Use(logger.New(logger.Config{
+			Format: "${time} | ${status} | ${latency} | ${ip} | ${method} | ${path} | ${error} | ${queryParams}\n",
+		}))
+	}
+	app.Use(controllers.WrapMiddleware(middlewares.DecodeURL, l, nil))
+	app.Use(middlewares.DebugLogger())

-	// Authentication middlewares
-	app.Use(middlewares.VerifyV4Signature(root, iam, l, nil, region, false))
-	app.Use(middlewares.VerifyMD5Body(l))
-
-	// Admin role checker
-	app.Use(middlewares.IsAdmin(l))
-
-	server.router.Init(app, be, iam, l)
+	server.router.Init(app, be, iam, l, root, region, server.debug)

 	return server
 }
@@ -67,6 +68,16 @@ func WithAdminSrvTLS(cert tls.Certificate) AdminOpt {
 	return func(s *S3AdminServer) { s.cert = &cert }
 }

+// WithQuiet silences default logging output
+func WithAdminQuiet() AdminOpt {
+	return func(s *S3AdminServer) { s.quiet = true }
+}
+
+// WithAdminDebug enables the debug logging
+func WithAdminDebug() AdminOpt {
+	return func(s *S3AdminServer) { s.debug = true }
+}
+
 func (sa *S3AdminServer) Serve() (err error) {
 	if sa.cert != nil {
 		return sa.app.ListenTLSWithCertificate(sa.port, *sa.cert)
--- a/s3api/controllers/admin.go
+++ b/s3api/controllers/admin.go
@@ -15,17 +15,13 @@
 package controllers

 import (
-	"encoding/json"
 	"encoding/xml"
-	"fmt"
 	"net/http"
 	"strings"

-	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
-	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3err"
 	"github.com/versity/versitygw/s3log"
 	"github.com/versity/versitygw/s3response"
@@ -41,23 +37,19 @@ func NewAdminController(iam auth.IAMService, be backend.Backend, l s3log.AuditLo
 	return AdminController{iam: iam, be: be, l: l}
 }

-func (c AdminController) CreateUser(ctx *fiber.Ctx) error {
+func (c AdminController) CreateUser(ctx *fiber.Ctx) (*Response, error) {
 	var usr auth.Account
 	err := xml.Unmarshal(ctx.Body(), &usr)
 	if err != nil {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrMalformedXML),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminCreateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
 	}

 	if !usr.Role.IsValid() {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrAdminInvalidUserRole),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminCreateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAdminInvalidUserRole)
 	}

 	err = c.iam.CreateAccount(usr)
@@ -66,47 +58,38 @@ func (c AdminController) CreateUser(ctx *fiber.Ctx) error {
 			err = s3err.GetAPIError(s3err.ErrAdminUserExists)
 		}

-		return SendResponse(ctx, err,
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminCreateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, err
 	}

-	return SendResponse(ctx, nil,
-		&MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminCreateUser,
+	return &Response{
+		MetaOpts: &MetaOptions{
 			Status: http.StatusCreated,
-		})
+		},
+	}, nil
 }

-func (c AdminController) UpdateUser(ctx *fiber.Ctx) error {
+func (c AdminController) UpdateUser(ctx *fiber.Ctx) (*Response, error) {
 	access := ctx.Query("access")
 	if access == "" {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrAdminMissingUserAcess),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminUpdateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAdminMissingUserAcess)
 	}

 	var props auth.MutableProps
 	if err := xml.Unmarshal(ctx.Body(), &props); err != nil {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrMalformedXML),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminUpdateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
 	}

 	err := props.Validate()
 	if err != nil {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrAdminInvalidUserRole),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminUpdateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAdminInvalidUserRole)
 	}

 	err = c.iam.UpdateUserAccount(access, props)
@@ -115,98 +98,66 @@ func (c AdminController) UpdateUser(ctx *fiber.Ctx) error {
 			err = s3err.GetAPIError(s3err.ErrAdminUserNotFound)
 		}

-		return SendResponse(ctx, err,
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminUpdateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, err
 	}

-	return SendResponse(ctx, nil,
-		&MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminUpdateUser,
-		})
+	return &Response{
+		MetaOpts: &MetaOptions{},
+	}, nil
 }

-func (c AdminController) DeleteUser(ctx *fiber.Ctx) error {
+func (c AdminController) DeleteUser(ctx *fiber.Ctx) (*Response, error) {
 	access := ctx.Query("access")
+	if access == "" {
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAdminMissingUserAcess)
+	}

 	err := c.iam.DeleteUserAccount(access)
-	return SendResponse(ctx, err,
-		&MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminDeleteUser,
-		})
+	return &Response{
+		MetaOpts: &MetaOptions{},
+	}, err
 }

-func (c AdminController) ListUsers(ctx *fiber.Ctx) error {
+func (c AdminController) ListUsers(ctx *fiber.Ctx) (*Response, error) {
 	accs, err := c.iam.ListUserAccounts()
-	return SendXMLResponse(ctx,
-		auth.ListUserAccountsResult{
-			Accounts: accs,
-		}, err,
-		&MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminListUsers,
-		})
+	return &Response{
+		Data:     auth.ListUserAccountsResult{Accounts: accs},
+		MetaOpts: &MetaOptions{},
+	}, err
 }

-func (c AdminController) ChangeBucketOwner(ctx *fiber.Ctx) error {
+func (c AdminController) ChangeBucketOwner(ctx *fiber.Ctx) (*Response, error) {
 	owner := ctx.Query("owner")
 	bucket := ctx.Query("bucket")

 	accs, err := auth.CheckIfAccountsExist([]string{owner}, c.iam)
 	if err != nil {
-		return SendResponse(ctx, err,
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminChangeBucketOwner,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, err
 	}
 	if len(accs) > 0 {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrAdminUserNotFound),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminChangeBucketOwner,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAdminUserNotFound)
 	}

-	acl := auth.ACL{
-		Owner: owner,
-		Grantees: []auth.Grantee{
-			{
-				Permission: auth.PermissionFullControl,
-				Access:     owner,
-				Type:       types.TypeCanonicalUser,
-			},
-		},
-	}
-
-	aclParsed, err := json.Marshal(acl)
-	if err != nil {
-		return SendResponse(ctx, fmt.Errorf("failed to marshal the bucket acl: %w", err),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminChangeBucketOwner,
-			})
-	}
-
-	err = c.be.ChangeBucketOwner(ctx.Context(), bucket, aclParsed)
-	return SendResponse(ctx, err,
-		&MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminChangeBucketOwner,
-		})
+	err = c.be.ChangeBucketOwner(ctx.Context(), bucket, owner)
+	return &Response{
+		MetaOpts: &MetaOptions{},
+	}, err
 }

-func (c AdminController) ListBuckets(ctx *fiber.Ctx) error {
+func (c AdminController) ListBuckets(ctx *fiber.Ctx) (*Response, error) {
 	buckets, err := c.be.ListBucketsAndOwners(ctx.Context())
-	return SendXMLResponse(ctx,
-		s3response.ListBucketsResult{
+	return &Response{
+		Data: s3response.ListBucketsResult{
 			Buckets: buckets,
-		}, err, &MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminListBuckets,
-		})
+		},
+		MetaOpts: &MetaOptions{},
+	}, err
 }
--- a/s3api/controllers/admin_test.go
+++ b/s3api/controllers/admin_test.go
@@ -16,439 +16,564 @@ package controllers

 import (
 	"context"
-	"fmt"
+	"encoding/xml"
+	"errors"
 	"net/http"
-	"net/http/httptest"
-	"strings"
 	"testing"

-	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/assert"
 	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3log"
 	"github.com/versity/versitygw/s3response"
 )

-func TestAdminController_CreateUser(t *testing.T) {
+func TestNewAdminController(t *testing.T) {
 	type args struct {
-		req *http.Request
+		iam auth.IAMService
+		be  backend.Backend
+		l   s3log.AuditLogger
 	}
-
-	adminController := AdminController{
-		iam: &IAMServiceMock{
-			CreateAccountFunc: func(account auth.Account) error {
-				return nil
-			},
-		},
-	}
-
-	app := fiber.New()
-
-	app.Patch("/create-user", adminController.CreateUser)
-
-	succUser := `
-		<Account>
-			<Access>access</Access>
-			<Secret>secret</Secret>
-			<Role>admin</Role>
-			<UserID>0</UserID>
-			<GroupID>0</GroupID>
-		</Account>
-	`
-	invuser := `
-		<Account>
-			<Access>access</Access>
-			<Secret>secret</Secret>
-			<Role>invalid_role</Role>
-			<UserID>0</UserID>
-			<GroupID>0</GroupID>
-		</Account>
-	`
-
 	tests := []struct {
-		name       string
-		app        *fiber.App
-		args       args
-		wantErr    bool
-		statusCode int
+		name string
+		args args
+		want AdminController
 	}{
 		{
-			name: "Admin-create-user-malformed-body",
-			app:  app,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/create-user", nil),
-			},
-			wantErr:    false,
-			statusCode: 400,
-		},
-		{
-			name: "Admin-create-user-invalid-requester-role",
-			app:  app,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/create-user", strings.NewReader(invuser)),
-			},
-			wantErr:    false,
-			statusCode: 400,
-		},
-		{
-			name: "Admin-create-user-success",
-			app:  app,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/create-user", strings.NewReader(succUser)),
-			},
-			wantErr:    false,
-			statusCode: 201,
+			name: "initialize admin api",
+			args: args{},
+			want: AdminController{},
 		},
 	}
 	for _, tt := range tests {
-		resp, err := tt.app.Test(tt.args.req)
+		t.Run(tt.name, func(t *testing.T) {
+			got := NewAdminController(tt.args.iam, tt.args.be, tt.args.l)
+			assert.Equal(t, got, tt.want)
+		})
+	}
+}

-		if (err != nil) != tt.wantErr {
-			t.Errorf("AdminController.CreateUser() error = %v, wantErr %v", err, tt.wantErr)
-		}
+func TestAdminController_CreateUser(t *testing.T) {
+	validBody, err := xml.Marshal(auth.Account{
+		Access: "access",
+		Secret: "secret",
+		Role:   auth.RoleAdmin,
+	})
+	assert.NoError(t, err)

-		if resp.StatusCode != tt.statusCode {
-			t.Errorf("AdminController.CreateUser() statusCode = %v, wantStatusCode = %v", resp.StatusCode, tt.statusCode)
-		}
+	invalidUserRoleBody, err := xml.Marshal(auth.Account{
+		Access: "access",
+		Secret: "secret",
+		Role:   auth.Role("invalid_role"),
+	})
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "invalid request body",
+			input: testInput{
+				body: []byte("invalid_request_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "invalid user role",
+			input: testInput{
+				body: invalidUserRoleBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrAdminInvalidUserRole),
+			},
+		},
+		{
+			name: "backend returns user exists error",
+			input: testInput{
+				body:  validBody,
+				beErr: auth.ErrUserExists,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrAdminUserExists),
+			},
+		},
+		{
+			name: "backend returns other error",
+			input: testInput{
+				body:  validBody,
+				beErr: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				body: validBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						Status: http.StatusCreated,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			iam := &IAMServiceMock{
+				CreateAccountFunc: func(account auth.Account) error {
+					return tt.input.beErr
+				},
+			}
+
+			ctrl := AdminController{
+				iam: iam,
+			}
+
+			testController(
+				t,
+				ctrl.CreateUser,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					body: tt.input.body,
+				})
+		})
 	}
 }

 func TestAdminController_UpdateUser(t *testing.T) {
-	type args struct {
-		req *http.Request
-	}
+	validBody, err := xml.Marshal(auth.MutableProps{
+		Secret: utils.GetStringPtr("secret"),
+		Role:   auth.RoleAdmin,
+	})
+	assert.NoError(t, err)

-	adminController := AdminController{
-		iam: &IAMServiceMock{
-			UpdateUserAccountFunc: func(access string, props auth.MutableProps) error {
-				return nil
-			},
-		},
-	}
-
-	app := fiber.New()
-
-	app.Patch("/update-user", adminController.UpdateUser)
-
-	adminControllerErr := AdminController{
-		iam: &IAMServiceMock{
-			UpdateUserAccountFunc: func(access string, props auth.MutableProps) error {
-				return auth.ErrNoSuchUser
-			},
-		},
-	}
-
-	appNotFound := fiber.New()
-
-	appNotFound.Patch("/update-user", adminControllerErr.UpdateUser)
-
-	succUser := `
-		<Account>
-			<Secret>secret</Secret>
-			<UserID>0</UserID>
-			<GroupID>0</GroupID>
-		</Account>
-	`
+	invalidUserRoleBody, err := xml.Marshal(auth.MutableProps{
+		Secret: utils.GetStringPtr("secret"),
+		Role:   auth.Role("invalid_role"),
+	})
+	assert.NoError(t, err)

 	tests := []struct {
-		name       string
-		app        *fiber.App
-		args       args
-		wantErr    bool
-		statusCode int
+		name   string
+		input  testInput
+		output testOutput
 	}{
 		{
-			name: "Admin-update-user-success",
-			app:  app,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/update-user?access=access", strings.NewReader(succUser)),
+			name: "missing user access key",
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrAdminMissingUserAcess),
 			},
-			wantErr:    false,
-			statusCode: 200,
 		},
 		{
-			name: "Admin-update-user-missing-access",
-			app:  app,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/update-user", strings.NewReader(succUser)),
+			name: "invalid request body",
+			input: testInput{
+				body: []byte("invalid_request_body"),
+				queries: map[string]string{
+					"access": "user",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
 			},
-			wantErr:    false,
-			statusCode: 404,
 		},
 		{
-			name: "Admin-update-user-invalid-request-body",
-			app:  app,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/update-user?access=access", nil),
+			name: "invalid user role",
+			input: testInput{
+				body: invalidUserRoleBody,
+				queries: map[string]string{
+					"access": "user",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrAdminInvalidUserRole),
 			},
-			wantErr:    false,
-			statusCode: 400,
 		},
 		{
-			name: "Admin-update-user-not-found",
-			app:  appNotFound,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/update-user?access=access", strings.NewReader(succUser)),
+			name: "backend returns user not found error",
+			input: testInput{
+				body:  validBody,
+				beErr: auth.ErrNoSuchUser,
+				queries: map[string]string{
+					"access": "user",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrAdminUserNotFound),
+			},
+		},
+		{
+			name: "backend returns other error",
+			input: testInput{
+				body:  validBody,
+				beErr: s3err.GetAPIError(s3err.ErrInvalidRequest),
+				queries: map[string]string{
+					"access": "user",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				body: validBody,
+				queries: map[string]string{
+					"access": "user",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
 			},
-			wantErr:    false,
-			statusCode: 404,
 		},
 	}
 	for _, tt := range tests {
-		resp, err := tt.app.Test(tt.args.req)
+		t.Run(tt.name, func(t *testing.T) {
+			iam := &IAMServiceMock{
+				UpdateUserAccountFunc: func(access string, props auth.MutableProps) error {
+					return tt.input.beErr
+				},
+			}

-		if (err != nil) != tt.wantErr {
-			t.Errorf("AdminController.UpdateUser() error = %v, wantErr %v", err, tt.wantErr)
-		}
+			ctrl := AdminController{
+				iam: iam,
+			}

-		if resp.StatusCode != tt.statusCode {
-			t.Errorf("AdminController.UpdateUser() statusCode = %v, wantStatusCode = %v", resp.StatusCode, tt.statusCode)
-		}
+			testController(
+				t,
+				ctrl.UpdateUser,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					body:    tt.input.body,
+					queries: tt.input.queries,
+				})
+		})
 	}
 }

 func TestAdminController_DeleteUser(t *testing.T) {
-	type args struct {
-		req *http.Request
-	}
-
-	adminController := AdminController{
-		iam: &IAMServiceMock{
-			DeleteUserAccountFunc: func(access string) error {
-				return nil
-			},
-		},
-	}
-
-	app := fiber.New()
-
-	app.Patch("/delete-user", adminController.DeleteUser)
-
 	tests := []struct {
-		name       string
-		app        *fiber.App
-		args       args
-		wantErr    bool
-		statusCode int
+		name   string
+		input  testInput
+		output testOutput
 	}{
 		{
-			name: "Admin-delete-user-success",
-			app:  app,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/delete-user?access=test", nil),
+			name: "missing user access key",
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrAdminMissingUserAcess),
+			},
+		},
+		{
+			name: "backend returns other error",
+			input: testInput{
+				beErr: s3err.GetAPIError(s3err.ErrInvalidRequest),
+				queries: map[string]string{
+					"access": "user",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				queries: map[string]string{
+					"access": "user",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
 			},
-			wantErr:    false,
-			statusCode: 200,
 		},
 	}
 	for _, tt := range tests {
-		resp, err := tt.app.Test(tt.args.req)
+		t.Run(tt.name, func(t *testing.T) {
+			iam := &IAMServiceMock{
+				DeleteUserAccountFunc: func(access string) error {
+					return tt.input.beErr
+				},
+			}

-		if (err != nil) != tt.wantErr {
-			t.Errorf("AdminController.DeleteUser() error = %v, wantErr %v", err, tt.wantErr)
-		}
+			ctrl := AdminController{
+				iam: iam,
+			}

-		if resp.StatusCode != tt.statusCode {
-			t.Errorf("AdminController.DeleteUser() statusCode = %v, wantStatusCode = %v", resp.StatusCode, tt.statusCode)
-		}
+			testController(
+				t,
+				ctrl.DeleteUser,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					queries: tt.input.queries,
+				})
+		})
 	}
 }

 func TestAdminController_ListUsers(t *testing.T) {
-	type args struct {
-		req *http.Request
-	}
-
-	adminController := AdminController{
-		iam: &IAMServiceMock{
-			ListUserAccountsFunc: func() ([]auth.Account, error) {
-				return []auth.Account{}, nil
-			},
+	accs := []auth.Account{
+		{
+			Access: "access",
+			Secret: "secret",
+		},
+		{
+			Access: "access",
+			Secret: "secret",
 		},
 	}
-
-	adminControllerErr := AdminController{
-		iam: &IAMServiceMock{
-			ListUserAccountsFunc: func() ([]auth.Account, error) {
-				return []auth.Account{}, fmt.Errorf("server error")
-			},
-		},
-	}
-
-	appErr := fiber.New()
-	appErr.Patch("/list-users", adminControllerErr.ListUsers)
-
-	appSucc := fiber.New()
-	appSucc.Patch("/list-users", adminController.ListUsers)
-
 	tests := []struct {
-		name       string
-		app        *fiber.App
-		args       args
-		wantErr    bool
-		statusCode int
+		name   string
+		input  testInput
+		output testOutput
 	}{
 		{
-			name: "Admin-list-users-iam-error",
-			app:  appErr,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/list-users", nil),
+			name: "backend returns error",
+			input: testInput{
+				beRes: []auth.Account{},
+				beErr: s3err.GetAPIError(s3err.ErrInternalError),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: auth.ListUserAccountsResult{
+						Accounts: []auth.Account{},
+					},
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrInternalError),
 			},
-			wantErr:    false,
-			statusCode: 500,
 		},
 		{
-			name: "Admin-list-users-success",
-			app:  appSucc,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/list-users", nil),
+			name: "successful response",
+			input: testInput{
+				beRes: accs,
+			},
+			output: testOutput{
+				response: &Response{
+					Data: auth.ListUserAccountsResult{
+						Accounts: accs,
+					},
+					MetaOpts: &MetaOptions{},
+				},
 			},
-			wantErr:    false,
-			statusCode: 200,
 		},
 	}
 	for _, tt := range tests {
-		resp, err := tt.app.Test(tt.args.req)
+		t.Run(tt.name, func(t *testing.T) {
+			iam := &IAMServiceMock{
+				ListUserAccountsFunc: func() ([]auth.Account, error) {
+					return tt.input.beRes.([]auth.Account), tt.input.beErr
+				},
+			}

-		if (err != nil) != tt.wantErr {
-			t.Errorf("AdminController.ListUsers() error = %v, wantErr %v", err, tt.wantErr)
-		}
+			ctrl := AdminController{
+				iam: iam,
+			}

-		if resp.StatusCode != tt.statusCode {
-			t.Errorf("AdminController.ListUsers() statusCode = %v, wantStatusCode = %v", resp.StatusCode, tt.statusCode)
-		}
+			testController(
+				t,
+				ctrl.ListUsers,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					queries: tt.input.queries,
+				})
+		})
 	}
 }

 func TestAdminController_ChangeBucketOwner(t *testing.T) {
-	type args struct {
-		req *http.Request
-	}
-	adminController := AdminController{
-		be: &BackendMock{
-			ChangeBucketOwnerFunc: func(contextMoqParam context.Context, bucket string, acl []byte) error {
-				return nil
-			},
-		},
-		iam: &IAMServiceMock{
-			GetUserAccountFunc: func(access string) (auth.Account, error) {
-				return auth.Account{}, nil
-			},
-		},
-	}
-
-	adminControllerIamErr := AdminController{
-		iam: &IAMServiceMock{
-			GetUserAccountFunc: func(access string) (auth.Account, error) {
-				return auth.Account{}, fmt.Errorf("unknown server error")
-			},
-		},
-	}
-
-	adminControllerIamAccDoesNotExist := AdminController{
-		iam: &IAMServiceMock{
-			GetUserAccountFunc: func(access string) (auth.Account, error) {
-				return auth.Account{}, auth.ErrNoSuchUser
-			},
-		},
-	}
-
-	app := fiber.New()
-	app.Patch("/change-bucket-owner", adminController.ChangeBucketOwner)
-
-	appIamErr := fiber.New()
-	appIamErr.Patch("/change-bucket-owner", adminControllerIamErr.ChangeBucketOwner)
-
-	appIamNoSuchUser := fiber.New()
-	appIamNoSuchUser.Patch("/change-bucket-owner", adminControllerIamAccDoesNotExist.ChangeBucketOwner)
-
 	tests := []struct {
-		name       string
-		app        *fiber.App
-		args       args
-		wantErr    bool
-		statusCode int
+		name   string
+		input  testInput
+		output testOutput
 	}{
 		{
-			name: "Change-bucket-owner-check-account-server-error",
-			app:  appIamErr,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/change-bucket-owner", nil),
+			name: "fails to get user account",
+			input: testInput{
+				extraMockErr: s3err.GetAPIError(s3err.ErrInternalError),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: errors.New("check user account: "),
 			},
-			wantErr:    false,
-			statusCode: 500,
 		},
 		{
-			name: "Change-bucket-owner-acc-does-not-exist",
-			app:  appIamNoSuchUser,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/change-bucket-owner", nil),
+			name: "user not found",
+			input: testInput{
+				extraMockErr: auth.ErrNoSuchUser,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrAdminUserNotFound),
 			},
-			wantErr:    false,
-			statusCode: 404,
 		},
 		{
-			name: "Change-bucket-owner-success",
-			app:  app,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/change-bucket-owner?bucket=bucket&owner=owner", nil),
+			name: "backend returns error",
+			input: testInput{
+				beErr: s3err.GetAPIError(s3err.ErrAdminMethodNotSupported),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrAdminMethodNotSupported),
+			},
+		},
+		{
+			name: "successful response",
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
 			},
-			wantErr:    false,
-			statusCode: 200,
 		},
 	}
 	for _, tt := range tests {
-		resp, err := tt.app.Test(tt.args.req)
+		t.Run(tt.name, func(t *testing.T) {
+			iam := &IAMServiceMock{
+				GetUserAccountFunc: func(access string) (auth.Account, error) {
+					return auth.Account{}, tt.input.extraMockErr
+				},
+			}
+			be := &BackendMock{
+				ChangeBucketOwnerFunc: func(contextMoqParam context.Context, bucket, owner string) error {
+					return tt.input.beErr
+				},
+			}

-		if (err != nil) != tt.wantErr {
-			t.Errorf("AdminController.ChangeBucketOwner() error = %v, wantErr %v", err, tt.wantErr)
-		}
+			ctrl := AdminController{
+				iam: iam,
+				be:  be,
+			}

-		if resp.StatusCode != tt.statusCode {
-			t.Errorf("AdminController.ChangeBucketOwner() statusCode = %v, wantStatusCode = %v", resp.StatusCode, tt.statusCode)
-		}
+			testController(
+				t,
+				ctrl.ChangeBucketOwner,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{},
+			)
+		})
 	}
 }

 func TestAdminController_ListBuckets(t *testing.T) {
-	type args struct {
-		req *http.Request
-	}
-	adminController := AdminController{
-		be: &BackendMock{
-			ListBucketsAndOwnersFunc: func(contextMoqParam context.Context) ([]s3response.Bucket, error) {
-				return []s3response.Bucket{}, nil
-			},
+	res := []s3response.Bucket{
+		{
+			Name:  "bucket",
+			Owner: "owner",
 		},
 	}

-	app := fiber.New()
-	app.Patch("/list-buckets", adminController.ListBuckets)
-
 	tests := []struct {
-		name       string
-		app        *fiber.App
-		args       args
-		wantErr    bool
-		statusCode int
+		name   string
+		input  testInput
+		output testOutput
 	}{
 		{
-			name: "List-buckets-success",
-			app:  app,
-			args: args{
-				req: httptest.NewRequest(http.MethodPatch, "/list-buckets", nil),
+			name: "backend returns other error",
+			input: testInput{
+				beRes: []s3response.Bucket{},
+				beErr: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.ListBucketsResult{
+						Buckets: []s3response.Bucket{},
+					},
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				beRes: res,
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.ListBucketsResult{
+						Buckets: res,
+					},
+					MetaOpts: &MetaOptions{},
+				},
 			},
-			wantErr:    false,
-			statusCode: 200,
 		},
 	}
 	for _, tt := range tests {
-		resp, err := tt.app.Test(tt.args.req)
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				ListBucketsAndOwnersFunc: func(contextMoqParam context.Context) ([]s3response.Bucket, error) {
+					return tt.input.beRes.([]s3response.Bucket), tt.input.beErr
+				},
+			}

-		if (err != nil) != tt.wantErr {
-			t.Errorf("AdminController.ListBuckets() error = %v, wantErr %v", err, tt.wantErr)
-		}
+			ctrl := AdminController{
+				be: be,
+			}

-		if resp.StatusCode != tt.statusCode {
-			t.Errorf("AdminController.ListBuckets() statusCode = %v, wantStatusCode = %v", resp.StatusCode, tt.statusCode)
-		}
+			testController(
+				t,
+				ctrl.ListBuckets,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{},
+			)
+		})
 	}
 }
--- a/s3api/controllers/backend_moq_test.go
+++ b/s3api/controllers/backend_moq_test.go
@@ -26,7 +26,7 @@ var _ backend.Backend = &BackendMock{}
 //			AbortMultipartUploadFunc: func(contextMoqParam context.Context, abortMultipartUploadInput *s3.AbortMultipartUploadInput) error {
 //				panic("mock out the AbortMultipartUpload method")
 //			},
-//			ChangeBucketOwnerFunc: func(contextMoqParam context.Context, bucket string, acl []byte) error {
+//			ChangeBucketOwnerFunc: func(contextMoqParam context.Context, bucket string, owner string) error {
 //				panic("mock out the ChangeBucketOwner method")
 //			},
 //			CompleteMultipartUploadFunc: func(contextMoqParam context.Context, completeMultipartUploadInput *s3.CompleteMultipartUploadInput) (s3response.CompleteMultipartUploadResult, string, error) {
@@ -134,7 +134,7 @@ var _ backend.Backend = &BackendMock{}
 //			PutBucketAclFunc: func(contextMoqParam context.Context, bucket string, data []byte) error {
 //				panic("mock out the PutBucketAcl method")
 //			},
-//			PutBucketCorsFunc: func(contextMoqParam context.Context, bytes []byte) error {
+//			PutBucketCorsFunc: func(contextMoqParam context.Context, bucket string, cors []byte) error {
 //				panic("mock out the PutBucketCors method")
 //			},
 //			PutBucketOwnershipControlsFunc: func(contextMoqParam context.Context, bucket string, ownership types.ObjectOwnership) error {
@@ -196,7 +196,7 @@ type BackendMock struct {
 	AbortMultipartUploadFunc func(contextMoqParam context.Context, abortMultipartUploadInput *s3.AbortMultipartUploadInput) error

 	// ChangeBucketOwnerFunc mocks the ChangeBucketOwner method.
-	ChangeBucketOwnerFunc func(contextMoqParam context.Context, bucket string, acl []byte) error
+	ChangeBucketOwnerFunc func(contextMoqParam context.Context, bucket string, owner string) error

 	// CompleteMultipartUploadFunc mocks the CompleteMultipartUpload method.
 	CompleteMultipartUploadFunc func(contextMoqParam context.Context, completeMultipartUploadInput *s3.CompleteMultipartUploadInput) (s3response.CompleteMultipartUploadResult, string, error)
@@ -304,7 +304,7 @@ type BackendMock struct {
 	PutBucketAclFunc func(contextMoqParam context.Context, bucket string, data []byte) error

 	// PutBucketCorsFunc mocks the PutBucketCors method.
-	PutBucketCorsFunc func(contextMoqParam context.Context, bytes []byte) error
+	PutBucketCorsFunc func(contextMoqParam context.Context, bucket string, cors []byte) error

 	// PutBucketOwnershipControlsFunc mocks the PutBucketOwnershipControls method.
 	PutBucketOwnershipControlsFunc func(contextMoqParam context.Context, bucket string, ownership types.ObjectOwnership) error
@@ -369,8 +369,8 @@ type BackendMock struct {
 			ContextMoqParam context.Context
 			// Bucket is the bucket argument value.
 			Bucket string
-			// ACL is the acl argument value.
-			ACL []byte
+			// Owner is the owner argument value.
+			Owner string
 		}
 		// CompleteMultipartUpload holds details about calls to the CompleteMultipartUpload method.
 		CompleteMultipartUpload []struct {
@@ -635,8 +635,10 @@ type BackendMock struct {
 		PutBucketCors []struct {
 			// ContextMoqParam is the contextMoqParam argument value.
 			ContextMoqParam context.Context
-			// Bytes is the bytes argument value.
-			Bytes []byte
+			// Bucket is the bucket argument value.
+			Bucket string
+			// Cors is the cors argument value.
+			Cors []byte
 		}
 		// PutBucketOwnershipControls holds details about calls to the PutBucketOwnershipControls method.
 		PutBucketOwnershipControls []struct {
@@ -864,23 +866,23 @@ func (mock *BackendMock) AbortMultipartUploadCalls() []struct {
 }

 // ChangeBucketOwner calls ChangeBucketOwnerFunc.
-func (mock *BackendMock) ChangeBucketOwner(contextMoqParam context.Context, bucket string, acl []byte) error {
+func (mock *BackendMock) ChangeBucketOwner(contextMoqParam context.Context, bucket string, owner string) error {
 	if mock.ChangeBucketOwnerFunc == nil {
 		panic("BackendMock.ChangeBucketOwnerFunc: method is nil but Backend.ChangeBucketOwner was just called")
 	}
 	callInfo := struct {
 		ContextMoqParam context.Context
 		Bucket          string
-		ACL             []byte
+		Owner           string
 	}{
 		ContextMoqParam: contextMoqParam,
 		Bucket:          bucket,
-		ACL:             acl,
+		Owner:           owner,
 	}
 	mock.lockChangeBucketOwner.Lock()
 	mock.calls.ChangeBucketOwner = append(mock.calls.ChangeBucketOwner, callInfo)
 	mock.lockChangeBucketOwner.Unlock()
-	return mock.ChangeBucketOwnerFunc(contextMoqParam, bucket, acl)
+	return mock.ChangeBucketOwnerFunc(contextMoqParam, bucket, owner)
 }

 // ChangeBucketOwnerCalls gets all the calls that were made to ChangeBucketOwner.
@@ -890,12 +892,12 @@ func (mock *BackendMock) ChangeBucketOwner(contextMoqParam context.Context, buck
 func (mock *BackendMock) ChangeBucketOwnerCalls() []struct {
 	ContextMoqParam context.Context
 	Bucket          string
-	ACL             []byte
+	Owner           string
 } {
 	var calls []struct {
 		ContextMoqParam context.Context
 		Bucket          string
-		ACL             []byte
+		Owner           string
 	}
 	mock.lockChangeBucketOwner.RLock()
 	calls = mock.calls.ChangeBucketOwner
@@ -2192,21 +2194,23 @@ func (mock *BackendMock) PutBucketAclCalls() []struct {
 }

 // PutBucketCors calls PutBucketCorsFunc.
-func (mock *BackendMock) PutBucketCors(contextMoqParam context.Context, bytes []byte) error {
+func (mock *BackendMock) PutBucketCors(contextMoqParam context.Context, bucket string, cors []byte) error {
 	if mock.PutBucketCorsFunc == nil {
 		panic("BackendMock.PutBucketCorsFunc: method is nil but Backend.PutBucketCors was just called")
 	}
 	callInfo := struct {
 		ContextMoqParam context.Context
-		Bytes           []byte
+		Bucket          string
+		Cors            []byte
 	}{
 		ContextMoqParam: contextMoqParam,
-		Bytes:           bytes,
+		Bucket:          bucket,
+		Cors:            cors,
 	}
 	mock.lockPutBucketCors.Lock()
 	mock.calls.PutBucketCors = append(mock.calls.PutBucketCors, callInfo)
 	mock.lockPutBucketCors.Unlock()
-	return mock.PutBucketCorsFunc(contextMoqParam, bytes)
+	return mock.PutBucketCorsFunc(contextMoqParam, bucket, cors)
 }

 // PutBucketCorsCalls gets all the calls that were made to PutBucketCors.
@@ -2215,11 +2219,13 @@ func (mock *BackendMock) PutBucketCors(contextMoqParam context.Context, bytes []
 //	len(mockedBackend.PutBucketCorsCalls())
 func (mock *BackendMock) PutBucketCorsCalls() []struct {
 	ContextMoqParam context.Context
-	Bytes           []byte
+	Bucket          string
+	Cors            []byte
 } {
 	var calls []struct {
 		ContextMoqParam context.Context
-		Bytes           []byte
+		Bucket          string
+		Cors            []byte
 	}
 	mock.lockPutBucketCors.RLock()
 	calls = mock.calls.PutBucketCors
--- a/s3api/controllers/base.go
+++ b/s3api/controllers/base.go
--- a/s3api/controllers/base_test.go
+++ b/s3api/controllers/base_test.go
--- a/s3api/controllers/bucket-delete.go
+++ b/s3api/controllers/bucket-delete.go
@@ -0,0 +1,194 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"net/http"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+)
+
+func (c S3ApiController) DeleteBucketTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Action:         auth.PutBucketTaggingAction,
+			IsBucketPublic: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteBucketTagging(ctx.Context(), bucket)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) DeleteBucketOwnershipControls(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:      c.readonly,
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWrite,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Action:        auth.PutBucketOwnershipControlsAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteBucketOwnershipControls(ctx.Context(), bucket)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) DeleteBucketPolicy(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:      c.readonly,
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWrite,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Action:        auth.DeleteBucketPolicyAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteBucketPolicy(ctx.Context(), bucket)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) DeleteBucketCors(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Action:         auth.PutBucketCorsAction,
+			IsBucketPublic: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteBucketCors(ctx.Context(), bucket)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) DeleteBucket(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Action:         auth.DeleteBucketAction,
+			IsBucketPublic: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteBucket(ctx.Context(), bucket)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
--- a/s3api/controllers/bucket-delete_test.go
+++ b/s3api/controllers/bucket-delete_test.go
@@ -0,0 +1,413 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestS3ApiController_DeleteBucketTagging(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrAclNotSupported),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAclNotSupported),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketTaggingFunc: func(_ context.Context, _ string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketTagging,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucketOwnershipControls(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketOwnershipControlsFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketOwnershipControls,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucketPolicy(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketPolicy,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucketCors(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrAdminMethodNotSupported),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAdminMethodNotSupported),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketCorsFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketCors,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucket(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucket,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-get.go
+++ b/s3api/controllers/bucket-get.go
@@ -0,0 +1,621 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) GetBucketTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.GetBucketTaggingAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	tags, err := c.be.GetBucketTagging(ctx.Context(), bucket)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	resp := s3response.Tagging{
+		TagSet: s3response.TagSet{
+			Tags: make([]s3response.Tag, 0, len(tags)),
+		},
+	}
+
+	for key, val := range tags {
+		resp.TagSet.Tags = append(resp.TagSet.Tags,
+			s3response.Tag{Key: key, Value: val})
+	}
+
+	return &Response{
+		Data: resp,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketOwnershipControls(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.GetBucketOwnershipControlsAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetBucketOwnershipControls(ctx.Context(), bucket)
+	return &Response{
+		Data: s3response.OwnershipControls{
+			Rules: []types.OwnershipControlsRule{
+				{
+					ObjectOwnership: data,
+				},
+			},
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketVersioning(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.GetBucketVersioningAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	// Only admin users and the bucket owner are allowed to get the versioning state of a bucket.
+	if err := auth.IsAdminOrOwner(acct, isRoot, parsedAcl); err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetBucketVersioning(ctx.Context(), bucket)
+	return &Response{
+		Data: data,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketCors(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.GetBucketCorsAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetBucketCors(ctx.Context(), bucket)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	output, err := auth.ParseCORSOutput(data)
+	return &Response{
+		Data: output,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketPolicy(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.GetBucketPolicyAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetBucketPolicy(ctx.Context(), bucket)
+	return &Response{
+		Data: data,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketPolicyStatus(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.GetBucketPolicyStatusAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	policyRaw, err := c.be.GetBucketPolicy(ctx.Context(), bucket)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	policy, err := auth.ParsePolicyDocument(policyRaw)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	isPublic := policy.IsPublic()
+
+	return &Response{
+		Data: types.PolicyStatus{
+			IsPublic: &isPublic,
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
+
+func (c S3ApiController) ListObjectVersions(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	prefix := ctx.Query("prefix")
+	delimiter := ctx.Query("delimiter")
+	maxkeysStr := ctx.Query("max-keys")
+	keyMarker := ctx.Query("key-marker")
+	versionIdMarker := ctx.Query("version-id-marker")
+	// context keys
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.ListBucketVersionsAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	maxkeys, err := utils.ParseUint(maxkeysStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max keys %q: %v",
+			maxkeysStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxKeys)
+	}
+
+	data, err := c.be.ListObjectVersions(ctx.Context(),
+		&s3.ListObjectVersionsInput{
+			Bucket:          &bucket,
+			Delimiter:       &delimiter,
+			KeyMarker:       &keyMarker,
+			MaxKeys:         &maxkeys,
+			Prefix:          &prefix,
+			VersionIdMarker: &versionIdMarker,
+		})
+	return &Response{
+		Data: data,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetObjectLockConfiguration(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	// context keys
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.GetBucketObjectLockConfigurationAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetObjectLockConfiguration(ctx.Context(), bucket)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	resp, err := auth.ParseBucketLockConfigurationOutput(data)
+	return &Response{
+		Data: resp,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketAcl(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	// context keys
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionReadAcp,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.GetBucketAclAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetBucketAcl(ctx.Context(),
+		&s3.GetBucketAclInput{Bucket: &bucket})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := auth.ParseACLOutput(data, parsedAcl.Owner)
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) ListMultipartUploads(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	prefix := ctx.Query("prefix")
+	delimiter := ctx.Query("delimiter")
+	keyMarker := ctx.Query("key-marker")
+	maxUploadsStr := ctx.Query("max-uploads")
+	uploadIdMarker := ctx.Query("upload-id-marker")
+	// context keys
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.ListBucketMultipartUploadsAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	maxUploads, err := utils.ParseUint(maxUploadsStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max uploads %q: %v",
+			maxUploadsStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxUploads)
+	}
+	res, err := c.be.ListMultipartUploads(ctx.Context(),
+		&s3.ListMultipartUploadsInput{
+			Bucket:         &bucket,
+			Delimiter:      &delimiter,
+			Prefix:         &prefix,
+			UploadIdMarker: &uploadIdMarker,
+			MaxUploads:     &maxUploads,
+			KeyMarker:      &keyMarker,
+		})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) ListObjectsV2(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	prefix := ctx.Query("prefix")
+	cToken := ctx.Query("continuation-token")
+	sAfter := ctx.Query("start-after")
+	delimiter := ctx.Query("delimiter")
+	maxkeysStr := ctx.Query("max-keys")
+	fetchOwner := strings.EqualFold(ctx.Query("fetch-owner"), "true")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.ListBucketAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	maxkeys, err := utils.ParseUint(maxkeysStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max keys %q: %v",
+			maxkeysStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxKeys)
+	}
+
+	res, err := c.be.ListObjectsV2(ctx.Context(),
+		&s3.ListObjectsV2Input{
+			Bucket:            &bucket,
+			Prefix:            &prefix,
+			ContinuationToken: &cToken,
+			Delimiter:         &delimiter,
+			MaxKeys:           &maxkeys,
+			StartAfter:        &sAfter,
+			FetchOwner:        &fetchOwner,
+		})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) ListObjects(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	prefix := ctx.Query("prefix")
+	marker := ctx.Query("marker")
+	delimiter := ctx.Query("delimiter")
+	maxkeysStr := ctx.Query("max-keys")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.ListBucketAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	maxkeys, err := utils.ParseUint(maxkeysStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max keys %q: %v",
+			maxkeysStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxKeys)
+	}
+
+	res, err := c.be.ListObjects(ctx.Context(),
+		&s3.ListObjectsInput{
+			Bucket:    &bucket,
+			Prefix:    &prefix,
+			Marker:    &marker,
+			Delimiter: &delimiter,
+			MaxKeys:   &maxkeys,
+		})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
--- a/s3api/controllers/bucket-get_test.go
+++ b/s3api/controllers/bucket-get_test.go
--- a/s3api/controllers/bucket-head.go
+++ b/s3api/controllers/bucket-head.go
@@ -0,0 +1,73 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+)
+
+func (c S3ApiController) HeadBucket(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	region := utils.ContextKeyRegion.Get(ctx).(string)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionRead,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Action:         auth.ListBucketAction,
+			IsBucketPublic: isPublicBucket,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	_, err = c.be.HeadBucket(ctx.Context(),
+		&s3.HeadBucketInput{
+			Bucket: &bucket,
+		})
+
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	return &Response{
+		Headers: map[string]*string{
+			"X-Amz-Access-Point-Alias": utils.GetStringPtr("false"),
+			"X-Amz-Bucket-Region":      utils.GetStringPtr(region),
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
--- a/s3api/controllers/bucket-head_test.go
+++ b/s3api/controllers/bucket-head_test.go
@@ -0,0 +1,136 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestS3ApiController_HeadBucket(t *testing.T) {
+	region := "us-east-1"
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyIsRoot: false,
+					utils.ContextKeyParsedAcl: auth.ACL{
+						Owner: "root",
+					},
+					utils.ContextKeyAccount: auth.Account{
+						Access: "user",
+						Role:   auth.RoleUser,
+					},
+					utils.ContextKeyRegion: region,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyIsRoot: true,
+					utils.ContextKeyParsedAcl: auth.ACL{
+						Owner: "root",
+					},
+					utils.ContextKeyAccount: auth.Account{
+						Access: "root",
+						Role:   auth.RoleAdmin,
+					},
+					utils.ContextKeyRegion: region,
+				},
+				beErr: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyIsRoot: true,
+					utils.ContextKeyParsedAcl: auth.ACL{
+						Owner: "root",
+					},
+					utils.ContextKeyAccount: auth.Account{
+						Access: "root",
+						Role:   auth.RoleAdmin,
+					},
+					utils.ContextKeyRegion: region,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"X-Amz-Access-Point-Alias": utils.GetStringPtr("false"),
+						"X-Amz-Bucket-Region":      utils.GetStringPtr(region),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				HeadBucketFunc: func(contextMoqParam context.Context, headBucketInput *s3.HeadBucketInput) (*s3.HeadBucketOutput, error) {
+					return &s3.HeadBucketOutput{}, tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.HeadBucket,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-list.go
+++ b/s3api/controllers/bucket-list.go
@@ -0,0 +1,69 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"strconv"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) ListBuckets(ctx *fiber.Ctx) (*Response, error) {
+	cToken := ctx.Query("continuation-token")
+	prefix := ctx.Query("prefix")
+	maxBucketsStr := ctx.Query("max-buckets")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	region, ok := utils.ContextKeyRegion.Get(ctx).(string)
+	if !ok {
+		region = defaultRegion
+	}
+
+	maxBuckets := defaultMaxBuckets
+	if maxBucketsStr != "" {
+		maxBucketsParsed, err := strconv.ParseInt(maxBucketsStr, 10, 32)
+		if err != nil || maxBucketsParsed < 0 || maxBucketsParsed > int64(defaultMaxBuckets) {
+			debuglogger.Logf("error parsing max-buckets %q: %v", maxBucketsStr, err)
+			return &Response{
+				MetaOpts: &MetaOptions{},
+			}, s3err.GetAPIError(s3err.ErrInvalidMaxBuckets)
+		}
+		maxBuckets = int32(maxBucketsParsed)
+	}
+
+	res, err := c.be.ListBuckets(ctx.Context(),
+		s3response.ListBucketsInput{
+			Owner:             acct.Access,
+			IsAdmin:           acct.Role == auth.RoleAdmin,
+			MaxBuckets:        maxBuckets,
+			ContinuationToken: cToken,
+			Prefix:            prefix,
+		})
+	if err != nil {
+		return &Response{}, err
+	}
+
+	for i := range res.Buckets.Bucket {
+		res.Buckets.Bucket[i].BucketRegion = region
+	}
+
+	return &Response{
+		Data: res,
+	}, nil
+}
--- a/s3api/controllers/bucket-list_test.go
+++ b/s3api/controllers/bucket-list_test.go
@@ -0,0 +1,108 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"testing"
+
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func TestS3ApiController_ListBuckets(t *testing.T) {
+	validRes := s3response.ListAllMyBucketsResult{
+		Owner: s3response.CanonicalUser{
+			ID: "root",
+		},
+		Buckets: s3response.ListAllMyBucketsList{
+			Bucket: []s3response.ListAllMyBucketsEntry{
+				{Name: "test"},
+			},
+		},
+	}
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "invalid max buckets",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"max-buckets": "-1",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidMaxBuckets),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				beRes:  s3response.ListAllMyBucketsResult{},
+			},
+			output: testOutput{
+				response: &Response{},
+				err:      s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  validRes,
+				queries: map[string]string{
+					"max-buckets": "3",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: validRes,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				ListBucketsFunc: func(contextMoqParam context.Context, listBucketsInput s3response.ListBucketsInput) (s3response.ListAllMyBucketsResult, error) {
+					return tt.input.beRes.(s3response.ListAllMyBucketsResult), tt.input.beErr
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.ListBuckets,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-post.go
+++ b/s3api/controllers/bucket-post.go
@@ -0,0 +1,94 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"encoding/xml"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) DeleteObjects(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	bypass := strings.EqualFold(ctx.Get("X-Amz-Bypass-Governance-Retention"), "true")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Action:         auth.DeleteObjectAction,
+			IsBucketPublic: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var dObj s3response.DeleteObjects
+	err = xml.Unmarshal(ctx.Body(), &dObj)
+	if err != nil {
+		debuglogger.Logf("error unmarshalling delete objects: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidRequest)
+	}
+
+	err = auth.CheckObjectAccess(ctx.Context(), bucket, acct.Access, dObj.Objects, bypass, IsBucketPublic, c.be)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := c.be.DeleteObjects(ctx.Context(),
+		&s3.DeleteObjectsInput{
+			Bucket: &bucket,
+			Delete: &types.Delete{
+				Objects: dObj.Objects,
+			},
+		})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			ObjectCount: int64(len(dObj.Objects)),
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectRemovedDeleteObjects,
+		},
+	}, err
+}
--- a/s3api/controllers/bucket-post_test.go
+++ b/s3api/controllers/bucket-post_test.go
@@ -0,0 +1,165 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"encoding/xml"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+	"github.com/versity/versitygw/s3response"
+)
+
+func TestS3ApiController_DeleteObjects(t *testing.T) {
+	validBody, err := xml.Marshal(s3response.DeleteObjects{
+		Objects: []types.ObjectIdentifier{
+			{Key: utils.GetStringPtr("obj")},
+		},
+	})
+	assert.NoError(t, err)
+
+	validRes := s3response.DeleteResult{
+		Deleted: []types.DeletedObject{
+			{Key: utils.GetStringPtr("key")},
+		},
+	}
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "check object access returns error",
+			input: testInput{
+				locals:       defaultLocals,
+				body:         validBody,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals:       defaultLocals,
+				beRes:        s3response.DeleteResult{},
+				beErr:        s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				body:         validBody,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.DeleteResult{},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventObjectRemovedDeleteObjects,
+						ObjectCount: 1,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals:       defaultLocals,
+				body:         validBody,
+				beRes:        validRes,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: validRes,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventObjectRemovedDeleteObjects,
+						ObjectCount: 1,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteObjectsFunc: func(contextMoqParam context.Context, deleteObjectsInput *s3.DeleteObjectsInput) (s3response.DeleteResult, error) {
+					return tt.input.beRes.(s3response.DeleteResult), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+				GetObjectLockConfigurationFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, tt.input.extraMockErr
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteObjects,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-put.go
+++ b/s3api/controllers/bucket-put.go
@@ -0,0 +1,603 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"bytes"
+	"encoding/xml"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) PutBucketTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionWrite,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.PutBucketTaggingAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	tagging, err := utils.ParseTagging(ctx.Body(), utils.TagLimitBucket)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutBucketTagging(ctx.Context(), bucket, tagging)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutBucketOwnershipControls(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+
+	if err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:      c.readonly,
+		Acl:           parsedAcl,
+		AclPermission: auth.PermissionWrite,
+		IsRoot:        isRoot,
+		Acc:           acct,
+		Bucket:        bucket,
+		Action:        auth.PutBucketOwnershipControlsAction,
+	}); err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var ownershipControls s3response.OwnershipControls
+	if err := xml.Unmarshal(ctx.Body(), &ownershipControls); err != nil {
+		debuglogger.Logf("failed to unmarshal request body: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	rulesCount := len(ownershipControls.Rules)
+	isValidOwnership := utils.IsValidOwnership(ownershipControls.Rules[0].ObjectOwnership)
+	if rulesCount != 1 || !isValidOwnership {
+		if rulesCount != 1 {
+			debuglogger.Logf("ownership control rules should be 1, got %v", rulesCount)
+		}
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	err := c.be.PutBucketOwnershipControls(ctx.Context(), bucket, ownershipControls.Rules[0].ObjectOwnership)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutBucketVersioning(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionWrite,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.PutBucketVersioningAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var versioningConf types.VersioningConfiguration
+	err = xml.Unmarshal(ctx.Body(), &versioningConf)
+	if err != nil {
+		debuglogger.Logf("error unmarshalling versioning configuration: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidRequest)
+	}
+
+	if versioningConf.Status != types.BucketVersioningStatusEnabled &&
+		versioningConf.Status != types.BucketVersioningStatusSuspended {
+		debuglogger.Logf("invalid versioning configuration status: %v", versioningConf.Status)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	err = c.be.PutBucketVersioning(ctx.Context(), bucket, versioningConf.Status)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutObjectLockConfiguration(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	if err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionWrite,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.PutBucketObjectLockConfigurationAction,
+		IsBucketPublic: isPublicBucket,
+	}); err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	config, err := auth.ParseBucketLockConfigurationInput(ctx.Body())
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutObjectLockConfiguration(ctx.Context(), bucket, config)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutBucketCors(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionWrite,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Action:         auth.PutBucketCorsAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	body := ctx.Body()
+
+	var corsConfig auth.CORSConfiguration
+	err = xml.Unmarshal(body, &corsConfig)
+	if err != nil {
+		debuglogger.Logf("invalid CORS request body: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	// validate the CORS configuration rules
+	err = corsConfig.Validate()
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	algo, checksusms, err := utils.ParseChecksumHeadersAndSdkAlgo(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	if algo != "" {
+		rdr, err := utils.NewHashReader(bytes.NewReader(body), checksusms[algo], utils.HashType(strings.ToLower(string(algo))))
+		if err != nil {
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, err
+		}
+
+		// Pass the same body to avoid data duplication
+		_, err = rdr.Read(body)
+		if err != nil {
+			debuglogger.Logf("failed to read hash calculation data: %v", err)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, err
+		}
+	}
+
+	err = c.be.PutBucketCors(ctx.Context(), bucket, body)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutBucketPolicy(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:      c.readonly,
+		Acl:           parsedAcl,
+		AclPermission: auth.PermissionWrite,
+		IsRoot:        isRoot,
+		Acc:           acct,
+		Bucket:        bucket,
+		Action:        auth.PutBucketPolicyAction,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = auth.ValidatePolicyDocument(ctx.Body(), bucket, c.iam)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutBucketPolicy(ctx.Context(), bucket, ctx.Body())
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutBucketAcl(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acl := ctx.Get("X-Amz-Acl")
+	grantFullControl := ctx.Get("X-Amz-Grant-Full-Control")
+	grantRead := ctx.Get("X-Amz-Grant-Read")
+	grantReadACP := ctx.Get("X-Amz-Grant-Read-Acp")
+	grantWrite := ctx.Get("X-Amz-Grant-Write")
+	grantWriteACP := ctx.Get("X-Amz-Grant-Write-Acp")
+	// context locals
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+
+	grants := grantFullControl + grantRead + grantReadACP + grantWrite + grantWriteACP
+	var input *auth.PutBucketAclInput
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:      c.readonly,
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWriteAcp,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Action:        auth.PutBucketAclAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	ownership, err := c.be.GetBucketOwnershipControls(ctx.Context(), bucket)
+	if err != nil && !errors.Is(err, s3err.GetAPIError(s3err.ErrOwnershipControlsNotFound)) {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	if ownership == types.ObjectOwnershipBucketOwnerEnforced {
+		debuglogger.Logf("bucket acls are disabled")
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrAclNotSupported)
+	}
+
+	if len(ctx.Body()) > 0 {
+		var accessControlPolicy auth.AccessControlPolicy
+		err := xml.Unmarshal(ctx.Body(), &accessControlPolicy)
+		if err != nil {
+			debuglogger.Logf("error unmarshalling access control policy: %v", err)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrMalformedACL)
+		}
+
+		err = accessControlPolicy.Validate()
+		if err != nil {
+			debuglogger.Logf("invalid access control policy: %v", err)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, err
+		}
+
+		if *accessControlPolicy.Owner.ID != parsedAcl.Owner {
+			debuglogger.Logf("invalid access control policy owner id: %v, expected %v", *accessControlPolicy.Owner.ID, parsedAcl.Owner)
+			return &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: parsedAcl.Owner,
+					},
+				}, s3err.APIError{
+					Code:           "InvalidArgument",
+					Description:    "Invalid id",
+					HTTPStatusCode: http.StatusBadRequest,
+				}
+		}
+
+		if grants+acl != "" {
+			debuglogger.Logf("invalid request: %q (grants) %q (acl)",
+				grants, acl)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrUnexpectedContent)
+		}
+
+		input = &auth.PutBucketAclInput{
+			Bucket:              &bucket,
+			AccessControlPolicy: &accessControlPolicy,
+		}
+	} else if acl != "" {
+		if acl != "private" && acl != "public-read" && acl != "public-read-write" {
+			debuglogger.Logf("invalid acl: %q", acl)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrInvalidRequest)
+		}
+		if grants != "" {
+			debuglogger.Logf("invalid request: %q (grants) %q (acl)",
+				grants, acl)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrBothCannedAndHeaderGrants)
+		}
+
+		input = &auth.PutBucketAclInput{
+			Bucket: &bucket,
+			ACL:    types.BucketCannedACL(acl),
+		}
+	} else if grants != "" {
+		input = &auth.PutBucketAclInput{
+			Bucket:           &bucket,
+			GrantFullControl: &grantFullControl,
+			GrantRead:        &grantRead,
+			GrantReadACP:     &grantReadACP,
+			GrantWrite:       &grantWrite,
+			GrantWriteACP:    &grantWriteACP,
+		}
+	} else {
+		debuglogger.Logf("none of the bucket acl options has been specified: canned, req headers, req body")
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMissingSecurityHeader)
+	}
+
+	updAcl, err := auth.UpdateACL(input, parsedAcl, c.iam, acct.Role == auth.RoleAdmin)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutBucketAcl(ctx.Context(), bucket, updAcl)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) CreateBucket(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acl := ctx.Get("X-Amz-Acl")
+	grantFullControl := ctx.Get("X-Amz-Grant-Full-Control")
+	grantRead := ctx.Get("X-Amz-Grant-Read")
+	grantReadACP := ctx.Get("X-Amz-Grant-Read-Acp")
+	grantWrite := ctx.Get("X-Amz-Grant-Write")
+	grantWriteACP := ctx.Get("X-Amz-Grant-Write-Acp")
+	lockEnabled := strings.EqualFold(ctx.Get("X-Amz-Bucket-Object-Lock-Enabled"), "true")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	grants := grantFullControl + grantRead + grantReadACP + grantWrite + grantWriteACP
+	objectOwnership := types.ObjectOwnership(
+		ctx.Get("X-Amz-Object-Ownership", string(types.ObjectOwnershipBucketOwnerEnforced)),
+	)
+
+	if acct.Role != auth.RoleAdmin && acct.Role != auth.RoleUserPlus {
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAccessDenied)
+	}
+
+	// validate the bucket name
+	if ok := utils.IsValidBucketName(bucket); !ok {
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrInvalidBucketName)
+	}
+
+	// validate the object ownership value
+	if ok := utils.IsValidOwnership(objectOwnership); !ok {
+		return &Response{
+				MetaOpts: &MetaOptions{},
+			}, s3err.APIError{
+				Code:           "InvalidArgument",
+				Description:    fmt.Sprintf("Invalid x-amz-object-ownership header: %v", objectOwnership),
+				HTTPStatusCode: http.StatusBadRequest,
+			}
+	}
+
+	if acl+grants != "" && objectOwnership == types.ObjectOwnershipBucketOwnerEnforced {
+		debuglogger.Logf("bucket acls are disabled for %v object ownership", objectOwnership)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: acct.Access,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidBucketAclWithObjectOwnership)
+	}
+
+	if acl != "" && grants != "" {
+		debuglogger.Logf("invalid request: %q (grants) %q (acl)", grants, acl)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: acct.Access,
+			},
+		}, s3err.GetAPIError(s3err.ErrBothCannedAndHeaderGrants)
+	}
+
+	defACL := auth.ACL{
+		Owner: acct.Access,
+	}
+
+	updAcl, err := auth.UpdateACL(&auth.PutBucketAclInput{
+		GrantFullControl: &grantFullControl,
+		GrantRead:        &grantRead,
+		GrantReadACP:     &grantReadACP,
+		GrantWrite:       &grantWrite,
+		GrantWriteACP:    &grantWriteACP,
+		AccessControlPolicy: &auth.AccessControlPolicy{
+			Owner: &types.Owner{
+				ID: &acct.Access,
+			}},
+		ACL: types.BucketCannedACL(acl),
+	}, defACL, c.iam, acct.Role == auth.RoleAdmin)
+	if err != nil {
+		debuglogger.Logf("failed to update bucket acl: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: acct.Access,
+			},
+		}, err
+	}
+
+	err = c.be.CreateBucket(ctx.Context(), &s3.CreateBucketInput{
+		Bucket:                     &bucket,
+		ObjectOwnership:            objectOwnership,
+		ObjectLockEnabledForBucket: &lockEnabled,
+	}, updAcl)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: acct.Access,
+		},
+	}, err
+}
--- a/s3api/controllers/bucket-put_test.go
+++ b/s3api/controllers/bucket-put_test.go
--- a/s3api/controllers/object-delete.go
+++ b/s3api/controllers/object-delete.go
@@ -0,0 +1,198 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3event"
+)
+
+func (c S3ApiController) DeleteObjectTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Object:         key,
+			Action:         auth.DeleteObjectTaggingAction,
+			IsBucketPublic: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteObjectTagging(ctx.Context(), bucket, key)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			Status:      http.StatusNoContent,
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectTaggingDelete,
+		},
+	}, err
+}
+
+func (c S3ApiController) AbortMultipartUpload(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	uploadId := ctx.Query("uploadId")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Object:         key,
+			Action:         auth.AbortMultipartUploadAction,
+			IsBucketPublic: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.AbortMultipartUpload(ctx.Context(),
+		&s3.AbortMultipartUploadInput{
+			UploadId: &uploadId,
+			Bucket:   &bucket,
+			Key:      &key,
+		})
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) DeleteObject(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	bypass := strings.EqualFold(ctx.Get("X-Amz-Bypass-Governance-Retention"), "true")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	//TODO: check s3:DeleteObjectVersion policy in case a use tries to delete a version of an object
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Object:         key,
+			Action:         auth.DeleteObjectAction,
+			IsBucketPublic: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = auth.CheckObjectAccess(
+		ctx.Context(),
+		bucket,
+		acct.Access,
+		[]types.ObjectIdentifier{
+			{
+				Key:       &key,
+				VersionId: &versionId,
+			},
+		},
+		bypass,
+		isBucketPublic,
+		c.be,
+	)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := c.be.DeleteObject(ctx.Context(),
+		&s3.DeleteObjectInput{
+			Bucket:    &bucket,
+			Key:       &key,
+			VersionId: &versionId,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+				EventName:   s3event.EventObjectRemovedDelete,
+				Status:      http.StatusNoContent,
+			},
+		}, err
+	}
+
+	headers := map[string]*string{
+		"x-amz-version-id": res.VersionId,
+	}
+
+	if res.DeleteMarker != nil && *res.DeleteMarker {
+		headers["x-amz-delete-marker"] = utils.GetStringPtr("true")
+	}
+
+	return &Response{
+		Headers: headers,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectRemovedDelete,
+			Status:      http.StatusNoContent,
+		},
+	}, nil
+}
--- a/s3api/controllers/object-delete_test.go
+++ b/s3api/controllers/object-delete_test.go
@@ -0,0 +1,296 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+)
+
+func TestS3ApiController_DeleteObjectTagging(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+						EventName:   s3event.EventObjectTaggingDelete,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+						EventName:   s3event.EventObjectTaggingDelete,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteObjectTaggingFunc: func(contextMoqParam context.Context, bucket, object string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteObjectTagging,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_AbortMultipartUpload(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				AbortMultipartUploadFunc: func(contextMoqParam context.Context, abortMultipartUploadInput *s3.AbortMultipartUploadInput) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.AbortMultipartUpload,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteObject(t *testing.T) {
+	delMarker, versionId := true, "versionId"
+	var emptyRes *s3.DeleteObjectOutput
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "object locked",
+			input: testInput{
+				locals:       defaultLocals,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals:       defaultLocals,
+				beErr:        s3err.GetAPIError(s3err.ErrInvalidRequest),
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+				beRes:        emptyRes,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+						EventName:   s3event.EventObjectRemovedDelete,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals:       defaultLocals,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+				beRes: &s3.DeleteObjectOutput{
+					DeleteMarker: &delMarker,
+					VersionId:    &versionId,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-delete-marker": utils.GetStringPtr("true"),
+						"x-amz-version-id":    &versionId,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+						EventName:   s3event.EventObjectRemovedDelete,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteObjectFunc: func(contextMoqParam context.Context, deleteObjectInput *s3.DeleteObjectInput) (*s3.DeleteObjectOutput, error) {
+					return tt.input.beRes.(*s3.DeleteObjectOutput), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+				GetObjectLockConfigurationFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, tt.input.extraMockErr
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteObject,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
--- a/s3api/controllers/object-get.go
+++ b/s3api/controllers/object-get.go
@@ -0,0 +1,509 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"math"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) GetObjectTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Object:         key,
+		Action:         auth.GetObjectTaggingAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetObjectTagging(ctx.Context(), bucket, key)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	tags := s3response.Tagging{
+		TagSet: s3response.TagSet{Tags: []s3response.Tag{}},
+	}
+
+	for key, val := range data {
+		tags.TagSet.Tags = append(tags.TagSet.Tags,
+			s3response.Tag{Key: key, Value: val})
+	}
+
+	return &Response{
+		Data: tags,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetObjectRetention(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Object:         key,
+		Action:         auth.GetObjectRetentionAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetObjectRetention(ctx.Context(), bucket, key, versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	retention, err := auth.ParseObjectLockRetentionOutput(data)
+	return &Response{
+		Data: retention,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetObjectLegalHold(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Object:         key,
+		Action:         auth.GetObjectLegalHoldAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetObjectLegalHold(ctx.Context(), bucket, key, versionId)
+	return &Response{
+		Data: auth.ParseObjectLegalHoldOutput(data),
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetObjectAcl(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionReadAcp,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Object:         key,
+		Action:         auth.GetObjectAclAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	res, err := c.be.GetObjectAcl(ctx.Context(), &s3.GetObjectAclInput{
+		Bucket: &bucket,
+		Key:    &key,
+	})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) ListParts(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	uploadId := ctx.Query("uploadId")
+	partNumberMarker := ctx.Query("part-number-marker")
+	maxPartsStr := ctx.Query("max-parts")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Object:         key,
+		Action:         auth.ListMultipartUploadPartsAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// parse the part number marker
+	if partNumberMarker != "" {
+		n, err := strconv.Atoi(partNumberMarker)
+		if err != nil || n < 0 {
+			debuglogger.Logf("invalid part number marker %q: %v",
+				partNumberMarker, err)
+
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrInvalidPartNumberMarker)
+		}
+	}
+
+	// parse the max parts
+	maxParts, err := utils.ParseUint(maxPartsStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max parts %q: %v",
+			maxPartsStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxParts)
+	}
+
+	res, err := c.be.ListParts(ctx.Context(), &s3.ListPartsInput{
+		Bucket:           &bucket,
+		Key:              &key,
+		UploadId:         &uploadId,
+		PartNumberMarker: &partNumberMarker,
+		MaxParts:         &maxParts,
+	})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetObjectAttributes(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	maxPartsStr := ctx.Get("X-Amz-Max-Parts")
+	partNumberMarker := ctx.Get("X-Amz-Part-Number-Marker")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Object:         key,
+		Action:         auth.GetObjectAttributesAction,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// parse max parts
+	maxParts, err := utils.ParseUint(maxPartsStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max parts %q: %v",
+			maxPartsStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxParts)
+	}
+
+	// parse the object attributes
+	attrs, err := utils.ParseObjectAttributes(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := c.be.GetObjectAttributes(ctx.Context(),
+		&s3.GetObjectAttributesInput{
+			Bucket:           &bucket,
+			Key:              &key,
+			PartNumberMarker: &partNumberMarker,
+			MaxParts:         &maxParts,
+			VersionId:        &versionId,
+		})
+	if err != nil {
+		headers := map[string]*string{
+			"x-amz-version-id": res.VersionId,
+		}
+		if res.DeleteMarker != nil && *res.DeleteMarker {
+			headers["x-amz-delete-marker"] = utils.GetStringPtr("true")
+		}
+		return &Response{
+			Headers: headers,
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	headers := map[string]*string{
+		"x-amz-version-id": res.VersionId,
+		"Last-Modified":    utils.FormatDatePtrToString(res.LastModified, iso8601TimeFormatExtended),
+	}
+	if res.DeleteMarker != nil && *res.DeleteMarker {
+		headers["x-amz-delete-marker"] = utils.GetStringPtr("true")
+	}
+
+	return &Response{
+		Headers: headers,
+		Data:    utils.FilterObjectAttributes(attrs, res),
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetObject(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	acceptRange := ctx.Get("Range")
+	checksumMode := types.ChecksumMode(ctx.Get("x-amz-checksum-mode"))
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	utils.ContextKeySkipResBodyLog.Set(ctx, true)
+
+	action := auth.GetObjectAction
+	if ctx.Request().URI().QueryArgs().Has("versionId") {
+		action = auth.GetObjectVersionAction
+	}
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionRead,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Object:         key,
+		Action:         action,
+		IsBucketPublic: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// validate the checksum mode
+	if checksumMode != "" && checksumMode != types.ChecksumModeEnabled {
+		debuglogger.Logf("invalid x-amz-checksum-mode header value: %v", checksumMode)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-mode")
+	}
+
+	res, err := c.be.GetObject(ctx.Context(), &s3.GetObjectInput{
+		Bucket:       &bucket,
+		Key:          &key,
+		Range:        &acceptRange,
+		VersionId:    &versionId,
+		ChecksumMode: checksumMode,
+	})
+	if err != nil {
+		var headers map[string]*string
+		if res != nil {
+			headers = map[string]*string{
+				"x-amz-delete-marker": utils.GetStringPtr("true"),
+				"Last-Modified":       utils.FormatDatePtrToString(res.LastModified, timefmt),
+			}
+		}
+		return &Response{
+			Headers: headers,
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// Set x-amz-meta-... headers
+	utils.SetMetaHeaders(ctx, res.Metadata)
+
+	status := http.StatusOK
+	if acceptRange != "" {
+		status = http.StatusPartialContent
+	}
+
+	if res.Body != nil {
+		// -1 will stream response body until EOF if content length not set
+		contentLen := -1
+		if res.ContentLength != nil {
+			if *res.ContentLength > int64(math.MaxInt) {
+				debuglogger.Logf("content length %v int overflow",
+					*res.ContentLength)
+				return &Response{
+					MetaOpts: &MetaOptions{
+						ContentLength: utils.GetInt64(res.ContentLength),
+						BucketOwner:   parsedAcl.Owner,
+						Status:        status,
+					},
+				}, s3err.GetAPIError(s3err.ErrInvalidRange)
+			}
+			contentLen = int(*res.ContentLength)
+		}
+		utils.StreamResponseBody(ctx, res.Body, contentLen)
+	}
+
+	return &Response{
+		Headers: map[string]*string{
+			"ETag":                                res.ETag,
+			"x-amz-restore":                       res.Restore,
+			"accept-ranges":                       res.AcceptRanges,
+			"Content-Range":                       res.ContentRange,
+			"Content-Disposition":                 res.ContentDisposition,
+			"Content-Encoding":                    res.ContentEncoding,
+			"Content-Language":                    res.ContentLanguage,
+			"Cache-Control":                       res.CacheControl,
+			"Expires":                             res.ExpiresString,
+			"x-amz-checksum-crc32":                res.ChecksumCRC32,
+			"x-amz-checksum-crc64nvme":            res.ChecksumCRC64NVME,
+			"x-amz-checksum-crc32c":               res.ChecksumCRC32C,
+			"x-amz-checksum-sha1":                 res.ChecksumSHA1,
+			"x-amz-checksum-sha256":               res.ChecksumSHA256,
+			"Content-Type":                        res.ContentType,
+			"x-amz-version-id":                    res.VersionId,
+			"Content-Length":                      utils.ConvertPtrToStringPtr(res.ContentLength),
+			"x-amz-mp-parts-count":                utils.ConvertPtrToStringPtr(res.PartsCount),
+			"x-amz-tagging-count":                 utils.ConvertPtrToStringPtr(res.TagCount),
+			"x-amz-object-lock-mode":              utils.ConvertToStringPtr(res.ObjectLockMode),
+			"x-amz-object-lock-legal-hold":        utils.ConvertToStringPtr(res.ObjectLockLegalHoldStatus),
+			"x-amz-storage-class":                 utils.ConvertToStringPtr(res.StorageClass),
+			"x-amz-checksum-type":                 utils.ConvertToStringPtr(res.ChecksumType),
+			"x-amz-object-lock-retain-until-date": utils.FormatDatePtrToString(res.ObjectLockRetainUntilDate, time.RFC3339),
+			"Last-Modified":                       utils.FormatDatePtrToString(res.LastModified, timefmt),
+		},
+		MetaOpts: &MetaOptions{
+			ContentLength: utils.GetInt64(res.ContentLength),
+			BucketOwner:   parsedAcl.Owner,
+			Status:        status,
+		},
+	}, nil
+}
--- a/s3api/controllers/object-get_test.go
+++ b/s3api/controllers/object-get_test.go
@@ -0,0 +1,820 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func TestS3ApiController_GetObjectTagging(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  map[string]string{},
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes: map[string]string{
+					"key": "val",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.Tagging{
+						TagSet: s3response.TagSet{
+							Tags: []s3response.Tag{
+								{Key: "key", Value: "val"},
+							},
+						},
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectTaggingFunc: func(contextMoqParam context.Context, bucket, object string) (map[string]string, error) {
+					return tt.input.beRes.(map[string]string), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObjectTagging,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_GetObjectRetention(t *testing.T) {
+	retBytes, err := json.Marshal(types.ObjectLockRetention{
+		Mode: types.ObjectLockRetentionModeCompliance,
+	})
+	assert.NoError(t, err)
+
+	var retention *types.ObjectLockRetention
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  []byte{},
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "invalid data from backend",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  []byte{},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: retention,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: fmt.Errorf("parse object lock retention: "),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  retBytes,
+			},
+			output: testOutput{
+				response: &Response{
+					Data: &types.ObjectLockRetention{
+						Mode: types.ObjectLockRetentionModeCompliance,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectRetentionFunc: func(contextMoqParam context.Context, bucket, object, versionId string) ([]byte, error) {
+					return tt.input.beRes.([]byte), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObjectRetention,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_GetObjectLegalHold(t *testing.T) {
+	var legalHold *bool
+	var emptyLegalHold *s3response.GetObjectLegalHoldResult
+	status := true
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  legalHold,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: emptyLegalHold,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  &status,
+			},
+			output: testOutput{
+				response: &Response{
+					Data: &s3response.GetObjectLegalHoldResult{
+						Status: types.ObjectLockLegalHoldStatusOn,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectLegalHoldFunc: func(contextMoqParam context.Context, bucket, object, versionId string) (*bool, error) {
+					return tt.input.beRes.(*bool), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObjectLegalHold,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_GetObjectAcl(t *testing.T) {
+	var emptyRes *s3.GetObjectAclOutput
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  emptyRes,
+				beErr:  s3err.GetAPIError(s3err.ErrNotImplemented),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: emptyRes,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNotImplemented),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes: &s3.GetObjectAclOutput{
+					Owner: &types.Owner{
+						ID: utils.GetStringPtr("something"),
+					},
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: &s3.GetObjectAclOutput{
+						Owner: &types.Owner{
+							ID: utils.GetStringPtr("something"),
+						},
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectAclFunc: func(contextMoqParam context.Context, getObjectAclInput *s3.GetObjectAclInput) (*s3.GetObjectAclOutput, error) {
+					return tt.input.beRes.(*s3.GetObjectAclOutput), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObjectAcl,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_ListParts(t *testing.T) {
+	listPartsResult := s3response.ListPartsResult{
+		Bucket:      "my-bucket",
+		Key:         "obj",
+		IsTruncated: false,
+		Parts: []s3response.Part{
+			{ETag: "ETag"},
+		},
+	}
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid part number marker",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"part-number-marker": "-1",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidPartNumberMarker),
+			},
+		},
+		{
+			name: "invalid max parts",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"max-parts": "-1",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidMaxParts),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  s3response.ListPartsResult{},
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.ListPartsResult{},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  listPartsResult,
+			},
+			output: testOutput{
+				response: &Response{
+					Data: listPartsResult,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				ListPartsFunc: func(contextMoqParam context.Context, listPartsInput *s3.ListPartsInput) (s3response.ListPartsResult, error) {
+					return tt.input.beRes.(s3response.ListPartsResult), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.ListParts,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_GetObjectAttributes(t *testing.T) {
+	delMarker, lastModTime, etag := true, time.Now(), "ETag"
+	timeFormatted := lastModTime.UTC().Format(iso8601TimeFormatExtended)
+
+	validRes := s3response.GetObjectAttributesResponse{
+		DeleteMarker: &delMarker,
+		LastModified: &lastModTime,
+		VersionId:    utils.GetStringPtr("versionId"),
+		ETag:         &etag,
+	}
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid max parts",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"X-Amz-Max-Parts": "-1",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidMaxParts),
+			},
+		},
+		{
+			name: "invalid object attributes",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"X-Amz-Object-Attributes": "invalid_attribute",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidObjectAttributes),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  validRes,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				headers: map[string]string{
+					"X-Amz-Object-Attributes": "ETag",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-version-id":    utils.GetStringPtr("versionId"),
+						"x-amz-delete-marker": utils.GetStringPtr("true"),
+					},
+					Data: nil,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  validRes,
+				headers: map[string]string{
+					"X-Amz-Object-Attributes": "ETag",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-version-id":    utils.GetStringPtr("versionId"),
+						"x-amz-delete-marker": utils.GetStringPtr("true"),
+						"Last-Modified":       &timeFormatted,
+					},
+					Data: s3response.GetObjectAttributesResponse{
+						ETag: &etag,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectAttributesFunc: func(contextMoqParam context.Context, getObjectAttributesInput *s3.GetObjectAttributesInput) (s3response.GetObjectAttributesResponse, error) {
+					return tt.input.beRes.(s3response.GetObjectAttributesResponse), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObjectAttributes,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					headers: tt.input.headers,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_GetObject(t *testing.T) {
+	tm := time.Now()
+	cLength := int64(11)
+	rdr := io.NopCloser(strings.NewReader("hello world"))
+	delMarker := true
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid checksum mode",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"x-amz-checksum-mode": "invalid_checksum_mode",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-mode"),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+				beRes: &s3.GetObjectOutput{
+					DeleteMarker: &delMarker,
+					LastModified: &tm,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-delete-marker": utils.GetStringPtr("true"),
+						"Last-Modified":       utils.GetStringPtr(tm.UTC().Format(timefmt)),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+		},
+		// TODO: add a test case for overflowing content-length
+		// simulate a 32 bit arch to test the case
+		{
+			name: "successful response",
+			input: testInput{
+				headers: map[string]string{
+					"Range": "100-200",
+				},
+				queries: map[string]string{
+					"versionId": "versionId",
+				},
+				locals: defaultLocals,
+				beRes: &s3.GetObjectOutput{
+					ETag:          utils.GetStringPtr("ETag"),
+					ContentType:   utils.GetStringPtr("application/xml"),
+					ContentLength: &cLength,
+					Body:          rdr,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"ETag":                                utils.GetStringPtr("ETag"),
+						"x-amz-restore":                       nil,
+						"accept-ranges":                       nil,
+						"Content-Range":                       nil,
+						"Content-Disposition":                 nil,
+						"Content-Encoding":                    nil,
+						"Content-Language":                    nil,
+						"Cache-Control":                       nil,
+						"Expires":                             nil,
+						"x-amz-checksum-crc32":                nil,
+						"x-amz-checksum-crc64nvme":            nil,
+						"x-amz-checksum-crc32c":               nil,
+						"x-amz-checksum-sha1":                 nil,
+						"x-amz-checksum-sha256":               nil,
+						"x-amz-version-id":                    nil,
+						"x-amz-mp-parts-count":                nil,
+						"x-amz-object-lock-mode":              nil,
+						"x-amz-object-lock-legal-hold":        nil,
+						"x-amz-storage-class":                 nil,
+						"x-amz-checksum-type":                 nil,
+						"x-amz-object-lock-retain-until-date": nil,
+						"Last-Modified":                       nil,
+						"x-amz-tagging-count":                 nil,
+						"Content-Type":                        utils.GetStringPtr("application/xml"),
+						"Content-Length":                      utils.GetStringPtr("11"),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner:   "root",
+						Status:        http.StatusPartialContent,
+						ContentLength: cLength,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectFunc: func(contextMoqParam context.Context, getObjectInput *s3.GetObjectInput) (*s3.GetObjectOutput, error) {
+					return tt.input.beRes.(*s3.GetObjectOutput), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObject,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					headers: tt.input.headers,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
--- a/s3api/controllers/object-head.go
+++ b/s3api/controllers/object-head.go
@@ -0,0 +1,152 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func (c S3ApiController) HeadObject(ctx *fiber.Ctx) (*Response, error) {
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	// url values
+	bucket := ctx.Params("bucket")
+	partNumberQuery := int32(ctx.QueryInt("partNumber", -1))
+	versionId := ctx.Query("versionId")
+	objRange := ctx.Get("Range")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+
+	action := auth.GetObjectAction
+	if ctx.Request().URI().QueryArgs().Has("versionId") {
+		action = auth.GetObjectVersionAction
+	}
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionRead,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Object:         key,
+			Action:         action,
+			IsBucketPublic: isPublicBucket,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var partNumber *int32
+	if ctx.Request().URI().QueryArgs().Has("partNumber") {
+		if partNumberQuery < minPartNumber || partNumberQuery > maxPartNumber {
+			debuglogger.Logf("invalid part number: %d", partNumberQuery)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrInvalidPartNumber)
+		}
+
+		partNumber = &partNumberQuery
+	}
+
+	checksumMode := types.ChecksumMode(ctx.Get("x-amz-checksum-mode"))
+	if checksumMode != "" && checksumMode != types.ChecksumModeEnabled {
+		debuglogger.Logf("invalid x-amz-checksum-mode header value: %v", checksumMode)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-mode")
+	}
+
+	res, err := c.be.HeadObject(ctx.Context(),
+		&s3.HeadObjectInput{
+			Bucket:       &bucket,
+			Key:          &key,
+			PartNumber:   partNumber,
+			VersionId:    &versionId,
+			ChecksumMode: checksumMode,
+			Range:        &objRange,
+		})
+	if err != nil {
+		var headers map[string]*string
+		if res != nil {
+			headers = map[string]*string{
+				"x-amz-delete-marker": utils.GetStringPtr("true"),
+				"Last-Modified":       utils.GetStringPtr(res.LastModified.UTC().Format(timefmt)),
+			}
+		}
+		return &Response{
+			Headers: headers,
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// Set the metadata headers
+	utils.SetMetaHeaders(ctx, res.Metadata)
+
+	return &Response{
+		Headers: map[string]*string{
+			"ETag":                                res.ETag,
+			"x-amz-restore":                       res.Restore,
+			"accept-ranges":                       res.AcceptRanges,
+			"Content-Range":                       res.ContentRange,
+			"Content-Disposition":                 res.ContentDisposition,
+			"Content-Encoding":                    res.ContentEncoding,
+			"Content-Language":                    res.ContentLanguage,
+			"Cache-Control":                       res.CacheControl,
+			"Expires":                             res.ExpiresString,
+			"x-amz-checksum-crc32":                res.ChecksumCRC32,
+			"x-amz-checksum-crc64nvme":            res.ChecksumCRC64NVME,
+			"x-amz-checksum-crc32c":               res.ChecksumCRC32C,
+			"x-amz-checksum-sha1":                 res.ChecksumSHA1,
+			"x-amz-checksum-sha256":               res.ChecksumSHA256,
+			"Content-Type":                        res.ContentType,
+			"x-amz-version-id":                    res.VersionId,
+			"Content-Length":                      utils.ConvertPtrToStringPtr(res.ContentLength),
+			"x-amz-mp-parts-count":                utils.ConvertPtrToStringPtr(res.PartsCount),
+			"x-amz-object-lock-mode":              utils.ConvertToStringPtr(res.ObjectLockMode),
+			"x-amz-object-lock-legal-hold":        utils.ConvertToStringPtr(res.ObjectLockLegalHoldStatus),
+			"x-amz-storage-class":                 utils.ConvertToStringPtr(res.StorageClass),
+			"x-amz-checksum-type":                 utils.ConvertToStringPtr(res.ChecksumType),
+			"x-amz-object-lock-retain-until-date": utils.FormatDatePtrToString(res.ObjectLockRetainUntilDate, time.RFC3339),
+			"Last-Modified":                       utils.FormatDatePtrToString(res.LastModified, timefmt),
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
--- a/s3api/controllers/object-head_test.go
+++ b/s3api/controllers/object-head_test.go
@@ -0,0 +1,184 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestS3ApiController_HeadObject(t *testing.T) {
+	tm := time.Now()
+	cLength := int64(100)
+
+	failingBeRes := &s3.HeadObjectOutput{
+		LastModified: &tm,
+	}
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid part number",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"partNumber": "-4",
+					"versionId":  "id",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidPartNumber),
+			},
+		},
+		{
+			name: "invalid checksum mode",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"x-amz-checksum-mode": "invalid_checksum_mode",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-mode"),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+				beRes:  failingBeRes,
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-delete-marker": utils.GetStringPtr("true"),
+						"Last-Modified":       utils.GetStringPtr(tm.UTC().Format(timefmt)),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				queries: map[string]string{
+					"partNumber": "4",
+				},
+				locals: defaultLocals,
+				beRes: &s3.HeadObjectOutput{
+					ETag:          utils.GetStringPtr("ETag"),
+					ContentType:   utils.GetStringPtr("application/xml"),
+					ContentLength: &cLength,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"ETag":                                utils.GetStringPtr("ETag"),
+						"x-amz-restore":                       nil,
+						"accept-ranges":                       nil,
+						"Content-Range":                       nil,
+						"Content-Disposition":                 nil,
+						"Content-Encoding":                    nil,
+						"Content-Language":                    nil,
+						"Cache-Control":                       nil,
+						"Expires":                             nil,
+						"x-amz-checksum-crc32":                nil,
+						"x-amz-checksum-crc64nvme":            nil,
+						"x-amz-checksum-crc32c":               nil,
+						"x-amz-checksum-sha1":                 nil,
+						"x-amz-checksum-sha256":               nil,
+						"x-amz-version-id":                    nil,
+						"x-amz-mp-parts-count":                nil,
+						"x-amz-object-lock-mode":              nil,
+						"x-amz-object-lock-legal-hold":        nil,
+						"x-amz-storage-class":                 nil,
+						"x-amz-checksum-type":                 nil,
+						"x-amz-object-lock-retain-until-date": nil,
+						"Last-Modified":                       nil,
+						"Content-Type":                        utils.GetStringPtr("application/xml"),
+						"Content-Length":                      utils.GetStringPtr("100"),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				HeadObjectFunc: func(contextMoqParam context.Context, headObjectInput *s3.HeadObjectInput) (*s3.HeadObjectOutput, error) {
+					return tt.input.beRes.(*s3.HeadObjectOutput), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.HeadObject,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					queries: tt.input.queries,
+					headers: tt.input.headers,
+				})
+		})
+	}
+}
--- a/s3api/controllers/object-post.go
+++ b/s3api/controllers/object-post.go
@@ -0,0 +1,354 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"encoding/xml"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) RestoreObject(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Object:         key,
+			Action:         auth.RestoreObjectAction,
+			IsBucketPublic: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var restoreRequest types.RestoreRequest
+	if err := xml.Unmarshal(ctx.Body(), &restoreRequest); err != nil {
+		debuglogger.Logf("failed to parse the request body: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	err = c.be.RestoreObject(ctx.Context(), &s3.RestoreObjectInput{
+		Bucket:         &bucket,
+		Key:            &key,
+		RestoreRequest: &restoreRequest,
+	})
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectRestoreCompleted,
+		},
+	}, err
+}
+
+func (c S3ApiController) SelectObjectContent(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionRead,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Object:         key,
+			Action:         auth.GetObjectAction,
+			IsBucketPublic: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var payload s3response.SelectObjectContentPayload
+	err = xml.Unmarshal(ctx.Body(), &payload)
+	if err != nil {
+		debuglogger.Logf("error unmarshalling select object content: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	sw := c.be.SelectObjectContent(ctx.Context(),
+		&s3.SelectObjectContentInput{
+			Bucket:              &bucket,
+			Key:                 &key,
+			Expression:          payload.Expression,
+			ExpressionType:      payload.ExpressionType,
+			InputSerialization:  payload.InputSerialization,
+			OutputSerialization: payload.OutputSerialization,
+			RequestProgress:     payload.RequestProgress,
+			ScanRange:           payload.ScanRange,
+		})
+
+	ctx.Context().SetBodyStreamWriter(sw)
+
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
+
+func (c S3ApiController) CreateMultipartUpload(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	contentType := ctx.Get("Content-Type")
+	contentDisposition := ctx.Get("Content-Disposition")
+	contentLanguage := ctx.Get("Content-Language")
+	cacheControl := ctx.Get("Cache-Control")
+	contentEncoding := ctx.Get("Content-Encoding")
+	tagging := ctx.Get("X-Amz-Tagging")
+	expires := ctx.Get("Expires")
+	metadata := utils.GetUserMetaData(&ctx.Request().Header)
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:      c.readonly,
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWrite,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Object:        key,
+			Action:        auth.PutObjectAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	objLockState, err := utils.ParsObjectLockHdrs(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	checksumAlgorithm, checksumType, err := utils.ParseCreateMpChecksumHeaders(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := c.be.CreateMultipartUpload(ctx.Context(),
+		s3response.CreateMultipartUploadInput{
+			Bucket:                    &bucket,
+			Key:                       &key,
+			Tagging:                   &tagging,
+			ContentType:               &contentType,
+			ContentEncoding:           &contentEncoding,
+			ContentDisposition:        &contentDisposition,
+			ContentLanguage:           &contentLanguage,
+			CacheControl:              &cacheControl,
+			Expires:                   &expires,
+			ObjectLockRetainUntilDate: &objLockState.RetainUntilDate,
+			ObjectLockMode:            objLockState.ObjectLockMode,
+			ObjectLockLegalHoldStatus: objLockState.LegalHoldStatus,
+			Metadata:                  metadata,
+			ChecksumAlgorithm:         checksumAlgorithm,
+			ChecksumType:              checksumType,
+		})
+	var headers map[string]*string
+	if err == nil {
+		headers = map[string]*string{
+			"x-amz-checksum-algorithm": utils.ConvertToStringPtr(checksumAlgorithm),
+			"x-amz-checksum-type":      utils.ConvertToStringPtr(checksumType),
+		}
+	}
+	return &Response{
+		Headers: headers,
+		Data:    res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) CompleteMultipartUpload(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	uploadId := ctx.Query("uploadId")
+	mpuObjSizeHdr := ctx.Get("X-Amz-Mp-Object-Size")
+	checksumType := types.ChecksumType(strings.ToUpper(ctx.Get("x-amz-checksum-type")))
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Object:         key,
+			Action:         auth.PutObjectAction,
+			IsBucketPublic: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var body s3response.CompleteMultipartUploadRequestBody
+	err = xml.Unmarshal(ctx.Body(), &body)
+	if err != nil {
+		debuglogger.Logf("error unmarshalling complete multipart upload: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	if len(body.Parts) == 0 {
+		debuglogger.Logf("empty parts provided for complete multipart upload")
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrEmptyParts)
+	}
+
+	var mpuObjectSize *int64
+	if mpuObjSizeHdr != "" {
+		val, err := strconv.ParseInt(mpuObjSizeHdr, 10, 64)
+		if err != nil {
+			debuglogger.Logf("invalid value for 'x-amz-mp-object-size' header: %v", err)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetInvalidMpObjectSizeErr(mpuObjSizeHdr)
+		}
+
+		if val < 0 {
+			debuglogger.Logf("value for 'x-amz-mp-object-size' header is less than 0: %v", val)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetNegatvieMpObjectSizeErr(val)
+		}
+
+		mpuObjectSize = &val
+	}
+
+	checksums, err := utils.ParseChecksumHeaders(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = utils.IsChecksumTypeValid(checksumType)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, versid, err := c.be.CompleteMultipartUpload(ctx.Context(),
+		&s3.CompleteMultipartUploadInput{
+			Bucket:   &bucket,
+			Key:      &key,
+			UploadId: &uploadId,
+			MultipartUpload: &types.CompletedMultipartUpload{
+				Parts: body.Parts,
+			},
+			MpuObjectSize:     mpuObjectSize,
+			ChecksumCRC32:     utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32]),
+			ChecksumCRC32C:    utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32c]),
+			ChecksumSHA1:      utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha1]),
+			ChecksumSHA256:    utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha256]),
+			ChecksumCRC64NVME: utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc64nvme]),
+			ChecksumType:      checksumType,
+		})
+	return &Response{
+		Data: res,
+		Headers: map[string]*string{
+			"x-amz-version-id": &versid,
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			ObjectETag:  res.ETag,
+			EventName:   s3event.EventCompleteMultipartUpload,
+			VersionId:   &versid,
+		},
+	}, err
+}
--- a/s3api/controllers/object-post_test.go
+++ b/s3api/controllers/object-post_test.go
@@ -0,0 +1,563 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"bufio"
+	"context"
+	"encoding/xml"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+	"github.com/versity/versitygw/s3response"
+)
+
+func TestS3ApiController_RestoreObject(t *testing.T) {
+	validRestoreBody, err := xml.Marshal(types.RestoreRequest{
+		Description: utils.GetStringPtr("description"),
+		Type:        types.RestoreRequestTypeSelect,
+	})
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				body:   validRestoreBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventObjectRestoreCompleted,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validRestoreBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventObjectRestoreCompleted,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				RestoreObjectFunc: func(contextMoqParam context.Context, restoreObjectInput *s3.RestoreObjectInput) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.RestoreObject,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_SelectObjectContent(t *testing.T) {
+	validSelectBody, err := xml.Marshal(s3response.SelectObjectContentPayload{
+		Expression:     utils.GetStringPtr("expression"),
+		ExpressionType: types.ExpressionTypeSql,
+	})
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validSelectBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				SelectObjectContentFunc: func(ctx context.Context, input *s3.SelectObjectContentInput) func(w *bufio.Writer) {
+					return func(w *bufio.Writer) {}
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.SelectObjectContent,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_CreateMultipartUpload(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid object lock headers",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"X-Amz-Object-Lock-Mode": string(types.ObjectLockModeGovernance),
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrObjectLockInvalidHeaders),
+			},
+		},
+		{
+			name: "invalid checksum headers",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"X-Amz-Checksum-Algorithm": "invalid_checksum_algo",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidChecksumAlgorithm),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				beRes:  s3response.InitiateMultipartUploadResult{},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.InitiateMultipartUploadResult{},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  s3response.InitiateMultipartUploadResult{},
+				headers: map[string]string{
+					"x-amz-checksum-algorithm": string(types.ChecksumAlgorithmCrc32),
+					"x-amz-checksum-type":      string(types.ChecksumTypeComposite),
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.InitiateMultipartUploadResult{},
+					Headers: map[string]*string{
+						"x-amz-checksum-algorithm": utils.ConvertToStringPtr(types.ChecksumAlgorithmCrc32),
+						"x-amz-checksum-type":      utils.ConvertToStringPtr(types.ChecksumTypeComposite),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				CreateMultipartUploadFunc: func(contextMoqParam context.Context, createMultipartUploadInput s3response.CreateMultipartUploadInput) (s3response.InitiateMultipartUploadResult, error) {
+					return tt.input.beRes.(s3response.InitiateMultipartUploadResult), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.CreateMultipartUpload,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					headers: tt.input.headers,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_CompleteMultipartUpload(t *testing.T) {
+	emptyMpPartsBody, err := xml.Marshal(s3response.CompleteMultipartUploadRequestBody{
+		Parts: []types.CompletedPart{},
+	})
+	assert.NoError(t, err)
+	pn := int32(1)
+
+	validMpBody, err := xml.Marshal(s3response.CompleteMultipartUploadRequestBody{
+		Parts: []types.CompletedPart{
+			{
+				PartNumber: &pn,
+				ETag:       utils.GetStringPtr("ETag"),
+			},
+		},
+	})
+	assert.NoError(t, err)
+
+	versionId, ETag := "versionId", "mock-ETag"
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "request body empty mp parts",
+			input: testInput{
+				locals: defaultLocals,
+				body:   emptyMpPartsBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrEmptyParts),
+			},
+		},
+		{
+			name: "invalid mp parts header string",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validMpBody,
+				headers: map[string]string{
+					"X-Amz-Mp-Object-Size": "invalid_mp_object_size",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidMpObjectSizeErr("invalid_mp_object_size"),
+			},
+		},
+		{
+			name: "negative mp parts header value",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validMpBody,
+				headers: map[string]string{
+					"X-Amz-Mp-Object-Size": "-4",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetNegatvieMpObjectSizeErr(-4),
+			},
+		},
+		{
+			name: "invalid checksum headers",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validMpBody,
+				headers: map[string]string{
+					"X-Amz-Checksum-Crc32": "invalid_checksum",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-crc32"),
+			},
+		},
+		{
+			name: "invalid checksum type",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validMpBody,
+				headers: map[string]string{
+					"X-Amz-Checksum-Type": "invalid_checksum_type",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-type"),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validMpBody,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				beRes:  s3response.CompleteMultipartUploadResult{},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.CompleteMultipartUploadResult{},
+					Headers: map[string]*string{
+						"x-amz-version-id": &versionId,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventCompleteMultipartUpload,
+						VersionId:   &versionId,
+						ObjectETag:  nil,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validMpBody,
+				beRes: s3response.CompleteMultipartUploadResult{
+					ETag: &ETag,
+				},
+				headers: map[string]string{
+					"X-Amz-Mp-Object-Size": "3",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.CompleteMultipartUploadResult{
+						ETag: &ETag,
+					},
+					Headers: map[string]*string{
+						"x-amz-version-id": &versionId,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventCompleteMultipartUpload,
+						VersionId:   &versionId,
+						ObjectETag:  &ETag,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				CompleteMultipartUploadFunc: func(contextMoqParam context.Context, completeMultipartUploadInput *s3.CompleteMultipartUploadInput) (s3response.CompleteMultipartUploadResult, string, error) {
+					return tt.input.beRes.(s3response.CompleteMultipartUploadResult), versionId, tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.CompleteMultipartUpload,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					headers: tt.input.headers,
+				})
+		})
+	}
+}
--- a/s3api/controllers/object-put.go
+++ b/s3api/controllers/object-put.go
@@ -0,0 +1,737 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"bytes"
+	"encoding/xml"
+	"fmt"
+	"io"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) PutObjectTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionWrite,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Object:         key,
+		Action:         auth.PutObjectTaggingAction,
+		IsBucketPublic: IsBucketPublic,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	tagging, err := utils.ParseTagging(ctx.Body(), utils.TagLimitObject)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutObjectTagging(ctx.Context(), bucket, key, tagging)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectTaggingPut,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutObjectRetention(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	bypass := strings.EqualFold(ctx.Get("X-Amz-Bypass-Governance-Retention"), "true")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	if err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionWrite,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Object:         key,
+		Action:         auth.PutObjectRetentionAction,
+		IsBucketPublic: IsBucketPublic,
+	}); err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	if bypass {
+		policy, err := c.be.GetBucketPolicy(ctx.Context(), bucket)
+		if err != nil {
+			bypass = false
+		} else {
+			if err := auth.VerifyBucketPolicy(policy, acct.Access, bucket, key, auth.BypassGovernanceRetentionAction); err != nil {
+				bypass = false
+			}
+		}
+	}
+
+	retention, err := auth.ParseObjectLockRetentionInput(ctx.Body())
+	if err != nil {
+		debuglogger.Logf("failed to parse object lock configuration input: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutObjectRetention(ctx.Context(), bucket, key, versionId, bypass, retention)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutObjectLegalHold(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	if err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:       c.readonly,
+		Acl:            parsedAcl,
+		AclPermission:  auth.PermissionWrite,
+		IsRoot:         isRoot,
+		Acc:            acct,
+		Bucket:         bucket,
+		Object:         key,
+		Action:         auth.PutObjectLegalHoldAction,
+		IsBucketPublic: IsBucketPublic,
+	}); err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var legalHold types.ObjectLockLegalHold
+	if err := xml.Unmarshal(ctx.Body(), &legalHold); err != nil {
+		debuglogger.Logf("failed to parse request body: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	if legalHold.Status != types.ObjectLockLegalHoldStatusOff && legalHold.Status != types.ObjectLockLegalHoldStatusOn {
+		debuglogger.Logf("invalid legal hold status: %v", legalHold.Status)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	err := c.be.PutObjectLegalHold(ctx.Context(), bucket, key, versionId, legalHold.Status == types.ObjectLockLegalHoldStatusOn)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) UploadPart(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	partNumber := int32(ctx.QueryInt("partNumber", -1))
+	uploadId := ctx.Query("uploadId")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	contentLengthStr := ctx.Get("Content-Length")
+	if contentLengthStr == "" {
+		contentLengthStr = "0"
+	}
+	// Use decoded content length if available because the
+	// middleware will decode the chunked transfer encoding
+	decodedLength := ctx.Get("X-Amz-Decoded-Content-Length")
+	if decodedLength != "" {
+		contentLengthStr = decodedLength
+	}
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Object:         key,
+			Action:         auth.PutObjectAction,
+			IsBucketPublic: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	if partNumber < minPartNumber || partNumber > maxPartNumber {
+		debuglogger.Logf("invalid part number: %d", partNumber)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidPartNumber)
+	}
+
+	contentLength, err := strconv.ParseInt(contentLengthStr, 10, 64)
+	if err != nil {
+		debuglogger.Logf("error parsing content length %q: %v", contentLengthStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidRequest)
+	}
+
+	algorithm, checksums, err := utils.ParseChecksumHeadersAndSdkAlgo(ctx)
+	if err != nil {
+		debuglogger.Logf("err parsing checksum headers: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var body io.Reader
+	bodyi := utils.ContextKeyBodyReader.Get(ctx)
+	if bodyi != nil {
+		body = bodyi.(io.Reader)
+	} else {
+		body = bytes.NewReader([]byte{})
+	}
+
+	res, err := c.be.UploadPart(ctx.Context(),
+		&s3.UploadPartInput{
+			Bucket:            &bucket,
+			Key:               &key,
+			UploadId:          &uploadId,
+			PartNumber:        &partNumber,
+			ContentLength:     &contentLength,
+			Body:              body,
+			ChecksumAlgorithm: algorithm,
+			ChecksumCRC32:     utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32]),
+			ChecksumCRC32C:    utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32c]),
+			ChecksumSHA1:      utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha1]),
+			ChecksumSHA256:    utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha256]),
+			ChecksumCRC64NVME: utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc64nvme]),
+		})
+	var headers map[string]*string
+	if err == nil {
+		headers = map[string]*string{
+			"ETag":                     res.ETag,
+			"x-amz-checksum-crc32":     res.ChecksumCRC32,
+			"x-amz-checksum-crc32c":    res.ChecksumCRC32C,
+			"x-amz-checksum-crc64nvme": res.ChecksumCRC64NVME,
+			"x-amz-checksum-sha1":      res.ChecksumSHA1,
+			"x-amz-checksum-sha256":    res.ChecksumSHA256,
+		}
+	}
+	return &Response{
+		Headers: headers,
+		MetaOpts: &MetaOptions{
+			ContentLength: contentLength,
+			BucketOwner:   parsedAcl.Owner,
+		},
+	}, err
+
+}
+
+func (c S3ApiController) UploadPartCopy(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	copySource := strings.TrimPrefix(ctx.Get("X-Amz-Copy-Source"), "/")
+	copySrcRange := ctx.Get("X-Amz-Copy-Source-Range")
+	partNumber := int32(ctx.QueryInt("partNumber", -1))
+	uploadId := ctx.Query("uploadId")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := utils.ValidateCopySource(copySource)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = auth.VerifyObjectCopyAccess(ctx.Context(), c.be, copySource,
+		auth.AccessOptions{
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Object:         key,
+			Action:         auth.PutObjectAction,
+			IsBucketPublic: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	if partNumber < minPartNumber || partNumber > maxPartNumber {
+		debuglogger.Logf("invalid part number: %d", partNumber)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidPartNumber)
+	}
+
+	resp, err := c.be.UploadPartCopy(ctx.Context(),
+		&s3.UploadPartCopyInput{
+			Bucket:          &bucket,
+			Key:             &key,
+			CopySource:      &copySource,
+			PartNumber:      &partNumber,
+			UploadId:        &uploadId,
+			CopySourceRange: &copySrcRange,
+		})
+	var headers map[string]*string
+	if err == nil && resp.CopySourceVersionId != "" {
+		headers = map[string]*string{
+			"x-amz-copy-source-version-id": &resp.CopySourceVersionId,
+		}
+	}
+	return &Response{
+		Headers: headers,
+		Data:    resp,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutObjectAcl(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	acl := ctx.Get("X-Amz-Acl")
+	grantFullControl := ctx.Get("X-Amz-Grant-Full-Control")
+	grantRead := ctx.Get("X-Amz-Grant-Read")
+	grantReadACP := ctx.Get("X-Amz-Grant-Read-Acp")
+	grantWrite := ctx.Get("X-Amz-Grant-Write")
+	grantWriteACP := ctx.Get("X-Amz-Grant-Write-Acp")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:      c.readonly,
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWrite,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Object:        key,
+			Action:        auth.PutObjectAclAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutObjectAcl(ctx.Context(), &s3.PutObjectAclInput{
+		Bucket:           &bucket,
+		Key:              &key,
+		GrantFullControl: &grantFullControl,
+		GrantRead:        &grantRead,
+		GrantWrite:       &grantWrite,
+		ACL:              types.ObjectCannedACL(acl),
+		GrantReadACP:     &grantReadACP,
+		GrantWriteACP:    &grantWriteACP,
+	})
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectAclPut,
+		},
+	}, err
+}
+
+func (c S3ApiController) CopyObject(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	copySource := strings.TrimPrefix(ctx.Get("X-Amz-Copy-Source"), "/")
+	copySrcIfMatch := ctx.Get("X-Amz-Copy-Source-If-Match")
+	copySrcIfNoneMatch := ctx.Get("X-Amz-Copy-Source-If-None-Match")
+	copySrcModifSince := ctx.Get("X-Amz-Copy-Source-If-Modified-Since")
+	copySrcUnmodifSince := ctx.Get("X-Amz-Copy-Source-If-Unmodified-Since")
+	metaDirective := types.MetadataDirective(ctx.Get("X-Amz-Metadata-Directive", string(types.MetadataDirectiveCopy)))
+	taggingDirective := types.TaggingDirective(ctx.Get("X-Amz-Tagging-Directive", string(types.TaggingDirectiveCopy)))
+	contentType := ctx.Get("Content-Type")
+	contentEncoding := ctx.Get("Content-Encoding")
+	contentDisposition := ctx.Get("Content-Disposition")
+	contentLanguage := ctx.Get("Content-Language")
+	cacheControl := ctx.Get("Cache-Control")
+	expires := ctx.Get("Expires")
+	tagging := ctx.Get("x-amz-tagging")
+	storageClass := ctx.Get("X-Amz-Storage-Class")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := utils.ValidateCopySource(copySource)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = auth.VerifyObjectCopyAccess(ctx.Context(), c.be, copySource,
+		auth.AccessOptions{
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWrite,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Object:        key,
+			Action:        auth.PutObjectAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var mtime *time.Time
+	if copySrcModifSince != "" {
+		tm, err := time.Parse(iso8601Format, copySrcModifSince)
+		if err != nil {
+			debuglogger.Logf("error parsing copy source modified since %q: %v", copySrcModifSince, err)
+			// TODO: check the error type for invalid values
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)
+		}
+		mtime = &tm
+	}
+	var umtime *time.Time
+	if copySrcUnmodifSince != "" {
+		tm, err := time.Parse(iso8601Format, copySrcUnmodifSince)
+		if err != nil {
+			debuglogger.Logf("error parsing copy source unmodified since %q: %v", copySrcUnmodifSince, err)
+			// TODO: check the error type for invalid values
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)
+		}
+		umtime = &tm
+	}
+
+	metadata := utils.GetUserMetaData(&ctx.Request().Header)
+
+	if metaDirective != "" && metaDirective != types.MetadataDirectiveCopy && metaDirective != types.MetadataDirectiveReplace {
+		debuglogger.Logf("invalid metadata directive: %v", metaDirective)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMetadataDirective)
+	}
+
+	if taggingDirective != "" && taggingDirective != types.TaggingDirectiveCopy && taggingDirective != types.TaggingDirectiveReplace {
+		debuglogger.Logf("invalid tagging directive: %v", taggingDirective)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidTaggingDirective)
+	}
+
+	checksumAlgorithm := types.ChecksumAlgorithm(ctx.Get("x-amz-checksum-algorithm"))
+	err = utils.IsChecksumAlgorithmValid(checksumAlgorithm)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	objLock, err := utils.ParsObjectLockHdrs(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := c.be.CopyObject(ctx.Context(),
+		s3response.CopyObjectInput{
+			Bucket:                      &bucket,
+			Key:                         &key,
+			ContentType:                 &contentType,
+			ContentDisposition:          &contentDisposition,
+			ContentEncoding:             &contentEncoding,
+			ContentLanguage:             &contentLanguage,
+			CacheControl:                &cacheControl,
+			Expires:                     &expires,
+			Tagging:                     &tagging,
+			TaggingDirective:            taggingDirective,
+			CopySource:                  &copySource,
+			CopySourceIfMatch:           &copySrcIfMatch,
+			CopySourceIfNoneMatch:       &copySrcIfNoneMatch,
+			CopySourceIfModifiedSince:   mtime,
+			CopySourceIfUnmodifiedSince: umtime,
+			ExpectedBucketOwner:         &acct.Access,
+			Metadata:                    metadata,
+			MetadataDirective:           metaDirective,
+			StorageClass:                types.StorageClass(storageClass),
+			ChecksumAlgorithm:           checksumAlgorithm,
+			ObjectLockRetainUntilDate:   &objLock.RetainUntilDate,
+			ObjectLockLegalHoldStatus:   objLock.LegalHoldStatus,
+			ObjectLockMode:              objLock.ObjectLockMode,
+		})
+
+	var etag *string
+	if err == nil {
+		etag = res.CopyObjectResult.ETag
+	}
+
+	return &Response{
+		Headers: map[string]*string{
+			"x-amz-version-id":             res.VersionId,
+			"x-amz-copy-source-version-id": res.CopySourceVersionId,
+		},
+		Data: res.CopyObjectResult,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			ObjectETag:  etag,
+			VersionId:   res.VersionId,
+			EventName:   s3event.EventObjectCreatedCopy,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutObject(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	contentType := ctx.Get("Content-Type")
+	contentEncoding := ctx.Get("Content-Encoding")
+	contentDisposition := ctx.Get("Content-Disposition")
+	contentLanguage := ctx.Get("Content-Language")
+	cacheControl := ctx.Get("Cache-Control")
+	expires := ctx.Get("Expires")
+	tagging := ctx.Get("x-amz-tagging")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	// Content Length
+	contentLengthStr := ctx.Get("Content-Length")
+	if contentLengthStr == "" {
+		contentLengthStr = "0"
+	}
+	// Use decoded content length if available because the
+	// middleware will decode the chunked transfer encoding
+	decodedLength := ctx.Get("X-Amz-Decoded-Content-Length")
+	if decodedLength != "" {
+		contentLengthStr = decodedLength
+	}
+
+	// load the meta headers
+	metadata := utils.GetUserMetaData(&ctx.Request().Header)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:       c.readonly,
+			Acl:            parsedAcl,
+			AclPermission:  auth.PermissionWrite,
+			IsRoot:         isRoot,
+			Acc:            acct,
+			Bucket:         bucket,
+			Object:         key,
+			Action:         auth.PutObjectAction,
+			IsBucketPublic: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = auth.CheckObjectAccess(ctx.Context(), bucket, acct.Access, []types.ObjectIdentifier{{Key: &key}}, true, IsBucketPublic, c.be)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	contentLength, err := strconv.ParseInt(contentLengthStr, 10, 64)
+	if err != nil {
+		debuglogger.Logf("error parsing content length %q: %v", contentLengthStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidRequest)
+	}
+
+	objLock, err := utils.ParsObjectLockHdrs(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	algorithm, checksums, err := utils.ParseChecksumHeadersAndSdkAlgo(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var body io.Reader
+	bodyi := utils.ContextKeyBodyReader.Get(ctx)
+	if bodyi != nil {
+		body = bodyi.(io.Reader)
+	} else {
+		body = bytes.NewReader([]byte{})
+	}
+
+	res, err := c.be.PutObject(ctx.Context(),
+		s3response.PutObjectInput{
+			Bucket:                    &bucket,
+			Key:                       &key,
+			ContentLength:             &contentLength,
+			ContentType:               &contentType,
+			ContentEncoding:           &contentEncoding,
+			ContentDisposition:        &contentDisposition,
+			ContentLanguage:           &contentLanguage,
+			CacheControl:              &cacheControl,
+			Expires:                   &expires,
+			Metadata:                  metadata,
+			Body:                      body,
+			Tagging:                   &tagging,
+			ObjectLockRetainUntilDate: &objLock.RetainUntilDate,
+			ObjectLockMode:            objLock.ObjectLockMode,
+			ObjectLockLegalHoldStatus: objLock.LegalHoldStatus,
+			ChecksumAlgorithm:         algorithm,
+			ChecksumCRC32:             utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32]),
+			ChecksumCRC32C:            utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32c]),
+			ChecksumSHA1:              utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha1]),
+			ChecksumSHA256:            utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha256]),
+			ChecksumCRC64NVME:         utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc64nvme]),
+		})
+	return &Response{
+		Headers: map[string]*string{
+			"ETag":                     &res.ETag,
+			"x-amz-checksum-crc32":     res.ChecksumCRC32,
+			"x-amz-checksum-crc32c":    res.ChecksumCRC32C,
+			"x-amz-checksum-crc64nvme": res.ChecksumCRC64NVME,
+			"x-amz-checksum-sha1":      res.ChecksumSHA1,
+			"x-amz-checksum-sha256":    res.ChecksumSHA256,
+			"x-amz-checksum-type":      utils.ConvertToStringPtr(res.ChecksumType),
+			"x-amz-version-id":         &res.VersionID,
+		},
+		MetaOpts: &MetaOptions{
+			ContentLength: contentLength,
+			BucketOwner:   parsedAcl.Owner,
+			ObjectETag:    &res.ETag,
+			ObjectSize:    contentLength,
+			EventName:     s3event.EventObjectCreatedPut,
+		},
+	}, err
+}
--- a/s3api/controllers/object-put_test.go
+++ b/s3api/controllers/object-put_test.go
--- a/s3api/controllers/options.go
+++ b/s3api/controllers/options.go
@@ -0,0 +1,113 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"errors"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/debuglogger"
+	"github.com/versity/versitygw/s3api/middlewares"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func (s S3ApiController) CORSOptions(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	// get headers
+	origin := ctx.Get("Origin")
+	method := auth.CORSHTTPMethod(ctx.Get("Access-Control-Request-Method"))
+	headers := ctx.Get("Access-Control-Request-Headers")
+
+	// Origin is required
+	if origin == "" {
+		debuglogger.Logf("origin is missing: %v", origin)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMissingCORSOrigin)
+	}
+
+	// check if allowed method is valid
+	if !method.IsValid() {
+		debuglogger.Logf("invalid cors method: %s", method)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetInvalidCORSMethodErr(method.String())
+	}
+
+	// parse and validate headers
+	parsedHeaders, err := auth.ParseCORSHeaders(headers)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	cors, err := s.be.GetBucketCors(ctx.Context(), bucket)
+	if err != nil {
+		debuglogger.Logf("failed to get bucket cors: %v", err)
+		if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchCORSConfiguration)) {
+			err = s3err.GetAPIError(s3err.ErrCORSIsNotEnabled)
+			debuglogger.Logf("bucket cors is not set: %v", err)
+		}
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	corsConfig, err := auth.ParseCORSOutput(cors)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	allowConfig, err := corsConfig.IsAllowed(origin, method, parsedHeaders)
+	if err != nil {
+		debuglogger.Logf("cors access forbidden: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	return &Response{
+		Headers: map[string]*string{
+			"Access-Control-Allow-Origin":      &allowConfig.Origin,
+			"Access-Control-Allow-Methods":     &allowConfig.Methods,
+			"Access-Control-Expose-Headers":    &allowConfig.ExposedHeaders,
+			"Access-Control-Allow-Credentials": &allowConfig.AllowCredentials,
+			"Access-Control-Allow-Headers":     &allowConfig.AllowHeaders,
+			"Access-Control-Max-Age":           utils.ConvertPtrToStringPtr(allowConfig.MaxAge),
+			"Vary":                             &middlewares.VaryHdr,
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
--- a/s3api/controllers/options_test.go
+++ b/s3api/controllers/options_test.go
@@ -0,0 +1,241 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"encoding/xml"
+	"errors"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/middlewares"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestS3ApiController_CORSOptions(t *testing.T) {
+	maxAge := int32(10000)
+	cors, err := xml.Marshal(auth.CORSConfiguration{
+		Rules: []auth.CORSRule{
+			{
+				AllowedOrigins: []string{"example.com"},
+				AllowedMethods: []auth.CORSHTTPMethod{http.MethodGet, http.MethodPost},
+				AllowedHeaders: []auth.CORSHeader{"Content-Type", "Content-Disposition"},
+				ExposeHeaders:  []auth.CORSHeader{"Content-Encoding", "date"},
+				MaxAgeSeconds:  &maxAge,
+			},
+		},
+	})
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "missing origin",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrMissingCORSOrigin),
+			},
+		},
+		{
+			name: "invalid method",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "invalid_method",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidCORSMethodErr("invalid_method"),
+			},
+		},
+		{
+			name: "invalid headers",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "Content Type",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidCORSRequestHeaderErr("Content Type"),
+			},
+		},
+		{
+			name: "fails to get bucket cors",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+				beRes: []byte{},
+				beErr: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "bucket cors is not enabled",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+				beRes: []byte{},
+				beErr: s3err.GetAPIError(s3err.ErrNoSuchCORSConfiguration),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrCORSIsNotEnabled),
+			},
+		},
+		{
+			name: "fails to parse bucket cors",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+				beRes: []byte("invalid_cors"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: errors.New("failed to parse cors config:"),
+			},
+		},
+		{
+			name: "cors is not allowed",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "PUT",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+				beRes: cors,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrCORSForbidden),
+			},
+		},
+		{
+			name: "success: cors is allowed",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "content-type, Content-Disposition",
+				},
+				beRes: cors,
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"Access-Control-Allow-Origin":      utils.GetStringPtr("example.com"),
+						"Access-Control-Allow-Methods":     utils.GetStringPtr("GET, POST"),
+						"Access-Control-Expose-Headers":    utils.GetStringPtr("Content-Encoding, date"),
+						"Access-Control-Allow-Credentials": utils.GetStringPtr("true"),
+						"Access-Control-Allow-Headers":     utils.GetStringPtr("content-type, content-disposition"),
+						"Access-Control-Max-Age":           utils.ConvertToStringPtr(maxAge),
+						"Vary":                             &middlewares.VaryHdr,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetBucketCorsFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return tt.input.beRes.([]byte), tt.input.beErr
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.CORSOptions,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					headers: tt.input.headers,
+				})
+		})
+	}
+}
--- a/s3api/debuglogger/logger.go
+++ b/s3api/debuglogger/logger.go
@@ -45,9 +45,9 @@ func LogFiberRequestDetails(ctx *fiber.Ctx) {

 	// log request headers
 	wrapInBox(green, "REQUEST HEADERS", boxWidth, func() {
-		ctx.Request().Header.VisitAll(func(key, value []byte) {
+		for key, value := range ctx.Request().Header.All() {
 			printWrappedLine(yellow, string(key), string(value))
-		})
+		}
 	})
 	// skip request body log for PutObject and UploadPart
 	skipBodyLog := isLargeDataAction(ctx)
@@ -61,18 +61,18 @@ func LogFiberRequestDetails(ctx *fiber.Ctx) {
 	}

 	if ctx.Request().URI().QueryArgs().Len() != 0 {
-		ctx.Request().URI().QueryArgs().VisitAll(func(key, val []byte) {
-			log.Printf("%s: %s", key, val)
-		})
+		for key, value := range ctx.Request().URI().QueryArgs().All() {
+			log.Printf("%s: %s", key, value)
+		}
 	}
 }

 // Logs http response details: body, headers
 func LogFiberResponseDetails(ctx *fiber.Ctx) {
 	wrapInBox(green, "RESPONSE HEADERS", boxWidth, func() {
-		ctx.Response().Header.VisitAll(func(key, value []byte) {
+		for key, value := range ctx.Response().Header.All() {
 			printWrappedLine(yellow, string(key), string(value))
-		})
+		}
 	})

 	_, ok := ctx.Locals("skip-res-body-log").(bool)
--- a/s3api/middlewares/acl-parser.go
+++ b/s3api/middlewares/acl-parser.go
@@ -15,72 +15,34 @@
 package middlewares

 import (
-	"net/http"
-	"regexp"
-	"strings"
-
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
-	"github.com/versity/versitygw/s3api/controllers"
-	"github.com/versity/versitygw/s3err"
-	"github.com/versity/versitygw/s3log"
+	"github.com/versity/versitygw/s3api/utils"
 )

-var (
-	singlePath = regexp.MustCompile(`^/[^/]+/?$`)
-)
-
-func AclParser(be backend.Backend, logger s3log.AuditLogger, readonly bool) fiber.Handler {
+// ParseAcl retreives the bucket acl and stores in the context locals
+// if no bucket is found, it returns 'NoSuchBucket'
+func ParseAcl(be backend.Backend) fiber.Handler {
 	return func(ctx *fiber.Ctx) error {
-		isRoot, acct := ctx.Locals("isRoot").(bool), ctx.Locals("account").(auth.Account)
-		path := ctx.Path()
-		pathParts := strings.Split(path, "/")
-		bucket := pathParts[1]
-		if path == "/" && ctx.Method() == http.MethodGet {
-			return ctx.Next()
-		}
-		if ctx.Method() == http.MethodPatch {
-			return ctx.Next()
-		}
-		if singlePath.MatchString(path) &&
-			ctx.Method() == http.MethodPut &&
-			!ctx.Request().URI().QueryArgs().Has("acl") &&
-			!ctx.Request().URI().QueryArgs().Has("tagging") &&
-			!ctx.Request().URI().QueryArgs().Has("versioning") &&
-			!ctx.Request().URI().QueryArgs().Has("policy") &&
-			!ctx.Request().URI().QueryArgs().Has("object-lock") &&
-			!ctx.Request().URI().QueryArgs().Has("ownershipControls") &&
-			!ctx.Request().URI().QueryArgs().Has("cors") {
-			if err := auth.MayCreateBucket(acct, isRoot); err != nil {
-				return controllers.SendXMLResponse(ctx, nil, err, &controllers.MetaOpts{Logger: logger, Action: "CreateBucket"})
-			}
-			if readonly {
-				return controllers.SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrAccessDenied),
-					&controllers.MetaOpts{
-						Logger: logger,
-						Action: "CreateBucket",
-					})
-			}
-			return ctx.Next()
-		}
+		bucket := ctx.Params("bucket")
 		data, err := be.GetBucketAcl(ctx.Context(), &s3.GetBucketAclInput{Bucket: &bucket})
 		if err != nil {
-			return controllers.SendResponse(ctx, err, &controllers.MetaOpts{Logger: logger})
+			return err
 		}

 		parsedAcl, err := auth.ParseACL(data)
 		if err != nil {
-			return controllers.SendResponse(ctx, err, &controllers.MetaOpts{Logger: logger})
+			return err
 		}

 		// if owner is not set, set default owner to root account
 		if parsedAcl.Owner == "" {
-			parsedAcl.Owner = ctx.Locals("rootAccess").(string)
+			parsedAcl.Owner = utils.ContextKeyRootAccessKey.Get(ctx).(string)
 		}

-		ctx.Locals("parsedAcl", parsedAcl)
-		return ctx.Next()
+		utils.ContextKeyParsedAcl.Set(ctx, parsedAcl)
+		return nil
 	}
 }
--- a/s3api/middlewares/admin.go
+++ b/s3api/middlewares/admin.go
@@ -15,45 +15,20 @@
 package middlewares

 import (
-	"strings"
-
 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
-	"github.com/versity/versitygw/metrics"
-	"github.com/versity/versitygw/s3api/controllers"
+	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3err"
-	"github.com/versity/versitygw/s3log"
 )

-func IsAdmin(logger s3log.AuditLogger) fiber.Handler {
+// IsAdmin is a middleware that restricts access to admin APIs, allowing only admin users
+func IsAdmin(action string) fiber.Handler {
 	return func(ctx *fiber.Ctx) error {
-		acct := ctx.Locals("account").(auth.Account)
+		acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
 		if acct.Role != auth.RoleAdmin {
-			path := ctx.Path()
-			return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrAdminAccessDenied),
-				&controllers.MetaOpts{
-					Logger: logger,
-					Action: detectAction(path),
-				})
+			return s3err.GetAPIError(s3err.ErrAdminAccessDenied)
 		}

-		return ctx.Next()
+		return nil
 	}
 }
-
-func detectAction(path string) (action string) {
-	if strings.Contains(path, "create-user") {
-		action = metrics.ActionAdminCreateUser
-	} else if strings.Contains(path, "update-user") {
-		action = metrics.ActionAdminUpdateUser
-	} else if strings.Contains(path, "delete-user") {
-		action = metrics.ActionAdminDeleteUser
-	} else if strings.Contains(path, "list-user") {
-		action = metrics.ActionAdminListUsers
-	} else if strings.Contains(path, "list-buckets") {
-		action = metrics.ActionAdminListBuckets
-	} else if strings.Contains(path, "change-bucket-owner") {
-		action = metrics.ActionAdminChangeBucketOwner
-	}
-	return action
-}
--- a/s3api/middlewares/apply-bucket-cors.go
+++ b/s3api/middlewares/apply-bucket-cors.go
@@ -0,0 +1,105 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package middlewares
+
+import (
+	"fmt"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/s3api/debuglogger"
+	"github.com/versity/versitygw/s3err"
+)
+
+// Vary http response header is always the same below
+var VaryHdr = "Origin, Access-Control-Request-Headers, Access-Control-Request-Method"
+
+// ApplyBucketCORS retreives the bucket CORS configuration,
+// checks if origin and method meets the cors rules and
+// adds the necessary response headers.
+// CORS check is applied only when 'Origin' request header is present
+func ApplyBucketCORS(be backend.Backend) fiber.Handler {
+	return func(ctx *fiber.Ctx) error {
+		bucket := ctx.Params("bucket")
+		origin := ctx.Get("Origin")
+		// if the origin request header is empty, skip cors validation
+		if origin == "" {
+			return nil
+		}
+
+		// if bucket cors is not set, skip the check
+		data, err := be.GetBucketCors(ctx.Context(), bucket)
+		if err != nil {
+			// If CORS is not configured, S3Error will have code NoSuchCORSConfiguration.
+			// In this case, we can safely continue. For any other error, we should log it.
+			s3Err, ok := err.(s3err.APIError)
+			if !ok || s3Err.Code != "NoSuchCORSConfiguration" {
+				debuglogger.Logf("failed to get bucket cors for bucket %q: %v", bucket, err)
+			}
+			return nil
+		}
+
+		cors, err := auth.ParseCORSOutput(data)
+		if err != nil {
+			return nil
+		}
+
+		method := auth.CORSHTTPMethod(ctx.Get("Access-Control-Request-Method"))
+		headers := ctx.Get("Access-Control-Request-Headers")
+
+		// if request method is not specified with Access-Control-Request-Method
+		// override it with the actual request method
+		if method.IsEmpty() {
+			method = auth.CORSHTTPMethod(ctx.Request().Header.Method())
+		} else if !method.IsValid() {
+			// check if allowed method is valid
+			debuglogger.Logf("invalid cors method: %s", method)
+			return s3err.GetInvalidCORSMethodErr(method.String())
+		}
+
+		// parse and validate headers
+		parsedHeaders, err := auth.ParseCORSHeaders(headers)
+		if err != nil {
+			return err
+		}
+
+		allowConfig, err := cors.IsAllowed(origin, method, parsedHeaders)
+		if err != nil {
+			// if bucket cors rules doesn't grant access, skip
+			// and don't add any response headers
+			return nil
+		}
+
+		if allowConfig.MaxAge != nil {
+			ctx.Response().Header.Add("Access-Control-Max-Age", fmt.Sprint(*allowConfig.MaxAge))
+		}
+
+		for key, val := range map[string]string{
+			"Access-Control-Allow-Origin":      allowConfig.Origin,
+			"Access-Control-Allow-Methods":     allowConfig.Methods,
+			"Access-Control-Expose-Headers":    allowConfig.ExposedHeaders,
+			"Access-Control-Allow-Credentials": allowConfig.AllowCredentials,
+			"Access-Control-Allow-Headers":     allowConfig.AllowHeaders,
+			"Vary":                             VaryHdr,
+		} {
+			if val != "" {
+				ctx.Response().Header.Add(key, val)
+			}
+		}
+
+		return nil
+	}
+}
--- a/s3api/middlewares/authentication.go
+++ b/s3api/middlewares/authentication.go
@@ -25,11 +25,8 @@ import (

 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
-	"github.com/versity/versitygw/metrics"
-	"github.com/versity/versitygw/s3api/controllers"
 	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3err"
-	"github.com/versity/versitygw/s3log"
 )

 const (
@@ -42,68 +39,69 @@ type RootUserConfig struct {
 	Secret string
 }

-func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.AuditLogger, mm *metrics.Manager, region string, debug bool) fiber.Handler {
+func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string, debug bool) fiber.Handler {
 	acct := accounts{root: root, iam: iam}

 	return func(ctx *fiber.Ctx) error {
-		// If account is set in context locals, it means it was presigned url case
-		_, ok := ctx.Locals("account").(auth.Account)
-		if ok {
-			return ctx.Next()
+		// The bucket is public, no need to check this signature
+		if utils.ContextKeyPublicBucket.IsSet(ctx) {
+			return nil
+		}
+		// If ContextKeyAuthenticated is set in context locals, it means it was presigned url case
+		if utils.ContextKeyAuthenticated.IsSet(ctx) {
+			return nil
 		}

-		ctx.Locals("region", region)
-		ctx.Locals("startTime", time.Now())
 		authorization := ctx.Get("Authorization")
 		if authorization == "" {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrAuthHeaderEmpty), logger, mm)
+			return s3err.GetAPIError(s3err.ErrAuthHeaderEmpty)
 		}

 		authData, err := utils.ParseAuthorization(authorization)
 		if err != nil {
-			return sendResponse(ctx, err, logger, mm)
+			return err
 		}

 		if authData.Region != region {
-			return sendResponse(ctx, s3err.APIError{
+			return s3err.APIError{
 				Code:           "SignatureDoesNotMatch",
 				Description:    fmt.Sprintf("Credential should be scoped to a valid Region, not %v", authData.Region),
 				HTTPStatusCode: http.StatusForbidden,
-			}, logger, mm)
+			}
 		}

-		ctx.Locals("isRoot", authData.Access == root.Access)
-		ctx.Locals("rootAccess", root.Access)
+		utils.ContextKeyIsRoot.Set(ctx, authData.Access == root.Access)

 		account, err := acct.getAccount(authData.Access)
 		if err == auth.ErrNoSuchUser {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID), logger, mm)
+			return s3err.GetAPIError(s3err.ErrInvalidAccessKeyID)
 		}
 		if err != nil {
-			return sendResponse(ctx, err, logger, mm)
+			return err
 		}
-		ctx.Locals("account", account)
+
+		utils.ContextKeyAccount.Set(ctx, account)

 		// Check X-Amz-Date header
 		date := ctx.Get("X-Amz-Date")
 		if date == "" {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingDateHeader), logger, mm)
+			return s3err.GetAPIError(s3err.ErrMissingDateHeader)
 		}

 		// Parse the date and check the date validity
 		tdate, err := time.Parse(iso8601Format, date)
 		if err != nil {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrMalformedDate), logger, mm)
+			return s3err.GetAPIError(s3err.ErrMalformedDate)
 		}

 		if date[:8] != authData.Date {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrSignatureDateDoesNotMatch), logger, mm)
+			return s3err.GetAPIError(s3err.ErrSignatureDateDoesNotMatch)
 		}

 		// Validate the dates difference
 		err = utils.ValidateDate(tdate)
 		if err != nil {
-			return sendResponse(ctx, err, logger, mm)
+			return err
 		}

 		var contentLength int64
@@ -112,11 +110,14 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.Au
 			contentLength, err = strconv.ParseInt(contentLengthStr, 10, 64)
 			//TODO: not sure if InvalidRequest should be returned in this case
 			if err != nil {
-				return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), logger, mm)
+				return s3err.GetAPIError(s3err.ErrInvalidRequest)
 			}
 		}

 		hashPayload := ctx.Get("X-Amz-Content-Sha256")
+		if !utils.IsValidSh256PayloadHeader(hashPayload) {
+			return s3err.GetAPIError(s3err.ErrInvalidSHA256Paylod)
+		}
 		if utils.IsBigDataAction(ctx) {
 			// for streaming PUT actions, authorization is deferred
 			// until end of stream due to need to get length and
@@ -135,23 +136,23 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.Au
 					return cr
 				})
 				if err != nil {
-					return sendResponse(ctx, err, logger, mm)
+					return err
 				}

-				return ctx.Next()
+				return nil
 			}

 			// Content-Length has to be set for data uploads: PutObject, UploadPart
 			if contentLengthStr == "" {
-				return sendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingContentLength), logger, mm)
+				return s3err.GetAPIError(s3err.ErrMissingContentLength)
 			}
 			// the upload limit for big data actions: PutObject, UploadPart
 			// is 5gb. If the size exceeds the limit, return 'EntityTooLarge' err
 			if contentLength > maxObjSizeLimit {
-				return sendResponse(ctx, s3err.GetAPIError(s3err.ErrEntityTooLarge), logger, mm)
+				return s3err.GetAPIError(s3err.ErrEntityTooLarge)
 			}

-			return ctx.Next()
+			return nil
 		}

 		if !utils.IsSpecialPayload(hashPayload) {
@@ -161,16 +162,16 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.Au

 			// Compare the calculated hash with the hash provided
 			if hashPayload != hexPayload {
-				return sendResponse(ctx, s3err.GetAPIError(s3err.ErrContentSHA256Mismatch), logger, mm)
+				return s3err.GetAPIError(s3err.ErrContentSHA256Mismatch)
 			}
 		}

 		err = utils.CheckValidSignature(ctx, authData, account.Secret, hashPayload, tdate, contentLength, debug)
 		if err != nil {
-			return sendResponse(ctx, err, logger, mm)
+			return err
 		}

-		return ctx.Next()
+		return nil
 	}
 }

@@ -184,13 +185,9 @@ func (a accounts) getAccount(access string) (auth.Account, error) {
 		return auth.Account{
 			Access: a.root.Access,
 			Secret: a.root.Secret,
-			Role:   "admin",
+			Role:   auth.RoleAdmin,
 		}, nil
 	}

 	return a.iam.GetUserAccount(access)
 }
-
-func sendResponse(ctx *fiber.Ctx, err error, logger s3log.AuditLogger, mm *metrics.Manager) error {
-	return controllers.SendResponse(ctx, err, &controllers.MetaOpts{Logger: logger, MetricsMng: mm})
-}
--- a/s3api/middlewares/body-reader.go
+++ b/s3api/middlewares/body-reader.go
@@ -15,17 +15,24 @@
 package middlewares

 import (
+	"bytes"
 	"io"

 	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/s3api/utils"
 )

 func wrapBodyReader(ctx *fiber.Ctx, wr func(io.Reader) io.Reader) {
-	r, ok := ctx.Locals("body-reader").(io.Reader)
+	r, ok := utils.ContextKeyBodyReader.Get(ctx).(io.Reader)
 	if !ok {
 		r = ctx.Request().BodyStream()
+		// Override the body reader with an empty reader to prevent panics
+		// in case of unexpected or malformed HTTP requests.
+		if r == nil {
+			r = bytes.NewBuffer([]byte{})
+		}
 	}

 	r = wr(r)
-	ctx.Locals("body-reader", r)
+	utils.ContextKeyBodyReader.Set(ctx, r)
 }
--- a/s3api/middlewares/bucket-object-name-validator.go
+++ b/s3api/middlewares/bucket-object-name-validator.go
@@ -0,0 +1,42 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package middlewares
+
+import (
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+// BucketObjectNameValidator extracts and validates
+// the bucket and object names from the request URI.
+func BucketObjectNameValidator() fiber.Handler {
+	return func(ctx *fiber.Ctx) error {
+		bucket, object := parsePath(ctx.Path())
+
+		// check if the provided bucket name is valid
+		if !utils.IsValidBucketName(bucket) {
+			return s3err.GetAPIError(s3err.ErrInvalidBucketName)
+		}
+
+		// check if the provided object name is valid
+		// skip for empty objects: e.g bucket operations: HeadBucket...
+		if object != "" && !utils.IsObjectNameValid(object) {
+			return s3err.GetAPIError(s3err.ErrBadRequest)
+		}
+
+		return nil
+	}
+}
--- a/s3api/middlewares/md5.go
+++ b/s3api/middlewares/md5.go
@@ -19,17 +19,15 @@ import (
 	"io"

 	"github.com/gofiber/fiber/v2"
-	"github.com/versity/versitygw/s3api/controllers"
 	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3err"
-	"github.com/versity/versitygw/s3log"
 )

-func VerifyMD5Body(logger s3log.AuditLogger) fiber.Handler {
+func VerifyMD5Body() fiber.Handler {
 	return func(ctx *fiber.Ctx) error {
 		incomingSum := ctx.Get("Content-Md5")
 		if incomingSum == "" {
-			return ctx.Next()
+			return nil
 		}

 		if utils.IsBigDataAction(ctx) {
@@ -39,18 +37,18 @@ func VerifyMD5Body(logger s3log.AuditLogger) fiber.Handler {
 				return r
 			})
 			if err != nil {
-				return controllers.SendResponse(ctx, err, &controllers.MetaOpts{Logger: logger})
+				return err
 			}
-			return ctx.Next()
+			return nil
 		}

 		sum := md5.Sum(ctx.Body())
 		calculatedSum := utils.Base64SumString(sum[:])

 		if incomingSum != calculatedSum {
-			return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidDigest), &controllers.MetaOpts{Logger: logger})
+			return s3err.GetAPIError(s3err.ErrInvalidDigest)
 		}

-		return ctx.Next()
+		return nil
 	}
 }
--- a/s3api/middlewares/presign-auth.go
+++ b/s3api/middlewares/presign-auth.go
@@ -17,43 +17,44 @@ package middlewares
 import (
 	"io"
 	"strconv"
-	"time"

 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
-	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3err"
-	"github.com/versity/versitygw/s3log"
 )

-func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.AuditLogger, mm *metrics.Manager, region string, debug bool) fiber.Handler {
+func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, region string, debug bool) fiber.Handler {
 	acct := accounts{root: root, iam: iam}

 	return func(ctx *fiber.Ctx) error {
+		// The bucket is public, no need to check this signature
+		if utils.ContextKeyPublicBucket.IsSet(ctx) {
+			return nil
+		}
 		if ctx.Query("X-Amz-Signature") == "" {
-			return ctx.Next()
+			return nil
 		}

-		ctx.Locals("region", region)
-		ctx.Locals("startTime", time.Now())
+		// Set in the context the "authenticated" key, in case the authentication succeeds,
+		// otherwise the middleware will return the caucht error
+		utils.ContextKeyAuthenticated.Set(ctx, true)

 		authData, err := utils.ParsePresignedURIParts(ctx)
 		if err != nil {
-			return sendResponse(ctx, err, logger, mm)
+			return err
 		}

-		ctx.Locals("isRoot", authData.Access == root.Access)
-		ctx.Locals("rootAccess", root.Access)
+		utils.ContextKeyIsRoot.Set(ctx, authData.Access == root.Access)

 		account, err := acct.getAccount(authData.Access)
 		if err == auth.ErrNoSuchUser {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID), logger, mm)
+			return s3err.GetAPIError(s3err.ErrInvalidAccessKeyID)
 		}
 		if err != nil {
-			return sendResponse(ctx, err, logger, mm)
+			return err
 		}
-		ctx.Locals("account", account)
+		utils.ContextKeyAccount.Set(ctx, account)

 		var contentLength int64
 		contentLengthStr := ctx.Get("Content-Length")
@@ -61,32 +62,32 @@ func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, logger
 			contentLength, err = strconv.ParseInt(contentLengthStr, 10, 64)
 			//TODO: not sure if InvalidRequest should be returned in this case
 			if err != nil {
-				return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), logger, mm)
+				return err
 			}
 		}

 		if utils.IsBigDataAction(ctx) {
 			// Content-Length has to be set for data uploads: PutObject, UploadPart
 			if contentLengthStr == "" {
-				return sendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingContentLength), logger, mm)
+				return s3err.GetAPIError(s3err.ErrMissingContentLength)
 			}
 			// the upload limit for big data actions: PutObject, UploadPart
 			// is 5gb. If the size exceeds the limit, return 'EntityTooLarge' err
 			if contentLength > maxObjSizeLimit {
-				return sendResponse(ctx, s3err.GetAPIError(s3err.ErrEntityTooLarge), logger, mm)
+				return s3err.GetAPIError(s3err.ErrEntityTooLarge)
 			}
 			wrapBodyReader(ctx, func(r io.Reader) io.Reader {
 				return utils.NewPresignedAuthReader(ctx, r, authData, account.Secret, debug)
 			})

-			return ctx.Next()
+			return nil
 		}

 		err = utils.CheckPresignedSignature(ctx, authData, account.Secret, debug)
 		if err != nil {
-			return sendResponse(ctx, err, logger, mm)
+			return err
 		}

-		return ctx.Next()
+		return nil
 	}
 }
--- a/s3api/middlewares/public-bucket.go
+++ b/s3api/middlewares/public-bucket.go
@@ -0,0 +1,97 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package middlewares
+
+import (
+	"io"
+	"strings"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/metrics"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+// AuthorizePublicBucketAccess checks if the bucket grants public
+// access to anonymous requesters
+func AuthorizePublicBucketAccess(be backend.Backend, s3action string, policyPermission auth.Action, permission auth.Permission) fiber.Handler {
+	return func(ctx *fiber.Ctx) error {
+		// skip for auhtneicated requests
+		if ctx.Query("X-Amz-Algorithm") != "" || ctx.Get("Authorization") != "" {
+			return nil
+		}
+
+		switch s3action {
+		case metrics.ActionListAllMyBuckets:
+			return s3err.GetAPIError(s3err.ErrAccessDenied)
+		case metrics.ActionGetBucketOwnershipControls:
+			return s3err.GetAPIError(s3err.ErrAnonymousGetBucketOwnership)
+		case metrics.ActionPutBucketOwnershipControls, metrics.ActionDeleteBucketOwnershipControls:
+			return s3err.GetAPIError(s3err.ErrAnonymousPutBucketOwnership)
+		case metrics.ActionPutBucketAcl, metrics.ActionPutObjectAcl, metrics.ActionSelectObjectContent, metrics.ActionCreateBucket:
+			return s3err.GetAPIError(s3err.ErrAnonymousRequest)
+		case metrics.ActionCopyObject:
+			return s3err.GetAPIError(s3err.ErrAnonymousCopyObject)
+		case metrics.ActionCreateMultipartUpload:
+			return s3err.GetAPIError(s3err.ErrAnonymousCreateMp)
+		case metrics.ActionUploadPartCopy, metrics.ActionDeleteObjects:
+			// TODO: should be fixed with https://github.com/versity/versitygw/issues/1327
+			// TODO: should be fixed with https://github.com/versity/versitygw/issues/1338
+			return s3err.GetAPIError(s3err.ErrAccessDenied)
+		}
+
+		bucket, object := parsePath(ctx.Path())
+		err := auth.VerifyPublicAccess(ctx.Context(), be, policyPermission, permission, bucket, object)
+		if err != nil {
+			return err
+		}
+
+		if utils.IsBigDataAction(ctx) {
+			payloadType := ctx.Get("X-Amz-Content-Sha256")
+			if utils.IsUnsignedStreamingPayload(payloadType) {
+				checksumType, err := utils.ExtractChecksumType(ctx)
+				if err != nil {
+					return err
+				}
+
+				wrapBodyReader(ctx, func(r io.Reader) io.Reader {
+					var cr io.Reader
+					cr, err = utils.NewUnsignedChunkReader(r, checksumType)
+					return cr
+				})
+				if err != nil {
+					return err
+				}
+			} else {
+				utils.ContextKeyBodyReader.Set(ctx, ctx.Request().BodyStream())
+			}
+
+		}
+
+		utils.ContextKeyPublicBucket.Set(ctx, true)
+
+		return nil
+	}
+}
+
+// parsePath extracts the bucket and object names from the path
+func parsePath(path string) (string, string) {
+	p := strings.TrimPrefix(path, "/")
+	bucket, object, _ := strings.Cut(p, "/")
+
+	return bucket, object
+}
--- a/s3api/middlewares/router-utilities.go
+++ b/s3api/middlewares/router-utilities.go
@@ -0,0 +1,67 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package middlewares
+
+import (
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/s3api/utils"
+)
+
+// Evaluates/Matches the provided requst query params
+func MatchQueryArgs(args ...string) fiber.Handler {
+	return func(ctx *fiber.Ctx) error {
+		if utils.ContextKeySkip.IsSet(ctx) {
+			return ctx.Next()
+		}
+		for _, query := range args {
+			if !ctx.Request().URI().QueryArgs().Has(query) {
+				utils.ContextKeySkip.Set(ctx, true)
+				break
+			}
+		}
+		return ctx.Next()
+	}
+}
+
+// Evaluates/Matches the requst header
+func MatchHeader(key string) fiber.Handler {
+	return func(ctx *fiber.Ctx) error {
+		if utils.ContextKeySkip.IsSet(ctx) {
+			return ctx.Next()
+		}
+
+		val := ctx.Get(key)
+		if val == "" {
+			utils.ContextKeySkip.Set(ctx, true)
+		}
+
+		return ctx.Next()
+	}
+}
+
+// Evaluates/Matches the requst query param and value
+func MatchQueryArgWithValue(key, val string) fiber.Handler {
+	return func(ctx *fiber.Ctx) error {
+		if utils.ContextKeySkip.IsSet(ctx) {
+			return ctx.Next()
+		}
+
+		if ctx.Query(key) != val {
+			utils.ContextKeySkip.Set(ctx, true)
+		}
+
+		return ctx.Next()
+	}
+}
--- a/s3api/middlewares/set-default-keys.go
+++ b/s3api/middlewares/set-default-keys.go
@@ -0,0 +1,37 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package middlewares
+
+import (
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+)
+
+func SetDefaultValues(root RootUserConfig, region string) fiber.Handler {
+	return func(ctx *fiber.Ctx) error {
+		// These are necessary for the server access logs
+		utils.ContextKeyRegion.Set(ctx, region)
+		utils.ContextKeyStartTime.Set(ctx, time.Now())
+		utils.ContextKeyRootAccessKey.Set(ctx, root.Access)
+		// Set the account and isRoot to some defulat values, to avoid panics
+		// in case of public buckets
+		utils.ContextKeyAccount.Set(ctx, auth.Account{})
+		utils.ContextKeyIsRoot.Set(ctx, false)
+		return ctx.Next()
+	}
+}
--- a/s3api/middlewares/url-decoder.go
+++ b/s3api/middlewares/url-decoder.go
@@ -18,19 +18,15 @@ import (
 	"net/url"

 	"github.com/gofiber/fiber/v2"
-	"github.com/versity/versitygw/metrics"
-	"github.com/versity/versitygw/s3api/controllers"
-	"github.com/versity/versitygw/s3err"
-	"github.com/versity/versitygw/s3log"
 )

-func DecodeURL(logger s3log.AuditLogger, mm *metrics.Manager) fiber.Handler {
-	return func(ctx *fiber.Ctx) error {
-		unescp, err := url.PathUnescape(string(ctx.Request().URI().PathOriginal()))
-		if err != nil {
-			return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidURI), &controllers.MetaOpts{Logger: logger, MetricsMng: mm})
-		}
-		ctx.Path(unescp)
-		return ctx.Next()
+// DecodeURL url path unescapes the request url for the gateway
+// to handle some special characters
+func DecodeURL(ctx *fiber.Ctx) error {
+	unescp, err := url.PathUnescape(string(ctx.Request().URI().PathOriginal()))
+	if err != nil {
+		return err
 	}
+	ctx.Path(unescp)
+	return nil
 }
--- a/s3api/router.go
+++ b/s3api/router.go
--- a/s3api/router_test.go
+++ b/s3api/router_test.go
@@ -20,6 +20,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/s3api/middlewares"
 )

 func TestS3ApiRouter_Init(t *testing.T) {
@@ -45,7 +46,7 @@ func TestS3ApiRouter_Init(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			tt.sa.Init(tt.args.app, tt.args.be, tt.args.iam, nil, nil, nil, nil, false, false)
+			tt.sa.Init(tt.args.app, tt.args.be, tt.args.iam, nil, nil, nil, nil, false, false, "us-east-1", middlewares.RootUserConfig{})
 		})
 	}
 }
--- a/s3api/server.go
+++ b/s3api/server.go
@@ -23,6 +23,7 @@ import (
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
 	"github.com/versity/versitygw/metrics"
+	"github.com/versity/versitygw/s3api/controllers"
 	"github.com/versity/versitygw/s3api/middlewares"
 	"github.com/versity/versitygw/s3event"
 	"github.com/versity/versitygw/s3log"
@@ -50,7 +51,7 @@ func New(
 	l s3log.AuditLogger,
 	adminLogger s3log.AuditLogger,
 	evs s3event.S3EventSender,
-	mm *metrics.Manager,
+	mm metrics.Manager,
 	opts ...Option,
 ) (*S3ApiServer, error) {
 	server := &S3ApiServer{
@@ -76,7 +77,13 @@ func New(
 			return ctx.SendStatus(http.StatusOK)
 		})
 	}
-	app.Use(middlewares.DecodeURL(l, mm))
+
+	// initilaze the default value setter middleware
+	app.Use(middlewares.SetDefaultValues(root, region))
+
+	// initialize the 'DecodeURL' middleware which
+	// path unescapes the url
+	app.Use(controllers.WrapMiddleware(middlewares.DecodeURL, l, mm))

 	// initialize host-style parser in virtual domain is specified
 	if server.virtualDomain != "" {
@@ -88,13 +95,7 @@ func New(
 		app.Use(middlewares.DebugLogger())
 	}

-	// Authentication middlewares
-	app.Use(middlewares.VerifyPresignedV4Signature(root, iam, l, mm, region, server.debug))
-	app.Use(middlewares.VerifyV4Signature(root, iam, l, mm, region, server.debug))
-	app.Use(middlewares.VerifyMD5Body(l))
-	app.Use(middlewares.AclParser(be, l, server.readonly))
-
-	server.router.Init(app, be, iam, l, adminLogger, evs, mm, server.debug, server.readonly)
+	server.router.Init(app, be, iam, l, adminLogger, evs, mm, server.debug, server.readonly, region, root)

 	return server, nil
 }
--- a/s3api/utils/chunk-reader.go
+++ b/s3api/utils/chunk-reader.go
@@ -15,6 +15,7 @@
 package utils

 import (
+	"encoding/hex"
 	"fmt"
 	"io"
 	"net/http"
@@ -88,11 +89,50 @@ func (c checksumType) isValid() bool {
 		c == checksumTypeCrc64nvme
 }

+// Extracts and validates the checksum type from the 'X-Amz-Trailer' header
+func ExtractChecksumType(ctx *fiber.Ctx) (checksumType, error) {
+	trailer := ctx.Get("X-Amz-Trailer")
+	chType := checksumType(strings.ToLower(trailer))
+	if chType != "" && !chType.isValid() {
+		debuglogger.Logf("invalid value for 'X-Amz-Trailer': %v", chType)
+		return "", s3err.GetAPIError(s3err.ErrTrailerHeaderNotSupported)
+	}
+
+	return chType, nil
+}
+
 // IsSpecialPayload checks for special authorization types
 func IsSpecialPayload(str string) bool {
 	return specialValues[payloadType(str)]
 }

+// IsValidSh256PayloadHeader checks if the provided x-amz-content-sha256
+// paylod header is valid special paylod type or a valid sh256 hash
+func IsValidSh256PayloadHeader(value string) bool {
+	// empty header is valid
+	if value == "" {
+		return true
+	}
+	// special values are valid
+	if specialValues[payloadType(value)] {
+		return true
+	}
+
+	// check to be a valid sha256
+	if len(value) != 64 {
+		return false
+	}
+
+	// decode the string as hex
+	_, err := hex.DecodeString(value)
+	return err == nil
+}
+
+// Checks if the provided string is unsigned payload trailer type
+func IsUnsignedStreamingPayload(str string) bool {
+	return payloadType(str) == payloadTypeStreamingUnsignedTrailer
+}
+
 // IsChunkEncoding checks for streaming/unsigned authorization types
 func IsStreamingPayload(str string) bool {
 	pt := payloadType(str)
@@ -126,9 +166,12 @@ func NewChunkReader(ctx *fiber.Ctx, r io.Reader, authdata AuthData, region, secr
 		return nil, fmt.Errorf("invalid x-amz-content-sha256: %v", string(contentSha256))
 	}

-	checksumType := checksumType(strings.ToLower(ctx.Get("X-Amz-Trailer")))
-	if contentSha256 != payloadTypeStreamingSigned && !checksumType.isValid() {
-		debuglogger.Logf("invalid value for 'X-Amz-Trailer': %v", checksumType)
+	checksumType, err := ExtractChecksumType(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if contentSha256 != payloadTypeStreamingSigned && checksumType == "" {
+		debuglogger.Logf("empty value for required trailer header 'X-Amz-Trailer': %v", checksumType)
 		return nil, s3err.GetAPIError(s3err.ErrTrailerHeaderNotSupported)
 	}

--- a/s3api/utils/chunk-reader_test.go
+++ b/s3api/utils/chunk-reader_test.go
@@ -0,0 +1,43 @@
+// Copyright 2024 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package utils
+
+import "testing"
+
+func TestIsValidSh256PayloadHeader(t *testing.T) {
+	tests := []struct {
+		name string
+		hash string
+		want bool
+	}{
+		{"empty header", "", true},
+		{"special payload type 1", "UNSIGNED-PAYLOAD", true},
+		{"special payload type 2", "STREAMING-UNSIGNED-PAYLOAD-TRAILER", true},
+		{"special payload type 3", "STREAMING-AWS4-HMAC-SHA256-PAYLOAD", true},
+		{"special payload type 4", "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER", true},
+		{"special payload type 5", "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD", true},
+		{"special payload type 6", "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER", true},
+		{"invalid hext", "invalid_hex", false},
+		{"valid hex, but not sha256", "d41d8cd98f00b204e9800998ecf8427e", false},
+		{"valid sh256", "9c56cc51b374bb0f2f8d55af2b34d2a6f8f7f42dd4bbcccbbf8e3279b6e1e6d4", true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := IsValidSh256PayloadHeader(tt.hash); got != tt.want {
+				t.Errorf("IsValidSh256PayloadHeader() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/s3api/utils/context-keys.go
+++ b/s3api/utils/context-keys.go
@@ -0,0 +1,70 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package utils
+
+import (
+	"github.com/gofiber/fiber/v2"
+)
+
+// Region, StartTime, IsRoot, Account, AccessKey context locals
+// are set to defualut values in middlewares.SetDefaultValues
+// to avoid the nil interface conversions
+type ContextKey string
+
+const (
+	ContextKeyRegion         ContextKey = "region"
+	ContextKeyStartTime      ContextKey = "start-time"
+	ContextKeyIsRoot         ContextKey = "is-root"
+	ContextKeyRootAccessKey  ContextKey = "root-access-key"
+	ContextKeyAccount        ContextKey = "account"
+	ContextKeyAuthenticated  ContextKey = "authenticated"
+	ContextKeyPublicBucket   ContextKey = "public-bucket"
+	ContextKeyParsedAcl      ContextKey = "parsed-acl"
+	ContextKeySkipResBodyLog ContextKey = "skip-res-body-log"
+	ContextKeyBodyReader     ContextKey = "body-reader"
+	ContextKeySkip           ContextKey = "__skip"
+)
+
+func (ck ContextKey) Values() []ContextKey {
+	return []ContextKey{
+		ContextKeyRegion,
+		ContextKeyStartTime,
+		ContextKeyIsRoot,
+		ContextKeyRootAccessKey,
+		ContextKeyAccount,
+		ContextKeyAuthenticated,
+		ContextKeyPublicBucket,
+		ContextKeyParsedAcl,
+		ContextKeySkipResBodyLog,
+		ContextKeyBodyReader,
+	}
+}
+
+func (ck ContextKey) Set(ctx *fiber.Ctx, val any) {
+	ctx.Locals(string(ck), val)
+}
+
+func (ck ContextKey) IsSet(ctx *fiber.Ctx) bool {
+	val := ctx.Locals(string(ck))
+	return val != nil
+}
+
+func (ck ContextKey) Delete(ctx *fiber.Ctx) {
+	ctx.Locals(string(ck), nil)
+}
+
+func (ck ContextKey) Get(ctx *fiber.Ctx) any {
+	return ctx.Locals(string(ck))
+}
--- a/s3api/utils/crc.go
+++ b/s3api/utils/crc.go
@@ -0,0 +1,180 @@
+// Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler
+//
+// This software is provided 'as-is', without any express or implied
+// warranty.  In no event will the authors be held liable for any damages
+// arising from the use of this software.
+//
+// Permission is granted to anyone to use this software for any purpose,
+// including commercial applications, and to alter it and redistribute it
+// freely, subject to the following restrictions:
+//
+// 1. The origin of this software must not be misrepresented; you must not
+//    claim that you wrote the original software. If you use this software
+//    in a product, an acknowledgment in the product documentation would be
+//    appreciated but is not required.
+// 2. Altered source versions must be plainly marked as such, and must not be
+//    misrepresented as being the original software.
+// 3. This notice may not be removed or altered from any source distribution.
+//
+// Jean-loup Gailly        Mark Adler
+// jloup@gzip.org          madler@alumni.caltech.edu
+
+// Original implementation is from
+// https://github.com/vimeo/go-util/blob/8cd4c737f091d9317f72b25df78ce6cf869f7d30/crc32combine/crc32combine.go
+// extended for crc64 support.
+
+// Following is ported from C to Go in 2016 by Justin Ruggles, with minimal alteration.
+// Used uint for unsigned long. Used uint32 for input arguments in order to match
+// the Go hash/crc32 package. zlib CRC32 combine (https://github.com/madler/zlib)
+
+package utils
+
+import (
+	"hash/crc64"
+)
+
+const crc64NVME = 0x9a6c_9329_ac4b_c9b5
+
+var crc64NVMETable = crc64.MakeTable(crc64NVME)
+
+func gf2MatrixTimes(mat []uint64, vec uint64) uint64 {
+	var sum uint64
+
+	for vec != 0 {
+		if vec&1 != 0 {
+			sum ^= mat[0]
+		}
+		vec >>= 1
+		mat = mat[1:]
+	}
+	return sum
+}
+
+func gf2MatrixSquare(square, mat []uint64) {
+	if len(square) != len(mat) {
+		panic("square matrix size mismatch")
+	}
+	for n := range mat {
+		square[n] = gf2MatrixTimes(mat, mat[n])
+	}
+}
+
+// crc32Combine returns the combined CRC-32 hash value of the two passed CRC-32
+// hash values crc1 and crc2. poly represents the generator polynomial
+// and len2 specifies the byte length that the crc2 hash covers.
+func crc32Combine(poly uint32, crc1, crc2 uint32, len2 int64) uint32 {
+	// degenerate case (also disallow negative lengths)
+	if len2 <= 0 {
+		return crc1
+	}
+
+	even := make([]uint64, 32) // even-power-of-two zeros operator
+	odd := make([]uint64, 32)  // odd-power-of-two zeros operator
+
+	// put operator for one zero bit in odd
+	odd[0] = uint64(poly) // CRC-32 polynomial
+	row := uint64(1)
+	for n := 1; n < 32; n++ {
+		odd[n] = row
+		row <<= 1
+	}
+
+	// put operator for two zero bits in even
+	gf2MatrixSquare(even, odd)
+
+	// put operator for four zero bits in odd
+	gf2MatrixSquare(odd, even)
+
+	// apply len2 zeros to crc1 (first square will put the operator for one
+	// zero byte, eight zero bits, in even)
+	crc1n := uint64(crc1)
+	for {
+		// apply zeros operator for this bit of len2
+		gf2MatrixSquare(even, odd)
+		if len2&1 != 0 {
+			crc1n = gf2MatrixTimes(even, crc1n)
+		}
+		len2 >>= 1
+
+		// if no more bits set, then done
+		if len2 == 0 {
+			break
+		}
+
+		// another iteration of the loop with odd and even swapped
+		gf2MatrixSquare(odd, even)
+		if len2&1 != 0 {
+			crc1n = gf2MatrixTimes(odd, crc1n)
+		}
+		len2 >>= 1
+
+		// if no more bits set, then done
+		if len2 == 0 {
+			break
+		}
+	}
+
+	// return combined crc
+	crc1n ^= uint64(crc2)
+	return uint32(crc1n)
+}
+
+// crc64Combine returns the combined CRC-64 hash value of the two passed CRC-64
+// hash values crc1 and crc2. poly represents the generator polynomial
+// and len2 specifies the byte length that the crc2 hash covers.
+func crc64Combine(poly uint64, crc1, crc2 uint64, len2 int64) uint64 {
+	// degenerate case (also disallow negative lengths)
+	if len2 <= 0 {
+		return crc1
+	}
+
+	even := make([]uint64, 64) // even-power-of-two zeros operator
+	odd := make([]uint64, 64)  // odd-power-of-two zeros operator
+
+	// put operator for one zero bit in odd
+	odd[0] = poly // CRC-64 polynomial
+	row := uint64(1)
+	for n := 1; n < 64; n++ {
+		odd[n] = row
+		row <<= 1
+	}
+
+	// put operator for two zero bits in even
+	gf2MatrixSquare(even, odd)
+
+	// put operator for four zero bits in odd
+	gf2MatrixSquare(odd, even)
+
+	// apply len2 zeros to crc1 (first square will put the operator for one
+	// zero byte, eight zero bits, in even)
+	crc1n := crc1
+	for {
+		// apply zeros operator for this bit of len2
+		gf2MatrixSquare(even, odd)
+		if len2&1 != 0 {
+			crc1n = gf2MatrixTimes(even, crc1n)
+		}
+		len2 >>= 1
+
+		// if no more bits set, then done
+		if len2 == 0 {
+			break
+		}
+
+		// another iteration of the loop with odd and even swapped
+		gf2MatrixSquare(odd, even)
+		if len2&1 != 0 {
+			crc1n = gf2MatrixTimes(odd, crc1n)
+		}
+		len2 >>= 1
+
+		// if no more bits set, then done
+		if len2 == 0 {
+			break
+		}
+	}
+
+	// return combined crc
+	crc1n ^= crc2
+	return crc1n
+}
--- a/s3api/utils/crc_test.go
+++ b/s3api/utils/crc_test.go
@@ -0,0 +1,57 @@
+// Copyright 2025 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package utils
+
+import (
+	"hash/crc32"
+	"hash/crc64"
+	"testing"
+)
+
+func TestCRC32Combine(t *testing.T) {
+	data := []byte("The quick brown fox jumps over the lazy dog")
+	mid := len(data) / 2
+	part1 := data[:mid]
+	part2 := data[mid:]
+
+	var poly uint32 = crc32.IEEE
+	tab := crc32.MakeTable(poly)
+	crc1 := crc32.Checksum(part1, tab)
+	crc2 := crc32.Checksum(part2, tab)
+	combined := crc32Combine(poly, crc1, crc2, int64(len(part2)))
+	full := crc32.Checksum(data, tab)
+
+	if combined != full {
+		t.Errorf("crc32Combine failed: got %08x, want %08x", combined, full)
+	}
+}
+
+func TestCRC64Combine(t *testing.T) {
+	data := []byte("The quick brown fox jumps over the lazy dog")
+	mid := len(data) / 2
+	part1 := data[:mid]
+	part2 := data[mid:]
+
+	var poly uint64 = crc64NVME
+	tab := crc64NVMETable
+	crc1 := crc64.Checksum(part1, tab)
+	crc2 := crc64.Checksum(part2, tab)
+	combined := crc64Combine(poly, crc1, crc2, int64(len(part2)))
+	full := crc64.Checksum(data, tab)
+
+	if combined != full {
+		t.Errorf("crc64Combine failed: got %016x, want %016x", combined, full)
+	}
+}
--- a/s3api/utils/csum-reader.go
+++ b/s3api/utils/csum-reader.go
@@ -26,7 +26,6 @@ import (
 	"hash/crc32"
 	"hash/crc64"
 	"io"
-	"math/bits"

 	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/versity/versitygw/s3err"
@@ -89,7 +88,7 @@ func NewHashReader(r io.Reader, expectedSum string, ht HashType) (*HashReader, e
 	case HashTypeCRC32C:
 		hash = crc32.New(crc32.MakeTable(crc32.Castagnoli))
 	case HashTypeCRC64NVME:
-		hash = crc64.New(crc64.MakeTable(bits.Reverse64(0xad93d23594c93659)))
+		hash = crc64.New(crc64NVMETable)
 	case HashTypeNone:
 		hash = noop{}
 	default:
@@ -185,7 +184,7 @@ func (hr *HashReader) Type() HashType {
 	return hr.hashType
 }

-// Md5SumString converts the hash bytes to the string checksum value
+// Base64SumString converts the hash bytes to the b64 encoded string checksum value
 func Base64SumString(b []byte) string {
 	return base64.StdEncoding.EncodeToString(b)
 }
@@ -198,6 +197,108 @@ func (n noop) Reset()                      {}
 func (n noop) Size() int                   { return 0 }
 func (n noop) BlockSize() int              { return 1 }

+// IsChecksumComposable tests if the final foll object crc can be calculated
+// based on the part crc values.
+func IsChecksumComposable(algo types.ChecksumAlgorithm) bool {
+	switch algo {
+	case types.ChecksumAlgorithmCrc32, types.ChecksumAlgorithmCrc32c, types.ChecksumAlgorithmCrc64nvme:
+		return true
+	default:
+		return false
+	}
+}
+
+// AddCRCChecksum calculates the composite CRC checksum after adding the part crc.
+// Only CRC32, CRC32C, and CRC64NVME are supported. The input checksums must be base64-encoded strings.
+func AddCRCChecksum(algo types.ChecksumAlgorithm, crc, partCrc string, partLen int64) (string, error) {
+	switch algo {
+	case types.ChecksumAlgorithmCrc32:
+		data, err := base64.StdEncoding.DecodeString(partCrc)
+		if err != nil {
+			return "", fmt.Errorf("base64 decode partCrc: %w", err)
+		}
+		if len(data) != 4 {
+			return "", fmt.Errorf("invalid crc32 part checksum length: %d", len(data))
+		}
+		currentCRC, err := base64.StdEncoding.DecodeString(crc)
+		if err != nil {
+			return "", fmt.Errorf("base64 decode crc: %w", err)
+		}
+		if len(currentCRC) != 4 {
+			return "", fmt.Errorf("invalid crc32 checksum length: %d", len(currentCRC))
+		}
+
+		currentVal := uint32(currentCRC[0])<<24 | uint32(currentCRC[1])<<16 | uint32(currentCRC[2])<<8 | uint32(currentCRC[3])
+		val := uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
+		composite := crc32Combine(crc32.IEEE, currentVal, val, partLen)
+
+		out := []byte{
+			byte(composite >> 24),
+			byte(composite >> 16),
+			byte(composite >> 8),
+			byte(composite),
+		}
+		return base64.StdEncoding.EncodeToString(out), nil
+	case types.ChecksumAlgorithmCrc32c:
+		data, err := base64.StdEncoding.DecodeString(partCrc)
+		if err != nil {
+			return "", fmt.Errorf("base64 decode partCrc: %w", err)
+		}
+		if len(data) != 4 {
+			return "", fmt.Errorf("invalid crc32 part checksum length: %d", len(data))
+		}
+		currentCRC, err := base64.StdEncoding.DecodeString(crc)
+		if err != nil {
+			return "", fmt.Errorf("base64 decode crc: %w", err)
+		}
+		if len(currentCRC) != 4 {
+			return "", fmt.Errorf("invalid crc32 checksum length: %d", len(currentCRC))
+		}
+
+		currentVal := uint32(currentCRC[0])<<24 | uint32(currentCRC[1])<<16 | uint32(currentCRC[2])<<8 | uint32(currentCRC[3])
+		val := uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
+		composite := crc32Combine(crc32.Castagnoli, currentVal, val, partLen)
+
+		// Convert composite to big-endian bytes
+		out := []byte{
+			byte(composite >> 24),
+			byte(composite >> 16),
+			byte(composite >> 8),
+			byte(composite),
+		}
+		return base64.StdEncoding.EncodeToString(out), nil
+	case types.ChecksumAlgorithmCrc64nvme:
+		data, err := base64.StdEncoding.DecodeString(partCrc)
+		if err != nil {
+			return "", fmt.Errorf("base64 decode partCrc: %w", err)
+		}
+		if len(data) != 8 {
+			return "", fmt.Errorf("invalid crc64 part checksum length: %d", len(data))
+		}
+		currentCRC, err := base64.StdEncoding.DecodeString(crc)
+		if err != nil {
+			return "", fmt.Errorf("base64 decode crc: %w", err)
+		}
+		if len(currentCRC) != 8 {
+			return "", fmt.Errorf("invalid crc64 checksum length: %d", len(currentCRC))
+		}
+
+		currentVal := uint64(currentCRC[0])<<56 | uint64(currentCRC[1])<<48 | uint64(currentCRC[2])<<40 | uint64(currentCRC[3])<<32 |
+			uint64(currentCRC[4])<<24 | uint64(currentCRC[5])<<16 | uint64(currentCRC[6])<<8 | uint64(currentCRC[7])
+		val := uint64(data[0])<<56 | uint64(data[1])<<48 | uint64(data[2])<<40 | uint64(data[3])<<32 |
+			uint64(data[4])<<24 | uint64(data[5])<<16 | uint64(data[6])<<8 | uint64(data[7])
+		composite := crc64Combine(crc64NVME, currentVal, val, partLen)
+
+		out := []byte{
+			byte(composite >> 56), byte(composite >> 48), byte(composite >> 40), byte(composite >> 32),
+			byte(composite >> 24), byte(composite >> 16), byte(composite >> 8), byte(composite),
+		}
+		return base64.StdEncoding.EncodeToString(out), nil
+	default:
+		return "", fmt.Errorf("composite checksum not supported for algorithm: %v", algo)
+	}
+}
+
 // NewCompositeChecksumReader initializes a composite checksum
 // processor, which decodes and validates the provided
 // checksums and returns the final checksum based on
--- a/s3api/utils/csum-reader_test.go
+++ b/s3api/utils/csum-reader_test.go
@@ -0,0 +1,120 @@
+// Copyright 2025 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package utils
+
+import (
+	"encoding/base64"
+	"hash/crc32"
+	"hash/crc64"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+)
+
+func TestAddCRCChecksum_CRC32(t *testing.T) {
+	data := []byte("this is a test buffer for crc32")
+	mid := len(data) / 2
+	part1 := data[:mid]
+	part2 := data[mid:]
+
+	crc1 := crc32.Checksum(part1, crc32.IEEETable)
+	crc2 := crc32.Checksum(part2, crc32.IEEETable)
+	crcFull := crc32.Checksum(data, crc32.IEEETable)
+
+	crc1b := []byte{byte(crc1 >> 24), byte(crc1 >> 16), byte(crc1 >> 8), byte(crc1)}
+	crc2b := []byte{byte(crc2 >> 24), byte(crc2 >> 16), byte(crc2 >> 8), byte(crc2)}
+	crc1b64 := base64.StdEncoding.EncodeToString(crc1b)
+	crc2b64 := base64.StdEncoding.EncodeToString(crc2b)
+
+	combined, err := AddCRCChecksum(types.ChecksumAlgorithmCrc32, crc1b64, crc2b64, int64(len(part2)))
+	if err != nil {
+		t.Fatalf("AddCRCChecksum failed: %v", err)
+	}
+	combinedBytes, err := base64.StdEncoding.DecodeString(combined)
+	if err != nil {
+		t.Fatalf("base64 decode failed: %v", err)
+	}
+	combinedVal := uint32(combinedBytes[0])<<24 | uint32(combinedBytes[1])<<16 | uint32(combinedBytes[2])<<8 | uint32(combinedBytes[3])
+	if combinedVal != crcFull {
+		t.Errorf("CRC32 combine mismatch: got %x, want %x", combinedVal, crcFull)
+	}
+}
+
+func TestAddCRCChecksum_CRC32c(t *testing.T) {
+	data := []byte("this is a test buffer for crc32c")
+	mid := len(data) / 2
+	part1 := data[:mid]
+	part2 := data[mid:]
+
+	castagnoli := crc32.MakeTable(crc32.Castagnoli)
+	crc1 := crc32.Checksum(part1, castagnoli)
+	crc2 := crc32.Checksum(part2, castagnoli)
+	crcFull := crc32.Checksum(data, castagnoli)
+
+	crc1b := []byte{byte(crc1 >> 24), byte(crc1 >> 16), byte(crc1 >> 8), byte(crc1)}
+	crc2b := []byte{byte(crc2 >> 24), byte(crc2 >> 16), byte(crc2 >> 8), byte(crc2)}
+	crc1b64 := base64.StdEncoding.EncodeToString(crc1b)
+	crc2b64 := base64.StdEncoding.EncodeToString(crc2b)
+
+	combined, err := AddCRCChecksum(types.ChecksumAlgorithmCrc32c, crc1b64, crc2b64, int64(len(part2)))
+	if err != nil {
+		t.Fatalf("AddCRCChecksum failed: %v", err)
+	}
+	combinedBytes, err := base64.StdEncoding.DecodeString(combined)
+	if err != nil {
+		t.Fatalf("base64 decode failed: %v", err)
+	}
+	combinedVal := uint32(combinedBytes[0])<<24 | uint32(combinedBytes[1])<<16 | uint32(combinedBytes[2])<<8 | uint32(combinedBytes[3])
+	if combinedVal != crcFull {
+		t.Errorf("CRC32c combine mismatch: got %x, want %x", combinedVal, crcFull)
+	}
+}
+
+func TestAddCRCChecksum_CRC64NVME(t *testing.T) {
+	data := []byte("this is a test buffer for crc64nvme")
+	mid := len(data) / 2
+	part1 := data[:mid]
+	part2 := data[mid:]
+
+	table := crc64NVMETable
+	crc1 := crc64.Checksum(part1, table)
+	crc2 := crc64.Checksum(part2, table)
+	crcFull := crc64.Checksum(data, table)
+
+	crc1b := []byte{
+		byte(crc1 >> 56), byte(crc1 >> 48), byte(crc1 >> 40), byte(crc1 >> 32),
+		byte(crc1 >> 24), byte(crc1 >> 16), byte(crc1 >> 8), byte(crc1),
+	}
+	crc2b := []byte{
+		byte(crc2 >> 56), byte(crc2 >> 48), byte(crc2 >> 40), byte(crc2 >> 32),
+		byte(crc2 >> 24), byte(crc2 >> 16), byte(crc2 >> 8), byte(crc2),
+	}
+	crc1b64 := base64.StdEncoding.EncodeToString(crc1b)
+	crc2b64 := base64.StdEncoding.EncodeToString(crc2b)
+
+	combined, err := AddCRCChecksum(types.ChecksumAlgorithmCrc64nvme, crc1b64, crc2b64, int64(len(part2)))
+	if err != nil {
+		t.Fatalf("AddCRCChecksum failed: %v", err)
+	}
+	combinedBytes, err := base64.StdEncoding.DecodeString(combined)
+	if err != nil {
+		t.Fatalf("base64 decode failed: %v", err)
+	}
+	combinedVal := uint64(combinedBytes[0])<<56 | uint64(combinedBytes[1])<<48 | uint64(combinedBytes[2])<<40 | uint64(combinedBytes[3])<<32 |
+		uint64(combinedBytes[4])<<24 | uint64(combinedBytes[5])<<16 | uint64(combinedBytes[6])<<8 | uint64(combinedBytes[7])
+	if combinedVal != crcFull {
+		t.Errorf("CRC64NVME combine mismatch: got %x, want %x", combinedVal, crcFull)
+	}
+}
--- a/s3api/utils/presign-auth-reader.go
+++ b/s3api/utils/presign-auth-reader.go
@@ -180,7 +180,7 @@ func ParsePresignedURIParts(ctx *fiber.Ctx) (AuthData, error) {
 		return a, s3err.GetAPIError(s3err.ErrSignatureDateDoesNotMatch)
 	}

-	if ctx.Locals("region") != creds[2] {
+	if ContextKeyRegion.Get(ctx) != creds[2] {
 		return a, s3err.APIError{
 			Code:           "SignatureDoesNotMatch",
 			Description:    fmt.Sprintf("Credential should be scoped to a valid Region, not %v", creds[2]),
--- a/s3api/utils/utils.go
+++ b/s3api/utils/utils.go
@@ -44,14 +44,14 @@ var (
 func GetUserMetaData(headers *fasthttp.RequestHeader) (metadata map[string]string) {
 	metadata = make(map[string]string)
 	headers.DisableNormalizing()
-	headers.VisitAllInOrder(func(key, value []byte) {
+	for key, value := range headers.AllInOrder() {
 		hKey := string(key)
 		if strings.HasPrefix(strings.ToLower(hKey), "x-amz-meta-") {
 			trimmedKey := hKey[11:]
 			headerValue := string(value)
 			metadata[trimmedKey] = headerValue
 		}
-	})
+	}
 	headers.EnableNormalizing()

 	return
@@ -74,12 +74,12 @@ func createHttpRequestFromCtx(ctx *fiber.Ctx, signedHdrs []string, contentLength
 	}

 	// Set the request headers
-	req.Header.VisitAll(func(key, value []byte) {
+	for key, value := range req.Header.All() {
 		keyStr := string(key)
 		if includeHeader(keyStr, signedHdrs) {
 			httpReq.Header.Add(keyStr, string(value))
 		}
-	})
+	}

 	// make sure all headers in the signed headers are present
 	for _, header := range signedHdrs {
@@ -124,7 +124,7 @@ func createPresignedHttpRequestFromCtx(ctx *fiber.Ctx, signedHdrs []string, cont
 	uri, _, _ := strings.Cut(ctx.OriginalURL(), "?")
 	isFirst := true

-	ctx.Request().URI().QueryArgs().VisitAll(func(key, value []byte) {
+	for key, value := range ctx.Request().URI().QueryArgs().All() {
 		_, ok := signedQueryArgs[string(key)]
 		if !ok {
 			escapeValue := url.QueryEscape(string(value))
@@ -135,19 +135,19 @@ func createPresignedHttpRequestFromCtx(ctx *fiber.Ctx, signedHdrs []string, cont
 				uri += fmt.Sprintf("&%s=%s", key, escapeValue)
 			}
 		}
-	})
+	}

 	httpReq, err := http.NewRequest(string(req.Header.Method()), uri, body)
 	if err != nil {
 		return nil, errors.New("error in creating an http request")
 	}
 	// Set the request headers
-	req.Header.VisitAll(func(key, value []byte) {
+	for key, value := range req.Header.All() {
 		keyStr := string(key)
 		if includeHeader(keyStr, signedHdrs) {
 			httpReq.Header.Add(keyStr, string(value))
 		}
-	})
+	}

 	// Check if Content-Length in signed headers
 	// If content length is non 0, then the header will be included
@@ -297,10 +297,10 @@ func FilterObjectAttributes(attrs map[s3response.ObjectAttributes]struct{}, outp
 func ParseObjectAttributes(ctx *fiber.Ctx) (map[s3response.ObjectAttributes]struct{}, error) {
 	attrs := map[s3response.ObjectAttributes]struct{}{}
 	var err error
-	ctx.Request().Header.VisitAll(func(key, value []byte) {
+	for key, value := range ctx.Request().Header.All() {
 		if string(key) == "X-Amz-Object-Attributes" {
 			if len(value) == 0 {
-				return
+				break
 			}
 			oattrs := strings.Split(string(value), ",")
 			for _, a := range oattrs {
@@ -313,7 +313,7 @@ func ParseObjectAttributes(ctx *fiber.Ctx) (map[s3response.ObjectAttributes]stru
 				attrs[attr] = struct{}{}
 			}
 		}
-	})
+	}

 	if err != nil {
 		return nil, err
@@ -413,23 +413,23 @@ func (cv ChecksumValues) Headers() string {
 	return result
 }

-func ParseChecksumHeaders(ctx *fiber.Ctx) (types.ChecksumAlgorithm, ChecksumValues, error) {
-	sdkAlgorithm := types.ChecksumAlgorithm(strings.ToUpper(ctx.Get("X-Amz-Sdk-Checksum-Algorithm")))
-
-	err := IsChecksumAlgorithmValid(sdkAlgorithm)
-	if err != nil {
-		debuglogger.Logf("invalid checksum algorithm: %v\n", sdkAlgorithm)
-		return "", nil, err
-	}
-
+// ParseCalculatedChecksumHeaders parses and validates x-amz-checksum-x header keys
+// e.g x-amz-checksum-crc32, x-amz-checksum-sha256 ...
+func ParseCalculatedChecksumHeaders(ctx *fiber.Ctx) (ChecksumValues, error) {
 	checksums := ChecksumValues{}

 	var hdrErr error
 	// Parse and validate checksum headers
-	ctx.Request().Header.VisitAll(func(key, value []byte) {
-		// Skip `X-Amz-Checksum-Type` as it's a special header
-		if hdrErr != nil || !strings.HasPrefix(string(key), "X-Amz-Checksum-") || string(key) == "X-Amz-Checksum-Type" {
-			return
+	for key, value := range ctx.Request().Header.All() {
+		// only check the headers with 'X-Amz-Checksum-' prefix
+		if !strings.HasPrefix(string(key), "X-Amz-Checksum-") {
+			continue
+		}
+		//  "X-Amz-Checksum-Type" and "X-Amz-Checksum-Algorithm" aren't considered
+		// as invalid values, even if the s3 action doesn't expect these headers
+		switch string(key) {
+		case "X-Amz-Checksum-Type", "X-Amz-Checksum-Algorithm":
+			continue
 		}

 		algo := types.ChecksumAlgorithm(strings.ToUpper(strings.TrimPrefix(string(key), "X-Amz-Checksum-")))
@@ -437,19 +437,55 @@ func ParseChecksumHeaders(ctx *fiber.Ctx) (types.ChecksumAlgorithm, ChecksumValu
 		if err != nil {
 			debuglogger.Logf("invalid checksum header: %s\n", key)
 			hdrErr = s3err.GetAPIError(s3err.ErrInvalidChecksumHeader)
-			return
+			break
 		}

 		checksums[algo] = string(value)
-	})
+	}

 	if hdrErr != nil {
-		return sdkAlgorithm, nil, hdrErr
+		return checksums, hdrErr
 	}

 	if len(checksums) > 1 {
 		debuglogger.Logf("multiple checksum headers provided: %v\n", checksums.Headers())
-		return sdkAlgorithm, checksums, s3err.GetAPIError(s3err.ErrMultipleChecksumHeaders)
+		return checksums, s3err.GetAPIError(s3err.ErrMultipleChecksumHeaders)
+	}
+
+	return checksums, nil
+}
+
+// ParseChecksumHeaders parses/validates x-amz-checksum-x headers key/values
+func ParseChecksumHeaders(ctx *fiber.Ctx) (ChecksumValues, error) {
+	// first parse/validate 'x-amz-checksum-x' headers
+	checksums, err := ParseCalculatedChecksumHeaders(ctx)
+	if err != nil {
+		return checksums, err
+	}
+
+	// check if the values are valid
+	for al, val := range checksums {
+		if !IsValidChecksum(val, al) {
+			return checksums, s3err.GetInvalidChecksumHeaderErr(fmt.Sprintf("x-amz-checksum-%v", strings.ToLower(string(al))))
+		}
+	}
+
+	return checksums, nil
+}
+
+// ParseChecksumHeadersAndSdkAlgo parses/validates 'x-amz-sdk-checksum-algorithm' and
+// 'x-amz-checksum-x' precalculated request headers
+func ParseChecksumHeadersAndSdkAlgo(ctx *fiber.Ctx) (types.ChecksumAlgorithm, ChecksumValues, error) {
+	sdkAlgorithm := types.ChecksumAlgorithm(strings.ToUpper(ctx.Get("X-Amz-Sdk-Checksum-Algorithm")))
+	err := IsChecksumAlgorithmValid(sdkAlgorithm)
+	if err != nil {
+		debuglogger.Logf("invalid checksum algorithm: %v\n", sdkAlgorithm)
+		return "", nil, err
+	}
+
+	checksums, err := ParseCalculatedChecksumHeaders(ctx)
+	if err != nil {
+		return sdkAlgorithm, checksums, err
 	}

 	for al, val := range checksums {
@@ -569,12 +605,12 @@ func checkChecksumTypeAndAlgo(algo types.ChecksumAlgorithm, t types.ChecksumType

 // Parses and validates the x-amz-checksum-algorithm and x-amz-checksum-type headers
 func ParseCreateMpChecksumHeaders(ctx *fiber.Ctx) (types.ChecksumAlgorithm, types.ChecksumType, error) {
-	algo := types.ChecksumAlgorithm(ctx.Get("x-amz-checksum-algorithm"))
+	algo := types.ChecksumAlgorithm(strings.ToUpper(ctx.Get("x-amz-checksum-algorithm")))
 	if err := IsChecksumAlgorithmValid(algo); err != nil {
 		return "", "", err
 	}

-	chType := types.ChecksumType(ctx.Get("x-amz-checksum-type"))
+	chType := types.ChecksumType(strings.ToUpper(ctx.Get("x-amz-checksum-type")))
 	if err := IsChecksumTypeValid(chType); err != nil {
 		return "", "", err
 	}
@@ -664,3 +700,82 @@ func ParseTagging(data []byte, limit TagLimit) (map[string]string, error) {

 	return tagSet, nil
 }
+
+// Returns the provided string pointer
+func GetStringPtr(str string) *string {
+	if str == "" {
+		return nil
+	}
+
+	return &str
+}
+
+// Converts any type to a string pointer
+func ConvertToStringPtr[T any](val T) *string {
+	str := fmt.Sprint(val)
+	if str == "" {
+		return nil
+	}
+	return &str
+}
+
+// Converst any pointer to a string pointer
+func ConvertPtrToStringPtr[T any](val *T) *string {
+	if val == nil {
+		return nil
+	}
+	str := fmt.Sprint(*val)
+	return &str
+}
+
+// Formats the date with the given formatting and returns a string pointer
+func FormatDatePtrToString(date *time.Time, format string) *string {
+	if date == nil {
+		return nil
+	}
+	if date.IsZero() {
+		return nil
+	}
+
+	formatted := date.UTC().Format(format)
+	return &formatted
+}
+
+// GetInt64 returns the value of int64 pointer
+func GetInt64(n *int64) int64 {
+	if n == nil {
+		return 0
+	}
+
+	return *n
+}
+
+// ValidateCopySource parses and validates the copy-source
+func ValidateCopySource(copysource string) error {
+	var err error
+	copysource, err = url.QueryUnescape(copysource)
+	if err != nil {
+		debuglogger.Logf("invalid copy source encoding: %s", copysource)
+		return s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)
+	}
+
+	bucket, rest, _ := strings.Cut(copysource, "/")
+	if !IsValidBucketName(bucket) {
+		debuglogger.Logf("invalid copy source bucket: %s", bucket)
+		return s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)
+	}
+
+	// cut till the versionId as it's the only query param
+	// that is recognized in copy source
+	object, _, _ := strings.Cut(rest, "?versionId=")
+
+	// objects containing '../', '...../' ... are considered valid in AWS
+	// but for the security purposes these should be considered as invalid
+	// in the gateway
+	if !IsObjectNameValid(object) {
+		debuglogger.Logf("invalid copy source object: %s", object)
+		return s3err.GetAPIError(s3err.ErrInvalidCopySourceObject)
+	}
+
+	return nil
+}
--- a/s3api/utils/utils_test.go
+++ b/s3api/utils/utils_test.go
@@ -26,6 +26,7 @@ import (

 	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/assert"
 	"github.com/valyala/fasthttp"
 	"github.com/versity/versitygw/backend"
 	"github.com/versity/versitygw/s3err"
@@ -898,3 +899,51 @@ func TestParseTagging(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateCopySource(t *testing.T) {
+	tests := []struct {
+		name       string
+		copysource string
+		err        error
+	}{
+		// invalid encoding
+		{"invalid encoding 1", "%", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 2", "%2", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 3", "%G1", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 4", "%1Z", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 5", "%0H", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 6", "%XY", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 7", "%E", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 8", "hello%", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 9", "%%", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 10", "%2Gmore", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 11", "100%%sure", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 12", "%#00", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 13", "%0%0", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		{"invalid encoding 14", "%?versionId=id", s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding)},
+		// invalid bucket name
+		{"invalid bucket name 1", "168.200.1.255/obj/foo", s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)},
+		{"invalid bucket name 2", "/0000:0db8:85a3:0000:0000:8a2e:0370:7224/smth", s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)},
+		{"invalid bucket name 3", "", s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)},
+		{"invalid bucket name 4", "//obj/foo", s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)},
+		{"invalid bucket name 5", "//obj/foo?versionId=id", s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)},
+		// invalid object name
+		{"invalid object name 1", "bucket/../foo", s3err.GetAPIError(s3err.ErrInvalidCopySourceObject)},
+		{"invalid object name 2", "bucket/", s3err.GetAPIError(s3err.ErrInvalidCopySourceObject)},
+		{"invalid object name 3", "bucket", s3err.GetAPIError(s3err.ErrInvalidCopySourceObject)},
+		{"invalid object name 4", "bucket/../foo/dir/../../../", s3err.GetAPIError(s3err.ErrInvalidCopySourceObject)},
+		{"invalid object name 5", "bucket/.?versionId=smth", s3err.GetAPIError(s3err.ErrInvalidCopySourceObject)},
+		// success
+		{"no error 1", "bucket/object", nil},
+		{"no error 2", "bucket/object/key", nil},
+		{"no error 3", "bucket/4*&(*&(89765))", nil},
+		{"no error 4", "bucket/foo/../bar", nil},
+		{"no error 5", "bucket/foo/bar/baz?versionId=id", nil},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := ValidateCopySource(tt.copysource)
+			assert.Equal(t, tt.err, err)
+		})
+	}
+}
--- a/s3err/s3err.go
+++ b/s3err/s3err.go
@@ -59,6 +59,11 @@ type ErrorCode int
 const (
 	ErrNone ErrorCode = iota
 	ErrAccessDenied
+	ErrAnonymousRequest
+	ErrAnonymousCreateMp
+	ErrAnonymousCopyObject
+	ErrAnonymousPutBucketOwnership
+	ErrAnonymousGetBucketOwnership
 	ErrMethodNotAllowed
 	ErrBucketNotEmpty
 	ErrVersionedBucketNotEmpty
@@ -82,8 +87,10 @@ const (
 	ErrInvalidCompleteMpPartNumber
 	ErrInternalError
 	ErrInvalidCopyDest
-	ErrInvalidCopySource
 	ErrInvalidCopySourceRange
+	ErrInvalidCopySourceBucket
+	ErrInvalidCopySourceObject
+	ErrInvalidCopySourceEncoding
 	ErrInvalidTagKey
 	ErrInvalidTagValue
 	ErrDuplicateTagKey
@@ -118,6 +125,7 @@ const (
 	ErrSignatureTerminationStr
 	ErrSignatureIncorrService
 	ErrContentSHA256Mismatch
+	ErrInvalidSHA256Paylod
 	ErrMissingContentLength
 	ErrInvalidAccessKeyID
 	ErrRequestNotReadyYet
@@ -162,6 +170,12 @@ const (
 	ErrChecksumTypeWithAlgo
 	ErrInvalidChecksumHeader
 	ErrTrailerHeaderNotSupported
+	ErrBadRequest
+	ErrMissingUploadId
+	ErrNoSuchCORSConfiguration
+	ErrCORSForbidden
+	ErrMissingCORSOrigin
+	ErrCORSIsNotEnabled

 	// Non-AWS errors
 	ErrExistingObjectIsDirectory
@@ -186,6 +200,31 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		Description:    "Access Denied.",
 		HTTPStatusCode: http.StatusForbidden,
 	},
+	ErrAnonymousRequest: {
+		Code:           "AccessDenied",
+		Description:    "Anonymous users cannot invoke this API. Please authenticate.",
+		HTTPStatusCode: http.StatusForbidden,
+	},
+	ErrAnonymousCreateMp: {
+		Code:           "AccessDenied",
+		Description:    "Anonymous users cannot initiate multipart uploads. Please authenticate.",
+		HTTPStatusCode: http.StatusForbidden,
+	},
+	ErrAnonymousCopyObject: {
+		Code:           "AccessDenied",
+		Description:    "Anonymous users cannot copy objects. Please authenticate.",
+		HTTPStatusCode: http.StatusForbidden,
+	},
+	ErrAnonymousPutBucketOwnership: {
+		Code:           "AccessDenied",
+		Description:    "s3:PutBucketOwnershipControls does not support Anonymous requests!",
+		HTTPStatusCode: http.StatusForbidden,
+	},
+	ErrAnonymousGetBucketOwnership: {
+		Code:           "AccessDenied",
+		Description:    "s3:GetBucketOwnershipControls does not support Anonymous requests!",
+		HTTPStatusCode: http.StatusForbidden,
+	},
 	ErrMethodNotAllowed: {
 		Code:           "MethodNotAllowed",
 		Description:    "The specified method is not allowed against this resource.",
@@ -243,7 +282,7 @@ var errorCodeResponse = map[ErrorCode]APIError{
 	},
 	ErrInvalidPartNumberMarker: {
 		Code:           "InvalidArgument",
-		Description:    "Argument partNumberMarker must be an integer.",
+		Description:    "Argument part-number-marker must be an integer between 0 and 2147483647",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
 	ErrInvalidObjectAttributes: {
@@ -301,16 +340,26 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		Description:    "This copy request is illegal because it is trying to copy an object to itself without changing the object's metadata, storage class, website redirect location or encryption attributes.",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
-	ErrInvalidCopySource: {
-		Code:           "InvalidArgument",
-		Description:    "Copy Source must mention the source bucket and key: sourcebucket/sourcekey.",
-		HTTPStatusCode: http.StatusBadRequest,
-	},
 	ErrInvalidCopySourceRange: {
 		Code:           "InvalidArgument",
 		Description:    "The x-amz-copy-source-range value must be of the form bytes=first-last where first and last are the zero-based offsets of the first and last bytes to copy",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrInvalidCopySourceBucket: {
+		Code:           "InvalidArgument",
+		Description:    "Invalid copy source bucket name",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrInvalidCopySourceObject: {
+		Code:           "InvalidArgument",
+		Description:    "Invalid copy source object key",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrInvalidCopySourceEncoding: {
+		Code:           "InvalidArgument",
+		Description:    "Invalid copy source encoding",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	ErrInvalidTagKey: {
 		Code:           "InvalidTag",
 		Description:    "The TagKey you have provided is invalid",
@@ -486,6 +535,11 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		Description:    "The provided 'x-amz-content-sha256' header does not match what was computed.",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrInvalidSHA256Paylod: {
+		Code:           "InvalidArgument",
+		Description:    "x-amz-content-sha256 must be UNSIGNED-PAYLOAD, STREAMING-UNSIGNED-PAYLOAD-TRAILER, STREAMING-AWS4-HMAC-SHA256-PAYLOAD, STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER, STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD, STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER or a valid sha256 value.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	ErrMissingContentLength: {
 		Code:           "MissingContentLength",
 		Description:    "You must provide the Content-Length HTTP header.",
@@ -602,8 +656,8 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		HTTPStatusCode: http.StatusForbidden,
 	},
 	ErrInvalidBucketAclWithObjectOwnership: {
-		Code:           "ErrInvalidBucketAclWithObjectOwnership",
-		Description:    "Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting.",
+		Code:           "InvalidBucketAclWithObjectOwnership",
+		Description:    "Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
 	ErrBothCannedAndHeaderGrants: {
@@ -696,6 +750,36 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		Description:    "The value specified in the x-amz-trailer header is not supported",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrBadRequest: {
+		Code:           "400",
+		Description:    "Bad Request",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrMissingUploadId: {
+		Code:           "InvalidArgument",
+		Description:    "This operation does not accept partNumber without uploadId",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrNoSuchCORSConfiguration: {
+		Code:           "NoSuchCORSConfiguration",
+		Description:    "The CORS configuration does not exist",
+		HTTPStatusCode: http.StatusNotFound,
+	},
+	ErrCORSForbidden: {
+		Code:           "AccessForbidden",
+		Description:    "CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Request-Headers are not whitelisted by the resource's CORS spec.",
+		HTTPStatusCode: http.StatusForbidden,
+	},
+	ErrMissingCORSOrigin: {
+		Code:           "BadRequest",
+		Description:    "Insufficient information. Origin request header needed.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrCORSIsNotEnabled: {
+		Code:           "AccessForbidden",
+		Description:    "CORSResponse: CORS is not enabled for this bucket.",
+		HTTPStatusCode: http.StatusForbidden,
+	},

 	// non aws errors
 	ErrExistingObjectIsDirectory: {
@@ -852,7 +936,7 @@ func GetIncorrectMpObjectSizeErr(expected, actual int64) APIError {
 	}
 }

-func GetInvalidMpObjectSizeErr(val int64) APIError {
+func GetNegatvieMpObjectSizeErr(val int64) APIError {
 	return APIError{
 		Code:           "InvalidRequest",
 		Description:    fmt.Sprintf("Value for x-amz-mp-object-size header is less than zero: '%v'", val),
@@ -860,6 +944,14 @@ func GetInvalidMpObjectSizeErr(val int64) APIError {
 	}
 }

+func GetInvalidMpObjectSizeErr(val string) APIError {
+	return APIError{
+		Code:           "InvalidRequest",
+		Description:    fmt.Sprintf("Value for x-amz-mp-object-size header is invalid: '%s'", val),
+		HTTPStatusCode: http.StatusBadRequest,
+	}
+}
+
 func CreateExceedingRangeErr(objSize int64) APIError {
 	return APIError{
 		Code:           "InvalidArgument",
@@ -867,3 +959,35 @@ func CreateExceedingRangeErr(objSize int64) APIError {
 		HTTPStatusCode: http.StatusBadRequest,
 	}
 }
+
+func GetInvalidCORSHeaderErr(header string) APIError {
+	return APIError{
+		Code:           "InvalidRequest",
+		Description:    fmt.Sprintf(`AllowedHeader "%s" contains invalid character.`, header),
+		HTTPStatusCode: http.StatusBadRequest,
+	}
+}
+
+func GetInvalidCORSRequestHeaderErr(header string) APIError {
+	return APIError{
+		Code:           "BadRequest",
+		Description:    fmt.Sprintf(`Access-Control-Request-Headers "%s" contains invalid character.`, header),
+		HTTPStatusCode: http.StatusBadRequest,
+	}
+}
+
+func GetUnsopportedCORSMethodErr(method string) APIError {
+	return APIError{
+		Code:           "InvalidRequest",
+		Description:    fmt.Sprintf("Found unsupported HTTP method in CORS config. Unsupported method is %s", method),
+		HTTPStatusCode: http.StatusBadRequest,
+	}
+}
+
+func GetInvalidCORSMethodErr(method string) APIError {
+	return APIError{
+		Code:           "BadRequest",
+		Description:    fmt.Sprintf("Invalid Access-Control-Request-Method: %s", method),
+		HTTPStatusCode: http.StatusBadRequest,
+	}
+}
--- a/s3event/event.go
+++ b/s3event/event.go
@@ -22,6 +22,7 @@ import (

 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
 )

 type S3EventSender interface {
@@ -71,9 +72,10 @@ type ConfigurationId string

 // This field will be changed after implementing per bucket notifications
 const (
-	ConfigurationIdKafka   ConfigurationId = "kafka-global"
-	ConfigurationIdNats    ConfigurationId = "nats-global"
-	ConfigurationIdWebhook ConfigurationId = "webhook-global"
+	ConfigurationIdKafka    ConfigurationId = "kafka-global"
+	ConfigurationIdNats     ConfigurationId = "nats-global"
+	ConfigurationIdWebhook  ConfigurationId = "webhook-global"
+	ConfigurationIdRabbitMQ ConfigurationId = "rabbitmq-global"
 )

 type EventS3Data struct {
@@ -112,6 +114,9 @@ type EventConfig struct {
 	KafkaTopicKey        string
 	NatsURL              string
 	NatsTopic            string
+	RabbitmqURL          string
+	RabbitmqExchange     string
+	RabbitmqRoutingKey   string
 	WebhookURL           string
 	FilterConfigFilePath string
 }
@@ -132,6 +137,9 @@ func InitEventSender(cfg *EventConfig) (S3EventSender, error) {
 	case cfg.NatsURL != "":
 		evSender, err = InitNatsEventService(cfg.NatsURL, cfg.NatsTopic, filter)
 		fmt.Printf("initializing S3 Event Notifications with Nats. URL: %v, topic: %v\n", cfg.NatsURL, cfg.NatsTopic)
+	case cfg.RabbitmqURL != "":
+		evSender, err = InitRabbitmqEventService(cfg.RabbitmqURL, cfg.RabbitmqExchange, cfg.RabbitmqRoutingKey, filter)
+		fmt.Printf("initializing S3 Event Notifications with RabbitMQ. URL: %v, exchange: %v, routing key: %v\n", cfg.RabbitmqURL, cfg.RabbitmqExchange, cfg.RabbitmqRoutingKey)
 	default:
 		return nil, nil
 	}
@@ -147,14 +155,14 @@ func createEventSchema(ctx *fiber.Ctx, meta EventMeta, configId ConfigurationId)
 		bucket, object = path[1], strings.Join(path[2:], "/")
 	}

-	acc := ctx.Locals("account").(auth.Account)
+	acc := utils.ContextKeyAccount.Get(ctx).(auth.Account)

 	return EventSchema{
 		Records: []EventRecord{
 			{
 				EventVersion: "2.2",
 				EventSource:  "aws:s3",
-				AwsRegion:    ctx.Locals("region").(string),
+				AwsRegion:    utils.ContextKeyRegion.Get(ctx).(string),
 				EventTime:    time.Now().Format(time.RFC3339),
 				EventName:    meta.EventName,
 				UserIdentity: EventUserIdentity{
--- a/s3event/rabbitmq.go
+++ b/s3event/rabbitmq.go
@@ -0,0 +1,150 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package s3event
+
+import (
+	"encoding/json"
+	"encoding/xml"
+	"fmt"
+	"os"
+	"sync"
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/google/uuid"
+	amqp "github.com/rabbitmq/amqp091-go"
+	"github.com/versity/versitygw/s3response"
+)
+
+// RabbitmqEventSender sends S3 events to a RabbitMQ exchange/queue.
+// It mirrors the behavior of the Kafka and NATS implementations: send a
+// test event on initialization to validate configuration, filter events,
+// and handle multi-delete payloads.
+type RabbitmqEventSender struct {
+	url        string
+	exchange   string
+	routingKey string
+	conn       *amqp.Connection
+	channel    *amqp.Channel
+	mu         sync.Mutex
+	filter     EventFilter
+}
+
+// InitRabbitmqEventService creates a RabbitMQ sender. If exchange is blank the
+// default (empty string) exchange is used. If routingKey is blank we publish
+// with an empty routing key; for delete object multi-events we override the
+// routing key with the bucket name (object key not suitable as key routinely has '/')
+func InitRabbitmqEventService(url, exchange, routingKey string, filter EventFilter) (S3EventSender, error) {
+	if url == "" {
+		return nil, fmt.Errorf("rabbitmq url should be specified")
+	}
+
+	conn, err := amqp.Dial(url)
+	if err != nil {
+		return nil, fmt.Errorf("rabbitmq connect: %w", err)
+	}
+
+	ch, err := conn.Channel()
+	if err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("rabbitmq channel: %w", err)
+	}
+
+	// Send a test event to validate publishing works. Use a transient message.
+	testMsg, err := generateTestEvent()
+	if err != nil {
+		ch.Close()
+		conn.Close()
+		return nil, fmt.Errorf("rabbitmq generate test event: %w", err)
+	}
+
+	pub := amqp.Publishing{Timestamp: time.Now(), ContentType: fiber.MIMEApplicationJSON, Body: testMsg, MessageId: uuid.NewString()}
+	if err := ch.Publish(exchange, routingKey, false, false, pub); err != nil {
+		ch.Close()
+		conn.Close()
+		return nil, fmt.Errorf("rabbitmq publish test event: %w", err)
+	}
+
+	return &RabbitmqEventSender{
+		url:        url,
+		exchange:   exchange,
+		routingKey: routingKey,
+		conn:       conn,
+		channel:    ch,
+		filter:     filter,
+	}, nil
+}
+
+func (rs *RabbitmqEventSender) SendEvent(ctx *fiber.Ctx, meta EventMeta) {
+	rs.mu.Lock()
+	defer rs.mu.Unlock()
+
+	if rs.filter != nil && !rs.filter.Filter(meta.EventName) {
+		return
+	}
+
+	if meta.EventName == EventObjectRemovedDeleteObjects {
+		var dObj s3response.DeleteObjects
+		if err := xml.Unmarshal(ctx.Body(), &dObj); err != nil {
+			fmt.Fprintf(os.Stderr, "failed to parse delete objects input payload: %v\n", err.Error())
+			return
+		}
+		for _, obj := range dObj.Objects {
+			key := *obj.Key
+			schema := createEventSchema(ctx, meta, ConfigurationIdRabbitMQ)
+			schema.Records[0].S3.Object.Key = key
+			schema.Records[0].S3.Object.VersionId = obj.VersionId
+			go rs.send(schema)
+		}
+		return
+	}
+
+	schema := createEventSchema(ctx, meta, ConfigurationIdRabbitMQ)
+	go rs.send(schema)
+}
+
+func (rs *RabbitmqEventSender) Close() error {
+	var firstErr error
+	if rs.channel != nil {
+		if err := rs.channel.Close(); err != nil {
+			firstErr = err
+		}
+	}
+	if rs.conn != nil {
+		if err := rs.conn.Close(); err != nil && firstErr == nil {
+			firstErr = err
+		}
+	}
+	return firstErr
+}
+
+func (rs *RabbitmqEventSender) send(event EventSchema) {
+	body, err := json.Marshal(event)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to marshal event data: %v\n", err.Error())
+		return
+	}
+
+	msg := amqp.Publishing{
+		Timestamp:   time.Now(),
+		ContentType: fiber.MIMEApplicationJSON,
+		Body:        body,
+		MessageId:   uuid.NewString(),
+	}
+
+	if err := rs.channel.Publish(rs.exchange, rs.routingKey, false, false, msg); err != nil {
+		fmt.Fprintf(os.Stderr, "failed to send rabbitmq event: %v\n", err.Error())
+	}
+}
--- a/s3log/file.go
+++ b/s3log/file.go
@@ -24,6 +24,7 @@ import (

 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3err"
 )

@@ -74,7 +75,7 @@ func (f *FileLogger) Log(ctx *fiber.Ctx, err error, body []byte, meta LogMeta) {
 	}
 	errorCode := ""
 	httpStatus := 200
-	startTime, ok := ctx.Locals("startTime").(time.Time)
+	startTime, ok := utils.ContextKeyStartTime.Get(ctx).(time.Time)
 	if !ok {
 		startTime = time.Now()
 	}
@@ -95,9 +96,14 @@ func (f *FileLogger) Log(ctx *fiber.Ctx, err error, body []byte, meta LogMeta) {
 		}
 	}

-	switch ctx.Locals("account").(type) {
-	case auth.Account:
-		access = ctx.Locals("account").(auth.Account).Access
+	acct, ok := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	if ok {
+		access = acct.Access
+	}
+
+	region, ok := utils.ContextKeyRegion.Get(ctx).(string)
+	if ok {
+		lf.HostHeader = fmt.Sprintf("s3.%v.amazonaws.com", region)
 	}

 	lf.BucketOwner = meta.BucketOwner
@@ -121,7 +127,6 @@ func (f *FileLogger) Log(ctx *fiber.Ctx, err error, body []byte, meta LogMeta) {
 	lf.HostID = ctx.Get("X-Amz-Id-2")
 	lf.SignatureVersion = "SigV4"
 	lf.AuthenticationType = "AuthHeader"
-	lf.HostHeader = fmt.Sprintf("s3.%v.amazonaws.com", ctx.Locals("region").(string))
 	lf.AccessPointARN = fmt.Sprintf("arn:aws:s3:::%v", strings.Join(path, "/"))
 	lf.AclRequired = "Yes"

--- a/s3log/file_admin.go
+++ b/s3log/file_admin.go
@@ -22,6 +22,7 @@ import (

 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
 )

 // FileLogger is a local file audit log
@@ -57,7 +58,10 @@ func (f *AdminFileLogger) Log(ctx *fiber.Ctx, err error, body []byte, meta LogMe
 	access := "-"
 	reqURI := ctx.OriginalURL()
 	errorCode := ""
-	startTime := ctx.Locals("startTime").(time.Time)
+	startTime, ok := utils.ContextKeyStartTime.Get(ctx).(time.Time)
+	if !ok {
+		startTime = time.Now()
+	}
 	tlsConnState := ctx.Context().TLSConnectionState()
 	if tlsConnState != nil {
 		lf.CipherSuite = tls.CipherSuiteName(tlsConnState.CipherSuite)
@@ -68,9 +72,9 @@ func (f *AdminFileLogger) Log(ctx *fiber.Ctx, err error, body []byte, meta LogMe
 		errorCode = err.Error()
 	}

-	switch ctx.Locals("account").(type) {
+	switch utils.ContextKeyAccount.Get(ctx).(type) {
 	case auth.Account:
-		access = ctx.Locals("account").(auth.Account).Access
+		access = utils.ContextKeyAccount.Get(ctx).(auth.Account).Access
 	}

 	lf.Time = time.Now()
--- a/s3log/webhook.go
+++ b/s3log/webhook.go
@@ -28,6 +28,7 @@ import (

 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3err"
 )

@@ -71,7 +72,10 @@ func (wl *WebhookLogger) Log(ctx *fiber.Ctx, err error, body []byte, meta LogMet
 	}
 	errorCode := ""
 	httpStatus := 200
-	startTime := ctx.Locals("startTime").(time.Time)
+	startTime, ok := utils.ContextKeyStartTime.Get(ctx).(time.Time)
+	if !ok {
+		startTime = time.Now()
+	}
 	tlsConnState := ctx.Context().TLSConnectionState()
 	if tlsConnState != nil {
 		lf.CipherSuite = tls.CipherSuiteName(tlsConnState.CipherSuite)
@@ -89,9 +93,9 @@ func (wl *WebhookLogger) Log(ctx *fiber.Ctx, err error, body []byte, meta LogMet
 		}
 	}

-	switch ctx.Locals("account").(type) {
-	case auth.Account:
-		access = ctx.Locals("account").(auth.Account).Access
+	acct, ok := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	if ok {
+		access = acct.Access
 	}

 	lf.BucketOwner = meta.BucketOwner
@@ -115,7 +119,7 @@ func (wl *WebhookLogger) Log(ctx *fiber.Ctx, err error, body []byte, meta LogMet
 	lf.HostID = ctx.Get("X-Amz-Id-2")
 	lf.SignatureVersion = "SigV4"
 	lf.AuthenticationType = "AuthHeader"
-	lf.HostHeader = fmt.Sprintf("s3.%v.amazonaws.com", ctx.Locals("region").(string))
+	lf.HostHeader = fmt.Sprintf("s3.%v.amazonaws.com", utils.ContextKeyRegion.Get(ctx).(string))
 	lf.AccessPointARN = fmt.Sprintf("arn:aws:s3:::%v", strings.Join(path, "/"))
 	lf.AclRequired = "Yes"

--- a/s3response/s3response.go
+++ b/s3response/s3response.go
@@ -317,6 +317,7 @@ type ListAllMyBucketsResult struct {

 type ListAllMyBucketsEntry struct {
 	Name         string
+	BucketRegion string
 	CreationDate time.Time
 }

@@ -412,6 +413,10 @@ func (r CopyPartResult) MarshalXML(e *xml.Encoder, start xml.StartElement) error
 	return e.EncodeElement(aux, start)
 }

+type CompleteMultipartUploadRequestBody struct {
+	Parts []types.CompletedPart `xml:"Part"`
+}
+
 type CompleteMultipartUploadResult struct {
 	XMLName           xml.Name `xml:"http://s3.amazonaws.com/doc/2006-03-01/ CompleteMultipartUploadResult" json:"-"`
 	Location          *string
--- a/tests/commands/complete_multipart_upload.sh
+++ b/tests/commands/complete_multipart_upload.sh
@@ -28,4 +28,76 @@ complete_multipart_upload() {
  fi
  log 5 "complete multipart upload error: $error"
  return 0
+}
+
+complete_multipart_upload_rest() {
+  if ! check_param_count_gt "bucket, key, upload ID, parts, additional params" 4 $#; then
+    return 1
+  fi
+  env_vars="BUCKET_NAME=$1 OBJECT_KEY=$2 UPLOAD_ID=$3 PARTS=$4 $5"
+  if ! send_rest_command_expect_success "$env_vars" "./tests/rest_scripts/complete_multipart_upload.sh" "200"; then
+    log 2 "error sending REST command and checking error"
+    return 1
+  fi
+  return 0
+}
+
+complete_multipart_upload_rest_expect_error() {
+  if ! check_param_count_gt "bucket, key, upload ID, parts, additional params, response code, error code, message" 8 $#; then
+    return 1
+  fi
+  env_vars="BUCKET_NAME=$1 OBJECT_KEY=$2 UPLOAD_ID=$3 PARTS=$4 $5"
+  if ! send_rest_command_expect_error "$env_vars" "./tests/rest_scripts/complete_multipart_upload.sh" "$6" "$7" "$8"; then
+    log 2 "error sending REST command and checking error"
+    return 1
+  fi
+  return 0
+}
+
+complete_multipart_upload_rest_nonexistent_param() {
+  if ! check_param_count_v2 "bucket, key, upload ID, parts payload" 4 $#; then
+    return 1
+  fi
+  if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" OBJECT_KEY="$2" UPLOAD_ID="$3" PARTS="$4" ALGORITHM_PARAMETER="true" CHECKSUM_ALGORITHM="crc32c" OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ./tests/rest_scripts/complete_multipart_upload.sh 2>&1); then
+    log 2 "error completing multipart upload: $result"
+    return 1
+  fi
+  if [ "$result" != "200" ]; then
+    log 2 "complete multipart upload returned code $result: $(cat "$TEST_FILE_FOLDER/result.txt")"
+    return 1
+  fi
+}
+
+complete_multipart_upload_rest_incorrect_checksum() {
+  if ! check_param_count_v2 "bucket, key, upload ID, parts payload, type, algorithm, correct hash" 7 $#; then
+    return 1
+  fi
+  checksum="$7"
+  if [ "${checksum:0:1}" == "a" ]; then
+    checksum="b${checksum:1}"
+  else
+    checksum="a${checksum:1}"
+  fi
+  if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" OBJECT_KEY="$2" UPLOAD_ID="$3" PARTS="$4" CHECKSUM_TYPE="$5" CHECKSUM_ALGORITHM="$6" CHECKSUM_HASH="$checksum" OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ./tests/rest_scripts/complete_multipart_upload.sh 2>&1); then
+    log 2 "error completing multipart upload: $result"
+    return 1
+  fi
+  if ! check_rest_expected_error "$result" "$TEST_FILE_FOLDER/result.txt" 400 "BadDigest" "did not match"; then
+    log 2 "expected '400', was $result: $(cat "$TEST_FILE_FOLDER/result.txt")"
+    return 1
+  fi
+}
+
+complete_multipart_upload_rest_invalid_checksum() {
+  if ! check_param_count_v2 "bucket, key, upload ID, parts payload, type, algorithm, correct hash" 7 $#; then
+    return 1
+  fi
+  if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" OBJECT_KEY="$2" UPLOAD_ID="$3" PARTS="$4" CHECKSUM_TYPE="$5" CHECKSUM_ALGORITHM="$6" CHECKSUM_HASH="$7" OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ./tests/rest_scripts/complete_multipart_upload.sh 2>&1); then
+    log 2 "error completing multipart upload: $result"
+    return 1
+  fi
+  if ! check_rest_expected_error "$result" "$TEST_FILE_FOLDER/result.txt" 400 "InvalidRequest" "header is invalid"; then
+    log 2 "expected '400', was $result: $(cat "$TEST_FILE_FOLDER/result.txt")"
+    return 1
+  fi
 }
--- a/tests/commands/create_bucket.sh
+++ b/tests/commands/create_bucket.sh
@@ -89,3 +89,39 @@ create_bucket_object_lock_enabled() {
  fi
  return 0
 }
+
+create_bucket_rest_with_invalid_acl() {
+  if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$BUCKET_ONE_NAME" OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ACL="public-reads" OBJECT_OWNERSHIP="BucketOwnerPreferred" ./tests/rest_scripts/create_bucket.sh 2>&1); then
+    log 2 "error creating bucket: $result"
+    return 1
+  fi
+  if ! check_rest_expected_error "$result" "$TEST_FILE_FOLDER/result.txt" "400" "InvalidArgument" ""; then
+    log 2 "error checking XML CreateBucket error"
+    return 1
+  fi
+  return 0
+}
+
+create_bucket_rest_expect_error() {
+  if ! check_param_count_v2 "bucket name, params, response code, error code, message" 5 $#; then
+    return 1
+  fi
+  env_vars="BUCKET_NAME=$1 $2"
+  if ! send_rest_command_expect_error "$env_vars" "./tests/rest_scripts/create_bucket.sh" "$3" "$4" "$5"; then
+    log 2 "error sending REST command and checking error"
+    return 1
+  fi
+  return 0
+}
+
+create_bucket_rest_expect_success() {
+  if ! check_param_count_v2 "bucket name, params" 2 $#; then
+    return 1
+  fi
+  env_vars="BUCKET_NAME=$1 $2"
+  if ! send_rest_command_expect_success "$env_vars" "./tests/rest_scripts/create_bucket.sh" "200"; then
+    log 2 "error sending REST command and checking error"
+    return 1
+  fi
+  return 0
+}
--- a/tests/commands/create_multipart_upload.sh
+++ b/tests/commands/create_multipart_upload.sh
@@ -14,13 +14,35 @@
 # specific language governing permissions and limitations
 # under the License.

-# initialize a multipart upload
-# params:  bucket, key
-# return 0 for success, 1 for failure
-create_multipart_upload() {
+create_multipart_upload_rest() {
+  if ! check_param_count_v2 "bucket name, key, additional params, callback" 4 $#; then
+    return 1
+  fi
+  env_vars="BUCKET_NAME=$1 OBJECT_KEY=$2 $3"
+  if ! send_rest_command_expect_success_callback "$env_vars" "./tests/rest_scripts/create_multipart_upload.sh" "200" "$4"; then
+    log 2 "error sending REST command and checking error"
+    return 1
+  fi
+  return 0
+}
+
+create_multipart_upload_rest_with_checksum_type_and_algorithm_error() {
+  if ! check_param_count_v2 "bucket, key, checksum type, checksum algorithm, handle fn, response, code, error" 8 $#; then
+    return 1
+  fi
+  if ! result=$(COMMAND_LOG=$COMMAND_LOG BUCKET_NAME="$1" OBJECT_KEY="$2" OUTPUT_FILE="$TEST_FILE_FOLDER/output.txt" CHECKSUM_TYPE="$3" CHECKSUM_ALGORITHM="$4" ./tests/rest_scripts/create_multipart_upload.sh 2>&1); then
+    log 2 "error creating multipart upload: $result"
+    return 1
+  fi
+  if ! "$5" "$result" "$TEST_FILE_FOLDER/output.txt" "$6" "$7" "$8"; then
+    log 2 "error checking result"
+    return 1
+  fi
+}
+
+create_multipart_upload_s3api() {
  record_command "create-multipart-upload" "client:s3api"
-  if [ $# -ne 2 ]; then
-    log 2 "create multipart upload function must have bucket, key"
+  if ! check_param_count_v2 "bucket, key" 2 $#; then
    return 1
  fi

@@ -37,57 +59,8 @@ create_multipart_upload() {
  return 0
 }

-create_multipart_upload_with_user() {
-  record_command "create-multipart-upload" "client:s3api"
-  if [ $# -ne 4 ]; then
-    log 2 "create multipart upload function must have bucket, key, username, password"
-    return 1
-  fi
-
-  if ! multipart_data=$(AWS_ACCESS_KEY_ID="$3" AWS_SECRET_ACCESS_KEY="$4" send_command aws --no-verify-ssl s3api create-multipart-upload --bucket "$1" --key "$2" 2>&1); then
-    log 2 "Error creating multipart upload: $multipart_data"
-    return 1
-  fi
-
-  if ! upload_id=$(echo "$multipart_data" | grep -v "InsecureRequestWarning" | jq -r '.UploadId' 2>&1); then
-    log 2 "error parsing upload ID: $upload_id"
-    return 1
-  fi
-  upload_id="${upload_id//\"/}"
-  echo "$upload_id"
-  return 0
-}
-
-create_multipart_upload_params() {
-  record_command "create-multipart-upload" "client:s3api"
-  if [ $# -ne 8 ]; then
-    log 2 "create multipart upload function with params must have bucket, key, content type, metadata, object lock legal hold status, " \
-      "object lock mode, object lock retain until date, and tagging"
-    return 1
-  fi
-  local multipart_data
-  multipart_data=$(send_command aws --no-verify-ssl s3api create-multipart-upload \
-    --bucket "$1" \
-    --key "$2" \
-    --content-type "$3" \
-    --metadata "$4" \
-    --object-lock-legal-hold-status "$5" \
-    --object-lock-mode "$6" \
-    --object-lock-retain-until-date "$7" \
-    --tagging "$8" 2>&1) || local create_result=$?
-  if [[ $create_result -ne 0 ]]; then
-    log 2 "error creating multipart upload with params: $multipart_data"
-    return 1
-  fi
-  upload_id=$(echo "$multipart_data" | grep -v "InsecureRequestWarning" | jq '.UploadId')
-  upload_id="${upload_id//\"/}"
-  return 0
-}
-
-create_multipart_upload_custom() {
-  record_command "create-multipart-upload" "client:s3api"
-  if [ $# -lt 2 ]; then
-    log 2 "create multipart upload custom function must have at least bucket and key"
+create_multipart_upload_s3api_custom() {
+  if ! check_param_count_gt "at least bucket and key" 2 $#; then
    return 1
  fi
  local multipart_data
@@ -109,24 +82,47 @@ create_multipart_upload_custom() {
  return 0
 }

-create_multipart_upload_rest() {
-  if [ $# -ne 2 ]; then
-    log 2 "'create_multipart_upload_rest' requires bucket name, key"
+create_multipart_upload_s3api_params() {
+  record_command "create-multipart-upload" "client:s3api"
+  if ! check_param_count_v2 "bucket, key, content type, metadata, object lock legal hold status, \
+    object lock mode, object lock retain until date, and tagging" 8 $#; then
    return 1
  fi
-  if ! result=$(BUCKET_NAME="$1" OBJECT_KEY="$2" OUTPUT_FILE="$TEST_FILE_FOLDER/output.txt" COMMAND_LOG=$COMMAND_LOG ./tests/rest_scripts/create_multipart_upload.sh); then
-    log 2 "error creating multipart upload: $result"
+  local multipart_data
+  multipart_data=$(send_command aws --no-verify-ssl s3api create-multipart-upload \
+    --bucket "$1" \
+    --key "$2" \
+    --content-type "$3" \
+    --metadata "$4" \
+    --object-lock-legal-hold-status "$5" \
+    --object-lock-mode "$6" \
+    --object-lock-retain-until-date "$7" \
+    --tagging "$8" 2>&1) || local create_result=$?
+  if [[ $create_result -ne 0 ]]; then
+    log 2 "error creating multipart upload with params: $multipart_data"
    return 1
  fi
-  if [ "$result" != "200" ]; then
-    log 2 "put-object-retention returned code $result: $(cat "$TEST_FILE_FOLDER/output.txt")"
+  upload_id=$(echo "$multipart_data" | grep -v "InsecureRequestWarning" | jq '.UploadId')
+  upload_id="${upload_id//\"/}"
+  return 0
+}
+
+create_multipart_upload_s3api_with_user() {
+  record_command "create-multipart-upload" "client:s3api"
+  if ! check_param_count_v2 "bucket, key, username, password" 4 $#; then
    return 1
  fi
-  log 5 "result: $(cat "$TEST_FILE_FOLDER/output.txt")"
-  if ! upload_id=$(get_element_text "$TEST_FILE_FOLDER/output.txt" "InitiateMultipartUploadResult" "UploadId"); then
-    log 2 "error getting upload ID: $upload_id"
+
+  if ! multipart_data=$(AWS_ACCESS_KEY_ID="$3" AWS_SECRET_ACCESS_KEY="$4" send_command aws --no-verify-ssl s3api create-multipart-upload --bucket "$1" --key "$2" 2>&1); then
+    log 2 "Error creating multipart upload: $multipart_data"
    return 1
  fi
+
+  if ! upload_id=$(echo "$multipart_data" | grep -v "InsecureRequestWarning" | jq -r '.UploadId' 2>&1); then
+    log 2 "error parsing upload ID: $upload_id"
+    return 1
+  fi
+  upload_id="${upload_id//\"/}"
  echo "$upload_id"
  return 0
 }
--- a/tests/commands/delete_bucket.sh
+++ b/tests/commands/delete_bucket.sh
@@ -53,16 +53,26 @@ delete_bucket() {
 }

 delete_bucket_rest() {
-  if ! check_param_count "delete_bucket_rest" "bucket" 1 $#; then
+  if ! check_param_count_gt "bucket, env vars (optional)" 1 $#; then
    return 1
  fi
-  if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ./tests/rest_scripts/delete_bucket.sh 2>&1); then
-    log 2 "error deleting bucket: $result"
-    return 1
-  fi
-  if [ "$result" != "204" ]; then
-    log 2 "expected '204', was '$result' ($(cat "$TEST_FILE_FOLDER/result.txt"))"
+  env_vars="BUCKET_NAME=$1 $2"
+  if ! send_rest_command_expect_success "$env_vars" "./tests/rest_scripts/delete_bucket.sh" "204"; then
+    log 2 "error sending REST command and checking error"
    return 1
  fi
  return 0
+}
+
+delete_bucket_rest_expect_error() {
+  if ! check_param_count_gt "bucket, env vars, response code, error code, message" 5 $#; then
+    return 1
+  fi
+  env_vars="BUCKET_NAME=$1 $2"
+  if ! send_rest_command_expect_error "$env_vars" "./tests/rest_scripts/delete_bucket.sh" "$3" "$4" "$5"; then
+    log 2 "error sending delete bucket command or error mismatch"
+    return 1
+  fi
+  return 0
+
 }
--- a/tests/commands/delete_object.sh
+++ b/tests/commands/delete_object.sh
@@ -45,40 +45,16 @@ delete_object() {
  return 0
 }

-# shellcheck disable=SC2317
-delete_object_rest() {
-  if ! check_param_count "delete_object_rest" "bucket, key" 2 $#; then
+delete_object_bypass_retention() {
+  if ! check_param_count "delete_object_bypass_retention" "bucket, key, user, password" 4 $#; then
    return 1
  fi
-  if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" OBJECT_KEY="$2" OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ./tests/rest_scripts/delete_object.sh 2>&1); then
+  if ! result=$(AWS_ACCESS_KEY_ID="$3" AWS_SECRET_ACCESS_KEY="$4" \
+      COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" OBJECT_KEY="$2" BYPASS_GOVERNANCE_RETENTION="true" \
+      OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ./tests/rest_scripts/delete_object.sh 2>&1); then
    log 2 "error deleting object: $result"
    return 1
  fi
-  if [ "$result" != "204" ]; then
-    delete_object_error=$(cat "$TEST_FILE_FOLDER/result.txt")
-    log 2 "expected '204', was '$result' ($delete_object_error)"
-    return 1
-  fi
-  return 0
-}
-
-delete_object_bypass_retention() {
-  if ! check_param_count "delete_object_bypass_retention" "client, bucket, key, user, password" 5 $#; then
-    return 1
-  fi
-  if [ "$1" == "rest" ]; then
-    if ! result=$(AWS_ACCESS_KEY_ID="$4" AWS_SECRET_ACCESS_KEY="$5" \
-        COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$2" OBJECT_KEY="$3" BYPASS_GOVERNANCE_RETENTION="true" \
-        OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ./tests/rest_scripts/delete_object.sh 2>&1); then
-      log 2 "error deleting object: $result"
-      return 1
-    fi
-  else
-    if ! delete_object_error=$(AWS_ACCESS_KEY_ID="$4" AWS_SECRET_ACCESS_KEY="$5" send_command aws --no-verify-ssl s3api delete-object --bucket "$2" --key "$3" --bypass-governance-retention 2>&1); then
-      log 2 "error deleting object with bypass retention: $delete_object_error"
-      return 1
-    fi
-  fi
  return 0
 }

--- a/tests/commands/get_bucket_acl.sh
+++ b/tests/commands/get_bucket_acl.sh
@@ -47,4 +47,28 @@ get_bucket_acl_with_user() {
    return 1
  fi
  return 0
+}
+
+get_bucket_acl_rest() {
+  if ! check_param_count_v2 "bucket, env vars, callback fn" 3 $#; then
+    return 1
+  fi
+  env_vars="BUCKET_NAME=$1 $2"
+  if ! send_rest_command_expect_success_callback "$env_vars" "./tests/rest_scripts/get_bucket_acl.sh" "200" "$3"; then
+    log 2 "error getting bucket ACL"
+    return 1
+  fi
+  return 0
+}
+
+get_bucket_acl_rest_expect_error() {
+  if ! check_param_count_v2 "bucket, env vars, expected response code, expected error, expected message" 5 $#; then
+    return 1
+  fi
+  env_vars="BUCKET_NAME=$1 $2"
+  if ! send_rest_command_expect_error "$env_vars" "./tests/rest_scripts/get_bucket_acl.sh" "$3" "$4" "$5"; then
+    log 2 "error checking for get bucket acl error"
+    return 1
+  fi
+  return 0
 }
--- a/Show More
+++ b/Show More