A bucket is a container used to store objects in Object Storage Service (OSS). Buckets help you efficiently organize and manage objects. This topic describes basic information about buckets and provides follow-up guidelines.
Features
Limits on bucket capacity and number: You can create up to 100 buckets in a region by using an Alibaba Cloud account. No limit is imposed on the capacity of a bucket.
Flat structure: Buckets use a flat structure instead of a hierarchical structure to store objects and do not have directories, as shown in the following figure. To facilitate object management, graphical tools, such as the OSS console and ossbrowser, display objects whose names end with a forward slash (/) as directories. For more information, see Manage directories.
Basic information
Before you use buckets, take note of the following items:
Bucket name: When you create a bucket, you must specify the name of the bucket. The name of a bucket must be unique in OSS in an Alibaba Cloud account. We recommend that you use a business-related name to facilitate identification. For example, myapp-logs-Hangzhou specifies a bucket in which the logs of myapp in the Hangzhou region are stored. For more information, see Naming conventions.
Region: When you create a bucket, you must specify the physical location of the bucket. You cannot change the region of a bucket after you create the bucket. To improve access speed, we recommend that you select a region that is geographically closest to your business. For more information, see Choose an OSS region.
Endpoint: You can use an endpoint to access objects in OSS. Each region has its own endpoints. To access objects in a bucket by calling API operations or by using OSS SDKs, ossutil, and ossfs, you must use the endpoint of the region in which the bucket is located. For more information, see Regions and endpoints.
Storage class: OSS provides the following storage classes to meet different storage requirements: Standard (default), Infrequent Access (IA), Archive, Cold Archive, and Deep Cold Archive. You can store objects in different storage classes based on the application scenarios to reduce storage costs. For example, Standard is suitable for frequently accessed objects, while Cold Archive is suitable for cold data that must be retained for a long period of time. For more information, see Overview.
Redundancy type: The redundancy mechanism improves data reliability by backing up data in multiple devices or zones. If you require higher reliability, we recommend that you select zone-redundant storage (ZRS). If you want to reduce costs, we recommend that you select locally redundant storage (LRS). ZRS is used by default. For more information, see Storage redundancy.
Important: LRS supports the following storage classes: Standard, IA, Archive, Cold Archive, and Deep Cold Archive. ZRS supports the following storage classes: Standard, IA, and Archive.
ACL: You can specify the bucket access control list (ACL) to manage the read and write permissions on the bucket and objects in the bucket. Bucket ACLs include private (default), public-read, and public-read-write. We recommend that you set the bucket ACL to private to ensure data security. For more information, see Access and control.
Block Public Access: If you enable Block Public Access for a bucket, existing public access permissions are ignored and you cannot configure public access permissions. This disables public data access channels and ensures data security. By default, this feature is enabled. For more information, see Block Public Access.
Resource group: You can select resource groups to which buckets belong to manage the buckets by department or project. A default resource group is provided for use. For more information, see Use resource groups.
Operations
After you are familiar with the basic information about buckets, you can use and manage buckets based on your business requirements.
Bucket-related operations
Operation | Description
Create a bucket | Before you upload an object to OSS, you must create a bucket to store the object.
List buckets | You can specify different conditions to list all buckets or specific buckets in a region.
Delete a bucket | You can delete a bucket that is no longer required to release storage capacity.
View bucket statistics | You can view basic statistics, ranking statistics, region and operator statistics, API statistics, and object access statistics in the OSS console.
Query the region of a bucket | If you created a large number of buckets across regions, you can specify the bucket name to query the region of the bucket.
FAQ about buckets | If you encounter issues when you use buckets, see FAQ about buckets.
Bucket configurations
Operation | Description
Bucket tagging | OSS allows you to configure bucket tags to classify and manage buckets. For example, you can list buckets that have specific tags and configure the ACL for buckets that have specific tags.
Map a custom domain name to the default domain name of a bucket | After you upload objects to a bucket, OSS automatically generates URLs that include the public endpoint of the bucket for the uploaded objects. You can use these URLs to access the objects. If you want to access the objects by using a custom domain name, you must map the custom domain name to the bucket in which the objects are stored.
Transfer acceleration | OSS uses regions that are distributed around the world to perform transfer acceleration. When a request to access your bucket is sent, the request is parsed and routed to the region in which the bucket is located over the optimal network path and protocol. The transfer acceleration feature provides an optimized end-to-end acceleration solution to access OSS over the Internet.
Pay-by-requester | If you want requesters to pay the fees that are generated when they access objects in a bucket, enable pay-by-requester for the bucket.
Resource groups | A resource group is a resource-based access control method. You can group your buckets based on your business requirements and configure different access permissions for different resource groups. This way, you can manage access to your buckets by group.
Access control
By default, Alibaba Cloud uses an Alibaba Cloud account to perform OSS operations. However, the Alibaba Cloud account has full access permissions, which poses high security risks. We recommend that you use an Alibaba Cloud account to create RAM users as account administrators and attach RAM policies to the RAM users to grant permissions to the RAM users. If you want to authorize bucket access across accounts, you can configure bucket policies to grant other accounts the permissions to access the bucket. If you want to implement coarse-grained access control on a bucket, you can specify the bucket ACL to manage access to the bucket. We recommend that you turn on Block Public Access to prevent accidental data disclosure and enhance data security.
Feature | Description
Block Public Access | If you enable Block Public Access, existing public access permissions are ignored and you cannot configure public access permissions. This disables public data access channels and ensures data security. By default, Block Public Access is enabled when you create a bucket.
Bucket ACL | You can configure the ACL for a bucket when you create the bucket or change the ACL of an existing bucket based on your business requirements. Only the owner of a bucket can configure or change the ACL of the bucket.
Bucket policy | You can configure bucket policies for a bucket to grant permissions to other users to access specific OSS resources.
RAM policy | Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage access permissions on resources. RAM policies are user-based authorization policies. You can configure RAM policies to manage users, such as employees, systems, or applications. You can specify which resources are accessible to the users. For example, you can create a RAM policy to grant users only read permissions on a bucket.
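The following added example (not part of this topic or of any Alibaba Cloud SDK) contrasts a full-access RAM policy with the read-only, single-bucket policy recommended above, and includes a small check that flags Allow statements broader than read-only on one bucket. The bucket name `example-bucket` is a placeholder, and the set of actions treated as read-only is this example's own assumption.

```python
# Constructed example of an overly broad RAM policy: every OSS action on every bucket.
# This is the kind of permission the topic warns against leaving with day-to-day users.
FULL_ACCESS_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}
    ],
}

# Constructed read-only policy scoped to one bucket (placeholder name).
# Listing needs the bucket resource; reading objects needs the "bucket/*" resource.
READ_ONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:ListObjects", "oss:GetObject"],
            "Resource": [
                "acs:oss:*:*:example-bucket",
                "acs:oss:*:*:example-bucket/*",
            ],
        }
    ],
}

# Assumption of this example: only these actions count as "read" for the check below.
READ_ONLY_ACTIONS = {"oss:ListObjects", "oss:GetObject"}


def _as_list(value):
    """RAM allows Action/Resource as a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list[str]:
    """Return findings for Allow statements broader than read-only on one bucket.

    Deny statements are skipped: they only narrow permissions.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in READ_ONLY_ACTIONS:
                findings.append(f"statement {i}: write or admin action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.startswith("acs:oss:*:*:*"):
                findings.append(f"statement {i}: resource {resource!r} covers every bucket")
    return findings
```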
Data security
Operation | Description
Versioning | After you enable versioning for a bucket, each time you upload an object that has the same name as an existing object in the bucket, a new version is created. In this case, the existing object is not overwritten. This way, you can find and restore previous versions of the object at any time. This feature is suitable for scenarios in which you frequently update objects or historical objects need to be retained.
Hotlink protection | You can configure hotlink protection for a bucket to prevent unauthorized access to resources in the bucket.
CORS | Cross-origin resource sharing (CORS) is a standard cross-origin solution provided by HTML5 to allow web application servers to control cross-origin access. This ensures the security of data transmission across origins.
WORM | OSS supports the Write Once Read Many (WORM) feature. The feature helps prevent objects from being deleted or overwritten within a specific period of time. Enterprises use this feature to comply with the regulations of the U.S. Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA).
Server-side encryption | OSS encrypts objects uploaded to a bucket for which server-side encryption is configured and stores the encrypted objects. When you call the GetObject operation to download an object, OSS decrypts and returns the object. The x-oss-server-side-encryption header is included in the response to indicate that the object is encrypted on the server side.
TLS versions | Communication between the client applications and OSS is encrypted by using Transport Layer Security (TLS) to ensure the security of the communication link. You can specify the allowed TLS versions to improve the security of connections between the client applications and OSS.
Data management
Operation | Description
Same-region replication (SRR) | Same-region replication (SRR) allows you to automatically and asynchronously (in near real-time) replicate objects across buckets within the same region. SRR replicates operations, such as object creation, update, and deletion, from a source bucket to a destination bucket.
Cross-region replication (CRR) | Cross-region replication (CRR) allows you to automatically and asynchronously (in near real-time) replicate objects from a bucket in one region to a bucket in a different region. CRR replicates operations, such as object creation, update, and deletion, from a source bucket to a destination bucket.
Lifecycle rules | You can configure lifecycle rules for a bucket based on the last modified time and last access time of objects in the bucket. This way, OSS can regularly convert the storage class of the objects or delete expired objects and parts to reduce your storage costs.
Bucket inventory | You can use the bucket inventory feature to export information about specific objects in a bucket, such as the number, size, storage class, and encryption status of the objects. To list a large number of objects, we recommend that you use the bucket inventory feature instead of calling the GetBucket (ListObjects) operation.
Static website hosting | Static websites are websites in which all web pages consist of only static content, including scripts such as JavaScript code that can be run on a client. You can use the static website hosting feature to host your static website on an OSS bucket and use the domain name of the bucket to access the website. For more information, see Map custom domain names.
Mirroring-based back-to-origin | After you configure mirroring-based back-to-origin rules for a bucket, if a requested object does not exist in the bucket, OSS obtains the object from the origin specified by the back-to-origin rules. OSS returns the object retrieved from the origin to the requester and stores the object in the bucket.
Real-time access of Archive objects | After you enable real-time access of Archive objects for a bucket, you can access Archive objects in the bucket in real time without the need to restore them. Compared with accessing restored objects, real-time access of Archive objects requires less time to retrieve data but generates higher data retrieval fees.
Data processing
Operation | Description
Image processing (IMG) | You can use image processing (IMG) to resize images, crop images, and configure image styles.
Event notifications | You can configure event notification rules for objects that you want to monitor in the OSS console. If the events that are specified in the rules occur on these objects, you can be immediately notified.
Log management
Feature | Description
Logging | A large number of logs are generated when OSS resources are accessed. After you enable and configure logging for a bucket, OSS generates logs on an hourly basis based on predefined naming conventions and then stores the logs in a specific bucket. You can use Simple Log Service or build a Spark cluster to analyze the logs.
Real-time log query | Real-time log query allows you to query, filter, and analyze OSS access logs in the OSS console to track exceptions and troubleshoot errors. You can enable real-time log query based on your business requirements.
Data lake management
Feature | Description
OSS-HDFS | OSS-HDFS integrates OSS and Hadoop Distributed File System (HDFS). OSS-HDFS allows you to store data in OSS and use Hadoop tools to process and analyze the data. OSS-HDFS is suitable for scenarios in which a large amount of data needs to be processed, such as big data analysis, data mining, and machine learning scenarios.