Updated on 2025-07-01 GMT+08:00

Block Public Access

Public access means that a requester can access a bucket and data in the bucket without specific permissions or identity authentication, risking data leakage, malicious access, and high external network traffic. To avoid these risks, OBS allows you to enable Block Public Access for a bucket to ensure data security. With Block Public Access, bucket owners can easily configure centralized controls to restrict public access to resources.

Checking Whether a Bucket Is Publicly Accessible

You need to determine whether a bucket is public based on its bucket policies and ACL. If a bucket policy or the ACL allows public access, you can enable Block Public Access to avoid exposure.

  • If Principal in a bucket policy is set to * and the condition keys, operators, and values meet the requirements listed in the following table, the bucket policy allows public access.
    Table 1 Condition keys used for public access in bucket policies

    | Condition Key | Operator | Value Description |
    |---|---|---|
    | PrincipalID | StringLike | The first segment of characters separated by a colon (:) contains a wildcard character. |
    | PrincipalAccount | StringLike | There is a wildcard. |
    | DomainId | StringLike | There is a wildcard. |
    | PrincipalOrgID | StringLike | There is a wildcard. |
    | PrincipalOrgManagementAccountID | StringLike | There is a wildcard. |
    | SourceVpc | StringLike | There is a wildcard. |
    | SourceVpce | StringLike | There is a wildcard. |
    | SourceIP | IpAddress or NotIpAddress | The number of valid IPv4 addresses exceeds 2^{32-8}, or the number of valid IPv6 addresses exceeds 2^{128-32}. |
    | PrincipalUrn | StringLike | The URN does not contain five segments, or the third segment (Account) contains a wildcard character. |
    | PrincipalOrgPath | StringLike | The first segment of characters separated by a slash (/) contains a wildcard character. |

    A wildcard character is an asterisk (*) or a question mark (?).

    Example 1: Principal is set to *.

    {
      "Principal": "*",
      "Resource": "*",
      "Action": "PutObject",
      "Effect": "Allow",
      "Condition": { "StringLike": {"SourceVpc": "vpc-*"}}
    }


    Example 2: The value of SourceVpc contains a wildcard character.

    {
      "Principal": "exampleID",
      "Resource": "*",
      "Action": "PutObject",
      "Effect": "Allow",
      "Condition": { "StringLike": {"SourceVpc": "vpc-*"}}
    }

  • In an ACL, if the grantee is Everyone, the authorized account ID contains a wildcard character, or any of public-read, public-read-write, public-read-delivered, or public-read-write-delivered is configured, the ACL allows public access.

    Example 1: Configure a bucket ACL to allow public access in its header.

    PUT /?acl HTTP/1.1
    Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
    User-Agent: curl/7.29.0
    Host: examplebucket.obs.region.myhuaweicloud.com
    x-obs-acl: public-read
    Date: WED, 01 Jul 2015 02:37:22 GMT
    Content-Type: application/xml


    Example 2: Configure a bucket ACL to allow public access in its body.

    <AccessControlPolicy xmlns="http://obs.cn-north-4.myhuaweicloud.com/doc/2024-12-30/">
      <Owner>
        <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID>
      </Owner>
      <AccessControlList>
        <Grant>
          <Grantee>
            <Canned>Everyone</Canned>
          </Grantee>
          <Permission>READ_ACP</Permission>
        </Grant>
      </AccessControlList>
    </AccessControlPolicy>

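The two checks described above (the Table 1 rules for a bucket policy, and the Everyone / wildcard-ID / canned-ACL rules for an ACL) as one added Python example. This is not code from the OBS documentation or SDK; it is a local pre-check that applies the page's rules to a policy already parsed with json.loads and to an ACL header or XML body. It assumes that a Principal may also appear as a map such as {"ID": ["*"]}, that NotIpAddress admits the complement of the listed ranges, that an operator/key pair not in Table 1 genuinely restricts access, and that an account grantee is carried in an <ID> element as the owner is. The sample ACL body is the one from Example 2 above.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Any, Iterable

# Table 1 thresholds: a SourceIP condition leaves a statement public when it still
# admits more than 2^(32-8) IPv4 or more than 2^(128-32) IPv6 addresses.
IPV4_LIMIT, IPV6_LIMIT = 2 ** (32 - 8), 2 ** (128 - 32)
# Table 1 keys for which a wildcard anywhere in a StringLike value counts.
WILDCARD_ANYWHERE = {"PrincipalAccount", "DomainId", "PrincipalOrgID",
                     "PrincipalOrgManagementAccountID", "SourceVpc", "SourceVpce"}
# Canned ACLs the page lists as granting public access.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write",
                      "public-read-delivered", "public-read-write-delivered"}

def has_wildcard(text: str) -> bool:
    """Wildcards per the page: an asterisk (*) or a question mark (?)."""
    return "*" in text or "?" in text

def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]

def _principal_is_star(principal: Any) -> bool:
    """True for "*", ["*"] or a map such as {"ID": "*"} (the map form is assumed)."""
    if isinstance(principal, dict):
        return any(_principal_is_star(v) for v in principal.values())
    return "*" in [str(v) for v in _as_list(principal)]

def _ip_condition_is_public(operator: str, values: Iterable[str]) -> bool:
    """Count the addresses admitted per IP family against the Table 1 thresholds."""
    nets = [ipaddress.ip_network(v, strict=False) for v in values]
    for version, space, limit in ((4, 2 ** 32, IPV4_LIMIT), (6, 2 ** 128, IPV6_LIMIT)):
        family = [n for n in nets if n.version == version]
        if not family:
            continue
        # Collapse overlapping ranges so that no address is counted twice.
        listed = sum(n.num_addresses for n in ipaddress.collapse_addresses(family))
        # Assumption: NotIpAddress admits the complement of the listed ranges.
        if (space - listed if operator == "NotIpAddress" else listed) > limit:
            return True
    return False

def condition_is_public(operator: str, key: str, value: Any) -> bool:
    """True when one condition entry fails to narrow the public, per Table 1."""
    values = [str(v) for v in _as_list(value)]
    if operator == "StringLike":
        if key == "PrincipalID":       # first colon-separated segment
            return any(has_wildcard(v.split(":", 1)[0]) for v in values)
        if key in WILDCARD_ANYWHERE:
            return any(has_wildcard(v) for v in values)
        if key == "PrincipalUrn":      # five segments, the third is the account
            return any(len(v.split(":")) != 5 or has_wildcard(v.split(":")[2])
                       for v in values)
        if key == "PrincipalOrgPath":  # first slash-separated segment
            return any(has_wildcard(v.split("/", 1)[0]) for v in values)
    if operator in ("IpAddress", "NotIpAddress") and key == "SourceIP":
        return _ip_condition_is_public(operator, values)
    return False  # assumption: any other operator/key pair genuinely restricts access

def policy_is_public(policy: dict) -> bool:
    """Accepts a full policy ({"Statement": [...]}) or a single statement object."""
    for stmt in _as_list(policy.get("Statement", policy)):
        if stmt.get("Effect") != "Allow" or not _principal_is_star(stmt.get("Principal")):
            continue
        if all(condition_is_public(op, key, val)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, val in pairs.items()):
            return True
    return False

def acl_header_is_public(headers: dict) -> bool:
    """Example 1 form: a canned ACL in x-obs-acl (header names are case-insensitive)."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("x-obs-acl") in PUBLIC_CANNED_ACLS

def public_grants(acl_xml: str) -> list:
    """Example 2 form: (grantee, permission) pairs given to Everyone or a wildcard ID.
    The ACL comes from your own bucket; parse XML from untrusted sources with defusedxml."""
    root = ET.fromstring(acl_xml)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    found = []
    for grant in root.iter(ns + "Grant"):
        grantee = grant.find(ns + "Grantee")
        if grantee is None:
            continue
        canned = grantee.findtext(ns + "Canned", default="").strip()
        account = grantee.findtext(ns + "ID", default="").strip()  # assumed element name
        if canned == "Everyone" or has_wildcard(account):
            permission = grant.findtext(ns + "Permission", default="").strip()
            found.append((canned or account, permission))
    return found

# Sample ACL body, taken from Example 2 above, for a stand-alone run.
SAMPLE_PUBLIC_ACL = (
    '<AccessControlPolicy xmlns="http://obs.cn-north-4.myhuaweicloud.com/doc/2024-12-30/">'
    '<Owner><ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID></Owner><AccessControlList>'
    '<Grant><Grantee><Canned>Everyone</Canned></Grantee><Permission>READ_ACP</Permission>'
    '</Grant></AccessControlList></AccessControlPolicy>')
```

Two details matter in practice. Overlapping SourceIP ranges are collapsed before counting, so listing 10.0.0.0/8 together with 10.128.0.0/9 is still exactly 2^24 addresses and not public, whereas a single /7 is. And the script is only a local pre-check: the service's own analysis, queried with the GetBucketPublicStatus and GetBucketPolicyPublicStatus permissions from Table 3, is the authoritative answer.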

Block Public Access Settings

OBS provides four Block Public Access settings. You can use them in any combination and apply them to buckets.

Table 2 Four Block Public Access settings

Setting

Description

BlockPublicAcls

Enabling this setting will:

  • Make object upload fail if the configured ACL allows public access.
  • Prevent modifying a bucket or an object ACL to allow public access.

BlockPublicPolicy

Enabling this setting will prevent creating or modifying a bucket policy that contains public access.

IgnorePublicAcls

Enabling this setting will:

  • Ignore any bucket or object ACL that allows public access and block unauthorized users and those without specified permissions from accessing the buckets and objects in the buckets.
  • Allow you to configure an ACL for an object to allow public access when you upload it. When the object is accessed, the ACL that allows public access will be ignored.
  • Allow you to configure a new public ACL for a bucket or an object. When the bucket or object is accessed, all public ACLs on them will be ignored.

For example, if IgnorePublicAcls is enabled for bucket A, you can configure an ACL for object b to allow public access either during its upload to bucket A or after the upload is complete.

RestrictPublicBuckets

Enabling this setting will invalidate any bucket policy that contains public access. Afterward, only the bucket owner account and its IAM users can access the bucket and objects within.

Important Notes

  • Before enabling Block Public Access, verify that your services can work correctly without public access.
  • To block public access, your account must have the PutBucketPublicAccessBlock permission.
  • If Block Public Access is enabled for a bucket, OBS returns all ACL rules on the bucket when you obtain the ACL of the bucket or any object it contains. For example, if IgnorePublicAcls is enabled for a bucket with an ACL that allows public access, obtaining the bucket's ACL will still show the ACL rule that allows public access.
  • Enabling Block Public Access does not affect existing bucket policies or ACLs. Therefore, disabling the Block Public Access settings will make any bucket or object with a public bucket policy or ACL publicly accessible again.
  • By default, Block Public Access (four settings in Table 2) is enabled for newly created buckets but disabled for newly created parallel file systems. Enabling it for parallel file systems may degrade performance. For existing buckets, Block Public Access is disabled by default and must be manually enabled if needed.

Constraints

  • You can block public access only for buckets, not for accounts or specified objects.
  • To ensure that Block Public Access can work appropriately, the total size of all bucket policies cannot exceed 20 KB, and the combined size of all ACLs and bucket policies cannot exceed 32 KB. If the size exceeds the upper limit, requests for setting bucket policies or bucket ACLs, querying the public status of buckets, and enabling Block Public Access may be denied, with error code 400 and message "Bucket policy and bucket acl is too large/complicated to perform block public access analysis" returned.
  • Block Public Access is not available for mirroring-based back-to-source scenarios.
  • During cross-region replication, if the destination bucket has the BlockPublicAcls setting, objects with public ACLs in the source bucket will fail to be replicated.
  • To use Block Public Access, you must have the following permissions.
    Table 3 Permissions required for using Block Public Access

    | Operation | Required Permissions |
    |---|---|
    | Configuring Block Public Access for a bucket | Bucket owner or a user with the PutBucketPublicAccessBlock permission |
    | Obtaining the Block Public Access configuration of a bucket | Bucket owner or a user with the GetBucketPublicAccessBlock permission |
    | Deleting the Block Public Access configuration of a bucket | Bucket owner or a user with the DeleteBucketPublicAccessBlock permission |
    | Obtaining the public access status of a bucket policy | Bucket owner or a user with the GetBucketPolicyPublicStatus permission |
    | Obtaining the public access status of a bucket | Bucket owner or a user with the GetBucketPublicStatus permission |

Ways to Use Block Public Access

You can use OBS Console, SDKs, or APIs to configure Block Public Access.

Helpful Links