OSS Security
Start course

This course is an introduction to the fundamental aspects of Alibaba’s Object Storage Service (OSS). It starts off by explaining the features and advantages of the service, before moving on to the concepts of OSS and security. You will then watch two demos that use real-life examples from the Alibaba Cloud platform to guide you through storage buckets and object operations.

If you have any feedback about this course, please contact us at

Learning Objectives

  • Become familiar with buckets, regions, objects, and object lifecycle management in OSS
  • Understand the advantages and billing models of OSS products
  • Learn about the management, use, and operation of OSS buckets and objects

Intended Audience

  • Those who are starting out on their journey into Alibaba Cloud and who want to learn more about OSS
  • Security engineers who secure and safeguard data within Alibaba
  • Beginners who want to get certified in Alibaba


To get the most from this course, you should already have some basic knowledge of cloud computing. If you would like to brush up on your cloud knowledge before taking this course, please consider taking our What is Cloud Computing? course.

A basic understanding of object storage would also be beneficial for this course. Please see our blog post on the topic here.


Hello. In this session, we will focus on the main security features of the Object Storage Service. There are three main ways to set security for protecting objects in OSS.

Number one: Access Control. You can use Access Control in the following ways. Access Control Lists or ACLs. With an Access Control List you can define the type of access allowed for a bucket, and the objects that reside within the bucket.

The following settings are available. Private: Only the owner or authorized users of the bucket can read and write files in the bucket. Public Read: Only the owner or authorized users of this bucket can write files in the bucket. Other users, including anonymous users, can only read files in the bucket. And Public Read\Write: Any users, including anonymous users, can read and write files in the bucket.

You can use Bucket Policy. This allows you to grant permission on all, or just Specific resources in a bucket to RAM users from your Alibaba Cloud account, other accounts, or anonymous accounts. Conditional access can also be set. You can select whether objects can be accessed by HTTP or HTTPS only. Every object in OSS is enabled with HTTPS access by default. This provides secure uploads and downloads via SSL-encrypted endpoints.

You can also set whitelist or blacklist IP addresses to further restrict access to bucket contents. Hotlink Protection. Hotlink Protection uses an HTTP Referer whitelist to prevent unauthorized users from accessing your data in OSS. The Referer Whitelist specifies the domains are allowed to access OSS resources.

Access Keys. An Access Key is composed of a Key Id and a Key Secret. They work in pairs to perform access identity verification. OSS verifies the identity of a request sender by using symmetric encryption. The Access Key Id is used to identify a user, and the Access Key Secret is used for the user to encrypt the signature and for OSS to verify the signature. In OSS, Access Keys are generated by the following three methods: The bucket owner applies for Access Keys. The bucket owner uses Resource Access Management to authorize a third party to apply for Access Keys. Or the bucket owner uses the Security Token Service to authorize a third party to apply for Access Keys.

The second method of security is Server-Side Encryption or SSE. OSS supports server-side encryption for uploaded data when enabled. When you upload data, OSS encrypts and stores the data. When you download data, OSS automatically decrypts the data and returns the original data to the user. The returned HTTP request header declares that the data has been encrypted on the server.

SSE can be implemented in one of two ways: The first is Key Management Services or KMS. This implements Server-Side Encryption with a Customer Master Key, CMK, which is stored in KMS. When uploading an object, you can use a CMK ID stored in KMS to encrypt and decrypt large amounts of data. This method is cost-effective because you do not need to send user data to the KMS server through networks for encryption and decryption. KMS requires activation before it can be used. And the second is Advanced Encryption Standard or AES256. This implements server-side encryption with OSS-managed keys. This encryption method is an attribute of objects.

In this method, OSS server-side encryption uses AES-256 to encrypt objects with different data keys. Master keys are used to encrypt data, and keys are rotated regularly. This method is suited to encrypt and decrypt multiple objects at the same time. And three: Identity Authentication using either Resource Access Management, RAM, or the Security Token Service, STS. We can use these features to make sure that we only grant privileges to specific users or temporary privileges to anonymous users.

The RAM Console. The resource access management console, manages user identities and permissions to access resources. You can manage users by configuring RAM policies. For users such as employees, systems, or applications, you can control which resources are accessible. RAM applies to scenarios where multiple users in an enterprise must collaboratively manage cloud resources. RAM allows you to grant RAM users the minimum permissions.

In this case, you do not need to share your Alibaba Cloud account and password. This method helps you minimize security risks. And the Security Token Service or STS. STS is a cloud service that provides short-term access control for Alibaba Cloud accounts, or RAM users. Through STS, you can issue an access credential with custom time limits and access rights to federated users. STS is implemented by command line, SDKs, or the RAM Console. That concludes this session on security.

About the Author

David has been a trainer with QA for over 12 years and has been training cloud technologies since 2017.  Currently certified in Microsoft and Alibaba cloud technologies David has previously been a system and Network administrator amongst other roles.    

Currently, he is a Principle Technology Learning Specialist (Cloud) at QA. He loves nothing more than teaching cloud-based courses and also has a passion for teaching PowerShell scripting.

Outside of work, his main love is flying Radio control airplanes, and teaching people to fly them.