An external user has access to our S3 bucket, using these actions in our bucket policy:
I believe you have to get the object owner to update the ACL or re-write the object specifying bucket owner full control. The simplest way to experiment with this is using the CLI:
aws s3api put-object-acl --acl bucket-owner-full-control --bucket some-bucket --key path/to/unreadable.txt
Yeah, I think you have to do that once for each object; I don't think there is a recursive option.
AWS publishes an example bucket policy to prevent adding objects to the bucket without giving the bucket owner full control. But that will not address ownership of the objects already in your bucket.
I don't know of any policy that will automagically transfer ownership to the bucket owner.
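The per-object put-object-acl step described above, wrapped in a loop over every key under a prefix, as an added example that is not part of the original thread. It assumes the AWS CLI is configured with the credentials of the account that owns the objects; the function name, bucket and prefix are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Usage: grant_owner_full_control some-bucket path/to/ [dry-run]
# Run as the account that uploaded (owns) the objects, not as the bucket owner.

grant_owner_full_control() {
    bucket=$1
    prefix=${2:-}
    dry_run=${3:-}
    ok=0
    failed=0

    # One key per line; the CLI follows list pagination on its own.
    keys=$(aws s3api list-objects-v2 --bucket "$bucket" --prefix "$prefix" \
        --query 'Contents[].[Key]' --output text) || return 2

    # Text output is the literal "None" when nothing matches the prefix.
    if [ -z "$keys" ] || [ "$keys" = "None" ]; then
        echo "updated=0 failed=0"
        return 0
    fi

    while IFS= read -r key; do
        [ -n "$key" ] || continue
        if [ -n "$dry_run" ]; then
            echo "would update: $key" >&2
            ok=$((ok + 1))
            continue
        fi
        # </dev/null keeps the CLI from consuming the key list on stdin.
        if aws s3api put-object-acl --acl bucket-owner-full-control \
            --bucket "$bucket" --key "$key" </dev/null; then
            ok=$((ok + 1))
        else
            echo "failed: $key" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$keys
EOF

    echo "updated=$ok failed=$failed"
    [ "$failed" -eq 0 ]
}
```

The function keeps going after a failed key and returns non-zero if any object could not be updated, so the failures printed on stderr can be retried by whoever owns those objects.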