A public-read bucket grants all users (including anonymous ones) read access to objects in the bucket, whereas a public-read-write bucket grants all users (including anonymous ones) both read and write access to objects in the bucket. Creating a public-read or public-read-write bucket can cause data leaks and pose a significant data security risk. For security purposes, we recommend that you prevent the creation of public-read and public-read-write buckets by using the Block Public Access feature or configuring Resource Access Management (RAM) policies.
Scenarios
Type | Scenario
Block Public Access | Prevent an Alibaba Cloud account and all RAM users of the account from creating public-read or public-read-write buckets
RAM policy | Prevent a specific RAM user from creating public-read or public-read-write buckets
Prevent an Alibaba Cloud account and all RAM users of the account from creating publicly accessible buckets
You can globally block public access to prevent your Alibaba Cloud account and all RAM users within the account from creating public-read and public-read-write buckets by using the following steps:
Log on to the OSS console.
In the left-side navigation pane, choose the entry that opens the Block Public Access page.
On the Block Public Access page, turn on Block Public Access and follow the on-screen instructions.
After you globally block public access, you cannot create publicly accessible buckets by using the Alibaba Cloud account or as any RAM user of the account. In addition, public access authorization for existing buckets is revoked. The Block Public Access feature denies public access on all existing and newly created buckets in the account.
Prevent a specific RAM user from creating publicly accessible buckets
You can configure a RAM policy to prevent a specific user from creating public-read and public-read-write buckets by using the following steps:
Create a RAM policy by using the JSON policy editor. For more information, see Create a custom policy on the JSON tab.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PutBucket"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ],
      "Condition": {
        "StringLike": {
          "oss:x-oss-acl": [
            "public-read",
            "public-read-write"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:PutBucket"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ]
    }
  ]
}
Attach the RAM policy to the RAM user. For more information, see Grant permissions to a RAM user.
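The policy above works because RAM evaluates an explicit Deny before any Allow, and the Deny statement only fires when the oss:x-oss-acl request header matches one of the public ACL values. The following added example is not Alibaba Cloud code and does not call any OSS or RAM API: it is an offline simulation of that evaluation order, written to let you check what decision the page's policy yields for a given PutBucket request before you attach it. The resource string format, the default-private assumption when no ACL header is sent, and the use of a case-sensitive glob for StringLike are assumptions of this simulation, not guarantees about the RAM engine.

```python
import fnmatch
import json

# The policy from this page, verbatim.
POLICY = json.loads("""
{ "Version": "1", "Statement": [
  { "Effect": "Deny", "Action": [ "oss:PutBucket" ], "Resource": [ "acs:oss:*:*:*" ],
    "Condition": { "StringLike": { "oss:x-oss-acl": [ "public-read", "public-read-write" ] } } },
  { "Effect": "Allow", "Action": [ "oss:PutBucket" ], "Resource": [ "acs:oss:*:*:*" ] } ] }
""")


def _matches(patterns, value):
    # Assumption: RAM wildcards behave like a case-sensitive shell glob,
    # where '*' also spans the ':' separators of an ARN-style resource.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, context):
    """True when every condition key is present in the request context and matches.

    A missing context key (for example, PutBucket sent without an
    x-oss-acl header) means the condition is NOT satisfied, so a Deny
    guarded by it does not apply."""
    for operator, keys in (condition or {}).items():
        if operator != "StringLike":
            raise ValueError(f"operator not modelled by this simulation: {operator}")
        for key, patterns in keys.items():
            if key not in context or not _matches(patterns, context[key]):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' using deny-overrides logic."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins regardless of later Allows
        decision = "Allow"
    return decision


def put_bucket_decision(acl=None, region="cn-hangzhou", bucket="examplebucket"):
    """Decision for a simulated PutBucket on a constructed resource name.

    acl=None models a request with no x-oss-acl header, which OSS treats as
    a private bucket (assumption of this simulation)."""
    resource = f"acs:oss:{region}:*:{bucket}"  # constructed, hypothetical ARN
    context = {} if acl is None else {"oss:x-oss-acl": acl}
    return evaluate(POLICY, "oss:PutBucket", resource, context)


if __name__ == "__main__":
    for acl in (None, "private", "public-read", "public-read-write"):
        print(f"PutBucket with acl={acl!r}: {put_bucket_decision(acl)}")
```

Run it as-is to see that only the two public ACL values are denied; a private bucket, or a request that sends no ACL at all, is still allowed by the second statement, and an unrelated action such as oss:GetObject falls through to an implicit deny because this policy grants nothing else.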
References
For more information about bucket-level access control lists (ACLs), see Bucket ACLs.
For more information about RAM policy syntax and access control, see RAM policies.
For more information about the effect of the Block Public Access feature, see Block Public Access.