Block Public Access
Public access means that a requester can access a bucket and data in the bucket without specific permissions or identity authentication, risking data leakage, malicious access, and high external network traffic. To avoid these risks, OBS allows you to enable Block Public Access for a bucket to ensure data security. With Block Public Access, bucket owners can easily configure centralized controls to restrict public access to resources.
Checking Whether a Bucket Is Publicly Accessible
You need to determine whether a bucket is public based on its bucket policies and ACL. If a bucket policy or the ACL allows public access, you can enable Block Public Access to avoid exposure.
- If Principal in a bucket policy is set to * and the condition keys, operators, and values meet the requirements listed in the following table, the bucket policy allows public access.
Table 1 Condition keys used for public access in bucket policies

Condition Key | Operator | Value Description
---|---|---
PrincipalID | StringLike | The first segment of characters separated by a colon (:) contains a wildcard character.
PrincipalAccount | StringLike | There is a wildcard.
DomainId | StringLike | There is a wildcard.
PrincipalOrgID | StringLike | There is a wildcard.
PrincipalOrgManagementAccountID | StringLike | There is a wildcard.
SourceVpc | StringLike | There is a wildcard.
SourceVpce | StringLike | There is a wildcard.
SourceIP | IpAddress or NotIpAddress | The number of valid IPv4 addresses exceeds 2^(32-8) = 2^24 (that is, the range is larger than a /8), or the number of valid IPv6 addresses exceeds 2^(128-32) = 2^96 (larger than a /32).
PrincipalUrn | StringLike | The URN does not contain five segments, or the third segment (Account) contains a wildcard character.
PrincipalOrgPath | StringLike | The first segment of characters separated by a slash (/) contains a wildcard character.

A wildcard character is an asterisk (*) or a question mark (?).
Example 1: Principal is set to *.

```json
{
  "Principal": "*",
  "Resource": "*",
  "Action": "PutObject",
  "Effect": "Allow",
  "Condition": {
    "StringLike": {"SourceVpc": "vpc-*"}
  }
}
```

Example 2: The value of SourceVpc contains a wildcard character.

```json
{
  "Principal": "exampleID",
  "Resource": "*",
  "Action": "PutObject",
  "Effect": "Allow",
  "Condition": {
    "StringLike": {"SourceVpc": "vpc-*"}
  }
}
```
- In an ACL, if the grantee is Everyone, a grantee account ID contains a wildcard character, or one of the canned ACLs public-read, public-read-write, public-read-delivered, or public-read-write-delivered is configured, the ACL allows public access.

Example 1: Configure a bucket ACL that allows public access through the x-obs-acl request header.

```http
PUT /?acl HTTP/1.1
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
x-obs-acl: public-read
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Type: application/xml
```

Example 2: Configure a bucket ACL that allows public access through the request body (an Everyone grantee).

```xml
<AccessControlPolicy xmlns="http://obs.cn-north-4.myhuaweicloud.com/doc/2024-12-30/">
  <Owner>
    <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee>
        <Canned>Everyone</Canned>
      </Grantee>
      <Permission>READ_ACP</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
```
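The two checks above (Table 1 for bucket policies, the grantee/canned-ACL rule for ACLs), written out as an added Python example for this page; it is not OBS's own public-status analyzer. It assumes that Principal appears either as the string "*" or as an {"ID": [...]} object, that a PrincipalUrn is colon-separated with the account in its third segment, that "valid" addresses in Table 1 means the addresses a SourceIP condition still admits (so NotIpAddress counts the complement of the listed ranges), and that any condition key/operator pair not listed in Table 1 counts as restrictive. The sample policies and ACL documents at the bottom are constructed for the example.

```python
# Added example (not OBS's own analyzer): apply this section's Table 1 and ACL rules to policy and ACL input.
import ipaddress
import json
import xml.etree.ElementTree as ET

WILDCARDS = ("*", "?")
# Keys that Table 1 marks public whenever the StringLike value contains any wildcard.
ANY_WILDCARD_KEYS = {"PrincipalAccount", "DomainId", "PrincipalOrgID",
                     "PrincipalOrgManagementAccountID", "SourceVpc", "SourceVpce"}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write",
                      "public-read-delivered", "public-read-write-delivered"}
IPV4_LIMIT, IPV6_LIMIT = 2 ** (32 - 8), 2 ** (128 - 32)   # thresholds from Table 1

def has_wildcard(text):
    return any(c in text for c in WILDCARDS)

def admitted_addresses(operator, cidrs):
    """Addresses a SourceIP condition still admits, per IP version. Overlaps are collapsed first;
    Table 1's 'valid' is read here as 'admitted', so NotIpAddress admits the complement (assumption)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    counts = {}
    for version, bits in ((4, 32), (6, 128)):
        same = [n for n in nets if n.version == version]
        covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
        counts[version] = covered if operator == "IpAddress" else 2 ** bits - covered
    return counts

def condition_restricts(operator, key, values):
    """True if the condition narrows the audience, i.e. it does NOT match a Table 1 public pattern."""
    values = values if isinstance(values, list) else [values]
    if key == "SourceIP" and operator in ("IpAddress", "NotIpAddress"):
        admitted = admitted_addresses(operator, values)
        return not (admitted[4] > IPV4_LIMIT or admitted[6] > IPV6_LIMIT)
    if operator == "StringLike":
        if key == "PrincipalID":
            return not any(has_wildcard(v.split(":")[0]) for v in values)
        if key == "PrincipalOrgPath":
            return not any(has_wildcard(v.split("/")[0]) for v in values)
        if key == "PrincipalUrn":  # assumed ':'-separated, third segment is the account
            return not any(len(v.split(":")) != 5 or has_wildcard(v.split(":")[2]) for v in values)
        if key in ANY_WILDCARD_KEYS:
            return not any(has_wildcard(v) for v in values)
    return True  # any other key/operator (e.g. StringEquals) is outside Table 1, so it restricts

def statement_is_public(stmt):
    """Page rule: Effect Allow, Principal '*', and no condition that restricts."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if isinstance(principal, dict):  # assumption: the {"ID": [...]} form, with '*' inside meaning '*'
        ids = principal.get("ID", [])
        principal = "*" if "*" in (ids if isinstance(ids, list) else [ids]) else principal
    if principal != "*":
        return False
    return not any(condition_restricts(op, key, vals)
                   for op, entries in (stmt.get("Condition") or {}).items()
                   for key, vals in entries.items())

def policy_is_public(policy):
    """Takes a JSON string or dict; a bare statement like Example 1 above is accepted as well."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    stmts = policy.get("Statement", policy)
    return any(statement_is_public(s) for s in ([stmts] if isinstance(stmts, dict) else stmts))

def acl_is_public(acl_xml=None, canned_acl=None):
    """ACL rule from this section: a public-* canned ACL, an Everyone grantee, or a wildcard grantee ID."""
    if canned_acl in PUBLIC_CANNED_ACLS:
        return True
    if not acl_xml:
        return False
    def local(el): return el.tag.rsplit("}", 1)[-1]  # drop the xmlns prefix ElementTree adds
    for grantee in (el for el in ET.fromstring(acl_xml).iter() if local(el) == "Grantee"):
        for child in grantee:
            text = (child.text or "").strip()
            if (local(child) == "Canned" and text == "Everyone") or (local(child) == "ID" and has_wildcard(text)):
                return True
    return False

def _allow_all(condition=None):
    """Constructed sample: an Allow statement for Principal '*' with an optional Condition block."""
    return {"Statement": [{"Principal": "*", "Resource": "*", "Action": "GetObject",
                           "Effect": "Allow", "Condition": condition}]}

SAMPLE_POLICIES = {  # constructed samples, not taken from the page
    "no_condition": _allow_all(),
    "vpc_wildcard": _allow_all({"StringLike": {"SourceVpc": "vpc-*"}}),
    "vpc_exact": _allow_all({"StringEquals": {"SourceVpc": "vpc-0a1b2c"}}),
    "office_only": _allow_all({"IpAddress": {"SourceIP": "203.0.113.0/24"}}),
    "blocklist_only": _allow_all({"NotIpAddress": {"SourceIP": ["198.51.100.0/24"]}}),
    "any_account_urn": _allow_all({"StringLike": {"PrincipalUrn": "iam::*:user:*"}}),
    "one_account_urn": _allow_all({"StringLike": {"PrincipalUrn": "iam::0123abcd:user:*"}}),
}
ACL_NS = "http://obs.cn-north-4.myhuaweicloud.com/doc/2024-12-30/"   # namespace shown in Example 2
EVERYONE_ACL = (f'<AccessControlPolicy xmlns="{ACL_NS}"><Owner><ID>b4bf1b36</ID></Owner><AccessControlList>'
                '<Grant><Grantee><Canned>Everyone</Canned></Grantee><Permission>READ</Permission></Grant>'
                '</AccessControlList></AccessControlPolicy>')
OWNER_ONLY_ACL = (f'<AccessControlPolicy xmlns="{ACL_NS}"><Owner><ID>b4bf1b36</ID></Owner><AccessControlList>'
                  '<Grant><Grantee><ID>b4bf1b36</ID></Grantee><Permission>FULL_CONTROL</Permission></Grant>'
                  '</AccessControlList></AccessControlPolicy>')
```

Running `policy_is_public` over SAMPLE_POLICIES flags `no_condition`, `vpc_wildcard`, `blocklist_only` and `any_account_urn` as public and leaves `vpc_exact`, `office_only` and `one_account_urn` private; the NotIpAddress case is the one most often missed by hand review, since a short deny list still admits far more than 2^24 addresses.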
Block Public Access Settings
OBS provides four Block Public Access settings. You can use them in any combination and apply them to buckets.

Table 2 Block Public Access settings

Setting | Description
---|---
BlockPublicAcls | Enabling this setting will reject any request that sets a public ACL on the bucket or on an object in it (this is also why objects with public ACLs cannot be replicated into such a bucket; see Constraints). ACLs that were already public before the setting was enabled are kept as they are.
BlockPublicPolicy | Enabling this setting will prevent creating or modifying a bucket policy that contains public access.
IgnorePublicAcls | Enabling this setting will make OBS ignore any public ACL on the bucket and the objects in it when evaluating access. The ACL can still be set and is still returned when queried. For example, if IgnorePublicAcls is enabled for bucket A, you can still configure an ACL for object b that allows public access, either during its upload to bucket A or after the upload is complete, but that ACL grants no public access while the setting is enabled.
RestrictPublicBuckets | Enabling this setting will invalidate any bucket policy that contains public access. Afterward, only the bucket owner account and its IAM users can access the bucket and objects within.
Important Notes
- Before enabling Block Public Access, verify that your services can work correctly without public access.
- To block public access, your account must have the PutBucketPublicAccessBlock permission.
- If Block Public Access is enabled for a bucket, OBS returns all ACL rules on the bucket when you obtain the ACL of the bucket or any object it contains. For example, if IgnorePublicAcls is enabled for a bucket with an ACL that allows public access, obtaining the bucket's ACL will still show the ACL rule that allows public access.
- Enabling Block Public Access does not affect existing bucket policies or ACLs. Therefore, disabling the Block Public Access settings will make any bucket or object with a public bucket policy or ACL publicly accessible again.
- By default, Block Public Access (four settings in Table 2) is enabled for newly created buckets but disabled for newly created parallel file systems. Enabling it for parallel file systems may degrade performance. For existing buckets, Block Public Access is disabled by default and must be manually enabled if needed.
Constraints
- You can block public access only for buckets, not for accounts or specified objects.
- To ensure that Block Public Access can work appropriately, the total size of all bucket policies cannot exceed 20 KB, and the combined size of all ACLs and bucket policies cannot exceed 32 KB. If the size exceeds the upper limit, requests for setting bucket policies or bucket ACLs, querying the public status of buckets, and enabling Block Public Access may be denied, with error code 400 and message "Bucket policy and bucket acl is too large/complicated to perform block public access analysis" returned.
- Block Public Access is not available for mirroring-based back-to-source scenarios.
- During cross-region replication, if the destination bucket has the BlockPublicAcls setting, objects with public ACLs in the source bucket will fail to be replicated.
- To use Block Public Access, you must have the following permissions.

Table 3 Permissions required for using Block Public Access

Operation | Required Permissions
---|---
Configuring Block Public Access for a bucket | Bucket owner or a user with the PutBucketPublicAccessBlock permission
Obtaining the Block Public Access configuration of a bucket | Bucket owner or a user with the GetBucketPublicAccessBlock permission
Deleting the Block Public Access configuration of a bucket | Bucket owner or a user with the DeleteBucketPublicAccessBlock permission
Obtaining the public access status of a bucket policy | Bucket owner or a user with the GetBucketPolicyPublicStatus permission
Obtaining the public access status of a bucket | Bucket owner or a user with the GetBucketPublicStatus permission
Ways to Use Block Public Access
You can use OBS Console, SDKs, or APIs, to configure Block Public Access.