
Object Storage Service:Access control

Last Updated:May 10, 2024

Object Storage Service (OSS) provides access control lists (ACLs), RAM and bucket policies, and hotlink protection based on Referer whitelists to control and manage access to your OSS resources.

ACLs

OSS provides ACLs for access control. You can configure ACLs for buckets and objects to control access to them. You can set the bucket or object ACL when you create a bucket or upload an object, and you can modify the ACL of an existing bucket or object at any time.

  • Bucket ACLs

    Bucket ACLs are used to control access to buckets. The following table describes the ACLs that you can configure for a bucket.

    Public Read/Write (ACL value: public-read-write)

    All users, including anonymous users, can read data from, write data to, and delete objects in the bucket. The bucket owner is charged for these operations. Exercise caution when you set the bucket ACL to Public Read/Write.

    Warning

    If you set the ACL of a bucket to public-read-write, all users can access the objects in the bucket and write data to the bucket over the Internet. This may result in unauthorized access to the data in your bucket and high costs. If a user uploads prohibited data or information, your legitimate interests and rights may be infringed. Therefore, we recommend that you do not set the ACL of a bucket to public-read-write unless necessary.

    Public Read (ACL value: public-read)

    Only the bucket owner and authorized users can write data to and delete objects in the bucket. Other users, including anonymous users, can only read the objects in the bucket.

    Warning

    This may result in unexpected access to the data in your bucket and unexpectedly high costs. Exercise caution when you set your bucket ACL to this value.

    Private (ACL value: private)

    Only the bucket owner and authorized users can read data from, write data to, and delete objects in the bucket. Other users cannot access the objects in the bucket.

  • Object ACLs

    Object ACLs are used to control access to objects. The following table describes the ACLs that you can configure for an object.

    Public Read/Write (ACL value: public-read-write)

    All users can read data from and write data to the object.

    Warning

    If you set the object ACL to this value, all users can access the object and write data to the object over the Internet. This may result in unauthorized access to data in your bucket and high costs. If a user uploads prohibited data or information to the bucket, your legitimate interests and rights may be infringed. Therefore, we recommend that you do not set the ACL of an object to public-read-write unless necessary.

    Public Read (ACL value: public-read)

    Only the object owner can read data from and write data to the object. Other users can only read the object.

    Warning

    This may result in unauthorized access to data in your bucket and high costs. Exercise caution when you set the object ACL to public-read.

    Private (ACL value: private)

    Only the object owner can read data from and write data to the object. Other users cannot access the object.

    Inherited from Bucket (ACL value: default)

    The ACL of the object is the same as that of the bucket in which the object is stored.

    Note

    By default, the ACL of an object is inherited from the bucket. An explicitly set object ACL takes precedence over the ACL of the bucket in which the object is stored. For example, if the ACL of an object is set to public-read, all authenticated and anonymous users can read the object regardless of the bucket ACL.

For more information, see Object ACLs.
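The precedence rule in the note above, as an added example (not Alibaba Cloud's code): it encodes the two ACL tables, resolves the ACL that actually governs an object, and runs an exposure audit over a constructed bucket inventory. Treating policy-authorized users the same as the owner is a simplification made here.

```python
BUCKET_ACLS = {"public-read-write", "public-read", "private"}
OBJECT_ACLS = BUCKET_ACLS | {"default"}

# Operations that each ACL grants to users other than the owner
# and users authorized through RAM or bucket policies.
OTHER_USER_RIGHTS = {
    "public-read-write": {"read", "write"},
    "public-read": {"read"},
    "private": set(),
}

def effective_acl(bucket_acl, object_acl="default"):
    """ACL that governs an object: its own ACL unless that is "default"."""
    if bucket_acl not in BUCKET_ACLS or object_acl not in OBJECT_ACLS:
        raise ValueError(f"unknown ACL: bucket={bucket_acl!r} object={object_acl!r}")
    return bucket_acl if object_acl == "default" else object_acl

def is_allowed(operation, bucket_acl, object_acl="default", is_owner=False):
    """Decide whether a principal may read or write an object.

    Owners and policy-authorized users pass is_owner=True (a simplification
    made in this example); anyone else, including anonymous users, is "other".
    """
    if operation not in ("read", "write"):
        raise ValueError(f"unknown operation: {operation!r}")
    if is_owner:
        return True
    return operation in OTHER_USER_RIGHTS[effective_acl(bucket_acl, object_acl)]

def audit_public_exposure(inventory):
    """Flag objects that anonymous users can reach.

    inventory: (bucket, bucket_acl, object_key, object_acl) tuples.
    Returns (bucket/key, effective_acl) for every object that is not private.
    """
    findings = []
    for bucket, bucket_acl, key, object_acl in inventory:
        acl = effective_acl(bucket_acl, object_acl)
        if acl != "private":
            findings.append((f"{bucket}/{key}", acl))
    return findings

# Constructed sample inventory: a private bucket still exposes an object whose
# own ACL is public-read, and a public-read bucket still hides a private object.
SAMPLE_INVENTORY = [
    ("finance-backups", "private", "2024/q1.csv", "default"),
    ("finance-backups", "private", "press/logo.png", "public-read"),
    ("static-site", "public-read", "index.html", "default"),
    ("static-site", "public-read", "admin/config.json", "private"),
]
```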

RAM policies based on users

RAM is a resource access control service provided by Alibaba Cloud. RAM policies are user-based: you attach them to your users, such as employees, systems, or applications, and specify in the policy which resources those users can access. For example, you can create a RAM policy that grants users read permissions on only specific objects in a bucket.

A RAM policy is a JSON document. You configure it by specifying the Action, Effect, Resource, and Condition elements in its statements. A policy can contain multiple statements, which lets you manage authorization more efficiently. For more information, see System policies for OSS and Custom policies for OSS.

Temporary access authorization based on STS

RAM policies manage long-term access permissions. If you want to allow users to access resources only for a short period of time, you can use Security Token Service (STS) to create temporary access credentials. By using the STS SDKs, you can obtain temporary access credentials, which consist of an AccessKey pair and a security token, and send them to temporary users so that they can access the corresponding resources. The permissions obtained by using STS are restricted and time-limited, so a leaked temporary credential poses a lower risk than a leaked long-term credential.

You can use STS to authorize temporary access to OSS. You can use STS to grant temporary access credentials that have a custom validity period and custom permissions to a third-party application or a RAM user that is managed by you. For more information, see Use OSS with RAM.

Bucket policies based on resources

A bucket policy is a resource-based authorization policy. Unlike RAM policies, bucket policies can be configured directly in the OSS console, where the bucket owner grants other users permissions to access OSS resources.

By configuring bucket policies, you can authorize RAM users of another Alibaba Cloud account to access your OSS resources or authorize anonymous users from specific IP addresses to access your OSS resources. For more information, see Configure bucket policies to authorize other users to access OSS resources.
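RAM policies and bucket policies share the statement format described in the two sections above (Effect, Action, Resource, Condition, plus Principal in bucket policies). The following added example (not Alibaba Cloud's code) is a minimal evaluator for that format, applied to a constructed bucket policy that lets anonymous users read one prefix only from a specific IP range. Wildcard matching with "*", the IpAddress/acs:SourceIp condition, and deny-overrides-allow semantics are modelled here as assumptions about the documented syntax.

```python
import ipaddress
from fnmatch import fnmatchcase

def _match_any(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """Evaluate a Condition block; only IpAddress/acs:SourceIp is modelled."""
    for operator, keys in (condition or {}).items():
        if operator != "IpAddress":
            return False  # unknown operator: fail closed
        for key, cidrs in keys.items():
            if key not in context:
                return False
            nets = [cidrs] if isinstance(cidrs, str) else cidrs
            ip = ipaddress.ip_address(context[key])
            if not any(ip in ipaddress.ip_network(n, strict=False) for n in nets):
                return False
    return True

def is_allowed(policy, principal, action, resource, context=None):
    """True if the policy grants `action` on `resource` to `principal`.
    An explicit Deny overrides any Allow; no matching statement means deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        # Principal appears in bucket policies only; a RAM policy binds to its user.
        if "Principal" in stmt and not _match_any(stmt["Principal"], principal):
            continue
        if not (_match_any(stmt["Action"], action)
                and _match_any(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition"), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed bucket policy: anonymous users may read the reports/ prefix
# only from one IP range; nothing under secrets/ is reachable through it.
BUCKET_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Principal": ["*"], "Action": ["oss:GetObject"],
         "Resource": ["acs:oss:*:*:examplebucket/reports/*"],
         "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
        {"Effect": "Deny", "Principal": ["*"], "Action": ["oss:*"],
         "Resource": ["acs:oss:*:*:examplebucket/secrets/*"]},
    ],
}
```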

Hotlink protection based on Referer whitelists

You are charged for OSS based on resource usage. To prevent additional fees caused by unauthorized access to the data in your bucket, you can configure hotlink protection for your buckets based on the Referer field in HTTP and HTTPS requests.

You can configure a Referer whitelist to allow only requests from specific domain names or HTTP and HTTPS requests that contain the Referer header to access your OSS resources. Hotlink protection can prevent the data in public-read or public-read-write buckets from being hotlinked to protect your legal rights. For more information, see Hotlink protection.
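The whitelist check described above, as an added example (not Alibaba Cloud's code) run over constructed requests to a public-read bucket. Wildcards ("*" and "?") in whitelist entries, host-only entries without a scheme, and the "allow empty Referer" switch are assumptions modelled on the OSS feature rather than taken from this page.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def referer_allowed(referer, whitelist, allow_empty=True):
    """True if a request's Referer header passes the whitelist.

    referer: header value, or None when the header is absent.
    whitelist: entries such as "https://www.example.com" (scheme and host
    must match) or "*.example.com" (host only; "*" and "?" are wildcards).
    """
    if not referer:
        return allow_empty  # assumed "allow empty Referer" switch
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False        # malformed Referer: fail closed
    origin = f"{parts.scheme}://{parts.hostname}"
    for pattern in whitelist:
        target = origin if "://" in pattern else parts.hostname
        if fnmatchcase(target, pattern):
            return True
    return False

def filter_requests(requests, whitelist, allow_empty=True):
    """Split (path, referer) pairs into (served, blocked) path lists."""
    served, blocked = [], []
    for path, referer in requests:
        target_list = served if referer_allowed(referer, whitelist, allow_empty) else blocked
        target_list.append(path)
    return served, blocked

# Constructed sample requests against a public-read bucket.
WHITELIST = ["https://www.example.com", "*.example.com"]
SAMPLE_REQUESTS = [
    ("/img/hero.png", "https://www.example.com/gallery"),
    ("/img/team.jpg", "https://cdn.example.com/page"),
    ("/video/promo.mp4", "https://evil.example.net/steal"),
    ("/docs/report.pdf", None),  # direct link or curl: no Referer header
]
```

With allow_empty=False the direct-link request is blocked too, which is the stricter setting for a bucket that should only ever be embedded by your own pages.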