Overview
This topic describes how to control access permissions on Alibaba Cloud Object Storage Service (OSS) to make OSS resource access more secure.
Background information
OSS provides multiple ways to grant OSS resource permissions to other users. You can use the following mechanisms to control access to OSS resources to ensure data security.
- Bucket ACL: You can use an access control list (ACL) to grant access permissions to a bucket and the objects in it. The available bucket ACLs are public read/write, public read, and private.
- Object ACL: This ACL controls the access permissions of individual objects. You can configure the ACL when you upload an object, and you can modify it at any time after the upload based on your business requirements.
- Bucket Policy: You can use the Bucket Policy feature in the console to authorize other users to access your OSS resources in an easy and intuitive way, such as granting access permissions to RAM users of other Alibaba Cloud accounts, or granting anonymous users access permissions that are restricted to specific source IP addresses.
- RAM Policy: Create RAM policies to control access to buckets and folders. OSS provides a RAM policy editor that helps you generate RAM policies quickly. The following example shows a practical tutorial:
- Use STS temporary access credentials to access OSS: Use Alibaba Cloud STS (Security Token Service) to grant third-party applications or RAM users temporary access permissions with a custom validity period.
- Anti-leech (hotlink protection): Configure a whitelist of allowed access sources (Referer) to prevent your OSS resources from being hotlinked and your traffic from being consumed by other sites.
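As an added example (not code from the Alibaba Cloud documentation), the following Python script builds the kind of bucket policy described above: anonymous users get read access only from an allow-listed IP range, and a RAM user from another account gets read and list access from anywhere. It also includes a deliberately simplified evaluator so you can see why a given request is allowed or denied (default deny, a matching Deny statement always wins, otherwise a matching Allow grants access). The bucket name, the RAM user UID and the IP range are constructed placeholders, and the evaluator is a teaching model, not the OSS authorization engine.

```python
"""
Added example, not part of the Alibaba Cloud OSS documentation.
Builds an OSS-style bucket policy document and evaluates sample requests
against it with a simplified model of policy evaluation.
"""
import ipaddress
import json
from fnmatch import fnmatchcase

BUCKET = "examplebucket"                    # placeholder bucket name
TRUSTED_ACCOUNT_UID = "123456789012345678"  # placeholder UID of a RAM user in another account
OFFICE_CIDR = "203.0.113.0/24"              # constructed documentation range (RFC 5737)


def build_bucket_policy(bucket, trusted_uid, allowed_cidr):
    """Return a bucket policy in the JSON structure OSS policies use:
    Version "1", a Statement list, Principal as a list of UIDs or "*",
    Resource in the form acs:oss:*:*:<bucket>/<key-pattern>, and an
    IpAddress condition on acs:SourceIp."""
    return {
        "Version": "1",
        "Statement": [
            {   # anonymous users may download objects, but only from the allowed range
                "Effect": "Allow",
                "Action": ["oss:GetObject"],
                "Principal": ["*"],
                "Resource": [f"acs:oss:*:*:{bucket}/*"],
                "Condition": {"IpAddress": {"acs:SourceIp": [allowed_cidr]}},
            },
            {   # the trusted RAM user of another account may list and download from anywhere
                "Effect": "Allow",
                "Action": ["oss:GetObject", "oss:ListObjects"],
                "Principal": [trusted_uid],
                "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
            },
        ],
    }


def _matches(patterns, value):
    # "*" and "prefix/*" style wildcards, as used in Principal, Action and Resource
    return any(fnmatchcase(value, p) for p in patterns)


def _ip_condition_ok(statement, source_ip):
    # a statement without an IP condition applies to every source address
    cidrs = statement.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp")
    if cidrs is None:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(policy, principal, action, resource, source_ip):
    """Simplified evaluation model (not the OSS engine): default deny,
    any matching Deny statement wins, otherwise a matching Allow grants."""
    decision = "Deny"
    for st in policy["Statement"]:
        applies = (_matches(st["Principal"], principal)
                   and _matches(st["Action"], action)
                   and _matches(st["Resource"], resource)
                   and _ip_condition_ok(st, source_ip))
        if not applies:
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, TRUSTED_ACCOUNT_UID, OFFICE_CIDR)
    print(json.dumps(policy, indent=2))
    obj = f"acs:oss:*:*:{BUCKET}/report.pdf"
    # anonymous download from the office range is allowed, from elsewhere it is denied
    print(evaluate(policy, "anonymous", "oss:GetObject", obj, "203.0.113.25"))
    print(evaluate(policy, "anonymous", "oss:GetObject", obj, "198.51.100.7"))
    # the trusted account may list the bucket from anywhere, but never write to it
    print(evaluate(policy, TRUSTED_ACCOUNT_UID, "oss:ListObjects", f"acs:oss:*:*:{BUCKET}", "198.51.100.7"))
    print(evaluate(policy, TRUSTED_ACCOUNT_UID, "oss:PutObject", obj, "198.51.100.7"))
```

The JSON that `build_bucket_policy` prints is the shape you would paste into the console's bucket policy editor. The evaluator is worth keeping next to it when reviewing a policy change: it makes the two common mistakes visible, granting `"Principal": ["*"]` without a condition (every source address matches) and forgetting that an Allow on `bucket/*` does not cover the bucket resource itself, so a list operation still fails.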
References
If an AccessDenied error occurs when you access OSS resources after you configure access permissions, or if public-read objects cannot be accessed, see the following documents for troubleshooting:
- Solution for OSS anonymous users unable to access public read objects
- Troubleshoot common errors related to OSS permissions
Applicable scope
- OSS