diff --git a/weed/s3api/s3api_acp.go b/weed/s3api/s3api_acp.go
index f77da2156..ff771dc94 100644
--- a/weed/s3api/s3api_acp.go
+++ b/weed/s3api/s3api_acp.go
@@ -358,3 +358,22 @@ func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, objec
 func getObjectEntry(s3a *S3ApiServer, bucket, object string) (*filer_pb.Entry, error) {
 return s3a.getEntry(util.Join(s3a.option.BucketsPath, bucket), object)
 }
+
+func (s3a *S3ApiServer) ExtractBucketAcp(r *http.Request) (owner string, grants []*s3.Grant, errCode s3err.ErrorCode) {
+ accountId := s3acl.GetAccountId(r)
+
+ ownership := s3_constants.DefaultOwnershipForCreate
+ if ownership == s3_constants.OwnershipBucketOwnerEnforced {
+ return accountId, []*s3.Grant{
+ {
+ Permission: &s3_constants.PermissionFullControl,
+ Grantee: &s3.Grantee{
+ Type: &s3_constants.GrantTypeCanonicalUser,
+ ID: &accountId,
+ },
+ },
+ }, s3err.ErrNone
+ } else {
+ return s3acl.ParseAndValidateAclHeadersOrElseDefault(r, s3a.accountManager, ownership, accountId, accountId, false)
+ }
+}
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 6089ed6db..378dce00f 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -123,6 +123,12 @@ func (s3a *S3ApiServer) PutBucketHandler(w http.ResponseWriter, r *http.Request)
 }
 }
 
+ acpOwner, acpGrants, errCode := s3a.ExtractBucketAcp(r)
+ if errCode != s3err.ErrNone {
+ s3err.WriteErrorResponse(w, r, errCode)
+ return
+ }
+
 fn := func(entry *filer_pb.Entry) {
 if identityId := r.Header.Get(s3_constants.AmzIdentityId); identityId != "" {
 if entry.Extended == nil {
@@ -130,6 +136,7 @@ func (s3a *S3ApiServer) PutBucketHandler(w http.ResponseWriter, r *http.Request)
 }
 entry.Extended[s3_constants.AmzIdentityId] = []byte(identityId)
 }
+ s3acl.AssembleEntryWithAcp(entry, acpOwner, acpGrants)
 }
 
 // create the folder for bucket, but lazily create actual collection
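Review bot: In `ExtractBucketAcp` the `ownership` value is read from the package default `s3_constants.DefaultOwnershipForCreate` and never from the request, so the branch taken is the same for every bucket create; when that default is `OwnershipBucketOwnerEnforced`, any ACL headers the client sent are dropped without an error. If that is intended, state it in a doc comment on the exported method, e.g. `// ExtractBucketAcp returns the owner and grants stored on a new bucket; under BucketOwnerEnforced request ACL headers are ignored and the creator gets full control.` The owner and the sole grantee both come from `s3acl.GetAccountId(r)`, which is not shown here, so it is worth confirming that it only returns an identity set by the authentication layer and what it yields for an unauthenticated request. The `else` after the terminating `return` can be dropped, and the trailing `false` argument would read better with a short comment naming the parameter it sets.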
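Review bot: The rejection path after `s3a.ExtractBucketAcp(r)` writes the error response but records nothing, so a bucket create refused for an invalid ACL header leaves no trace for whoever reviews the server logs; a log line carrying the error code before the `return` would close that gap. The ordering also deserves a comment, since it is what keeps a bad header from producing a bucket: `// Resolve owner and grants before any filer write so an invalid ACL header fails the request without creating the bucket.` PutBucketHandler starts and ends outside this hunk, so whether an earlier `errCode` exists at this scope cannot be checked from here.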
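Review bot: `s3acl.AssembleEntryWithAcp(entry, acpOwner, acpGrants)` runs for every new bucket, but the only visible `entry.Extended == nil` guard sits inside the `identityId != ""` branch, so when no identity header is present the entry may reach the ACL helper with a nil `Extended` map. The helper is not shown; if it writes to `entry.Extended` without allocating it, that is a nil-map panic on the create path and the bucket is left without its owner and grants. Either confirm the helper allocates the map itself, or hoist the guard above both uses: `if entry.Extended == nil { entry.Extended = make(map[string][]byte) }`. The closure `fn` opens in the previous hunk and the line between the two hunks is not visible.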