Object Storage Service: Access control

Last Updated: Feb 18, 2025

By default, the access control list (ACL) of Object Storage Service (OSS) resources, including buckets and objects, is set to private to ensure data security. Only the owners of the resources and authorized users can access these resources. OSS allows you to configure a variety of policies to grant third-party users specific permissions to access or use your OSS resources.

The following describes the access control policies that you can configure for buckets and the objects stored in them. Each entry lists the parameter, a description, and the scenarios in which it applies.

Parameter: RAM Policy

Description: Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage access permissions on resources. RAM policies are identity-based authorization policies. You can configure RAM policies to manage your users, such as employees, systems, or applications, and to control their permissions on your resources. For example, you can configure a RAM policy that allows a user to only read a single bucket.

Scenario: Grant permissions to RAM users, RAM user groups, or RAM roles within the current Alibaba Cloud account.

Parameter: Bucket Policy

Description: A bucket policy is a resource-based authorization policy. Unlike RAM policies, bucket policies can be configured directly in the GUI of the console. In addition, the owner of a bucket can configure bucket policies for the bucket without RAM permissions. You can configure bucket policies to grant permissions to the RAM users of other Alibaba Cloud accounts, or to anonymous users who access OSS from the specified IP addresses.

Scenario:

  • Grant permissions to RAM users or RAM roles within the current Alibaba Cloud account.

  • Grant permissions to RAM users or RAM roles within other Alibaba Cloud accounts.

  • Grant permissions to anonymous users.

Parameter: Bucket ACLs

Description: You can configure the ACL of a bucket when you create the bucket, or modify the ACL of an existing bucket. Only the owner of a bucket can configure or modify its ACL. You can set the ACL of a bucket to one of the following values: public-read-write, public-read, or private.

Scenario: Set the same ACL permissions for all objects in a bucket.

Parameter: Object ACLs

Description: You can also configure the ACL of each object stored in OSS. You can configure the ACL of an object when you upload the object, or modify the ACL of an uploaded object. You can set the ACL of an object to one of the following values: default, public-read-write, public-read, or private. An object whose ACL is default inherits the ACL of its bucket.

Scenario: Set the ACL of a single object, or of multiple objects individually.

For example, suppose you have configured RAM policies or bucket policies for a bucket so that all objects in the bucket, or all objects whose names carry a specified prefix, are private. If you then want one object in the bucket to be accessible to all anonymous users from the Internet, you can set the ACL of that object to public-read.

Parameter: Block Public Access

Description: You can allow public access to OSS resources by configuring bucket policies and ACLs. Public access is access to OSS resources that requires no specific permissions or authentication. Public access can cause data breaches and, under malicious access, generate a large amount of outbound traffic over the Internet. OSS allows you to enable Block Public Access to prevent these risks. After you enable this feature, existing public access permissions are ignored and you cannot grant new public access permissions. This closes the public access channels and keeps the data secure.

Scenario:

  • Enable Block Public Access for OSS resources.

  • Enable Block Public Access for a bucket.

  • Enable Block Public Access for an access point.

  • Enable Block Public Access for an Object FC Access Point.
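The interaction between bucket ACLs, object ACLs and Block Public Access described above, modelled as a small offline audit helper. This is an added example and not code from the OSS documentation or SDK: it does not call the OSS API, and the bucket, object keys and ACL values it uses are constructed for illustration. It resolves which objects an unauthenticated Internet client could reach under the rules the page states: an object ACL of default inherits the bucket ACL, public-read grants anonymous read, public-read-write grants anonymous read and write, private grants nothing, and Block Public Access overrides every public grant.

```python
from dataclasses import dataclass, field

# ACL values as named on the page.
PUBLIC_READ_WRITE = "public-read-write"
PUBLIC_READ = "public-read"
PRIVATE = "private"
DEFAULT = "default"  # object-level only: inherit the bucket ACL

# Operations an anonymous (unauthenticated) caller gains from each ACL value.
_ANON_OPS = {
    PUBLIC_READ_WRITE: {"read", "write"},
    PUBLIC_READ: {"read"},
    PRIVATE: set(),
}


@dataclass
class Bucket:
    """Constructed model of one bucket's ACL state (not an SDK type)."""
    acl: str                          # bucket ACL: one of the three bucket values
    block_public_access: bool = False
    # object key -> object ACL; a key that is absent is treated as "default"
    object_acls: dict = field(default_factory=dict)

    def effective_object_acl(self, key: str) -> str:
        """The ACL that actually applies to an object after inheritance."""
        acl = self.object_acls.get(key, DEFAULT)
        return self.acl if acl == DEFAULT else acl

    def anonymous_allowed(self, key: str, op: str) -> bool:
        """Would an unauthenticated request for `op` on `key` be permitted?"""
        # Block Public Access: existing public grants are ignored, new ones refused.
        if self.block_public_access:
            return False
        return op in _ANON_OPS[self.effective_object_acl(key)]


def public_objects(bucket: Bucket, keys) -> list:
    """Objects an anonymous Internet client could read: the list a defender reviews."""
    return [k for k in keys if bucket.anonymous_allowed(k, "read")]


if __name__ == "__main__":
    # Constructed sample: a private bucket with one object deliberately made public-read.
    b = Bucket(acl=PRIVATE, object_acls={"site/index.html": PUBLIC_READ})
    print(public_objects(b, ["site/index.html", "reports/q1.csv"]))
    b.block_public_access = True
    print(public_objects(b, ["site/index.html", "reports/q1.csv"]))  # nothing once blocked
```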

For more information about the authentication process of OSS when multiple access control policies, such as RAM policies, ACLs, and bucket policies, are configured for a bucket, see Authorization.