Object Storage Service (OSS) provides access control lists (ACLs), RAM and bucket policies, and hotlink protection based on Referer whitelists to control and manage access to your OSS resources.
ACLs
OSS provides ACLs for access control. You can configure ACL for buckets and objects to control access. You can set the bucket or object ACL when you create a bucket or upload an object. You can also modify the ACL of a created bucket or an uploaded object at any time.
Bucket ACLs
Bucket ACLs are used to control access to buckets. The following table describes the ACLs that you can configure for a bucket.
ACL
Description
Access control
Public Read/Write
Public-read-write
All users, including anonymous users, can read data from, write data to, and delete objects in the bucket. The bucket owner is charged for these operations. Exercise caution when you set the bucket ACL to Public Read/Write.
WarningIf you set the ACL of a bucket to public read/write, all users can access the objects in the bucket and write data to the bucket over the Internet. This may result in unauthorized access to the data in your bucket and high costs. If a user uploads prohibited data or information, your legitimate interests and rights may be infringed. Therefore, we recommend that you do not set the ACL of a bucket to public-read-write unless necessary.
Public Read
Public-read
Only the bucket owner and authorized users can write data to and delete objects in the bucket. Other users, including anonymous users, can only read the objects in the bucket.
WarningThis may result in unexpected access to the data in your bucket and unexpectedly high costs. Exercise caution when you set your bucket ACL to this value.
Private
Private
Only the bucket owner and authorized users can read data from, write data to, and delete objects in the bucket. Other users cannot access the objects in the bucket.
Object ACLs
Object ACLs are used to control access to objects. The following table describes the ACLs that you can configure for an object.
ACL
Description
Access control
Public Read/Write
Public-read-write
All users can read data from and write data to the object.
WarningIf you set the object ACL to this value, all users can access the object and write data to the object over the Internet. This may result in unauthorized access to data in your bucket and high costs. If a user uploads prohibited data or information to the bucket, your legitimate interests and rights may be infringed. Therefore, we recommend that you do not set the ACL of a bucket to public-read-write unless necessary.
Public Read
Public-read
Only the object owner can read data from and write data to the object. Other users can only read the object.
WarningThis may result in unauthorized access to data in your bucket and high costs. Exercise caution when you set the object ACL to public-read.
Private
Private
Only the object owner can read data from and write data to the object. Other users cannot access the object.
Inherited from Bucket
Default
The ACL of the object is the same as that of the bucket in which the object is stored.
NoteBy default, the ACL of an object is inherited from the bucket. The ACL of an object takes precedence over that of the bucket in which the object is stored. For example, if the ACL of an object is set to public-read, all authenticated and anonymous users can read the object regardless of the bucket ACL.
For more information, see Object ACLs.
RAM policies based on users
RAM is a resource access control service provided by Alibaba Cloud. You can configure RAM policies based on users. You can configure RAM policies to manage your users, such as employees, systems, or applications, by specifying the resources that are accessible to the users in the RAM policies. For example, you can create a RAM policy to grant users the read permissions on only specific objects in a bucket.
A RAM policy is in the JSON format. You can configure a RAM policy by specifying the Action, Effect, Resource, and Condition elements in the statements. You can specify multiple statements in a RAM policy to help you manage authorization in a more efficient manner. For more information, see System policies for OSS and Custom policies for OSS.
Temporary access authorization based on STS
RAM policies allow you to manage long-term access permissions. If you want to allow users to access resources only for a short period of time, you can use Security Token Service (STS) to create temporary access credentials. You can obtain temporary access credentials which consist of an AccessKey pair and a security token from environment variables by using STS SDKS, and send them to temporary users to access the corresponding resources. The permissions that are obtained by using STS are restricted and have time limits. The leak of temporary access credentials causes lower-level risks than the leak of other credentials.
You can use STS to authorize temporary access to OSS. You can use STS to grant temporary access credentials that have a custom validity period and custom permissions to a third-party application or a RAM user that is managed by you. For more information, see Use OSS with RAM.
Bucket policies based on resources
A bucket policy is a resource-based authorization policy. Compared with RAM policies, bucket policies can be configured in the OSS console. The bucket owner can grant other users permissions to access OSS resources.
By configuring bucket policies, you can authorize RAM users of another Alibaba Cloud account to access your OSS resources or authorize anonymous users from specific IP addresses to access your OSS resources. For more information, see Configure bucket policies to authorize other users to access OSS resources.
Hotlink protection based on Referer whitelists
You are charged for OSS based on resource usage. To prevent additional fees caused by unauthorized access to the data in your bucket, you can configure hotlink protection for your buckets based on the Referer field in HTTP and HTTPS requests.
You can configure a Referer whitelist to allow only requests from specific domain names or HTTP and HTTPS requests that contain the Referer header to access your OSS resources. Hotlink protection can prevent the data in public-read or public-read-write buckets from being hotlinked to protect your legal rights. For more information, see Hotlink protection.