
Object Storage Service:How do I prevent unauthorized access to OSS?

Last Updated:Sep 01, 2023

When Object Storage Service (OSS) buckets are accessed by unauthorized users, sudden spikes in traffic or bandwidth may occur. As a result, unexpected outbound traffic fees are generated. In severe cases, the buckets may be moved to the sandbox, and OSS becomes unavailable. This topic describes how to prevent unauthorized access to OSS.

You can use one of the following methods to prevent unauthorized access to OSS:

Method 1: Set the ACL of the bucket to private

If you set the access control list (ACL) of your bucket to public-read and the bucket URL is exposed on the Internet, all Internet users can access your OSS resources without any authentication. We recommend that you set the ACL of your bucket to private, so that requests must be signed by an authorized account. For more information, see Bucket ACL.
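Method 1 can be applied account-wide rather than bucket by bucket. The following is an added example, not code from this topic or from Alibaba Cloud: it lists every bucket, reports those whose ACL is public-read or public-read-write, and, when remediation is enabled, resets them to private. The audit logic takes injected callables so it can run without network access; oss2_adapters() wires it to the real oss2 SDK (pip install oss2) using the SDK's Auth, Service, Bucket, get_bucket_acl and put_bucket_acl, and the access key values and endpoint are assumptions you supply.

```python
"""Audit OSS buckets for public ACLs and optionally reset them to private."""
from dataclasses import dataclass
from typing import Callable, Iterable, List

# ACL strings returned by GetBucketAcl (same values as oss2.BUCKET_ACL_*).
PUBLIC_ACLS = {"public-read", "public-read-write"}


@dataclass
class AclFinding:
    bucket: str
    acl: str           # the public ACL that was found
    remediated: bool   # True if the ACL was reset to private


def audit_bucket_acls(
    buckets: Iterable[str],
    get_acl: Callable[[str], str],
    set_private: Callable[[str], None],
    remediate: bool = False,
) -> List[AclFinding]:
    """Return one finding per bucket whose ACL is public; fix it if asked."""
    findings: List[AclFinding] = []
    for name in buckets:
        acl = get_acl(name)
        if acl not in PUBLIC_ACLS:
            continue                      # already private: nothing to do
        if remediate:
            set_private(name)             # PutBucketAcl -> private
        findings.append(AclFinding(name, acl, remediate))
    return findings


def oss2_adapters(access_key_id: str, access_key_secret: str, endpoint: str):
    """Real callables built on the oss2 SDK (assumed: keys of a RAM user that
    may call ListBuckets/GetBucketAcl/PutBucketAcl; at most one page of buckets).
    Returns (bucket_names, get_acl, set_private) for audit_bucket_acls()."""
    import oss2  # imported lazily so the audit logic above runs without the SDK

    auth = oss2.Auth(access_key_id, access_key_secret)
    infos = oss2.Service(auth, endpoint).list_buckets().buckets
    # Each bucket must be addressed through its own region endpoint.
    endpoints = {b.name: "https://" + b.extranet_endpoint for b in infos}

    def get_acl(name: str) -> str:
        return oss2.Bucket(auth, endpoints[name], name).get_bucket_acl().acl

    def set_private(name: str) -> None:
        oss2.Bucket(auth, endpoints[name], name).put_bucket_acl(oss2.BUCKET_ACL_PRIVATE)

    return list(endpoints), get_acl, set_private
```

Run it first with remediate=False to review the findings, then with remediate=True once you have confirmed that none of the listed buckets intentionally serves public content.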

Method 2: Enable WAF protection

  1. Purchase a Web Application Firewall (WAF) 3.0 instance. For more information, see Get started with WAF 3.0.

  2. Add a domain name to WAF in CNAME record mode.

    1. Map a custom domain name to the bucket in the OSS console.

      When you map a custom domain name to the bucket, do not add a DNS record that resolves the custom domain name to the bucket domain name. The custom domain name is resolved to the CNAME assigned by WAF in a later step, so that requests reach the bucket only through WAF. For more information, see Map custom domain names.

    2. Log on to the WAF console to perform the following operations:

      1. Add a domain name to WAF.

        Add the custom domain name for which you want to enable WAF and set the origin domain name to the domain name of the bucket. For more information, see Add a domain name to WAF.

      2. Copy the CNAME that is assigned by WAF.

        1. In the left-side navigation pane, click Website Configuration. On the Website Configuration page, click the CNAME Record tab.

        2. Find the added domain name in the Domain Name/CNAME list, and copy the CNAME of the domain name.

    3. Add a CNAME record for the custom domain name in the Alibaba Cloud DNS console.

      For more information, see Change a DNS record.

  3. Configure protection policies.

    After you add the domain name to WAF, WAF automatically adds it as a protected object and enables basic protection rules for the protected object. By default, a medium rule group is used, and the protection action is set to Block. For more information, see Get started with WAF 3.0.