You can configure bucket policies to restrict access to your Object Storage Service (OSS) resources over the Internet.

Scenario

Enterprise A creates a bucket named examplebucket in the China (Hangzhou) region. A large amount of internal data is stored in the examplefolder directory of examplebucket. Enterprise A wants to prevent specific partners, who access OSS as RAM users, from reaching resources in the examplefolder directory over the Internet. The policy below achieves this by denying the listed RAM users access to that directory unless the request comes from a VPC.

To meet the preceding requirements of Enterprise A, you can configure a bucket policy by writing it in the policy syntax (JSON).

Procedure

  1. Log on to the OSS console.
  2. In the left-side navigation pane, click Buckets. On the Buckets page, click examplebucket.
  3. In the left-side navigation pane, click Files. On the page that appears, click Authorize.
  4. On the Syntax tab, click Edit and enter the following policy. The three principal IDs (26642223584287****, 27658173539067**** and 24430533117653****) are sample RAM user IDs, and 137918634953**** is the user ID of the owner of examplebucket; replace them with your own values. The policy must be plain JSON, so do not add comments to it.
    {
        "Version": "1",
        "Statement": [{
            "Effect": "Deny",
            "Action": [
                "oss:RestoreObject",
                "oss:ListObjects",
                "oss:AbortMultipartUpload",
                "oss:PutObjectAcl",
                "oss:GetObjectAcl",
                "oss:ListParts",
                "oss:DeleteObject",
                "oss:PutObject",
                "oss:GetObject",
                "oss:GetVodPlaylist",
                "oss:PostVodPlaylist",
                "oss:PublishRtmpStream",
                "oss:ListObjectVersions",
                "oss:GetObjectVersion",
                "oss:GetObjectVersionAcl",
                "oss:RestoreObjectVersion"
            ],
            "Principal": [
                "26642223584287****",
                "27658173539067****",
                "24430533117653****"
            ],
            "Resource": [
                "acs:oss:*:137918634953****:examplebucket/examplefolder/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                }
            }
        }, {
            "Effect": "Deny",
            "Action": [
                "oss:ListObjects",
                "oss:GetObject"
            ],
            "Principal": [
                "26642223584287****",
                "27658173539067****",
                "24430533117653****"
            ],
            "Resource": [
                "acs:oss:*:137918634953****:examplebucket"
            ],
            "Condition": {
                "StringLike": {
                    "oss:Prefix": [
                        "examplefolder/*"
                    ]
                },
                "StringNotEquals": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                }
            }
        }]
    }
  5. Click Save.
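Before saving a Deny policy it is worth checking which requests it actually matches. The following script is an added example, not part of the OSS documentation or an Alibaba Cloud tool: it loads a copy of the two statements above and simulates their Deny semantics for the Enterprise A scenario. It assumes glob-style matching for Action, Principal and Resource entries, that `StringLike` fails when the condition key is absent from the request, and that `StringNotEquals` holds when the key is absent (an Internet request carries no `acs:SourceVpc`); the wildcard `vpc-*` is treated as a glob because the page's condition uses it that way. The RAM user ID 11111111111111**** and the VPC ID vpc-bp1exampleid are constructed placeholders.

```python
import fnmatch
import json

# Constructed copy of the two Deny statements from the procedure above (same
# actions, conditions and placeholder IDs). JSON has no comments, so the
# page's annotations live here as Python comments: the three principals are
# sample RAM user IDs and 137918634953**** is the bucket owner's user ID.
BUCKET_POLICY = json.loads(r"""
{
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "oss:RestoreObject", "oss:ListObjects", "oss:AbortMultipartUpload",
            "oss:PutObjectAcl", "oss:GetObjectAcl", "oss:ListParts",
            "oss:DeleteObject", "oss:PutObject", "oss:GetObject",
            "oss:GetVodPlaylist", "oss:PostVodPlaylist", "oss:PublishRtmpStream",
            "oss:ListObjectVersions", "oss:GetObjectVersion",
            "oss:GetObjectVersionAcl", "oss:RestoreObjectVersion"
        ],
        "Principal": ["26642223584287****", "27658173539067****", "24430533117653****"],
        "Resource": ["acs:oss:*:137918634953****:examplebucket/examplefolder/*"],
        "Condition": {"StringNotEquals": {"acs:SourceVpc": ["vpc-*"]}}
    }, {
        "Effect": "Deny",
        "Action": ["oss:ListObjects", "oss:GetObject"],
        "Principal": ["26642223584287****", "27658173539067****", "24430533117653****"],
        "Resource": ["acs:oss:*:137918634953****:examplebucket"],
        "Condition": {
            "StringLike": {"oss:Prefix": ["examplefolder/*"]},
            "StringNotEquals": {"acs:SourceVpc": ["vpc-*"]}
        }
    }]
}
""")


def _match_any(value, patterns):
    """True if the value matches at least one glob pattern (assumed OSS matching)."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Every operator block and every key in it must hold for the request context."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            actual = ctx.get(key)
            if operator == "StringLike":
                # Assumption: a missing key never satisfies StringLike.
                if actual is None or not _match_any(actual, patterns):
                    return False
            elif operator == "StringNotEquals":
                # Assumption: holds when the key is absent or matches no pattern.
                if actual is not None and _match_any(actual, patterns):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_denied(policy, principal, action, resource, ctx):
    """Return True if any Deny statement of the policy matches the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _match_any(principal, stmt["Principal"]):
            continue
        if not _match_any(action, stmt["Action"]):
            continue
        if not _match_any(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        return True
    return False


def evaluate_scenario():
    """Run the Enterprise A scenario through the simulator and return the verdicts."""
    partner = "26642223584287****"            # one of the listed RAM users
    other_user = "11111111111111****"         # constructed ID, not in the policy
    obj = "acs:oss:cn-hangzhou:137918634953****:examplebucket/examplefolder/report.csv"
    other_obj = "acs:oss:cn-hangzhou:137918634953****:examplebucket/public/readme.txt"
    bucket = "acs:oss:cn-hangzhou:137918634953****:examplebucket"
    internet = {}                             # no acs:SourceVpc: Internet request
    vpc = {"acs:SourceVpc": "vpc-bp1exampleid"}   # constructed VPC ID
    p = BUCKET_POLICY
    return {
        "partner_get_internet": is_denied(p, partner, "oss:GetObject", obj, internet),
        "partner_get_vpc": is_denied(p, partner, "oss:GetObject", obj, vpc),
        "partner_list_folder_internet": is_denied(
            p, partner, "oss:ListObjects", bucket, {"oss:Prefix": "examplefolder/2024/"}),
        "partner_list_other_prefix_internet": is_denied(
            p, partner, "oss:ListObjects", bucket, {"oss:Prefix": "public/"}),
        # Listing the bucket root sends no oss:Prefix, so the second statement
        # does not match under the assumptions above.
        "partner_list_root_internet": is_denied(p, partner, "oss:ListObjects", bucket, internet),
        "partner_get_other_folder_internet": is_denied(p, partner, "oss:GetObject", other_obj, internet),
        "other_user_get_internet": is_denied(p, other_user, "oss:GetObject", obj, internet),
    }


if __name__ == "__main__":
    for name, denied in evaluate_scenario().items():
        print(f"{name}: {'denied' if denied else 'not denied'}")
```

A result of "not denied" only means this policy does not block the request; whether it is allowed then depends on the RAM policies and other bucket policy statements that apply. Two results deserve a second look before you rely on the policy: a listing of the bucket root without a prefix is not matched by the second statement in this model, and the first statement covers only keys under `examplefolder/`, not an object literally named `examplefolder`. Verify both against the real OSS evaluation for your bucket rather than against this simulator.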

References

  • Data must be shared across multiple departments or projects. You may want users from other departments to download the data that is shared by your department. However, you do not want the users to write or delete the shared data. In this case, you can implement data sharing across multiple departments based on bucket policies. For more information, see Tutorial: Implement data sharing across departments based on bucket policies.
  • You can grant different permissions, such as read-only and read and write permissions, to anonymous users or RAM users in the same Alibaba Cloud account and across multiple Alibaba Cloud accounts to access or manage bucket resources. For more information, see Examples.