
Object Storage Service:Block Public Access

Last Updated:Apr 28, 2024

You can allow public access to Object Storage Service (OSS) resources by configuring bucket policies and access control lists (ACLs). Public access means access to OSS resources that requires no specific permissions or authentication. Public access can easily cause data breaches and, through malicious requests, generate a large amount of outbound Internet traffic. To prevent these risks, OSS lets you enable Block Public Access in a few steps for OSS as a whole, a bucket, an access point, or an Object FC Access Point. If you enable Block Public Access, existing public access permissions are ignored and you cannot configure new ones. This closes the public data access channels and protects your data.

Check whether public access is allowed in bucket policies and ACLs

To check whether public access to OSS, a bucket, an access point, or an Object FC Access Point is allowed, review the bucket policies and the ACLs, including bucket ACLs and object ACLs. If a bucket policy or an ACL allows public access, your resources may be exposed to unauthorized users. To prevent public access, enable Block Public Access.

Bucket Policy

(Recommended) Call an API operation to check whether public access is allowed in bucket policies

You can call the GetBucketPolicyStatus operation to check whether public access is allowed in a bucket policy.

  • If the value of the IsPublic response parameter is true, public access is allowed in the bucket policy.

  • If the value of the IsPublic response parameter is false, public access is denied in the bucket policy.

For more information, see GetBucketPolicyStatus.

View bucket policies to check whether public access is allowed in the bucket policies

Conditions and examples for non-public access

  • Public access is not allowed in a bucket policy only if at least one of the following conditions is met. Each condition names the policy element, the field within it, and the requirement on its value.

    Note
    • The Action and Resource elements are not used as conditions to check whether public access is allowed in the bucket policy.

    • If the value of the Effect element in the bucket policy is Deny, public access is denied in the bucket policy.

    • Element Principal (Field: N/A): set one or more values to fixed values. The values cannot contain the asterisk (*) wildcard character.

    • Element Condition, Field acs:SourceVpcId, acs:SourceVpcIp, acs:SourceVpc, or acs:AccessId: set one or more fields to fixed values. The values cannot contain the asterisk (*) wildcard character.

    • Element Condition, Field acs:SourceIp: for IPv4 addresses, the mask must be greater than or equal to 8; for IPv6 addresses, the mask must be greater than or equal to 32.

  • The following sample code provides an example of a bucket policy that denies public access:

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "oss:GetObject",
                    "oss:GetObjectAcl",
                    "oss:GetObjectVersion",
                    "oss:GetObjectVersionAcl"
                ],
                "Effect":"Allow",
                "Principal":[
                    "20214760404935xxxx"
                ],
                "Resource":[
                    "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
                    "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
                ]
            },
            {
                "Action":[
                    "oss:ListObjects",
                    "oss:ListObjectVersions"
                ],
                "Condition":{
                    "StringLike":{
                        "oss:Prefix":[
                            "hangzhou/2020/*",
                            "shanghai/2015/*"
                        ]
                    }
                },
                "Effect":"Allow",
                "Principal":[
                    "20214760404935xxxx"
                ],
                "Resource":[
                    "acs:oss:*:174649585760xxxx:examplebucket"
                ]
            }
        ]
    }

Conditions and examples for public access

Public access is allowed in a bucket policy if one of the conditions for non-public access is not met. Examples:

  • Example 1

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Principal": "*",
                "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*"
            }
        ]
    }
  • Example 2

    If a bucket policy contains both public access statements in which all virtual private clouds (VPCs) are allowed and non-public access statements in which only specific users are allowed, public access is allowed in the bucket policy.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Principal": "*",
                "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*",
                "Condition": {
                    "StringLike": {
                        "acs:SourceVpc": [
                            "vpc-*"
                            ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "oss:*",
                "Principal": "27464958576xxxx",
                "Resource": "*"
            }
        ]
    }
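The rules in the two sections above can be applied mechanically to a bucket policy document. The following Python is an added example written for this page; it is not OSS code and does not replace GetBucketPolicyStatus. The function and constant names are the example's own, the sample policies reuse the page's examples (account IDs masked as on the page) plus two constructed ones for the acs:SourceIp rule, and the IpAddress condition operator is assumed to be the one used for acs:SourceIp.

```python
import ipaddress
import json

# Condition keys that keep a statement non-public when every value is fixed (no "*").
FIXED_VALUE_KEYS = ("acs:SourceVpcId", "acs:SourceVpcIp", "acs:SourceVpc", "acs:AccessId")
# Minimum prefix length an acs:SourceIp value needs before it counts as a real restriction.
MIN_PREFIX_LEN = {4: 8, 6: 32}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list of strings."""
    if value is None:
        return []
    return [str(v) for v in (value if isinstance(value, list) else [value])]


def _is_fixed(values):
    """True if at least one value is present and none contains the * wildcard."""
    values = _as_list(values)
    return bool(values) and not any("*" in v for v in values)


def _source_ip_restricts(values):
    """True if every acs:SourceIp value is a CIDR no wider than /8 (IPv4) or /32 (IPv6)."""
    values = _as_list(values)
    if not values:
        return False
    for value in values:
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:  # "*" or other non-CIDR text restricts nothing
            return False
        if network.prefixlen < MIN_PREFIX_LEN[network.version]:
            return False
    return True


def _condition_fields(condition):
    """Flatten {"StringLike": {"acs:SourceVpc": [...]}, ...} into {key: [values]}."""
    fields = {}
    for operator_block in (condition or {}).values():
        for key, values in operator_block.items():
            fields.setdefault(key, []).extend(_as_list(values))
    return fields


def statement_is_public(statement):
    """Only an Allow statement with no fixed Principal and no restricting Condition is
    public. Action and Resource are deliberately not consulted, as the page notes."""
    if statement.get("Effect") != "Allow":
        return False
    if _is_fixed(statement.get("Principal")):
        return False
    fields = _condition_fields(statement.get("Condition"))
    if any(_is_fixed(fields.get(key)) for key in FIXED_VALUE_KEYS):
        return False
    if _source_ip_restricts(fields.get("acs:SourceIp")):
        return False
    return True


def public_statement_indexes(policy):
    """Indexes of the statements that allow public access (empty list if none)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return [i for i, stmt in enumerate(policy.get("Statement", [])) if statement_is_public(stmt)]


def policy_is_public(policy):
    """A policy is public as soon as one statement is (the page's Example 2)."""
    return bool(public_statement_indexes(policy))


# Page example: fixed Principal, therefore non-public.
NON_PUBLIC_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:GetObjectAcl"],
     "Principal": ["20214760404935xxxx"],
     "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*"]}]}
# Page Example 2: a wildcard VPC condition makes statement 0 public despite statement 1.
VPC_WILDCARD_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject", "Principal": "*",
     "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*",
     "Condition": {"StringLike": {"acs:SourceVpc": ["vpc-*"]}}},
    {"Effect": "Allow", "Action": "oss:*", "Principal": "27464958576xxxx", "Resource": "*"}]}
# Constructed: acs:SourceIp masks meet the /8 and /32 minimums, so this is non-public.
SOURCE_IP_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject", "Principal": "*",
     "Resource": "acs:oss:*:ACCOUNT_ID_PLACEHOLDER:examplebucket/*",
     "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8", "2001:db8::/32"]}}}]}
# Constructed: a /0 mask restricts nothing, so the statement is public.
OPEN_IP_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject", "Principal": "*",
     "Resource": "acs:oss:*:ACCOUNT_ID_PLACEHOLDER:examplebucket/*",
     "Condition": {"IpAddress": {"acs:SourceIp": "0.0.0.0/0"}}}]}

if __name__ == "__main__":
    for name, policy in [("non-public", NON_PUBLIC_POLICY), ("vpc wildcard", VPC_WILDCARD_POLICY),
                         ("source ip", SOURCE_IP_POLICY), ("open ip", OPEN_IP_POLICY)]:
        print(f"{name}: public statements {public_statement_indexes(policy)}")
```

Use this as a pre-deployment review step: run it over a policy you are about to apply and refuse any policy for which public_statement_indexes returns a non-empty list, then confirm the live state with GetBucketPolicyStatus, which is the authoritative check.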

ACL

  • If the bucket ACL or object ACL is set to public-read or public-read-write, public access is allowed.

  • If both the bucket ACL and the object ACL are set to private, public access is denied.

Priority of the Block Public Access configurations

OSS allows you to enable Block Public Access for OSS, a bucket, an access point, or an Object FC Access Point. If the configurations of Block Public Access are different, OSS applies the following priorities:

OSS > A bucket > An access point > An Object FC Access Point

A level can allow public access only if no level above it blocks it. If Block Public Access is enabled for OSS, public access to every bucket, access point, and Object FC Access Point is blocked.

  • If you want to allow public access to a bucket, you must disable Block Public Access for OSS and the bucket.

  • If you want to allow public access to a bucket by using an access point, you must disable Block Public Access for OSS, the bucket with which the access point is associated, and the access point.

  • If you want to allow public access to a bucket by using an Object FC Access Point, you must disable Block Public Access for OSS, the access points of the bucket, the bucket with which the access points are associated, and the Object FC Access Point.
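The priority chain above, together with the ACL rules, decides whether a grant is actually reachable. The following Python encodes that decision as an added example for this page; it is not OSS code, and the level names, the `blocked` mapping and the function names are the example's own assumptions.

```python
# Block Public Access levels in priority order, highest first. A setting at a higher
# level overrides every level below it.
LEVELS = ("oss", "bucket", "access_point", "object_fc_access_point")
PUBLIC_ACLS = ("public-read", "public-read-write")


def blocking_level(level, blocked):
    """Name of the highest level at or above `level` that has Block Public Access
    enabled, or None. `blocked` maps a level name to its Block Public Access state."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    for name in LEVELS[: LEVELS.index(level) + 1]:
        if blocked.get(name, False):
            return name
    return None


def public_access_possible(level, blocked):
    """True only if Block Public Access is disabled at `level` and at every level above it."""
    return blocking_level(level, blocked) is None


def acl_allows_public(bucket_acl, object_acl):
    """Page rule: either ACL being public-read or public-read-write allows public access."""
    return bucket_acl in PUBLIC_ACLS or object_acl in PUBLIC_ACLS


def effective_public_access(level, blocked, policy_public=False,
                            bucket_acl="private", object_acl="private"):
    """A policy or ACL grant counts only when nothing in the priority chain blocks it.
    This is also why a replicated public-read object stays unreachable in a destination
    bucket that has Block Public Access enabled."""
    if not public_access_possible(level, blocked):
        return False
    return policy_public or acl_allows_public(bucket_acl, object_acl)


if __name__ == "__main__":
    # Constructed scenarios: only the bucket level blocks, access goes through an Object FC Access Point.
    state = {"oss": False, "bucket": True, "access_point": False, "object_fc_access_point": False}
    print("blocked by:", blocking_level("object_fc_access_point", state))
    print("public-read object reachable:",
          effective_public_access("object_fc_access_point", state, object_acl="public-read"))
```

Reading the output as an operator: the first line names the level whose setting has to be changed before any lower-level public grant can take effect, which matches the page's instruction to disable Block Public Access at every level above the one you are opening.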

Usage notes

  • To use a RAM user to enable Block Public Access for OSS, a bucket, an access point, or an Object FC Access Point, the RAM user must have the following permissions:

    • Enable Block Public Access for OSS: oss:PutPublicAccessBlock, oss:GetPublicAccessBlock, and oss:DeletePublicAccessBlock.

    • Enable Block Public Access for a bucket: oss:PutBucketPublicAccessBlock, oss:GetBucketPublicAccessBlock, and oss:DeleteBucketPublicAccessBlock.

    • Enable Block Public Access for an access point: oss:PutAccessPointPublicAccessBlock, oss:GetAccessPointPublicAccessBlock, and oss:DeleteAccessPointPublicAccessBlock.

    • Enable Block Public Access for an Object FC Access Point: oss:PutAccessPointConfigForObjectProcess, oss:GetAccessPointConfigForObjectProcess, and oss:DeleteAccessPointForObjectProcess.

  • If you enable Block Public Access, existing public access permissions are ignored and you cannot configure public access permissions. If you disable Block Public Access, existing public access permissions take effect and you can configure public access permissions.

  • If you configure a bucket policy that allows all users to manage an access point of a bucket, users can change the Block Public Access status of the access point through the third-level domain name of the bucket even if Block Public Access is enabled for the access point, because the configurations of the access point do not apply to requests sent through the subdomains of the bucket.

  • For cross-region replication (CRR) or same-region replication (SRR) tasks, the ACL of objects before and after replication is not affected, regardless of whether Block Public Access is enabled for the source and destination buckets. If Block Public Access is enabled for the destination bucket, public access to the objects that are replicated to the destination bucket is not allowed even if the ACL of the objects is public-read or public-read-write.

Procedure

Use the OSS console

Enable Block Public Access for OSS

  1. Log on to the OSS console.

  2. In the left-side navigation pane, choose Data Service > Block Public Access.

  3. On the Block Public Access page, turn on Block Public Access and follow the on-screen instructions.

Enable Block Public Access for a bucket

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.

  3. In the left-side navigation tree, choose Permission Control > Block Public Access.

  4. On the Block Public Access tab, turn on Block Public Access and follow the on-screen instructions.

Enable Block Public Access for an access point

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Access Points. On the Access Points page, click the name of the access point for which you want to enable Block Public Access.

  3. In the Basic Information section, click Enable next to Block Public Access and follow the on-screen instructions.

Enable Block Public Access for an Object FC Access Point

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Object FC Access Points. On the Object FC Access Points page, click the Object FC Access Point for which you want to enable Block Public Access.

  3. In the Basic Information section, click Enable next to Block Public Access and follow the on-screen instructions.

Use the OSS API

If your business requires a high level of customization, you can directly call RESTful APIs. To directly call an API, you must include the signature calculation in your code.

  • For more information about the API operation that you can call to enable Block Public Access for OSS, see PutPublicAccessBlock.

  • For more information about the API operation that you can call to enable Block Public Access for a bucket, see PutBucketPublicAccessBlock.

  • For more information about the API operation that you can call to enable Block Public Access for an access point, see PutAccessPointPublicAccessBlock.

  • For more information about the API operation that you can call to enable Block Public Access for an Object FC Access Point, see PutAccessPointConfigForObjectProcess.

References

Block Public Access allows you to manage access to OSS, buckets, access points, and Object FC Access Points in a centralized manner. To manage access to specific resources in a bucket or to an individual object in a fine-grained manner, use bucket policies together with object ACLs.