
Object Storage Service:How can I prevent the creation of a public-read or public-read-write bucket?

Last Updated:Aug 16, 2024

A public-read bucket grants all users (including anonymous ones) read access to objects in the bucket, whereas a public-read-write bucket grants all users (including anonymous ones) both read and write access to objects in the bucket. Creating a public-read or public-read-write bucket can cause data leaks and pose a significant data security risk. For security purposes, we recommend that you prevent the creation of public-read and public-read-write buckets by using the Block Public Access feature or configuring Resource Access Management (RAM) policies.

Scenarios

Type: Prevent an Alibaba Cloud account and all RAM users of the account from creating public-read or public-read-write buckets

Scenario:

  • Sensitive data: If you want to store sensitive data in Object Storage Service (OSS), such as personally identifiable information and confidential business data, a good data security practice is to prevent your account and all RAM users of the account from creating publicly accessible buckets.

  • Compliance: Some industry standards or regulatory rules stipulate that no resources may be made publicly accessible.

  • Access control in a multi-user environment: If RAM users of an Alibaba Cloud account work on different projects or belong to different departments, restricting all users from creating publicly accessible buckets avoids security risks caused by incorrect bucket configurations.

Type: Prevent a specific RAM user from creating public-read or public-read-write buckets

Scenario:

  • Core team management: If an Alibaba Cloud account is managed by a team of core members who are well versed in the security policies and rules, blocking only specific RAM users from creating publicly accessible buckets protects data security while keeping access control flexible for these core members.

  • Access control for specific RAM users: In some scenarios, you may want to block only specific RAM users from creating publicly accessible buckets while allowing internal employees or advanced administrators to create publicly accessible buckets.

Prevent an Alibaba Cloud account and all RAM users of the account from creating publicly accessible buckets

You can globally block public access to prevent your Alibaba Cloud account and all RAM users within the account from creating public-read and public-read-write buckets by using the following steps:

  1. Log on to the OSS console.

  2. In the left-side navigation pane, choose Data Service > Block Public Access.

  3. On the Block Public Access page, turn on Block Public Access and follow the on-screen instructions.

Important

After you globally block public access, you cannot create publicly accessible buckets by using the Alibaba Cloud account or as any RAM user of the account. In addition, public access authorization for existing buckets is revoked. The Block Public Access feature denies public access on all existing and newly created buckets in the account.

Prevent a specific RAM user from creating publicly accessible buckets

You can configure a RAM policy to prevent a specific user from creating public-read and public-read-write buckets by using the following steps:

  1. Create a RAM policy by using the JSON policy editor. For more information, see Create a custom policy on the JSON tab.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "oss:PutBucket"
          ],
          "Resource": [
            "acs:oss:*:*:*"
          ],
          "Condition": {
            "StringLike": {
              "oss:x-oss-acl": [
                "public-read",
                "public-read-write"
              ]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutBucket"
          ],
          "Resource": [
            "acs:oss:*:*:*"
          ]
        }
      ]
    }
  2. Attach the RAM policy to the RAM user. For more information, see Grant permissions to a RAM user.
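To see how the Deny and Allow statements above combine, the following is an added Python example (not Alibaba Cloud's code) that simulates RAM evaluation of this exact policy against bucket-creation requests. It assumes that an explicit Deny overrides any Allow and that a StringLike condition is not met when the request carries no oss:x-oss-acl value; the resource name is constructed, and the oss:PutBucketAcl case is included only to show how an action the policy does not name evaluates.

```python
"""Constructed example: simulate the RAM policy from this page (POLICY) against PutBucket
requests. Explicit Deny wins over Allow; StringLike on oss:x-oss-acl needs the key present."""
from fnmatch import fnmatchcase

POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Action": ["oss:PutBucket"], "Resource": ["acs:oss:*:*:*"],
         "Condition": {"StringLike": {"oss:x-oss-acl": ["public-read", "public-read-write"]}}},
        {"Effect": "Allow", "Action": ["oss:PutBucket"], "Resource": ["acs:oss:*:*:*"]},
    ],
}
BUCKET = "acs:oss:cn-hangzhou:123456789012:example-bucket"  # constructed resource name

def _condition_met(condition, context):
    # Only StringLike is needed for this policy; every listed key must match.
    for key, patterns in condition.get("StringLike", {}).items():
        value = context.get(key)
        # No x-oss-acl header (the bucket is created private) means no match.
        if value is None or not any(fnmatchcase(value, p) for p in patterns):
            return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny cannot be overridden by any Allow
        decision = "Allow"
    return decision

def check_policy():
    """Outcomes for the cases that matter when reviewing this policy."""
    acl = lambda v: {"oss:x-oss-acl": v}
    return {
        "public-read": evaluate(POLICY, "oss:PutBucket", BUCKET, acl("public-read")),
        "public-read-write": evaluate(POLICY, "oss:PutBucket", BUCKET, acl("public-read-write")),
        "private": evaluate(POLICY, "oss:PutBucket", BUCKET, acl("private")),
        "no-acl-header": evaluate(POLICY, "oss:PutBucket", BUCKET),
        # Changing an existing bucket's ACL is a different action; this policy does not cover it.
        "put-bucket-acl": evaluate(POLICY, "oss:PutBucketAcl", BUCKET, acl("public-read")),
    }
```

The last case is the caveat to keep in mind: this policy only governs bucket creation, so access control for later ACL changes and for existing buckets has to come from elsewhere, such as the Block Public Access feature described above.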

References

  • For more information about bucket-level access control lists (ACLs), see Bucket ACLs.

  • For more information about RAM policy syntax and access control, see RAM policies.

  • For more information about the effect of the Block Public Access feature, see Block Public Access.