diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1309a51..3f92dad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,3 +46,6 @@ Provides standard and t26 S3 bucket construction.
 * v2.3.0 -- 20211117
 - add submodule kms_key to be able to create a key, and then use it for later bucket
 - allow kms_key_arn to passed in for standard and title26 buckets
+
+* v2.4.0 -- 20220118
+ - add bucket_owner controls (default BucketOwnerPreferred)
diff --git a/common/resources.tf b/common/resources.tf
index 23caa0c..e84117d 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -21,6 +21,11 @@ locals {
 "variable" : "aws:sourceVpce"
 "values" : var.allowed_endpoints
 }
+ condition_bucket_owner = {
+ "test" : "StringEquals"
+ "variable" : "s3:x-amz-acl"
+ "values" : var.bucket_owner == "BucketOwnerPreferred" ? "bucket-owner-full-control" : ""
+ }
 s3_bucket_conditions_list = list(local.condition_allowed_cidr, local.condition_allowed_endpoints)
 s3_bucket_conditions = [for x in local.s3_bucket_conditions_list : x if length(x.values) > 0]
@@ -197,3 +202,15 @@ data "aws_iam_policy_document" "bucket_policy_combined" {
 ]
 }
+#---
+# set ownership controls
+# see documentation:
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls
+#
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+
+ rule {
+ object_ownership = var.bucket_owner
+ }
+}
diff --git a/common/variables.s3.tf b/common/variables.s3.tf
index 6f15cf3..9e8599d 100644
--- a/common/variables.s3.tf
+++ b/common/variables.s3.tf
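Review bot: The new `condition_bucket_owner` local is never added to `s3_bucket_conditions_list`, which the context line just below the added block still builds from only `condition_allowed_cidr` and `condition_allowed_endpoints`, so unless it is consumed somewhere outside this hunk the ownership condition never reaches the bucket policy; the fix is `s3_bucket_conditions_list = list(local.condition_allowed_cidr, local.condition_allowed_endpoints, local.condition_bucket_owner)`. Its `values` is also a bare string while the sibling conditions pass a list (`var.allowed_endpoints`); `length("")` is 0 so the `s3_bucket_conditions` filter still drops the empty case, but a consumer that assigns `values` to a policy condition block presumably expects a list, so `"values" : var.bucket_owner == "BucketOwnerPreferred" ? ["bucket-owner-full-control"] : []` keeps the shape consistent. Whether `StringEquals` is the right operator depends on the effect of the statement that consumes these conditions (a deny-unless pattern would need `StringNotEquals`), which is outside the hunk, as is the rest of the `locals` block.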
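Review bot: `aws_s3_bucket_ownership_controls.this` passes `var.bucket_owner` straight through with no handling of the `BucketOwnerEnforced` case, in which S3 disables ACLs and rejects ACL settings on the bucket; if `aws_s3_bucket.this` (outside this hunk) sets an `acl`, that combination would presumably fail only at apply time. A comment above the resource would make the coupling explicit, e.g. `# BucketOwnerEnforced disables bucket ACLs; do not combine with an acl on aws_s3_bucket.this`. The public-access-block and any ACL resources for this bucket are not visible here, so ordering relative to them may also need a `depends_on`.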
@@ -60,3 +60,9 @@ variable "require_explicit_encryption" {
 # TBD
 # variable "kms_policy_read_arns" { }
 # variable "kms_policy_write_arns" { }
+
+variable "bucket_owner" {
+ description = "One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading"
+ type = string
+ default = "BucketOwnerPreferred"
+}
diff --git a/common/versions.tf b/common/versions.tf
new file mode 100644
index 0000000..70d5487
--- /dev/null
+++ b/common/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.66.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.1.0"
+ }
+ }
+ # required_version = ">= 0.13"
+}
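Review bot: `variable "bucket_owner"` documents three allowed values but has no `validation` block, so a typo or any other string is only rejected by the AWS API at apply time, and since the `resources.tf` ternary compares against the literal `"BucketOwnerPreferred"` a misspelling would also silently drop the ACL condition; a `contains(...)` validation pins the value at plan time (Terraform 0.13+, consistent with the commented `required_version` in versions.tf). The description also has an unclosed parenthesis after `when uploading`; closing it and naming the header would read `(default: BucketOwnerPreferred, which requires the bucket-owner-full-control ACL when uploading)`. The variable block is entirely within this hunk.
```terraform
variable "bucket_owner" {
  # … unchanged: description, type, default …
  validation {
    condition     = contains(["BucketOwnerPreferred", "ObjectWriter", "BucketOwnerEnforced"], var.bucket_owner)
    error_message = "bucket_owner must be one of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced."
  }
}
```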
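Review bot: `required_version` is left commented out in the new `versions.tf`, so the file pins provider floors but nothing enforces which Terraform versions this module supports; since the `locals` hunk in `resources.tf` still uses the `list()` function, which was removed in Terraform 0.15, the effective constraint appears to be `required_version = ">= 0.13, < 0.15"` unless that call is replaced. The `null` provider is also declared here although nothing in this diff references it; if it is used elsewhere in the module, a short comment such as `# null provider used by <resource> in <file>` would save the next reader a search.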