The differences between bucket policies, user policies, bucket ACLs, and object ACLs are as follows, which are further illustrated in Table 1:
allow. Bucket ACLs and object ACLs are based on ACLs ad therefore provide relatively lower permission control flexibility. They allow you to grant only basic read and write permissions.
Table 1. Differences between authorization methods
|Item||User policy||Bucket policy||Bucket ACL||Object ACL|
|Classification||User-based authorization||Resource-based authorization||Resource-based authorization||Resource-based authorization|
|Permission control flexibility||High flexibility||High flexibility||Low flexibility||Low flexibility|
|Console configuration||CAM console||COS console||COS console||COS console|
|Access control element||User||All CAM identities (sub-accounts, roles, etc.) management by the current account||Sub-accounts, root accounts, anonymous users||Sub-accounts, other root accounts, anonymous users||Sub-accounts, other root accounts, anonymous users|
|Sub-account Tencent Cloud services, roles, etc.|
|Before cross-account authorization, you need to add the target account as your collaborator.||Directly supports cross-account authorization.|
|Effect||Allow + Deny||Allow + Deny||Allow only||Allow only|
|Resource||All cloud resources, all COS buckets, specified buckets (prefixes, objects, etc.)||Specified buckets (prefixes, objects, etc.)||Entire bucket||Specified objects|
|Action||Every specific action||Every specific action (excluding bucket creation and bucket listing)||Simplified read and write permissions||Simplified read and write permissions|
|Condition||Supported||Supported||Not supported||Not supported|
The differences listed in Table 1 show the advantages and disadvantages of different authorization methods. You can choose an appropriate authorization method based on your own needs.
But whichever authorization method you choose, you are advised to maintain consistency as much as possible. Otherwise, with the increase of bucket policies, user policies, and ACLs, it will become increasingly difficult to maintain permissions.
Enabling anonymous access (Public Read) is highly risky due to hotlinking risks. In cases where Public Read is required, you can set hotlink protection to improve security.
Use ACLs if you only need to set some simple access permissions for buckets and objects or enable anonymous access. However, in most cases, you are advised to use bucket policies or user policies, which are more flexible. ACLs are recommended in scenarios where you want to:
Each account supports only 1,000 ACLs. If this upper limit is exceeded, select bucket policies or user policies instead.
If you want to specify what operations a user can perform, you are advised to configure user policy. You can search for a CAM user and check the permissions of the user's user groups to see what operations the user can perform. A user policy is recommended in scenarios where you want to:
If you want to specify which users can access a COS bucket, you are advised to configure a bucket policy. You can search for a bucket and check the bucket's policy to see who can access the bucket. A bucket policy is recommended in scenarios where you want to:
allow, which is not supported by ACL.