You can configure virtual private cloud (VPC) policies to specify resources that can be accessed by authorized users and configure bucket policies to specify users who can access the resources. This way, your data in the cloud can be accessed by authorized users in a secure network and is protected from unauthorized access.
Prerequisites
A VPC is created in the same region in which the bucket is located. For more information, see Create and manage a VPC.
Background information
The following figure shows the architecture that is used to control data access from the source to the destination.
Based on the preceding architecture, Object Storage Service (OSS) determines whether to allow users to access resources based on the following rules:
Allow access to resources
Access to resources in authorized buckets is allowed if it is initiated from authorized VPCs by using the AccessKey pairs of authorized users.
Deny access to resources
Access to resources in unauthorized buckets is denied if it is initiated from authorized VPCs by using the AccessKey pairs of unauthorized users.
Access to resources in authorized buckets is denied if it is initiated from unauthorized VPCs by using the AccessKey pairs of authorized users.
Scenarios
A user whose UID is 174649585760xxxx creates a bucket named examplebucket in OSS to store important business data. The user also purchases multiple Elastic Compute Service (ECS) instances and deploys these instances in a VPC whose ID is t4nlw426y44rd3iq4xxxx.
To control data access from the source, the user wants to configure a VPC policy to allow only requests that are initiated from the current VPC to access specific OSS resources in examplebucket. To control data access to the destination, the user also wants to configure a bucket policy to block all access requests that are initiated from other VPCs to examplebucket.
Step 1: Configure a VPC policy
Configure a VPC policy to allow requests that are initiated from the VPC whose ID is t4nlw426y44rd3iq4xxxx to access only OSS resources in examplebucket.
Log on to the VPC console.
In the left-side navigation pane, click Endpoints.
In the top navigation bar, select the region where you want to create the gateway endpoint.
On the Endpoints tab of the Endpoints page, click Create Endpoint.
On the Create Endpoint page, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Endpoint Name
Enter a name for the gateway endpoint.
Endpoint Type
Select the type of the endpoint that you want to create. In this example, Gateway Endpoint is selected.
Endpoints Service
Click Select Service and select the endpoint service that you want your VPC to access.
VPC
Select the VPC in which you want to create the gateway endpoint.
Route Table
Select the route table that you want to be associated with the gateway endpoint.
Resource Group
Select the resource group that you want to be associated with the gateway endpoint.
Description
Enter a description for the endpoint.
Access Policies
Enter the following access policy:
{ "Statement": [ { "Action": "oss:*", "Effect": "Allow", "Principal": ["174649585760xxxx"], "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"] } ], "Version": "1" }
Step 2: Configure a bucket policy
Configure a bucket policy to prevent requests that are initiated from the VPC whose ID is not t4nlw426y44rd3iq4xxxx from accessing OSS resources.
Log on to the OSS console.
In the left-side navigation pane, click Buckets. On the Buckets page, find and click examplebucket.
In the left-side navigation tree, choose Permission Control > Bucket Policy.
On the Bucket Policy page, click Add by Syntax.
Click Edit and enter the following bucket policy:
{ "Statement" : [ { "Action": ["oss:*"], "Effect": "Deny", "Principal": ["*"], "Resource": "acs:oss:*:*:*", "Condition": { "StringNotEquals" : { "acs:SourceVpc": ["t4nlw426y44rd3iq4xxxx"] } } } ] , "Version": "1" }Click Save. In the dialog box that appears, click OK.