OSS provides multiple access control methods, including ACLs, bucket policies, and RAM policies, for access to objects stored in buckets.

  • ACL: OSS provides access control lists (ACLs) for access control. An ACL is set based on resources. You can specify ACLs for buckets or objects. You can specify an ACL for a bucket when you create the bucket or for an object when you upload the object to OSS. You can also modify the ACLs of objects and buckets at any time.
  • RAM policy: Resource Access Management (RAM) is a service provided by Alibaba Cloud for resource access control. RAM policies are configured based on users. By configuring RAM policies, you can manage multiple users in a centralized manner and control the resources that can be accessed by the users. For example, you can create a RAM policy to grant users read-only permissions on a bucket. A RAM user belongs to the Alibaba Cloud account under which it was created, and does not actually own any resources. All resources belong to the corresponding Alibaba Cloud account. RAM policy-based operations are complex. We recommend that you use bucket policies.
  • Bucket policy: Bucket policies are configured based on resources. Compared with RAM policies, bucket policies can be directly configured on the graphical interface of the console. By configuring bucket policies, you can authorize users to access your buckets even if you have not granted permissions for RAM operations. You can also grant access permissions to RAM users under other Alibaba Cloud accounts and to anonymous users from specified IP addresses or IP ranges.
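
The following check is an added example, not part of the OSS documentation: it audits a bucket policy document for statements that allow anonymous users (Principal `*`) without restricting them to specified IP addresses or IP ranges. The sample policy, account IDs, bucket name, and the `min_prefix` threshold are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample policy: account IDs, bucket name and CIDRs are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"],
     "Resource": ["acs:oss:*:1000000000000001:example-bucket/*"],
     "Condition": {"IpAddress": {"acs:SourceIp": ["192.0.2.0/24"]}}},
    {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"],
     "Resource": ["acs:oss:*:1000000000000001:example-bucket/public/*"]},
    {"Effect": "Allow", "Action": ["oss:PutObject"], "Principal": ["*"],
     "Resource": ["acs:oss:*:1000000000000001:example-bucket/upload/*"],
     "Condition": {"IpAddress": {"acs:SourceIp": ["0.0.0.0/0"]}}},
    {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["2000000000000002"],
     "Resource": ["acs:oss:*:1000000000000001:example-bucket/*"]}
  ]
}
""")

def _as_list(value):
    """Policy fields may be a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_anonymous_access(policy, min_prefix=8):
    """Return (statement index, reason) for anonymous Allow statements that are
    not limited to a source IP range. min_prefix is an assumed threshold: any
    range wider than that prefix length is treated as unrestricted. Deny
    statements are not evaluated by this check."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Principal")):
            continue  # only anonymous Allow statements are of interest here
        cidrs = _as_list(stmt.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp"))
        if not cidrs:
            findings.append((index, "anonymous Allow without a source IP condition"))
            continue
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen < min_prefix:
                findings.append((index, f"source range {cidr} is effectively unrestricted"))
    return findings

if __name__ == "__main__":
    for finding in audit_anonymous_access(SAMPLE_POLICY):
        print(finding)
```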