Hello. In this session, we will focus on the main security features of the Object Storage Service. There are three main ways to set security for protecting objects in OSS.

Number one: Access Control. You can use Access Control in the following ways. Access Control Lists or ACLs. With an Access Control List you can define the type of access allowed for a bucket, and the objects that reside within the bucket.

The following settings are available. Private: Only the owner or authorized users of the bucket can read and write files in the bucket. Public Read: Only the owner or authorized users of this bucket can write files in the bucket. Other users, including anonymous users, can only read files in the bucket. And Public Read\Write: Any users, including anonymous users, can read and write files in the bucket.

You can use Bucket Policy. This allows you to grant permission on all, or just Specific resources in a bucket to RAM users from your Alibaba Cloud account, other accounts, or anonymous accounts. Conditional access can also be set. You can select whether objects can be accessed by HTTP or HTTPS only. Every object in OSS is enabled with HTTPS access by default. This provides secure uploads and downloads via SSL-encrypted endpoints.

You can also set whitelist or blacklist IP addresses to further restrict access to bucket contents. Hotlink Protection. Hotlink Protection uses an HTTP Referer whitelist to prevent unauthorized users from accessing your data in OSS. The Referer Whitelist specifies the domains are allowed to access OSS resources.

Access Keys. An Access Key is composed of a Key Id and a Key Secret. They work in pairs to perform access identity verification. OSS verifies the identity of a request sender by using symmetric encryption. The Access Key Id is used to identify a user, and the Access Key Secret is used for the user to encrypt the signature and for OSS to verify the signature. In OSS, Access Keys are generated by the following three methods: The bucket owner applies for Access Keys. The bucket owner uses Resource Access Management to authorize a third party to apply for Access Keys. Or the bucket owner uses the Security Token Service to authorize a third party to apply for Access Keys.

The second method of security is Server-Side Encryption or SSE. OSS supports server-side encryption for uploaded data when enabled. When you upload data, OSS encrypts and stores the data. When you download data, OSS automatically decrypts the data and returns the original data to the user. The returned HTTP request header declares that the data has been encrypted on the server.

SSE can be implemented in one of two ways: The first is Key Management Services or KMS. This implements Server-Side Encryption with a Customer Master Key, CMK, which is stored in KMS. When uploading an object, you can use a CMK ID stored in KMS to encrypt and decrypt large amounts of data. This method is cost-effective because you do not need to send user data to the KMS server through networks for encryption and decryption. KMS requires activation before it can be used. And the second is Advanced Encryption Standard or AES256. This implements server-side encryption with OSS-managed keys. This encryption method is an attribute of objects.

In this method, OSS server-side encryption uses AES-256 to encrypt objects with different data keys. Master keys are used to encrypt data, and keys are rotated regularly. This method is suited to encrypt and decrypt multiple objects at the same time. And three: Identity Authentication using either Resource Access Management, RAM, or the Security Token Service, STS. We can use these features to make sure that we only grant privileges to specific users or temporary privileges to anonymous users.

The RAM Console. The resource access management console, manages user identities and permissions to access resources. You can manage users by configuring RAM policies. For users such as employees, systems, or applications, you can control which resources are accessible. RAM applies to scenarios where multiple users in an enterprise must collaboratively manage cloud resources. RAM allows you to grant RAM users the minimum permissions.

In this case, you do not need to share your Alibaba Cloud account and password. This method helps you minimize security risks. And the Security Token Service or STS. STS is a cloud service that provides short-term access control for Alibaba Cloud accounts, or RAM users. Through STS, you can issue an access credential with custom time limits and access rights to federated users. STS is implemented by command line, SDKs, or the RAM Console. That concludes this session on security.