Public access blocking

Updated at: 2025-03-24 10:44

You can allow public access to Object Storage Service (OSS) resources by configuring bucket policies and access control lists (ACLs). Public access eliminates the need for permission verification and authentication, increasing the risks of data leaks and outbound Internet traffic. To mitigate risks associated with public access, OSS allows you to enable Block Public Access with a few steps at the global level and for individual buckets, access points, and Object FC Access Points. If you enable Block Public Access, existing public access permissions are ignored and you cannot configure public access permissions. This disables public data access and ensures data security.

Check whether public access is allowed in bucket policies and ACLs

To evaluate whether an OSS object is publicly accessible, you must review the bucket policy and ACLs (including the bucket ACL and object ACL). If any of the permission settings grants public access, your resource faces a security risk, and enabling Block Public Access is recommended.

Bucket policy

(Recommended) Call the GetBucketPolicyStatus operation

You can call the GetBucketPolicyStatus operation to check whether a bucket policy grants public access.

  • If the value of the IsPublic response parameter is true, the bucket policy grants public access.

  • If the value of the IsPublic response parameter is false, the bucket policy does not grant public access.

For more information, see GetBucketPolicyStatus.

Manually review bucket policy settings

Conditions and examples for non-public access

  • A bucket policy is considered to grant non-public access if the policy statements meet the criteria described in the following table.

    Note
    • The Action and Resource elements do not determine whether a bucket policy grants public access.

    • If the value of the Effect element in the bucket policy is Deny, the bucket policy does not grant public access.

    Element   | Field                                                         | Value
    ----------|---------------------------------------------------------------|--------------------------------------------------------------------
    Principal | N/A                                                           | One or more of the fields are set to fixed values, which are defined as values that do not contain the asterisk (*) wildcard character.
    Condition | acs:SourceVpcId, acs:SourceVpcIp, acs:SourceVpc, acs:AccessId | Same as above: one or more of the fields are set to fixed values that do not contain the asterisk (*) wildcard character.
    Condition | acs:SourceIp                                                  | For IPv4 addresses, the mask must be greater than or equal to 8. For IPv6 addresses, the mask must be greater than or equal to 32.

  • The following example bucket policy grants non-public access:

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "oss:GetObject",
                    "oss:GetObjectAcl",
                    "oss:GetObjectVersion",
                    "oss:GetObjectVersionAcl"
                ],
                "Effect":"Allow",
                "Principal":[
                    "20214760404935xxxx"
                ],
                "Resource":[
                    "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
                    "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
                ]
            },
            {
                "Action":[
                    "oss:ListObjects",
                    "oss:ListObjectVersions"
                ],
                "Condition":{
                    "StringLike":{
                        "oss:Prefix":[
                            "hangzhou/2020/*",
                            "shanghai/2015/*"
                        ]
                    }
                },
                "Effect":"Allow",
                "Principal":[
                    "20214760404935xxxx"
                ],
                "Resource":[
                    "acs:oss:*:174649585760xxxx:examplebucket"
                ]
            }
        ]
    }

Conditions and examples for public access

A bucket policy is considered to grant public access if it fails to meet the criteria for non-public access. Examples:

  • Example 1

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Principal": "*",
                "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*"
            }
        ]
    }
  • Example 2

    If a bucket policy contains both a public access statement that allows access from all virtual private clouds (VPCs) and a non-public access statement that allows access only from specific users, the bucket policy is considered to grant public access.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Principal": "*",
                "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*",
                "Condition": {
                    "StringLike": {
                        "acs:SourceVpc": [
                            "vpc-*"
                            ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "oss:*",
                "Principal": "27464958576xxxx",
                "Resource": "*"
            }
        ]
    }
ACL

  • If the bucket ACL or object ACL is set to public-read or public-read-write, public access is allowed.

  • If both the bucket ACL and the object ACL are set to private, public access is denied.
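The following Python is an added example, not code from the OSS documentation: it applies the manual-review criteria above to a bucket policy document (Deny never grants public access; an Allow statement is non-public if its Principal is fixed, if one of the listed Condition keys is fixed, or if acs:SourceIp meets the mask minimum) and then combines the result with the ACL rule. Treating a statement without a Principal as "*" is an assumption the page does not state.

```python
import ipaddress
import json

# Condition keys that make an Allow statement non-public when set to fixed values (no "*").
FIXED_CONDITION_KEYS = {"acs:SourceVpcId", "acs:SourceVpcIp", "acs:SourceVpc", "acs:AccessId"}
MIN_SOURCE_IP_MASK = {4: 8, 6: 32}  # minimum acs:SourceIp mask length that counts as restrictive
PUBLIC_ACLS = {"public-read", "public-read-write"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _fixed(value):
    # A fixed value is one that contains no "*" wildcard.
    return "*" not in value

def _source_ip_restricts(value):
    # A bare address or CIDR block restricts access only if its mask meets the minimum.
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return net.prefixlen >= MIN_SOURCE_IP_MASK[net.version]

def statement_is_public(stmt):
    """True if one statement grants public access under the page's criteria.
    Deny never grants public access. An Allow statement is non-public if its Principal
    is fixed, if one of FIXED_CONDITION_KEYS is fixed, or if acs:SourceIp is limited to
    a sufficiently masked range; Action and Resource play no part. A missing Principal
    is treated as "*" (an assumption, not something the page states).
    """
    if stmt.get("Effect") != "Allow":
        return False
    if all(_fixed(p) for p in _as_list(stmt.get("Principal", "*"))):
        return False
    for operands in stmt.get("Condition", {}).values():  # e.g. {"StringLike": {...}}
        for key, values in operands.items():
            values = _as_list(values)
            if key in FIXED_CONDITION_KEYS and all(_fixed(v) for v in values):
                return False
            if key == "acs:SourceIp" and all(_source_ip_restricts(v) for v in values):
                return False
    return True

def policy_is_public(policy_json):
    """A bucket policy is public as soon as any one of its statements is."""
    return any(statement_is_public(s) for s in json.loads(policy_json)["Statement"])

def resource_is_public(policy_json, bucket_acl, object_acl):
    """Either path allowing public access (policy or an ACL) makes the resource public."""
    return policy_is_public(policy_json) or bool({bucket_acl, object_acl} & PUBLIC_ACLS)
```

Run against the page's own examples, the non-public policy evaluates to False while Example 1 and Example 2 evaluate to True; the check is intended as a pre-screen before calling GetBucketPolicyStatus, not a replacement for it.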

Priorities of Block Public Access settings at different levels

OSS allows you to enable Block Public Access at the global level and for individual buckets, access points, and Object FC Access Points. If Block Public Access settings are configured at different levels, OSS will use the following priority order to determine the final access effect:

Global level (all OSS resources) > bucket > access point > Object FC Access Point

Whether public access is allowed at the next level depends on the Block Public Access settings at the previous level. If Block Public Access is enabled at the global level, public access to individual buckets, access points, and Object FC Access Points is blocked.

  • To allow public access to a bucket, you must disable Block Public Access at the global level and for the bucket.

  • To allow public access to a bucket by using an access point, you must disable Block Public Access at the global level, for the bucket with which the access point is associated, and for the access point.

  • To allow public access to a bucket by using an Object FC Access Point, you must disable Block Public Access at the global level, as well as for the access points of the bucket, the bucket with which the access points are associated, and the Object FC Access Point.

Usage notes

  • A RAM user requires corresponding permissions to enable Block Public Access:

    • At the global level: oss:PutPublicAccessBlock, oss:GetPublicAccessBlock, and oss:DeletePublicAccessBlock

    • For individual buckets: oss:PutBucketPublicAccessBlock, oss:GetBucketPublicAccessBlock, and oss:DeleteBucketPublicAccessBlock

    • For individual access points: oss:PutAccessPointPublicAccessBlock, oss:GetAccessPointPublicAccessBlock, and oss:DeleteAccessPointPublicAccessBlock

    • For individual Object FC Access Points: oss:PutAccessPointConfigForObjectProcess, oss:GetAccessPointConfigForObjectProcess, and oss:DeleteAccessPointForObjectProcess

  • If you enable Block Public Access, existing public access permissions are ignored and you cannot configure public access permissions. After you disable Block Public Access, existing public access permissions take effect again and you can configure new public access permissions.

  • If you configure a bucket policy that allows all users to manage an access point of a bucket, users can change the Block Public Access status of the access point by using the third-level domain name of the bucket, even if Block Public Access is enabled for the access point. The configurations of the access point do not take effect on access requests that are sent by using the subdomains of the bucket.

  • For cross-region replication (CRR) or same-region replication (SRR) tasks, the ACLs of objects before and after replication are not affected, regardless of whether Block Public Access is enabled for the source and destination buckets. If Block Public Access is enabled for the destination bucket, public access to the objects that are replicated to the destination bucket is not allowed even if the ACLs of the objects are public-read or public-read-write.

Methods

Use the OSS console

Enable Block Public Access at the global level

  1. Log on to the OSS console.

  2. In the left-side navigation pane, choose Data Service > Block Public Access.

  3. On the Block Public Access page, turn on Block Public Access and follow the on-screen instructions to complete the setting.

Enable Block Public Access for a bucket

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.

  3. In the left-side navigation tree, choose Permission Control > Block Public Access.

  4. On the Block Public Access tab, turn on Block Public Access and follow the on-screen instructions to complete the setting.

Enable Block Public Access for an access point

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Access Points. On the Access Points page, click the name of the access point for which you want to enable Block Public Access.

  3. In the Basic Information section, click Enable next to Block Public Access and follow the on-screen instructions to complete the setting.

Enable Block Public Access for an Object FC Access Point

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Object FC Access Points. On the Object FC Access Points page, click the Object FC Access Point for which you want to enable Block Public Access.

  3. In the Basic Information section, click Enable next to Block Public Access and follow the on-screen instructions to complete the setting.

Use ossutil

You can enable Block Public Access by using ossutil. For information about how to install ossutil, see Install ossutil.

  • The following sample command enables Block Public Access at the global level:

    ossutil api put-public-access-block --public-access-block-configuration "{\"BlockPublicAccess\":\"true\"}"

    For more information, see put-public-access-block.

  • The following sample command enables Block Public Access for a bucket named examplebucket:

    ossutil api put-bucket-public-access-block --bucket examplebucket --public-access-block-configuration "{\"BlockPublicAccess\":\"true\"}"

    For more information, see put-bucket-public-access-block.

  • The following sample command enables Block Public Access for an access point:

    ossutil api put-access-point-public-access-block --bucket examplebucket --access-point-name ap-01 --public-access-block-configuration "{\"BlockPublicAccess\":\"true\"}"

    For more information, see put-access-point-public-access-block.

Use the OSS API

If your business requires a high level of customization, you can directly call RESTful APIs. To directly call an API, you must include the signature calculation in your code.

  • To enable Block Public Access at the global level, call the PutPublicAccessBlock operation. For more information, see PutPublicAccessBlock.

  • To enable Block Public Access for a bucket, call the PutBucketPublicAccessBlock operation. For more information, see PutBucketPublicAccessBlock.

  • To enable Block Public Access for an access point, call the PutAccessPointPublicAccessBlock operation. For more information, see PutAccessPointPublicAccessBlock.

  • To enable Block Public Access for an Object FC Access Point, call the PutAccessPointConfigForObjectProcess operation. For more information, see PutAccessPointConfigForObjectProcess.

Related topics

Block Public Access settings manage access permissions at the global level, as well as for individual buckets, access points, and Object FC Access Points. To implement more granular access control on objects within a bucket, you can combine Block Public Access settings with bucket policies and object ACLs.
