Final answer:
To ensure objects uploaded by IAM users from an external account to an S3 bucket are owned by your account, use a bucket policy with 'Bucket Owner Preferred' Object Ownership settings. Identity policies in both accounts and an IAM role in your account can also be used for better permission control.
Step-by-step explanation:
To allow IAM users from an external account to access an S3 bucket in your account while ensuring that uploaded objects are owned by your account, you should use a combination of bucket policies and Object Ownership settings. A bucket policy applied to your S3 bucket can grant the necessary permissions to the external account's IAM users. Furthermore, setting Object Ownership to 'Bucket Owner Preferred' in the S3 bucket's permissions ensures that your account retains ownership of all uploaded objects, regardless of who uploads them.
In addition, you may need to incorporate identity policies in both accounts for finer-grained permission control and an IAM role in your account to delegate permissions to the external account securely. But most critically, the combination of a bucket policy with the correct Object Ownership setting satisfies the requirement that uploaded objects are owned by your account, not the external account.
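The combination described above, as an added example that is not part of the original answer. With 'Bucket Owner Preferred', S3 assigns ownership to the bucket owner when the upload carries the `bucket-owner-full-control` canned ACL, so the policy below only allows `s3:PutObject` with that ACL, and a small check flags statements that omit the condition. The account ID, bucket name and function names are constructed placeholders.

```python
import copy
import json

EXTERNAL_ACCOUNT_ID = "111122223333"  # constructed placeholder account ID
BUCKET = "example-bucket"             # constructed placeholder bucket name

# Request shape for the S3 PutBucketOwnershipControls API.
OWNERSHIP_CONTROLS = {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]}

def build_bucket_policy(bucket, external_account_id):
    """Bucket policy: the external account may upload only with the owner ACL."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ExternalUploadsMustGrantOwnerFullControl",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{external_account_id}:root"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
            },
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unguarded_put_statements(policy):
    """Return ids of Allow statements granting PutObject without the ACL condition.

    Simplified check: matches s3:PutObject, s3:* and * only, and does not
    account for a separate Deny statement that enforces the same ACL.
    """
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow" or not any(
                a in ("s3:putobject", "s3:*", "*") for a in actions):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        acl = {k.lower(): v for k, v in cond.items()}.get("s3:x-amz-acl")
        if acl is None or _as_list(acl) != ["bucket-owner-full-control"]:
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings

if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, EXTERNAL_ACCOUNT_ID), indent=2))
```

Uploaders in the external account still need an identity policy allowing `s3:PutObject` on the bucket, and must send the `bucket-owner-full-control` ACL with each upload.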