
Overview

Scenarios

You can configure both a VPC endpoint policy and a bucket policy to enable VPC-level access control over OBS resources.

A VPC endpoint policy defines which OBS resources the servers (ECS, CCE nodes, and so on) in a VPC can reach through the endpoint, while a bucket policy specifies which OBS buckets and objects can be accessed by requests arriving from a given VPC endpoint. Used together, the two policies enforce access control at both ends of a request: the endpoint policy on the request source and the bucket policy on the requested resource, so a request must be permitted by both to succeed.

Context

VPC endpoint access control follows the principle of least privilege: if a VPC endpoint policy contains no Allow statement that explicitly matches a request, the request is denied by default. When you purchase a VPC endpoint, the system assigns it a default policy. That default policy grants full access to OBS, so replace it with a policy scoped to the buckets and actions your workloads actually need. You can modify the default policy when creating the VPC endpoint or adjust the policy after the endpoint is created. For the syntax of a VPC endpoint policy, see the Statement parameter in IAM Policies.

Note
  • VPC endpoint policies differ from IAM policies in that VPC endpoint policies do not support the Condition element.
  • The VPC endpoint service name used for OBS access control with both VPC endpoint and bucket policies is ru.sbercloud.hc.ru-moscow-1.obs-internet or ru.sbercloud.hc.ru-moscow-1.obs.
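The following is an added example, not code or policy text from the OBS documentation. It models the two-sided check described under Scenarios (a request must satisfy both the VPC endpoint policy and the bucket policy) together with the default-deny rule from Context and the absence of a Condition element in endpoint policies noted above. The policy documents are written in the shape you would paste into the console, but the action names, the resource URN layout, the SourceVpce condition key, support for StringNotEquals, and every identifier (region, account, endpoint IDs, bucket name) are assumptions chosen for illustration; the evaluator ignores Principal and implements only the usual IAM ordering (explicit Deny, then matching Allow, then implicit Deny).

```python
"""Model of VPC endpoint policy + bucket policy evaluation (added example).

Action names, URN layout, the SourceVpce condition key and all identifiers
are assumptions for illustration, not values from the documentation.
"""
import fnmatch
from dataclasses import dataclass
from typing import Optional

REGION = "ru-moscow-1"
ACCOUNT = "0a1b2c3d4e5f"            # constructed account ID
VPCE_ID = "vpce-11111111"           # the endpoint that may reach the bucket (constructed)
OTHER_VPCE_ID = "vpce-22222222"     # an endpoint in some other VPC (constructed)

# Default policy assigned when an endpoint is purchased: full access to OBS.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["obs:*:*"], "Resource": ["*"]}],
}

# Least-privilege endpoint policy: servers in the VPC may only list and read one
# bucket. Endpoint policies carry no Condition element.
ENDPOINT_POLICY = {
    "Version": "1.1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["obs:bucket:ListBucket", "obs:object:GetObject"],
        "Resource": ["obs:*:*:bucket:finance-data", "obs:*:*:object:finance-data/*"],
    }],
}

# Bucket policy: allow requests arriving through VPCE_ID and explicitly deny every
# other path. An Allow alone does not block requests from other VPCs or the
# Internet (those fall through to IAM/ACL), so the Deny carries the restriction.
BUCKET_POLICY = {
    "Statement": [
        {
            "Sid": "AllowViaEndpoint", "Effect": "Allow", "Principal": {"ID": ["*"]},
            "Action": ["ListBucket", "GetObject", "PutObject"],
            "Resource": ["finance-data", "finance-data/*"],
            "Condition": {"StringEquals": {"SourceVpce": [VPCE_ID]}},
        },
        {
            "Sid": "DenyOtherPaths", "Effect": "Deny", "Principal": {"ID": ["*"]},
            "Action": ["*"], "Resource": ["finance-data", "finance-data/*"],
            "Condition": {"StringNotEquals": {"SourceVpce": [VPCE_ID]}},
        },
    ]
}


@dataclass
class Request:
    op: str                            # OBS operation, e.g. "GetObject", "ListBucket"
    bucket: str
    key: Optional[str] = None          # None for bucket-level operations
    source_vpce: Optional[str] = None  # endpoint the request came through; None = Internet


def _match_any(value: str, patterns) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _conditions_hold(stmt: dict, context: dict) -> bool:
    """Only the two string operators used above are modelled; anything else is rejected."""
    for operator, keys in stmt.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, expected in keys.items():
            present = context.get(key) in expected
            if (operator == "StringEquals") != present:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> bool:
    """IAM-style evaluation: explicit Deny > matching Allow > implicit Deny.
    Principal is not modelled (every caller is treated as matching "*")."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_match_any(action, stmt["Action"])
                and _match_any(resource, stmt["Resource"])
                and _conditions_hold(stmt, context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def request_allowed(req: Request, endpoint_policy: dict, bucket_policy: dict) -> bool:
    """Both sides must allow. endpoint_policy is the policy of the endpoint the
    request actually traverses; it is skipped for requests that use no endpoint."""
    context = {"SourceVpce": req.source_vpce}
    # Bucket-policy view of the request (bare action name, "bucket" or "bucket/key").
    bp_resource = req.bucket if req.key is None else f"{req.bucket}/{req.key}"
    if not evaluate(bucket_policy, req.op, bp_resource, context):
        return False
    if req.source_vpce is None:
        return True  # no endpoint in the path, so only the bucket policy applied here
    # Endpoint-policy view of the same request (prefixed action, URN-style resource).
    if req.key is None:
        ep_action, ep_resource = f"obs:bucket:{req.op}", f"obs:{REGION}:{ACCOUNT}:bucket:{req.bucket}"
    else:
        ep_action, ep_resource = f"obs:object:{req.op}", f"obs:{REGION}:{ACCOUNT}:object:{req.bucket}/{req.key}"
    return evaluate(endpoint_policy, ep_action, ep_resource, context)


if __name__ == "__main__":
    obj = ("finance-data", "reports/q1.csv")
    print("GET via allowed endpoint:   ", request_allowed(Request("GetObject", *obj, VPCE_ID), ENDPOINT_POLICY, BUCKET_POLICY))
    print("PUT via allowed endpoint:   ", request_allowed(Request("PutObject", *obj, VPCE_ID), ENDPOINT_POLICY, BUCKET_POLICY))
    print("GET via other VPC (default):", request_allowed(Request("GetObject", *obj, OTHER_VPCE_ID), DEFAULT_ENDPOINT_POLICY, BUCKET_POLICY))
    print("GET from the Internet:      ", request_allowed(Request("GetObject", *obj), ENDPOINT_POLICY, BUCKET_POLICY))
```

The PUT case fails on the endpoint side even though the bucket policy would permit it, which is the default-deny rule in action: no matching Allow, so the request is refused. The other-VPC case fails on the bucket side even though that VPC's endpoint still carries the full-access default policy, which is why the bucket policy needs the explicit Deny rather than relying on the Allow alone.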