
Object Storage Service: Use VPC policies and bucket policies to control data access

Last Updated:Oct 19, 2024

You can configure virtual private cloud (VPC) policies to specify resources that can be accessed by authorized users and configure bucket policies to specify users who can access the resources. This way, your data in the cloud can be accessed by authorized users in a secure network and is protected from unauthorized access.

Prerequisites

A VPC is created in the same region in which the bucket is located. For more information, see Create and manage a VPC.

Background information

The following figure shows the architecture that is used to control data access from the source to the destination.


Based on the preceding architecture, Object Storage Service (OSS) determines whether to allow users to access resources based on the following rules:

  • Allow access to resources

    Access to resources in authorized buckets is allowed if it is initiated from authorized VPCs by using the AccessKey pairs of authorized users.

  • Deny access to resources

    • Access to resources in unauthorized buckets is denied if it is initiated from authorized VPCs by using the AccessKey pairs of unauthorized users.

    • Access to resources in authorized buckets is denied if it is initiated from unauthorized VPCs by using the AccessKey pairs of authorized users.

Scenarios

A user whose UID is 174649585760xxxx creates a bucket named examplebucket in OSS to store important business data. The user also purchases multiple Elastic Compute Service (ECS) instances and deploys these instances in a VPC whose ID is t4nlw426y44rd3iq4xxxx.

To control data access at the source, the user wants to configure a VPC policy that allows requests initiated from the current VPC to access only specific OSS resources in examplebucket. To control data access at the destination, the user also wants to configure a bucket policy that blocks all requests to examplebucket that are initiated from other VPCs.

Step 1: Configure a VPC policy

Configure a VPC policy to allow requests that are initiated from the VPC whose ID is t4nlw426y44rd3iq4xxxx to access only OSS resources in examplebucket.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click Endpoints.

  3. In the top navigation bar, select the region where you want to create the gateway endpoint.

  4. On the Interface Endpoint tab of the Endpoints page, click Create Endpoint.

  5. On the Create Endpoint page, configure the parameters and click OK. The following table describes the parameters.

    Endpoint Name: Enter a name for the gateway endpoint.

    Endpoint Type: Select the type of the endpoint that you want to create. In this example, Gateway Endpoint is selected.

    Endpoint Service: Click Select Service and select the endpoint service that you want your VPC to access.

    VPC: Select the VPC in which you want to create the gateway endpoint.

    Route Table: Select the route table that you want to associate with the gateway endpoint.

    Resource Group: Select the resource group that you want to associate with the gateway endpoint.

    Description: Enter a description for the endpoint.

    Access Policies: Enter the following access policy:

    {
      "Statement":
        [
          {
            "Action": "oss:*",
            "Effect": "Allow",
            "Principal": ["174649585760xxxx"],
            "Resource": ["acs:oss:*:*:examplebucket",
                         "acs:oss:*:*:examplebucket/*"]
          }
        ],
      "Version": "1"
    }
    Important

    By default, if no VPC policy is configured, requests initiated from a VPC in the same region as the OSS resources are allowed. If a VPC policy is configured, such requests are allowed only if the policy evaluation result is Allow; a request that matches no Allow statement is denied.

Step 2: Configure a bucket policy

Configure a bucket policy that denies requests initiated from any VPC whose ID is not t4nlw426y44rd3iq4xxxx from accessing OSS resources in examplebucket.

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, find and click examplebucket.

  3. In the left-side navigation tree, choose Permission Control > Bucket Policy.

  4. On the Bucket Policy page, click Add by Syntax.

  5. Click Edit and enter the following bucket policy:

    {
      "Statement" :
        [
          {
            "Action": ["oss:*"],
            "Effect": "Deny",
            "Principal": ["*"],
            "Resource": "acs:oss:*:*:*",
            "Condition":
              {
                "StringNotEquals" :
                  {
                    "acs:SourceVpc": ["t4nlw426y44rd3iq4xxxx"]
                  }
              }
          }
        ] ,
      "Version": "1"
    }
    Important

    If a bucket policy denies the request, OSS denies it. If no bucket policy denies the request, OSS decides whether to allow or deny it based on other conditions, such as RAM policies. For more information, see Authorization.

  6. Click Save. In the dialog box that appears, click OK.
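The two policies above enforce the allow/deny rules listed under Background information in sequence: the gateway endpoint policy decides which OSS resources a VPC may reach, and the bucket policy denies any request whose acs:SourceVpc is not the authorized VPC. The following Python script is an added offline simulator of that evaluation, not OSS code or an official SDK; the two policy documents are copied from Step 1 and Step 2, while the sample requests (the unauthorized UID 111111111111xxxx, the VPC ID vpc-other-xxxx, the region and object keys) and the evaluation helpers are constructed for this example. Only the StringEquals and StringNotEquals condition operators are implemented, and the final RAM policy decision is modelled as a flag on the request.

```python
"""Simulate OSS's two-layer access check: VPC (gateway endpoint) policy first,
then bucket policy. Policies copied from the page; requests are constructed."""
import fnmatch
import json

# VPC policy from Step 1 (copied from the page).
VPC_POLICY = json.loads("""{
  "Statement": [{"Action": "oss:*", "Effect": "Allow",
                 "Principal": ["174649585760xxxx"],
                 "Resource": ["acs:oss:*:*:examplebucket",
                              "acs:oss:*:*:examplebucket/*"]}],
  "Version": "1"}""")

# Bucket policy from Step 2 (copied from the page).
BUCKET_POLICY = json.loads("""{
  "Statement": [{"Action": ["oss:*"], "Effect": "Deny", "Principal": ["*"],
                 "Resource": "acs:oss:*:*:*",
                 "Condition": {"StringNotEquals":
                               {"acs:SourceVpc": ["t4nlw426y44rd3iq4xxxx"]}}}],
  "Version": "1"}""")

# Assumption: the VPC policy is attached to the gateway endpoint of this VPC.
# A VPC with no endpoint policy passes the VPC-side check (page: allowed by default).
ENDPOINT_POLICIES = {"t4nlw426y44rd3iq4xxxx": VPC_POLICY}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Wildcard match for the Action, Principal and Resource fields."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringNotEquals against the request context."""
    for op, keys in condition.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {op}")
        for key, expected in keys.items():
            equal = context.get(key) in _as_list(expected)
            if (op == "StringEquals") != equal:
                return False
    return True


def _evaluate(policy, request):
    """Return 'Deny', 'Allow' or None when no statement matches the request."""
    context = {"acs:SourceVpc": request["source_vpc"]}
    effects = set()
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], request["action"])
                and _matches(stmt["Principal"], request["uid"])
                and _matches(stmt["Resource"], request["resource"])
                and _condition_holds(stmt.get("Condition", {}), context)):
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def authorize(request):
    """Apply the page's rules in order and return (decision, reason)."""
    vpc_policy = ENDPOINT_POLICIES.get(request["source_vpc"])
    if vpc_policy is not None and _evaluate(vpc_policy, request) != "Allow":
        return "Deny", "VPC policy did not allow the request"
    bucket_decision = _evaluate(BUCKET_POLICY, request)
    if bucket_decision == "Deny":
        return "Deny", "bucket policy explicitly denied the request"
    if bucket_decision == "Allow":
        return "Allow", "bucket policy allowed the request"
    # Nothing in the bucket policy decided; per the page, RAM policies decide.
    # Simplification: the request carries the outcome of that RAM check.
    if request.get("ram_allows", False):
        return "Allow", "allowed by RAM policy"
    return "Deny", "no policy allowed the request"


def _req(uid, vpc, resource, ram_allows=True):
    return {"uid": uid, "source_vpc": vpc, "action": "oss:GetObject",
            "resource": resource, "ram_allows": ram_allows}


# Constructed sample requests covering each rule from Background information.
AUTH_UID, OTHER_UID = "174649585760xxxx", "111111111111xxxx"
AUTH_VPC, OTHER_VPC = "t4nlw426y44rd3iq4xxxx", "vpc-other-xxxx"
OBJ = "acs:oss:cn-hangzhou:174649585760xxxx:examplebucket/report.csv"
OTHER_OBJ = "acs:oss:cn-hangzhou:174649585760xxxx:otherbucket/report.csv"
SAMPLES = {
    "authorized user, authorized VPC, authorized bucket": _req(AUTH_UID, AUTH_VPC, OBJ),
    "unauthorized user, authorized VPC": _req(OTHER_UID, AUTH_VPC, OBJ),
    "authorized user, unauthorized bucket": _req(AUTH_UID, AUTH_VPC, OTHER_OBJ),
    "authorized user, unauthorized VPC": _req(AUTH_UID, OTHER_VPC, OBJ),
    "authorized everything but RAM denies": _req(AUTH_UID, AUTH_VPC, OBJ, ram_allows=False),
}


def run_samples():
    return {name: authorize(r)[0] for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in SAMPLES.items():
        print(f"{name}: {authorize(r)}")
```

Only the first sample is allowed: the unauthorized user and the unauthorized bucket are stopped by the VPC policy before the request reaches OSS's bucket-side check, while the request from the other VPC passes the VPC side (no endpoint policy there) and is then rejected by the bucket policy's StringNotEquals condition.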