---
Title: Configure security
URL Source: https://company-skill.com/p/oss/oss-configure-security
Language: en
Description: You want to restrict or control who can access your OSS bucket and its objects—whether by blocking public access entirely, preventing unauthorized hotlinking (leeching), or defining fine-grained…
---

# Configure security

Part of **Object Storage Service (OSS)**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You want to restrict or control who can access your OSS bucket and its objects—whether by blocking public access entirely, preventing unauthorized hotlinking (leeching), or defining fine-grained access through access points tied to VPCs or FunctionCompute.

**Typical User Questions**:
- How to secure my OSS bucket from public access?

- Can I block public access via console?

## Decision Tree

Pick the best path for your situation:

- **If** you need to define programmatic access policies using `AccessPointArn`, `NetworkOrigin`, or integrate with `FunctionCompute` via `Object FC Access Point` → Use API (go to *oss/oss-access-control*)
- **If** you are managing **multiple buckets** via shell scripts and need to run commands like `ossutil api create-access-point` or `delete-bucket-public-access-block` → Use CLI (go to *oss/oss-access*)
- **If** you only need to enable **hotlink protection (referer-based)** or **one-click public access blocking** without code → Use the Console / Dashboard (go to *oss/oss-network_security* or *oss/oss-storage-guide*)
- **Otherwise (default)** → Start with the **Console / Dashboard** one-click public access block; it is the safest way to prevent accidental public exposure during bucket creation or management.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | Programmatic access point policies, VPC and FunctionCompute integration | high | Yes | Yes | Uses `OSS4-HMAC-SHA256` signature auth; supports `x-oss-access-point-name` header | `oss/api/oss-access-control` |
| CLI | Scripting security settings across many buckets | medium | No | Yes | Requires `OSS_ACCESS_KEY_ID`; supports `put-access-point-policy` and `bucket-cname` | `oss/cli/oss-access` |
| Console / Dashboard | Referer-based hotlink protection without code | low | No | No | GUI-only hotlink (referer) protection | `oss/guide/oss-network-security` |
| Console / Dashboard | One-click public access blocking | low | No | No | One-click toggle for `PublicAccessBlockConfiguration.BlockPublicAccess` | `oss/guide/oss-storage` |

## Path Details

### Path 1: API

**Brief Description**: This approach uses synchronous REST endpoints like `CreateAccessPoint` and `PutAccessPointConfigForObjectProcess`, authenticated via `OSS4-HMAC-SHA256`. You can specify headers such as `x-oss-access-point-name` and configure `Object FC Access Point` for integration with FunctionCompute.

**Key technical facts**:
- Billing: Per-request billing model at ¥0.0001 per request; data operations through access points billed separately according to standard OSS pricing
- Auth method: OSS4-HMAC-SHA256 signature-based authorization with AccessKey ID and Secret in Authorization header
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing, cn-qingdao
- Prerequisites: ALIBABA_CLOUD_ACCESS_KEY_ID environment variable, ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variable, NTP-synchronized system time for signature validation
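As an added illustration of the Path 1 auth model (not code from this page or from Alibaba Cloud's SDK): a minimal `OSS4-HMAC-SHA256` request signer plus the clock-skew check that the NTP prerequisite exists for. The canonical-request layout, the key-derivation chain and the 15-minute skew window are assumptions from the author's reading of the OSS V4 signing spec; the credentials, bucket and access point name are placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import quote
ALGO = "OSS4-HMAC-SHA256"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str) -> bytes:
    # Assumed derivation chain: "aliyun_v4"+SK -> date -> region -> "oss" -> "aliyun_v4_request".
    # The raw secret never leaves this function; only the derived per-day key signs requests.
    k = _hmac(("aliyun_v4" + secret).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, "oss")
    return _hmac(k, "aliyun_v4_request")

def canonical_request(method: str, bucket: str, key: str, query: str, headers: dict) -> str:
    # Assumed layout: verb, /bucket/key, query, sorted lowercase signed headers, additional headers, payload hash.
    h = {k.lower().strip(): v.strip() for k, v in headers.items()}
    signed = sorted(n for n in h if n.startswith("x-oss-") or n in ("content-md5", "content-type", "host"))
    canon_headers = "".join(f"{n}:{h[n]}\n" for n in signed)
    payload = h.get("x-oss-content-sha256", "UNSIGNED-PAYLOAD")
    return "\n".join([method, f"/{bucket}/{quote(key, safe='/')}", query, canon_headers, "host", payload])

def authorization(ak: str, sk: str, region: str, method: str, bucket: str, key: str,
                  query: str, headers: dict) -> str:
    ts = headers["x-oss-date"]  # e.g. 20231203T121212Z; must come from an NTP-synced clock
    scope = f"{ts[:8]}/{region}/oss/aliyun_v4_request"
    creq = canonical_request(method, bucket, key, query, headers)
    string_to_sign = "\n".join([ALGO, ts, scope, hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    sig = hmac.new(signing_key(sk, ts[:8], region), string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{ALGO} Credential={ak}/{scope},AdditionalHeaders=host,Signature={sig}"

def within_skew(x_oss_date: str, now: str, max_minutes: int = 15) -> bool:
    # Server-side rule behind the NTP prerequisite: a request whose x-oss-date drifts too far
    # from true time is rejected even if the signature is valid. The 15-minute window is assumed.
    fmt = "%Y%m%dT%H%M%SZ"
    return abs(datetime.strptime(now, fmt) - datetime.strptime(x_oss_date, fmt)) <= timedelta(minutes=max_minutes)

# Constructed sample: a CreateAccessPoint-style PUT /?accessPoint carrying the
# x-oss-access-point-name header named on the page. All values are placeholders.
SAMPLE_HEADERS = {
    "host": "examplebucket.oss-cn-hangzhou.aliyuncs.com",
    "x-oss-date": "20231203T121212Z",
    "x-oss-content-sha256": "UNSIGNED-PAYLOAD",
    "x-oss-access-point-name": "ap-placeholder",
    "content-type": "application/xml",
}

def sample_authorization(headers: dict = SAMPLE_HEADERS) -> str:
    return authorization("AKID_PLACEHOLDER", "SK_PLACEHOLDER", "cn-hangzhou",
                         "PUT", "examplebucket", "", "accessPoint", headers)
```

Any signed header, including `x-oss-access-point-name`, is bound into the signature, so tampering with it in transit invalidates the request.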

**When to Use**:
- Need programmatic integration into custom applications or automation pipelines
- Require fine-grained control over access point configurations including VPC settings and Function Compute integration
- Building infrastructure-as-code solutions that require direct API calls

**When NOT to Use**:
- Prefer command-line tools over implementing raw HTTP requests
- Need quick configuration without writing code
- Managing simple public access blocking without complex policy requirements

**Known Limitations**:
- Requires manual implementation of request signing with OSS4-HMAC-SHA256 algorithm
- Limited to 1,000 access points per account and 100 per bucket
- QPS limits between 10-100 requests per second depending on operation type
- Access point names must be 3-19 characters with specific character constraints (lowercase letters, digits, hyphens)

### Path 2: CLI

**Brief Description**: The `ossutil` CLI provides terminal commands like `create-access-point`, `put-access-point-policy`, and `delete-bucket-public-access-block`. It supports JSON/XML policy files and `bucket-cname` configuration using a `CNAME token`.

**Key technical facts**:
- Auth method: Environment variables (`OSS_ACCESS_KEY_ID`, `OSS_ACCESS_KEY_SECRET`) or config file (`~/.ossutilconfig`)
- Prerequisites: `ossutil` binary installed and in system PATH, `OSS_ENDPOINT` configured for the target region

**When to Use**:
- Managing multiple buckets' security policies through shell scripts
- Automating access point creation and policy attachment in CI/CD pipelines
- Need structured output formats (JSON/YAML) for programmatic processing
- Configuring custom domain CNAME records with SSL certificates

**When NOT to Use**:
- Prefer graphical interface over command-line tools
- One-time configuration without need for scripting or automation
- Users unfamiliar with terminal commands or JSON policy syntax

**Known Limitations**:
- Limited to 1,000 access points per account and 100 per bucket
- CNAME configuration limited to 100 custom domains per bucket
- Requires proper RAM permissions (e.g., `oss:CreateAccessPoint`, `oss:PutAccessPointPolicy`) to avoid 403 errors
- Configuration files must follow specific JSON/XML formats for access point policies

### Path 3: Console / Dashboard

**Brief Description**: The OSS Console offers a graphical interface to configure hotlink protection (referer-based access control). No code, CLI, or credentials beyond console login are needed.

**Key technical facts**:  
*(No technical facts provided in research — functionality is UI-only and not parameterized in fact cards)*

**When to Use**:  
- When you only need basic hotlink (leeching) protection
- You lack CLI/API access or prefer point-and-click

**When NOT to Use**:  
- You need access points, VPC restrictions, or automation
- You require policy-based controls beyond referer lists

**Known Limitations**:  
- Does not support access points, `Object FC Access Point`, or `PublicAccessBlockConfiguration.BlockPublicAccess`
- Cannot be scripted or integrated into pipelines

### Path 4: Console / Dashboard

**Brief Description**: The OSS Console includes a one-click toggle to enable `PublicAccessBlockConfiguration.BlockPublicAccess`, preventing any object in the bucket from being publicly accessible, even if ACLs or policies would otherwise allow it.

**Key technical facts**:  
*(No technical facts provided — this is a console-native safety feature)*

**When to Use**:  
- During bucket creation to enforce least-privilege by default
- As a safety net to override accidental public ACLs or policy grants

**When NOT to Use**:  
- You need granular access control (e.g., per-prefix or time-bound)
- You require programmatic enforcement across many buckets

**Known Limitations**:  
- Only blocks public access; does not support hotlink protection, access points, or CNAMEs
- Not automatable or scriptable

## FAQ

Q: Which path should I start with?
A: If you're unsure, start with the **Console / Dashboard** one-click public access block (Path 4): it prevents accidental public exposure with one click and requires no setup. Only move to API/CLI if you need automation or advanced features like access points.

Q: What if I need to integrate OSS access with FunctionCompute but used the console?
A: You’ll hit a dead end—the console paths do not support `Object FC Access Point` or `PutAccessPointConfigForObjectProcess`. You must use the API or CLI path.

Q: What if I try to manage 50 buckets’ security via the console but chose the GUI path?
A: You’ll face repetitive manual work with no scripting option. The CLI path (`ossutil`) is designed for bulk operations like `delete-bucket-public-access-block` across many buckets.

Q: Can I use `ossutil` without setting `OSS_ACCESS_KEY_ID`?
A: No—you’ll get authentication errors. Unlike the console (which uses SSO), `ossutil` requires explicit credentials via env vars or config file.

Q: Does the API path support all regions?
A: No—it’s only available in `cn-hangzhou`, `cn-shanghai`, `cn-beijing`, and `cn-qingdao`. If your bucket is in another region, you cannot use access points via API.

Q: What happens if I exceed 100 access points per bucket in the API or CLI path?
A: Requests like `create-access-point` will fail with quota errors. Both paths share the same backend limit of 100 access points per bucket.

Q: Can I configure CNAME with SSL using the console?
A: The console does not expose `bucket-cname` or `CNAME token` functionality—this is only available via `ossutil` CLI.

## Related queries

configure bucket security, set OSS bucket permissions, secure OSS bucket from public access, block public access OSS, OSS hotlink protection, prevent OSS hotlinking, OSS anti-leech, OSS referer policy, OSS access point setup, manage OSS access points, CLI for OSS security, ossutil security config, c

---
Part of [Object Storage Service (OSS)](https://company-skill.com/p/oss.md) · https://company-skill.com/llms.txt
