You can allow public access to Object Storage Service (OSS) resources by configuring bucket policies and access control lists (ACLs). Public access means access to OSS resources without specific permissions or authentication. Public access can easily cause data breaches and, under malicious access, generate a large amount of outbound traffic over the Internet. To prevent the risks caused by public access, OSS allows you to enable Block Public Access in a few steps for OSS, a bucket, an access point, or an Object FC Access Point. If you enable Block Public Access, existing public access permissions are ignored and you cannot configure new public access permissions. This closes the public data access channels and protects your data.
Check whether public access is allowed in bucket policies and ACLs
You must view the bucket policies and ACLs, including bucket ACLs and object ACLs, to check whether public access to OSS, a bucket, an access point, or an Object FC Access Point is allowed. If a bucket policy or ACL allows public access, your resources may be exposed to unauthorized users. To prevent public access, you can enable Block Public Access.
Bucket Policy
(Recommended) Call an API operation to check whether public access is allowed in bucket policies
You can call the GetBucketPolicyStatus operation to check whether public access is allowed in a bucket policy.
If the value of the IsPublic response parameter is true, public access is allowed in the bucket policy.
If the value of the IsPublic response parameter is false, public access is denied in the bucket policy.
For more information, see GetBucketPolicyStatus.
View bucket policies to check whether public access is allowed in the bucket policies
Conditions and examples for non-public access
Public access is not allowed in a bucket policy only if specific conditions are met. The following table describes the conditions.
Note: The Action and Resource elements are not used as conditions to check whether public access is allowed in the bucket policy. If the value of the Effect element in a statement is Deny, that statement does not grant public access.
Element: Principal
Field: N/A
Example: Set one or more fields to fixed values. The values cannot contain the asterisk (*) wildcard character.

Element: Condition
Fields: acs:SourceVpcId, acs:SourceVpcIp, acs:SourceVpc, acs:AccessId
Example: Set one or more of these fields to fixed values. The values cannot contain the asterisk (*) wildcard character.

Element: Condition
Field: acs:SourceIp
Example: For IPv4 addresses, the mask must be greater than or equal to 8. For IPv6 addresses, the mask must be greater than or equal to 32.
The following sample code provides an example of a bucket policy that denies public access:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Principal": ["20214760404935xxxx"],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
        "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
      ]
    },
    {
      "Action": [
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": ["hangzhou/2020/*", "shanghai/2015/*"]
        }
      },
      "Effect": "Allow",
      "Principal": ["20214760404935xxxx"],
      "Resource": ["acs:oss:*:174649585760xxxx:examplebucket"]
    }
  ]
}
Conditions and examples for public access
Public access is allowed in a bucket policy if one of the conditions for non-public access is not met. Examples:
Example 1
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:GetObject",
      "Principal": "*",
      "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*"
    }
  ]
}
Example 2
If a bucket policy contains both public access statements in which all virtual private clouds (VPCs) are allowed and non-public access statements in which only specific users are allowed, public access is allowed in the bucket policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:GetObject",
      "Principal": "*",
      "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*",
      "Condition": {
        "StringLike": {
          "acs:SourceVpc": ["vpc-*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Principal": "27464958576xxxx",
      "Resource": "*"
    }
  ]
}
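The following checker is an added example, not code from the OSS documentation or SDK: it applies the conditions above to a bucket policy and an ACL pair and returns whether public access is allowed. It assumes the reading the page's examples imply, that a statement is non-public as soon as it is a Deny, has a fixed Principal, or carries one qualifying Condition field; the sample policies are constructed from the page's examples, and `IpAddress` is assumed as the condition operator name (only the field name matters to the check).

```python
import ipaddress
import json

# Condition fields that, when set to fixed values, make an Allow statement non-public.
RESTRICTING_FIELDS = {"acs:SourceVpcId", "acs:SourceVpcIp", "acs:SourceVpc", "acs:AccessId"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _fixed(values):
    # "Fixed" as the page defines it: at least one value, and no asterisk (*) in any of them.
    return bool(values) and all("*" not in str(x) for x in values)

def _source_ip_restricts(values):
    # acs:SourceIp only counts if every mask is >= 8 (IPv4) or >= 32 (IPv6).
    try:
        nets = [ipaddress.ip_network(str(v), strict=False) for v in values]
    except ValueError:  # wildcards or malformed addresses do not restrict anything
        return False
    return bool(nets) and all(n.prefixlen >= (8 if n.version == 4 else 32) for n in nets)

def statement_is_public(stmt):
    """Assumed rule: Deny, a fixed Principal, or one qualifying Condition field => non-public."""
    if stmt.get("Effect") == "Deny":
        return False
    if _fixed(_as_list(stmt.get("Principal", []))):
        return False
    for fields in stmt.get("Condition", {}).values():  # {"StringLike": {field: values}, ...}
        for field, vals in fields.items():
            vals = _as_list(vals)
            if field in RESTRICTING_FIELDS and _fixed(vals):
                return False
            if field == "acs:SourceIp" and _source_ip_restricts(vals):
                return False
    return True

def policy_is_public(policy_json):
    """A policy is public if any one statement is public (the page's Example 2)."""
    return any(statement_is_public(s) for s in json.loads(policy_json).get("Statement", []))

def acl_is_public(bucket_acl, object_acl):
    # Either ACL set to public-read or public-read-write allows public access.
    return bool({bucket_acl, object_acl} & {"public-read", "public-read-write"})

# Constructed samples modelled on the page's examples (account IDs are the page's placeholders).
PUBLIC = '{"Version":"1","Statement":[{"Effect":"Allow","Action":"oss:GetObject","Principal":"*","Resource":"acs:oss:*:17464958576xxxx:examplebucket/*"}]}'
VPC_WILDCARD = '{"Version":"1","Statement":[{"Effect":"Allow","Action":"oss:GetObject","Principal":"*","Resource":"*","Condition":{"StringLike":{"acs:SourceVpc":["vpc-*"]}}},{"Effect":"Allow","Action":"oss:*","Principal":"27464958576xxxx","Resource":"*"}]}'
FIXED_PRINCIPAL = '{"Version":"1","Statement":[{"Effect":"Allow","Action":"oss:GetObject","Principal":["20214760404935xxxx"],"Resource":"*"}]}'
IP_RESTRICTED = '{"Version":"1","Statement":[{"Effect":"Allow","Action":"oss:GetObject","Principal":"*","Resource":"*","Condition":{"IpAddress":{"acs:SourceIp":["203.0.113.0/24"]}}}]}'
OPEN_IP = '{"Version":"1","Statement":[{"Effect":"Allow","Action":"oss:GetObject","Principal":"*","Resource":"*","Condition":{"IpAddress":{"acs:SourceIp":"0.0.0.0/0"}}}]}'
```

Run `policy_is_public(OPEN_IP)` to see why a SourceIp condition with a /0 mask is no restriction at all, which is the edge case the mask rule in the table exists for.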
ACL
If the bucket ACL or object ACL is set to public-read or public-read-write, public access is allowed.
If both the bucket ACL and the object ACL are set to private, public access is denied.
Priority of the Block Public Access configurations
OSS allows you to enable Block Public Access for OSS, a bucket, an access point, or an Object FC Access Point. If the configurations of Block Public Access are different, OSS applies the following priorities:
OSS > A bucket > An access point > An Object FC Access Point
Whether public access is allowed at the next level varies based on the Block Public Access configurations at the previous level. If Block Public Access is enabled for OSS, public access to a bucket, an access point, or an Object FC Access Point is not allowed.
If you want to allow public access to a bucket, you must disable Block Public Access for OSS and the bucket.
If you want to allow public access to a bucket by using an access point, you must disable Block Public Access for OSS, the bucket with which the access point is associated, and the access point.
If you want to allow public access to a bucket by using an Object FC Access Point, you must disable Block Public Access for OSS, the bucket, the access points of the bucket with which the Object FC Access Point is associated, and the Object FC Access Point itself.
Usage notes
To use a RAM user to enable Block Public Access for OSS, a bucket, an access point, or an Object FC Access Point, the RAM user must have the following permissions:
Enable Block Public Access for OSS: oss:PutPublicAccessBlock, oss:GetPublicAccessBlock, and oss:DeletePublicAccessBlock.
Enable Block Public Access for a bucket: oss:PutBucketPublicAccessBlock, oss:GetBucketPublicAccessBlock, and oss:DeleteBucketPublicAccessBlock.
Enable Block Public Access for an access point: oss:PutAccessPointPublicAccessBlock, oss:GetAccessPointPublicAccessBlock, and oss:DeleteAccessPointPublicAccessBlock.
Enable Block Public Access for an Object FC Access Point: oss:PutAccessPointConfigForObjectProcess, oss:GetAccessPointConfigForObjectProcess, and oss:DeleteAccessPointForObjectProcess.
If you enable Block Public Access, existing public access permissions are ignored and you cannot configure public access permissions. If you disable Block Public Access, existing public access permissions take effect and you can configure public access permissions.
If you configure a bucket policy that allows all users to manage an access point of a bucket, those users can change the Block Public Access status of the access point by sending requests to the third-level domain name of the bucket, even if Block Public Access is enabled for the access point. This is because the configurations of an access point do not apply to requests sent through the subdomains of the bucket.
For cross-region replication (CRR) or same-region replication (SRR) tasks, the ACL of objects before and after replication is not affected, regardless of whether Block Public Access is enabled for the source or destination bucket. If Block Public Access is enabled for the destination bucket, public access to the objects replicated to the destination bucket is not allowed even if the ACL of those objects is public-read or public-read-write.
Procedure
Use the OSS console
Use the OSS API
References
Block Public Access allows you to manage access to OSS, buckets, access points, and Object FC Access Points in a centralized manner. To manage access to specific resources in a bucket, or to a single object, in a fine-grained manner, you must use bucket policies together with object ACLs.