Object Storage Service:Security of OSS data

Versioning

To prevent business interruption or damage caused by accidental object deletion or overwriting, you can enable versioning for OSS buckets. After you enable versioning for a bucket, objects in the bucket are stored as previous versions when they are overwritten or deleted. If you accidentally delete or overwrite an object, you can recover the object to a previous version. For more information, see Versioning.

Hotlink protection

To prevent additional traffic costs generated due to the access of data in OSS by external websites, you can enable hotlink protection for OSS buckets. After you enable hotlink protection for a bucket, only your website can request to access objects in the bucket. For more information, see Hotlink protection.

CORS

When you access OSS in browsers by using JavaScript, cross-origin request errors can occur due to the same-origin policy enforced by the browsers. To resolve the issue, you can configure cross-origin resource sharing (CORS) for OSS buckets. After you configure CORS for a bucket, you are allowed to access objects in the bucket across regions in browsers by using JavaScript. For more information, see CORS.

Retention policies

High requirements are imposed on data security and compliance in fields and scenarios such as finance, insurance, healthcare, securities, and log data. If you do not want anyone, including resource owners, to modify or delete objects in a bucket within a specific period of time, you can configure a retention policy for the bucket. After you configure a retention policy, users can only read the objects in or upload objects to the bucket until the retention period ends. You can modify or delete objects only after the retention period ends. For more information, see Retention policies.

Server-side encryption

The server-side encryption feature of OSS helps enhance the security of data storage and can be used in most data protection scenarios. After you configure server-side encryption for an OSS bucket, OSS automatically encrypts and persistently stores objects that are uploaded to the bucket. When you download an object, OSS automatically decrypts and returns the object. For more information, see Server-side encryption.

Client-side encryption

The client-side encryption feature of OSS helps enhance the security of data transmission and storage and is suitable for scenarios in which highly sensitive data exists. If you enable client-side encryption for a bucket, objects are locally encrypted before they are uploaded to OSS. Only the owner of the customer master key (CMK) can decrypt the objects. For more information, see Client-side encryption.

TLS versions

Transport Layer Security (TLS) is a standard cryptographic protocol that can be used to ensure the privacy and integrity of data transmitted between clients and OSS. You can specify the TLS version used to access an OSS bucket. After you specify the TLS version for a bucket, clients can use only the specified TLS version to communicate with the bucket. This ensures the security of data transmission. For more information, see Configure the TLS version.

OSS sandbox

When your OSS bucket is under attack or is used to distribute illegal content, OSS automatically moves the bucket to the sandbox. The buckets that are in the sandbox can still respond to requests, but service degradation may occur. In this case, network availability may be affected, and a request timeout error is returned. After OSS automatically moves a bucket to the sandbox, your application may be aware of the operation. For more information, see OSS sandbox.

OSS DDoS protection

To prevent business interruption caused by DDoS attacks, you can enable OSS DDoS protection for OSS buckets. After you enable OSS DDoS protection for a bucket, the system diverts incoming traffic to an Anti-DDoS Proxy instance for scrubbing and then redirects normal traffic to the bucket when the bucket suffers a DDoS attack. This ensures business continuity in the event of DDoS attacks. For more information, see OSS DDoS protection.

FAQ about data security

• How do I access a private image object within a specific period of time?

• How do I configure an HTTPS request and an SSL certificate?

• How do I set the ACL of an object in a directory of a public-read bucket to private?

• Why are anonymous users unable to access public-read objects?

• Can I recover an OSS object after the object is deleted or overwritten?

• What do I do if my data is lost?

• How do I prevent unauthorized access to OSS?

• How do I encrypt OSS resources across Alibaba Cloud accounts by using KMS?