OSS provides you with the following access control policies to manage access to objects in buckets:

  • ACL: OSS provides access control lists (ACLs) for you to control access permissions. An ACL is set based on resources: you can specify ACLs for buckets or objects. You can configure an ACL for a bucket when you create the bucket, or for an object when you upload the object to OSS. You can also modify the ACL of an existing bucket or an uploaded object at any time.

  • RAM policy: Resource Access Management (RAM) is a resource access control service provided by Alibaba Cloud. RAM policies are configured based on users, so you can use them to control which resources are accessible to users such as employees, systems, or applications. For example, you can create a RAM policy to grant users read permissions on a bucket.

  • Bucket policy: Bucket policies provide resource-based authorization for users. Unlike RAM policies, bucket policies can be configured in the OSS console by bucket owners who do not have RAM operation permissions. By configuring bucket policies, you can grant access permissions to RAM users in other Alibaba Cloud accounts and to anonymous users from specified IP addresses or IP ranges.

  • Use STS to authorize temporary access: OSS allows you to use Alibaba Cloud Security Token Service (STS) to authorize temporary access. You can use STS to grant a third-party application or your RAM user an access credential that has a custom validity period and custom permissions.

  • Hotlink protection: You can configure a Referer whitelist for a bucket to prevent unauthorized access to the resources in the bucket.
If multiple access control policies are configured for a bucket, the policies take effect based on their priorities:
  • Access a bucket without using a browser

    If you configure a RAM policy, a bucket policy, and hotlink protection for a bucket, the hotlink protection configuration is ignored. An object can be accessed only when permissions are granted in both the RAM policy and the bucket policy.

  • Access a bucket by using a browser

    If you configure a RAM policy, a bucket policy, and hotlink protection for an object, the object can be accessed only when permissions are granted in all policies.
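The precedence rules above, written out as a small evaluator (added example, not OSS code). It assumes the RAM and bucket policy decisions are already known as booleans, that whitelist entries are scheme://host patterns with `*` wildcards, and it adds an assumed `allow_empty_referer` setting for requests that carry no Referer header.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class HotlinkProtection:
    """Referer whitelist configured on a bucket (simplified model, assumed here)."""
    referer_whitelist: list = field(default_factory=list)  # e.g. "https://*.example.com"
    allow_empty_referer: bool = False  # assumed setting, not described on this page


def referer_origin(referer):
    """Reduce a Referer header to scheme://host, so a path or query string
    containing a whitelisted host name cannot slip past the check."""
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return None  # not an absolute URL, treat as unmatched
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def referer_allowed(hotlink, referer):
    if not referer:
        return hotlink.allow_empty_referer
    origin = referer_origin(referer)
    if origin is None:
        return False
    return any(fnmatchcase(origin, pat.lower()) for pat in hotlink.referer_whitelist)


def object_access_allowed(ram_policy_allows, bucket_policy_allows, hotlink,
                          referer=None, via_browser=False):
    # Both the RAM policy and the bucket policy must grant the request,
    # regardless of the client used.
    if not (ram_policy_allows and bucket_policy_allows):
        return False
    # Access without a browser: the hotlink protection configuration is ignored.
    if not via_browser:
        return True
    # Access with a browser: the Referer whitelist must also permit the request.
    return referer_allowed(hotlink, referer)
```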