You can grant public access to Object Storage Service (OSS) resources by configuring bucket policies and access control lists (ACLs). Public access does not require specific permissions or identity verification, which increases the risk of data breaches and unwanted outbound internet traffic. To mitigate these risks, OSS lets you enable Block Public Access at the account level and for individual buckets, access points, or Object FC Access Points. When enabled, this feature ignores existing public permissions and prevents new public permissions from being granted, which helps ensure data security.
Determine if resources are publicly accessible
You can review the bucket policy and access control lists (ACLs), including bucket ACLs and object ACLs, to determine if an OSS resource is publicly accessible. If any setting grants public access, your resource is at risk and you should enable Block Public Access.
Bucket policy
(Recommended) Call an API operation
You can call the GetBucketPolicyStatus operation to check whether the current bucket policy grants public access.
If the IsPublic response field is set to true, the current bucket policy grants public access.
If the IsPublic response field is set to false, the current bucket policy does not grant public access or no bucket policy is set.
For more information, see GetBucketPolicyStatus.
Manual check
Conditions and examples for non-public access
A statement in a bucket policy is considered non-public if its Principal element or its Condition element meets any of the conditions in the following table.
Note: The Action and Resource elements are not used to determine whether a statement grants public access.
If the Effect of a statement is Deny, the statement is considered non-public regardless of its other elements.
Element | Field | Value
Principal | N/A | Specifies one or more static values. The value cannot contain the asterisk (*) wildcard character.
Condition | acs:SourceVpcId | Specifies one or more static values. The value cannot contain the asterisk (*) wildcard character.
Condition | acs:SourceVpc | Specifies one or more static values. The value cannot contain the asterisk (*) wildcard character.
Condition | acs:AccessId | Specifies one or more static values. The value cannot contain the asterisk (*) wildcard character.
Condition | acs:SourceVpcIp | If it is an IPv4 address, the mask must be 8 or greater. If it is an IPv6 address, the mask must be 32 or greater.
Condition | acs:SourceIp | If it is an IPv4 address, the mask must be 8 or greater. If it is an IPv6 address, the mask must be 32 or greater.
Example of non-public access
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
        "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
      ]
    },
    {
      "Action": [
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "hangzhou/2020/*",
            "shanghai/2015/*"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Conditions and examples for public access
If a bucket policy contains at least one statement that does not meet the conditions for non-public access, the policy is considered to grant public access. The following are some examples:
Example 1
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:GetObject",
      "Principal": "*",
      "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*"
    }
  ]
}
Example 2
If a policy contains both a statement that grants public access (for example, one that allows access from all VPCs by using a wildcard) and a statement that grants non-public access (for example, one that allows access only from a specified user), the policy as a whole is still considered to grant public access.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:GetObject",
      "Principal": "*",
      "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*",
      "Condition": {
        "StringLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Principal": "27464958576xxxx",
      "Resource": "*"
    }
  ]
}
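The manual-check rules above (Deny is never public; a static Principal or a static acs:SourceVpcId, acs:SourceVpc or acs:AccessId condition restricts access; an acs:SourceIp or acs:SourceVpcIp condition restricts access only when the IPv4 mask is 8 or more, or the IPv6 mask is 32 or more) can be applied offline to a policy document before it is attached to a bucket. The following Python script is an added example written for this page, not Alibaba Cloud's own tooling or SDK. It embeds the three example policies shown above as constructed sample input (with the account IDs masked as on the page) and reports which statements make a policy public. One choice goes beyond the page and is an assumption: a negated condition operator (for example NotIpAddress or StringNotLike) is treated as never restricting, because a negated match widens rather than narrows the set of callers.

```python
"""Classify an OSS bucket policy as public or non-public with the manual-check rules."""
import ipaddress
import json
from typing import Any, List

# Condition keys that restrict access when every value is static (contains no "*").
STATIC_CONDITION_KEYS = {"acs:SourceVpcId", "acs:SourceVpc", "acs:AccessId"}
# Condition keys that restrict access when every CIDR mask is wide enough.
IP_CONDITION_KEYS = {"acs:SourceVpcIp", "acs:SourceIp"}
MIN_PREFIX = {4: 8, 6: 32}  # minimum mask length per IP version, as stated in the table


def _as_list(value: Any) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _all_static(values: list) -> bool:
    """True when there is at least one value and none contains the "*" wildcard."""
    return bool(values) and all("*" not in str(v) for v in values)


def _ip_is_restricted(value: str) -> bool:
    """IPv4 mask >= 8 or IPv6 mask >= 32; a bare address is a single host and passes."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False  # an unparsable value restricts nothing
    return net.prefixlen >= MIN_PREFIX[net.version]


def _condition_is_restricted(condition: Any) -> bool:
    """True when at least one condition key restricts access per the table above."""
    if not isinstance(condition, dict):
        return False
    for operator, keys in condition.items():
        # Assumption beyond the page: negated operators (NotIpAddress, StringNotLike, ...)
        # widen access, so they never count as restricting.
        if not isinstance(keys, dict) or "Not" in operator:
            continue
        for key, raw in keys.items():
            values = _as_list(raw)
            if key in STATIC_CONDITION_KEYS and _all_static(values):
                return True
            if key in IP_CONDITION_KEYS and values and all(_ip_is_restricted(str(v)) for v in values):
                return True
    return False


def statement_is_public(stmt: dict) -> bool:
    """A statement is public unless Effect is Deny or Principal/Condition restricts it."""
    if stmt.get("Effect") == "Deny":
        return False
    if _all_static(_as_list(stmt.get("Principal"))):
        return False
    if _condition_is_restricted(stmt.get("Condition")):
        return False
    return True


def public_statements(policy) -> List[int]:
    """Indices of statements that grant public access; an empty list means non-public."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return [i for i, s in enumerate(_as_list(policy.get("Statement"))) if statement_is_public(s)]


def policy_is_public(policy) -> bool:
    """Policy-level verdict, mirroring the IsPublic field of GetBucketPolicyStatus."""
    return bool(public_statements(policy))


# Constructed sample input: the three example policies from this page.
NON_PUBLIC_POLICY = {"Version": "1", "Statement": [
    {"Action": ["oss:GetObject", "oss:GetObjectAcl", "oss:GetObjectVersion", "oss:GetObjectVersionAcl"],
     "Effect": "Allow", "Principal": ["20214760404935xxxx"],
     "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
                  "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"]},
    {"Action": ["oss:ListObjects", "oss:ListObjectVersions"],
     "Condition": {"StringLike": {"oss:Prefix": ["hangzhou/2020/*", "shanghai/2015/*"]}},
     "Effect": "Allow", "Principal": ["20214760404935xxxx"],
     "Resource": ["acs:oss:*:174649585760xxxx:examplebucket"]}]}

PUBLIC_POLICY_1 = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject", "Principal": "*",
     "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*"}]}

PUBLIC_POLICY_2 = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject", "Principal": "*",
     "Resource": "acs:oss:*:17464958576xxxx:examplebucket/*",
     "Condition": {"StringLike": {"acs:SourceVpc": ["vpc-*"]}}},
    {"Effect": "Allow", "Action": "oss:*", "Principal": "27464958576xxxx", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in [("non-public example", NON_PUBLIC_POLICY),
                         ("public example 1", PUBLIC_POLICY_1),
                         ("public example 2", PUBLIC_POLICY_2)]:
        print(f"{name}: IsPublic={policy_is_public(policy)} statements={public_statements(policy)}")
```

Run it against a policy file with `policy_is_public(open("policy.json").read())` before calling PutBucketPolicy; in a CI gate, treat a non-empty `public_statements` result as a failure unless public access is intentional and Block Public Access is deliberately disabled at every level in the priority chain.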
ACL
If the bucket ACL or object ACL is set to public-read or public-read-write, public access is allowed.
If both the bucket ACL and object ACL are set to private, public access is not allowed.
Priority of Block Public Access settings at different levels
OSS supports enabling Block Public Access at the account, bucket, access point, and Object FC Access Point levels. If the Block Public Access settings are inconsistent across these levels, OSS uses the following priority to determine the effective access permissions.
Account > Bucket > Access point > Object FC Access Point
Based on this priority, the Block Public Access setting at a higher level determines whether public access is allowed at a lower level. If Block Public Access is enabled at the account level, public access is not allowed for any buckets, access points, or Object FC Access Points.
To allow public access to a bucket, disable Block Public Access at the account level and for the bucket.
To allow public access to an access point, disable Block Public Access at the account level, for the bucket associated with the access point, and for the access point.
To allow public access to an Object FC Access Point, disable Block Public Access at the account level, for the access point associated with the Object FC Access Point, for the bucket associated with the access point, and for the Object FC Access Point.
Usage notes
A Resource Access Management (RAM) user needs the following permissions to configure Block Public Access:
Account level: oss:PutPublicAccessBlock, oss:GetPublicAccessBlock, and oss:DeletePublicAccessBlock.
Bucket level: oss:PutBucketPublicAccessBlock, oss:GetBucketPublicAccessBlock, and oss:DeleteBucketPublicAccessBlock.
Access point level: oss:PutAccessPointPublicAccessBlock, oss:GetAccessPointPublicAccessBlock, and oss:DeleteAccessPointPublicAccessBlock.
Object FC Access Point level: oss:PutAccessPointConfigForObjectProcess, oss:GetAccessPointConfigForObjectProcess, and oss:DeleteAccessPointForObjectProcess.
When Block Public Access is enabled, existing public access permissions are ignored and new public access permissions cannot be created. When Block Public Access is disabled, existing permissions take effect and you can create new public access permissions.
If a bucket policy allows anyone to call the management API operations for an access point, users can still change the access point's Block Public Access setting by sending requests to the bucket's third-level domain name, even if Block Public Access is enabled for the access point. This is because requests sent to a bucket's third-level domain name are not subject to the access point's configuration.
For cross-region replication (CRR) or same-region replication (SRR), the ACL of an object is preserved after replication, regardless of whether Block Public Access is enabled for the source and destination buckets. If Block Public Access is enabled for the destination bucket, objects replicated to it cannot be publicly accessed, even if their ACLs are public-read or public-read-write.
Methods
Use the OSS console
Use the ossutil command line interface
Related API operations
If your program has high customization requirements, you can directly make REST API requests. To do so, you must manually write code to calculate the signature.
For more information about the API operation for Block Public Access at the account level, see PutPublicAccessBlock.
For more information about the API operation for Block Public Access for a bucket, see PutBucketPublicAccessBlock.
For more information about the API operation for Block Public Access for an access point, see PutAccessPointPublicAccessBlock.
For more information about the API operation for Block Public Access for an Object FC Access Point, see PutAccessPointConfigForObjectProcess.
References
Block Public Access lets you centrally manage permissions at the account level and for individual buckets, access points, and Object FC Access Points. For more granular control over resources within a bucket or individual objects, you can use bucket policies and object ACLs.