Block public access

Updated at:
Copy as MD

Block Public Access prevents anonymous access to OSS resources at the account, bucket, access point, or Object FC Access Point level. When enabled, existing public permissions are ignored and new ones cannot be created.

Check for public access in bucket policies and ACLs

Review bucket policies and ACLs to check whether objects are publicly accessible. If any grant public access, enable Block Public Access.

Bucket policy

(Recommended) Call the GetBucketPolicyStatus operation

Call GetBucketPolicyStatus to check whether a bucket policy grants public access.

  • If IsPublic is true, the bucket policy grants public access.

  • If IsPublic is false, the bucket policy does not grant public access.

For more information, see GetBucketPolicyStatus.

Manually review bucket policy settings

Conditions and examples for non-public access

  • A bucket policy statement is non-public if its Principal or Condition element meets any of these criteria.

    Note
    • The Action and Resource elements do not affect public access evaluation.

    • If the Effect element is Deny, the policy does not grant public access.

    Element

    Field

    Value

    Principal

    N/A

    Specifies one or more fixed values without the asterisk (*) wildcard.

    Condition

    acs:SourceVpcId

    Specifies one or more fixed values without the asterisk (*) wildcard.

    acs:SourceVpc

    Specifies one or more fixed values without the asterisk (*) wildcard.

    acs:AccessId

    Specifies one or more fixed values without the asterisk (*) wildcard.

    acs:SourceVpcIp

    For IPv4 addresses, the mask must be greater than or equal to 8.

    For IPv6 addresses, the mask must be greater than or equal to 32.

    acs:SourceIp

    For IPv4 addresses, the mask must be greater than or equal to 8.

    For IPv6 addresses, the mask must be greater than or equal to 32.

  • The following example bucket policy grants non-public access:

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "oss:GetObject",
                    "oss:GetObjectAcl",
                    "oss:GetObjectVersion",
                    "oss:GetObjectVersionAcl"
                ],
                "Effect":"Allow",
                "Principal":[
                    "20214760404935xxxx"
                ],
                "Resource":[
                    "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
                    "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
                ]
            },
            {
                "Action":[
                    "oss:ListObjects",
                    "oss:ListObjectVersions"
                ],
                "Condition":{
                    "StringLike":{
                        "oss:Prefix":[
                            "hangzhou/2020/*",
                            "shanghai/2015/*"
                        ]
                    }
                },
                "Effect":"Allow",
                "Principal":[
                    "20214760404935xxxx"
                ],
                "Resource":[
                    "acs:oss:*:174649585760xxxx:examplebucket"
                ]
            }
        ]
    }

Conditions and examples for public access

A bucket policy grants public access if it does not meet the non-public access criteria. Examples:

  • Example 1

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Principal": "*",
                "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*"
            }
        ]
    }
  • Example 2

    If a bucket policy contains both a statement allowing access from all VPCs and a non-public statement for specific users, the policy grants public access.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Principal": "*",
                "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*",
                "Condition": {
                    "StringLike": {
                        "acs:SourceVpc": [
                            "vpc-*"
                            ]
                    }
                }
            },
          	{
                "Effect": "Allow",
                "Action": "oss:*",
                "Principal": "27464958576xxxx",
                "Resource": "*"
            }
        ]
    }

ACL

  • If the bucket ACL or object ACL is public-read or public-read-write, public access is allowed.

  • If both the bucket ACL and object ACL are private, public access is denied.

Block Public Access priority

Block Public Access applies at account, bucket, access point, and Object FC Access Point levels. When set at multiple levels, OSS follows this priority:

Account > Bucket > Access point > Object FC Access Point

Higher-level settings override lower-level ones. For example, account-level Block Public Access blocks public access for all buckets, access points, and Object FC Access Points, regardless of their individual settings.

  • To allow public access to a bucket, disable Block Public Access at the global and bucket levels.

  • To allow public access through an access point, disable Block Public Access at the account, bucket, and access point levels.

  • To allow public access through an Object FC Access Point, disable Block Public Access at the account, bucket, access point, and Object FC Access Point levels.

Usage notes

  • A RAM user must have the following permissions to manage Block Public Access:

    • At the account level: oss:PutPublicAccessBlock, oss:GetPublicAccessBlock, and oss:DeletePublicAccessBlock

    • For individual buckets: oss:PutBucketPublicAccessBlock, oss:GetBucketPublicAccessBlock, and oss:DeleteBucketPublicAccessBlock

    • For individual access points: oss:PutAccessPointPublicAccessBlock, oss:GetAccessPointPublicAccessBlock, and oss:DeleteAccessPointPublicAccessBlock

    • For individual Object FC Access Points: oss:PutAccessPointConfigForObjectProcess, oss:GetAccessPointConfigForObjectProcess, and oss:DeleteAccessPointForObjectProcess

  • When enabled, existing public access permissions are ignored and new ones cannot be configured. When disabled, existing permissions resume and new ones can be configured.

  • If a bucket policy allows all users to manage an access point, users can change its Block Public Access status through the bucket subdomain, even when Block Public Access is enabled for the access point. Access point settings do not apply to requests through bucket subdomains.

  • During cross-region replication (CRR) and same-region replication (SRR), object ACLs are preserved regardless of Block Public Access settings. If Block Public Access is enabled on the destination bucket, replicated objects cannot be publicly accessed even if their ACL is public-read or public-read-write.

Methods

Use the OSS console

Enable Block Public Access at the global level

  1. Log on to the OSS console.

  2. In the left-side navigation pane, choose Data Service > Block Public Access.

  3. On the Block Public Access page, turn on Block Public Access and complete the on-screen instructions.

Enable Block Public Access for a bucket

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.

  3. In the left-side navigation tree, choose Permission Control > Block Public Access.

  4. On the Block Public Access tab, turn on Block Public Access and complete the on-screen instructions.

Enable Block Public Access for an access point

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Access Points. Click the target access point.

  3. In the Basic Information section, click Enable next to Block Public Access and complete the on-screen instructions.

Enable Block Public Access for an Object FC Access Point

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Object FC Access Points. Click the target Object FC Access Point.

  3. In the Basic Information section, click Enable next to Block Public Access and complete the on-screen instructions.

Use ossutil

Use ossutil to enable Block Public Access. To install ossutil, see Install ossutil.

  • Enable Block Public Access at the account level:

    ossutil api put-public-access-block --public-access-block-configuration "{\"BlockPublicAccess\":\"true\"}"

    For more information, see put-public-access-block.

  • Enable Block Public Access for examplebucket:

    ossutil api put-bucket-public-access-block --bucket examplebucket --public-access-block-configuration "{\"BlockPublicAccess\":\"true\"}"

    For more information, see put-bucket-public-access-block.

  • Enable Block Public Access for access point ap-01:

    ossutil api put-access-point-public-access-block --bucket examplebucket --access-point-name ap-01 --public-access-block-configuration "{\"BlockPublicAccess\":\"true\"}"

    For more information, see put-access-point-public-access-block.

Related API operations

Call RESTful APIs directly with signature calculation in your code.

Related topics

To control object-level access within a bucket, combine Block Public Access with bucket policies and object ACLs.