Block Public Access prevents anonymous access to OSS resources at the account, bucket, access point, or Object FC Access Point level. When enabled, existing public permissions are ignored and new ones cannot be created.
Check for public access in bucket policies and ACLs
Review bucket policies and ACLs to check whether objects are publicly accessible. If any grant public access, enable Block Public Access.
Bucket policy
(Recommended) Call the GetBucketPolicyStatus operation
Call GetBucketPolicyStatus to check whether a bucket policy grants public access.
If IsPublic is true, the bucket policy grants public access.
If IsPublic is false, the bucket policy does not grant public access.
For more information, see GetBucketPolicyStatus.
Manually review bucket policy settings
Conditions and examples for non-public access
A bucket policy statement is non-public if its Principal or Condition element meets any of these criteria.
NoteThe Action and Resource elements do not affect public access evaluation.
If the Effect element is Deny, the policy does not grant public access.
Element
Field
Value
Principal
N/A
Specifies one or more fixed values without the asterisk (*) wildcard.
Condition
acs:SourceVpcId
Specifies one or more fixed values without the asterisk (*) wildcard.
acs:SourceVpc
Specifies one or more fixed values without the asterisk (*) wildcard.
acs:AccessId
Specifies one or more fixed values without the asterisk (*) wildcard.
acs:SourceVpcIp
For IPv4 addresses, the mask must be greater than or equal to 8.
For IPv6 addresses, the mask must be greater than or equal to 32.
acs:SourceIp
For IPv4 addresses, the mask must be greater than or equal to 8.
For IPv6 addresses, the mask must be greater than or equal to 32.
The following example bucket policy grants non-public access:
{ "Version":"1", "Statement":[ { "Action":[ "oss:GetObject", "oss:GetObjectAcl", "oss:GetObjectVersion", "oss:GetObjectVersionAcl" ], "Effect":"Allow", "Principal":[ "20214760404935xxxx" ], "Resource":[ "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*", "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*" ] }, { "Action":[ "oss:ListObjects", "oss:ListObjectVersions" ], "Condition":{ "StringLike":{ "oss:Prefix":[ "hangzhou/2020/*", "shanghai/2015/*" ] } }, "Effect":"Allow", "Principal":[ "20214760404935xxxx" ], "Resource":[ "acs:oss:*:174649585760xxxx:examplebucket" ] } ] }
Conditions and examples for public access
A bucket policy grants public access if it does not meet the non-public access criteria. Examples:
Example 1
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "oss:GetObject", "Principal": "*", "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*" } ] }Example 2
If a bucket policy contains both a statement allowing access from all VPCs and a non-public statement for specific users, the policy grants public access.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "oss:GetObject", "Principal": "*", "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*", "Condition": { "StringLike": { "acs:SourceVpc": [ "vpc-*" ] } } }, { "Effect": "Allow", "Action": "oss:*", "Principal": "27464958576xxxx", "Resource": "*" } ] }
ACL
If the bucket ACL or object ACL is public-read or public-read-write, public access is allowed.
If both the bucket ACL and object ACL are private, public access is denied.
Block Public Access priority
Block Public Access applies at account, bucket, access point, and Object FC Access Point levels. When set at multiple levels, OSS follows this priority:
Account > Bucket > Access point > Object FC Access PointHigher-level settings override lower-level ones. For example, account-level Block Public Access blocks public access for all buckets, access points, and Object FC Access Points, regardless of their individual settings.
To allow public access to a bucket, disable Block Public Access at the global and bucket levels.
To allow public access through an access point, disable Block Public Access at the account, bucket, and access point levels.
To allow public access through an Object FC Access Point, disable Block Public Access at the account, bucket, access point, and Object FC Access Point levels.
Usage notes
A RAM user must have the following permissions to manage Block Public Access:
At the account level:
oss:PutPublicAccessBlock,oss:GetPublicAccessBlock, andoss:DeletePublicAccessBlockFor individual buckets:
oss:PutBucketPublicAccessBlock,oss:GetBucketPublicAccessBlock, andoss:DeleteBucketPublicAccessBlockFor individual access points:
oss:PutAccessPointPublicAccessBlock,oss:GetAccessPointPublicAccessBlock, andoss:DeleteAccessPointPublicAccessBlockFor individual Object FC Access Points:
oss:PutAccessPointConfigForObjectProcess,oss:GetAccessPointConfigForObjectProcess, andoss:DeleteAccessPointForObjectProcess
When enabled, existing public access permissions are ignored and new ones cannot be configured. When disabled, existing permissions resume and new ones can be configured.
If a bucket policy allows all users to manage an access point, users can change its Block Public Access status through the bucket subdomain, even when Block Public Access is enabled for the access point. Access point settings do not apply to requests through bucket subdomains.
During cross-region replication (CRR) and same-region replication (SRR), object ACLs are preserved regardless of Block Public Access settings. If Block Public Access is enabled on the destination bucket, replicated objects cannot be publicly accessed even if their ACL is public-read or public-read-write.
Methods
Use the OSS console
Use ossutil
Related API operations
Call RESTful APIs directly with signature calculation in your code.
Refer to PutPublicAccessBlock to block public access at the account level.
Refer to PutBucketPublicAccessBlock to block public access for a bucket.
Refer to PutAccessPointPublicAccessBlock to block public access for an access point.
Refer to PutAccessPointConfigForObjectProcess to block public access for an Object FC Access Point.
Related topics
To control object-level access within a bucket, combine Block Public Access with bucket policies and object ACLs.