By default, the access control list (ACL) of Object Storage Service (OSS) resources, including buckets and objects, is set to private to ensure data security. Only the owners of the resources and authorized users can access these resources. OSS allows you to configure a variety of policies to grant third-party users specific permissions to access or use your OSS resources.
The following table describes the access control methods that you can configure for buckets and the objects stored in them.

| Method | Description | Scenario |
| --- | --- | --- |
| RAM policy | Resource Access Management (RAM) is the Alibaba Cloud service for managing access permissions on resources. RAM policies are identity-based authorization policies: you attach them to RAM users (employees, systems, or applications) or roles to control what those identities may do with your resources. | Grant a RAM user of your own Alibaba Cloud account a specific permission, for example read-only access to a single bucket. |
| Bucket policy | A bucket policy is a resource-based authorization policy attached to the bucket itself. Unlike RAM policies, bucket policies can be configured directly in the OSS console, and the owner of a bucket can configure them without holding any RAM permissions. | Grant permissions to RAM users of other Alibaba Cloud accounts, or to anonymous users who access OSS from specified IP addresses. |
| Bucket ACL | You can configure the ACL of a bucket when you create it or modify it later. Only the bucket owner can configure or modify the bucket ACL. Valid values: public-read-write, public-read, and private. Note that public-read-write lets anonymous users upload and overwrite objects, not only read them. | Configure the same access permissions for all objects in a bucket. |
| Object ACL | You can also configure the ACL of each object. You can set it when you upload the object or modify it afterwards. Valid values: default, public-read-write, public-read, and private. An object with the default ACL inherits the ACL of its bucket; any other value overrides the bucket ACL for that object. | Configure the access permissions of a single object. For example, if the bucket ACL is private (or all objects under a prefix are kept private), but one object must be readable by all anonymous users from the Internet, set the ACL of that object to public-read. |
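The following Python snippet is an added example and is not code from the OSS documentation. It builds the two policy documents described in the table (a RAM policy that grants read-only access to one bucket, and a bucket policy that grants access to listed principals, optionally restricted to source IP ranges) and then audits a bucket for anonymous Internet exposure across all three layers: bucket ACL, effective object ACL (a default object ACL inherits the bucket ACL), and bucket-policy statements that allow Principal "*" without a source-IP condition. The bucket name, account UID, object keys, and IP range are placeholder values; the policy JSON follows the documented RAM and bucket policy schema, but the audit logic is this example's own, not an OSS feature.

```python
"""Build OSS policy documents and audit a bucket for anonymous exposure.

Added example, not part of the OSS documentation. Account UIDs, bucket
names, object keys and IP ranges below are placeholders.
"""
import json
from typing import Dict, Iterable, List, Optional

BUCKET_ACLS = {"private", "public-read", "public-read-write"}
OBJECT_ACLS = BUCKET_ACLS | {"default"}
# ACL values that allow anonymous (unauthenticated) access.
PUBLIC_ACLS = {"public-read", "public-read-write"}


def ram_read_only_policy(bucket: str) -> dict:
    """Identity-based RAM policy: the attached RAM user may only read `bucket`.
    Listing needs the bucket resource; reading objects needs bucket/*."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:ListObjects", "oss:GetObject"],
            "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
        }],
    }


def bucket_policy(owner_uid: str, bucket: str, principals: Iterable[str],
                  source_ips: Optional[Iterable[str]] = None) -> dict:
    """Resource-based bucket policy. `principals` holds RAM user UIDs of
    other accounts, or "*" for anonymous users; `source_ips` restricts the
    grant to the given CIDR ranges via the acs:SourceIp condition key."""
    stmt = {
        "Effect": "Allow",
        "Action": ["oss:GetObject"],
        "Principal": list(principals),
        "Resource": [f"acs:oss:*:{owner_uid}:{bucket}/*"],
    }
    if source_ips:
        stmt["Condition"] = {"IpAddress": {"acs:SourceIp": list(source_ips)}}
    return {"Version": "1", "Statement": [stmt]}


def effective_object_acl(bucket_acl: str, object_acl: str) -> str:
    """An object ACL of 'default' inherits the bucket ACL; anything else
    overrides the bucket ACL for that object."""
    if bucket_acl not in BUCKET_ACLS or object_acl not in OBJECT_ACLS:
        raise ValueError("unknown ACL value")
    return bucket_acl if object_acl == "default" else object_acl


def anonymous_grants(policy: dict) -> List[List[str]]:
    """Actions granted to Principal "*" by Allow statements that carry no
    source-IP condition, i.e. reachable from anywhere on the Internet."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in stmt.get("Principal", []):
            continue
        ips = stmt.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp")
        if not ips:
            found.append(list(stmt.get("Action", [])))
    return found


def audit(bucket_acl: str, object_acls: Dict[str, str], policy: dict) -> List[str]:
    """Return human-readable findings describing anonymous exposure."""
    findings = []
    if bucket_acl in PUBLIC_ACLS:
        findings.append(f"bucket ACL is {bucket_acl}")
    for key, acl in object_acls.items():
        eff = effective_object_acl(bucket_acl, acl)
        if eff in PUBLIC_ACLS:
            findings.append(f"object {key} effective ACL is {eff}")
    for actions in anonymous_grants(policy):
        findings.append("bucket policy grants anonymous " + ",".join(actions))
    return findings


if __name__ == "__main__":
    # Constructed sample: private bucket, one object explicitly public-read,
    # and a bucket policy that opens reads to anonymous users from one CIDR.
    policy = bucket_policy("1234567890123456", "examplebucket", ["*"], ["192.0.2.0/24"])
    print(json.dumps(ram_read_only_policy("examplebucket"), indent=2))
    print(json.dumps(policy, indent=2))
    for line in audit("private", {"a.txt": "default", "b.txt": "public-read"}, policy):
        print("FINDING:", line)
```

In a real audit the three inputs come from the OSS API (bucket ACL, per-object ACLs, and the bucket policy JSON) rather than literals; the point of separating the evaluation from the fetch is that the same logic can be run against stored configuration exports offline.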
References
For more information about how to enable Block Public Access for buckets and objects, see Block Public Access.
For more information about permission management mechanisms of OSS, see Authorization.