diff --git a/docs/modules/components/pages/outputs/aws_s3.adoc b/docs/modules/components/pages/outputs/aws_s3.adoc
index 1921b5b83e..4583c8910c 100644
--- a/docs/modules/components/pages/outputs/aws_s3.adoc
+++ b/docs/modules/components/pages/outputs/aws_s3.adoc
@@ -81,7 +81,7 @@ output:
     force_path_style_urls: false
     max_in_flight: 64
     timeout: 5s
-    object_canned_acl: private
+    object_canned_acl: ""
     batching:
       count: 0
       byte_size: 0
@@ -387,7 +387,7 @@ The object canned ACL value.
 
 *Type*: `string`
 
-*Default*: `"private"`
+*Default*: `""`
 
 Options:
 `private`
diff --git a/internal/impl/aws/s3/output.go b/internal/impl/aws/s3/output.go
index 310cbd2e8e..531776747e 100644
--- a/internal/impl/aws/s3/output.go
+++ b/internal/impl/aws/s3/output.go
@@ -313,7 +313,7 @@ output:
 					}
 				})...).
 				Description("The object canned ACL value.").
-				Default(string(types.ObjectCannedACLPrivate)).
+				Default("").
 				Advanced(),
 			service.NewBatchPolicyField(s3oFieldBatching),
 		).
@@ -473,7 +473,6 @@ func (a *amazonS3Writer) WriteBatch(wctx context.Context, msg service.MessageBat
 			WebsiteRedirectLocation: websiteRedirectLocation,
 			StorageClass:            tmtypes.StorageClass(storageClass),
 			Metadata:                metadata,
-			ACL:                     tmtypes.ObjectCannedACL(a.conf.ObjectCannedACL),
 		}
 
 		// Prepare tags, escaping keys and values to ensure they're valid query string parameters.
@@ -498,6 +497,10 @@ func (a *amazonS3Writer) WriteBatch(wctx context.Context, msg service.MessageBat
 			uploadInput.ChecksumAlgorithm = tmtypes.ChecksumAlgorithm(a.conf.ChecksumAlgorithm)
 		}
 
+		if a.conf.ObjectCannedACL != "" {
+			uploadInput.ACL = tmtypes.ObjectCannedACL(a.conf.ObjectCannedACL)
+		}
+
 		// NOTE: This overrides the ServerSideEncryption set above. We need this to preserve
 		// backwards compatibility, where it is allowed to only set kms_key_id in the config and
 		// the ServerSideEncryption value of "aws:kms" is implied.