OSS Bucket Public Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Very High (act immediately)
Rule ID: AlibabaCloud-OSS-004

Ensure that your Object Storage Service (OSS) buckets are not publicly accessible to the Internet in order to protect against unauthorized access. Allowing public, anonymous access through bucket ACLs and bucket policies gives everyone the ability to access bucket contents.

Security

Granting public and/or anonymous access to your Object Storage Service (OSS) buckets can allow malicious actors to view, get, upload, modify, and delete OSS objects, which can lead to data breaches, data loss, and unexpected charges on your Alibaba Cloud bill.


Audit

To determine if your OSS buckets allow public and/or anonymous access, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to examine, listed in the Bucket Name column.

05 On the selected OSS bucket page, choose Permission Control from the resource navigation panel, and perform the following actions:

  1. To verify the Block Public Access feature status for your bucket, select the Block Public Access tab, and check the Block Public Access setting to determine if the security feature is enabled for the selected bucket. If Block Public Access is set to Disabled, OSS does not block anonymous access to the bucket; therefore, if the bucket ACL and/or bucket policy allows public access, the selected Object Storage Service (OSS) bucket is considered publicly accessible.
  2. To verify the Access Control List (ACL) configured for your bucket, select the ACL tab, and check the Bucket ACL configuration setting to determine the level of access configured for the bucket. If Bucket ACL is not set to Private, the selected OSS bucket is considered publicly accessible.
  3. To verify the authorization policy defined for your bucket, select the Bucket Policy tab, choose Add by Syntax, and check the policy document to determine who is authorized to access the OSS bucket. If the "Effect" element value is set to "Allow" and the "Principal" element value is set to ["*"] without any "Condition" elements, the selected Object Storage Service (OSS) bucket is publicly accessible.

06 Repeat steps no. 4 and 5 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

Note: Getting the Block Public Access feature status using ossutil is not currently supported.

01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

02 Run the stat command (macOS/Linux/Windows) to describe the configuration metadata available for the selected OSS bucket:

ossutil stat oss://tm-project-data-bucket

03 The command output should return the requested configuration information (including the Access Control List (ACL) configured for the bucket):

Name                  : tm-project-data-bucket
Location              : oss-eu-west-1
CreationDate          : 2024-02-02 11:45:38 +0200 EET
ExtranetEndpoint      : oss-eu-west-1.aliyuncs.com
IntranetEndpoint      : oss-eu-west-1-internal.aliyuncs.com
ACL                   : public-read-write
Owner                 : 1234567890123456
StorageClass          : Standard
RedundancyType        : LRS
TransferAcceleration  : Disabled
CrossRegionReplication: Disabled
AccessMonitor         : Disabled

Check the ACL attribute value to determine the level of access configured for the specified bucket. If ACL is not set to private, the selected Object Storage Service (OSS) bucket is considered publicly accessible.

04 Run the bucket-policy command (macOS/Linux/Windows) with --method set to get to describe the bucket policy configured for the specified OSS bucket:

ossutil bucket-policy --method get oss://tm-project-data-bucket

05 The command output should return the bucket policy document (in JSON format):

{
	"Version": "1",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"oss:*"
			],
			"Principal": [
				"*"
			],
			"Resource": [
				"acs:oss:*:1234567890123456:tm-project-data-bucket",
				"acs:oss:*:1234567890123456:tm-project-data-bucket/*"
			]
		}
	]
}

Check the policy document to determine who is authorized to access the specified OSS bucket. If the "Effect" element value is set to "Allow" and the "Principal" element value is set to ["*"] without any "Condition" elements, the selected Object Storage Service (OSS) bucket is considered publicly accessible.

06 Repeat steps no. 2 to 5 for each OSS bucket available within your Alibaba Cloud account.

Remediation / Resolution

To ensure that public and/or anonymous access to your Object Storage Service (OSS) buckets is restricted, perform the following operations:

Note: Enabling the Block Public Access feature for OSS buckets using ossutil is not currently supported; use the Alibaba Cloud Console for that step.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to configure, listed in the Bucket Name column.

05 On the selected OSS bucket page, choose Permission Control from the resource navigation panel, and perform the following actions:

  1. To block public/anonymous access to your bucket using the Block Public Access feature, select the Block Public Access tab, set Block Public Access to Enabled, enter I confirm that I want to enable Block Public Access in the confirmation box, and choose OK to enable the feature at the bucket level. Block Public Access lets you centrally restrict OSS public access, reducing unauthorized access and data leakage. Enabling it denies anonymous access, ignores current public ACLs and bucket policies, and prevents the creation of new public ACLs and bucket policies.
  2. To deny public/anonymous access to your OSS bucket using Access Control Lists (ACLs), select the ACL tab, choose Settings, set the Bucket ACL to Private, and choose Save to apply the changes. Once the ACL settings are applied, only the bucket owner or authorized users can perform read and write operations on the objects stored within the selected bucket.
  3. To restrict public/anonymous access to your bucket using authorization policies, select the Bucket Policy tab, choose Add by Syntax, select Edit, and replace the "Principal" element value "*" with the UID (e.g. "123412341234123412") of the trusted RAM identity or the ID (e.g. "1234567890123456") of the trusted account that can access the selected bucket. You can also use the "Condition" element to introduce a condition that, for example, permits access from authorized IP addresses or IP address ranges only (e.g. "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.30/32"]}}). Choose Save to apply the permission changes, then choose OK to confirm.

06 Repeat steps no. 4 and 5 for each OSS bucket that you want to configure, available in your Alibaba Cloud account.

Using ossutil

01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

02 Run the set-acl command (macOS/Linux/Windows) to set the Access Control List (ACL) of the selected OSS bucket to private. Once the ACL settings are saved, only the bucket owner or authorized users can perform read and write operations on the objects stored within the bucket:

ossutil set-acl oss://tm-project-data-bucket private -b

03 Modify the existing bucket policy or create a new policy document to restrict public/anonymous access to your bucket. Replace the "Principal" element value "*" with the UID (e.g. "123412341234123412") of the trusted RAM identity or the ID (e.g. "1234567890123456") of the trusted account that can access the selected OSS bucket. Save the policy document to a JSON file named bucket-policy.json. Because existing bucket policies are overwritten by the ossutil commands, make sure that you include all the existing policy statements in the bucket-policy.json file:

{
	"Version": "1",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"oss:*"
			],
			"Principal": [
				"123412341234123412"
			],
			"Resource": [
				"acs:oss:*:1234567890123456:tm-project-data-bucket",
				"acs:oss:*:1234567890123456:tm-project-data-bucket/*"
			]
		}
	]
}

04 Run the bucket-policy command (macOS/Linux/Windows) with --method set to put to set the bucket policy. When you add or modify bucket policies, ossutil reads the policy from the local JSON file (e.g. bucket-policy.json) and applies it to your bucket, replacing the policy currently attached:

ossutil bucket-policy --method put oss://tm-project-data-bucket bucket-policy.json

05 Repeat steps no. 2 to 4 for each OSS bucket available in your Alibaba Cloud account.
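To tie the Audit criteria above (ACL from ossutil stat, and an Allow / "*" / no-Condition policy statement) to the remediated policy from this section, here is an added Python check that is not part of the original page or of ossutil. The sample stat output and bucket policy are constructed from the placeholder names and IDs used on this page.

```python
import json
from typing import List, Optional

# Constructed sample inputs modelled on the Audit section (placeholder bucket name and IDs).
STAT_OUTPUT = """Name                  : tm-project-data-bucket
Location              : oss-eu-west-1
ACL                   : public-read-write
Owner                 : 1234567890123456"""

PUBLIC_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["oss:*"], "Principal": ["*"],
    "Resource": ["acs:oss:*:1234567890123456:tm-project-data-bucket",
                 "acs:oss:*:1234567890123456:tm-project-data-bucket/*"]}]})

def with_principal(policy_json: str, principal: str, condition: Optional[dict] = None) -> str:
    """Derive a remediated copy of a policy: swap the Principal and optionally add a Condition."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        stmt["Principal"] = [principal]
        if condition:
            stmt["Condition"] = condition
    return json.dumps(policy)

def parse_stat_acl(stat_output: str) -> str:
    """Pull the ACL attribute out of `ossutil stat` output (first colon separates key and value)."""
    for line in stat_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "ACL":
            return value.strip()
    raise ValueError("ACL attribute not found in stat output")

def acl_is_public(acl: str) -> bool:
    """Per the rule, any bucket ACL other than private counts as publicly accessible."""
    return acl.lower() != "private"

def statement_is_public(stmt: dict) -> bool:
    """Effect Allow + Principal containing "*" + no Condition element = anonymous access."""
    principals = stmt.get("Principal", [])
    principals = [principals] if isinstance(principals, str) else principals
    return stmt.get("Effect") == "Allow" and "*" in principals and not stmt.get("Condition")

def public_statements(policy_json: str) -> List[int]:
    """Indices of policy statements that open the bucket to everyone."""
    return [i for i, s in enumerate(json.loads(policy_json).get("Statement", []))
            if statement_is_public(s)]

def bucket_is_public(stat_output: str, policy_json: str) -> bool:
    """Rule verdict: a public ACL or any public policy statement makes the bucket non-compliant."""
    return acl_is_public(parse_stat_acl(stat_output)) or bool(public_statements(policy_json))
```

A "*" principal that carries an IpAddress Condition is not flagged by this check, which mirrors the page's criteria; the ACL must still be private for the bucket to pass.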

Publication date Feb 23, 2024