How Can I Control Access to the Data on OBS?

You can use the following mechanisms to control access to the data on OBS:

  • AK and SK identity authentication

    A user's account provided by OBS contains an AK and an SK, which are used to authenticate the user's identity. When a client sends a request to OBS, the request header must contain a signature. The signature is generated from the SK, the request time, and the request type.

  • ACLs

    An ACL can restrict all users' or a specific user's permissions to access a single bucket or object. The permissions include read-only permission, write permission, and full control permission. By default, only the creator of a bucket can access the objects in the bucket. However, the creator can set other access policies, such as a public access policy, to assign read permission on an object to other users. OBS lets you set a bucket or object control policy while you are creating the bucket or uploading the object. If you do not set one at that time, you can obtain or modify the ACL for the bucket or object after creating or uploading it. ACLs are only used to grant permissions.

  • Bucket policies

    You can define rules on OBS resources to control the permissions of one or more users or accounts to access buckets or the objects in those buckets. For example, you can use a bucket policy to grant the write permission to a user or account when a request comes from an IP address or an IP address segment. A bucket policy can be used to both grant and deny permissions.
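
The interaction between a grant-only ACL and a grant-or-deny bucket policy with a source-IP condition, sketched as an added example (this is not OBS code and does not use the OBS policy syntax). The statement fields, principals and addresses are constructed, and the rule that an explicit deny overrides any grant is an assumption of this model.

```python
import ipaddress

# Constructed, simplified statements; the field names are hypothetical.
POLICY = [
    # Grant write to user-a only for requests from one IP address segment.
    {"effect": "Allow", "principal": "user-a", "action": "write",
     "source_ip": "203.0.113.0/24"},
    # Deny write to everyone from a single address inside that segment.
    {"effect": "Deny", "principal": "*", "action": "write",
     "source_ip": "203.0.113.66/32"},
]

# ACL entries can only grant, so they carry no effect field.
ACL = [("owner", "full_control"), ("user-b", "read")]


def _matches(stmt, principal, action, addr):
    """True when the statement applies to this principal, action and source IP."""
    if stmt["principal"] not in ("*", principal):
        return False
    if stmt["action"] != action:
        return False
    net = stmt.get("source_ip")
    return net is None or addr in ipaddress.ip_network(net)


def acl_allows(acl, principal, action):
    """Grant-only check: full_control implies every other permission."""
    granted = {perm for grantee, perm in acl if grantee in ("*", principal)}
    return "full_control" in granted or action in granted


def is_allowed(principal, action, source_ip, policy=POLICY, acl=ACL):
    """Evaluate policy first (deny wins, by assumption), then fall back to the ACL."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # fail closed on a malformed source address
    effects = [s["effect"] for s in policy
               if _matches(s, principal, action, addr)]
    if "Deny" in effects:
        return False
    if "Allow" in effects:
        return True
    return acl_allows(acl, principal, action)
```
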