[Yandex Cloud documentation](../../index.md) > [Yandex Object Storage](../index.md) > Access management > Overview

# Access management methods in Object Storage: Overview

Object Storage uses various access management methods:
* [Yandex Identity and Access Management (IAM)](#iam)
* [Access control list (ACL)](#acl)
* [Bucket policy](#policy)
* [Public access](#anonymous)
* [Security Token Service](#sts)
* [Ephemeral access keys](#ephemeral-keys)
* [Pre-signed URLs](#pre-signed)
* [VPC service connections](#pe-vpc)

Also, enabled encryption may affect access to buckets and objects in Object Storage. For more information about working with encrypted buckets, see [Encryption in Object Storage](../concepts/encryption.md).

The flow chart below shows how these access management methods work together in Object Storage. {#scheme}

![access-scheme](../../_assets/storage/access-scheme.svg)

The checks follow this algorithm:

1. _IAM_ and _bucket ACL_:
    * If the request passes the _IAM_ **or** _bucket ACL_ check, it is checked whether the _bucket policy_ is configured.
    * If the request fails the _IAM_ **and** _bucket ACL_ checks, it is checked whether _public access_ to the bucket is enabled.
1. _Public access_:
    * If public access to perform the action is enabled, it is checked whether the _bucket policy_ is configured.
    * If public access to perform the action is denied, an access check based on the _object ACL_ is performed.
1. _Bucket policy_:
    * If the bucket policy is configured:
      1. If the request meets at least one of the `Deny` rules in the bucket policy, an access check based on the _object ACL_ is performed.
      1. If the request meets at least one of the `Allow` rules in the bucket policy, it is checked whether there is access via _Security Token Service_.
      1. If the request does not meet any of the bucket policy rules, an access check based on the _object ACL_ is performed.
    * If the bucket policy is not configured, it is checked whether there is access via _Security Token Service_.
1. _Security Token Service_:
    * If the request is made using Security Token Service:
      1. If the request meets at least one of the `Deny` rules in the policy for the temporary key, an access check based on the _object ACL_ is performed.
      1. If the request meets at least one of the `Allow` rules in the policy for the temporary key, access will be allowed.
      1. If the request does not meet any of the policy rules for the temporary key, an access check based on the _object ACL_ is performed.
    * If the request is made directly, access will be allowed.
1. _Object ACL_:
    * If the request passes the _object ACL_ check, access will be allowed.
    * If the request fails the _object ACL_ check, access will be denied.

## Identity and Access Management {#iam}

[Identity and Access Management](index.md) is the primary tool for managing access in Yandex Cloud using roles and [access policies](../../iam/concepts/access-control/access-policies.md). It enables the basic access control policy. For more details, see [Roles this service has](index.md#roles-list).

The access grantees include:
* Yandex account
* [Service account](../../iam/concepts/users/service-accounts.md)
* [Federated user](../../iam/concepts/users/accounts.md#saml-federation)
* [Local user](../../iam/concepts/users/accounts.md#local)
* [System group](../../iam/concepts/access-control/system-group.md)
* [Public group](../../iam/concepts/access-control/public-group.md)

Access is granted for a [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), or [bucket](../concepts/bucket.md).

## Access control list (ACL) {#acl}

An [access control list (ACL)](acl.md) is a list of action permissions stored directly in Object Storage. It enables the basic access control policy. ACL permissions for buckets and objects are different; see [Permission types](acl.md#permissions-types) for details.

{% note info %}

If you do not need to differentiate access to specific objects, we recommend using Identity and Access Management.

{% endnote %}

Access grantees: 
* Yandex account
* [Service account](../../iam/concepts/users/service-accounts.md)
* [Federated user](../../iam/concepts/users/accounts.md#saml-federation)
* [Local user](../../iam/concepts/users/accounts.md#local)
* [System group](../../iam/concepts/access-control/system-group.md)
* [Public group](../../iam/concepts/access-control/public-group.md)

Access is granted for a [bucket](../concepts/bucket.md) or [object](../concepts/object.md).

## Bucket policy {#policy}

A [bucket policy](policy.md) is a list of rules that prohibit or allow [actions](../s3/api-ref/policy/actions.md) when certain [conditions](../s3/api-ref/policy/conditions.md) are met. It allows you to granularly differentiate access to buckets, objects, and groups of objects.

Access grantees: 
* Yandex account
* [Service account](../../iam/concepts/users/service-accounts.md)
* [Federated user](../../iam/concepts/users/accounts.md#saml-federation)
* [Local user](../../iam/concepts/users/accounts.md#local)
* Anonymous user

Access is granted for a [bucket](../concepts/bucket.md), [object](../concepts/object.md), or a group of objects.

## Public access {#anonymous}

[Public access](public-access.md) defines access permissions for anonymous users to read objects, list of objects, and bucket settings.

Access is granted for a [bucket](../concepts/bucket.md).

{% note warning %}

Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.

{% endnote %}

## Security Token Service {#sts}

[Security Token Service](sts.md) is an Identity and Access Management component to get temporary access keys compatible with [AWS S3 API](../s3/index.md).

With temporary keys, you can set up granular access to buckets for multiple users with a single service account.

## Ephemeral access keys {#ephemeral-keys}

[Ephemeral access keys](ephemeral-keys.md) are temporary credentials for authenticating [Yandex accounts](../../iam/concepts/users/accounts.md#passport), [federated accounts](../../iam/concepts/users/accounts.md#saml-federation), [local users](../../iam/concepts/users/accounts.md#local), and [service accounts](../../iam/concepts/users/service-accounts.md).


## Pre-signed URLs {#pre-signed}

[Pre-signed URLs](pre-signed-urls.md) are a way of giving anonymous users temporary access to certain actions in Object Storage using URLs that contain request authorization data in their parameters.

Access is granted for a [bucket](../concepts/bucket.md) or [object](../concepts/object.md).

## VPC service connections {#pe-vpc}

To make Object Storage buckets accessible from VPC cloud networks directly, use a [VPC service connection](../../vpc/concepts/private-endpoint.md). With this connection, you can access Object Storage via VPC [internal IP addresses](../../vpc/concepts/address.md#internal-addresses) without any Internet access.

In Object Storage, you can configure your bucket so that it is only accessible via VPC service connections. The following mechanisms are provided:
* **Policy-level bucket access restriction**: Bucket can be accessed from VPC service connections with IDs specified in the policy. However, as the [flow chart](#scheme) shows, the bucket will still be accessible from the public network, e.g., though an object [ACL](#acl) or under another enabling rule in the policy. In addition, a bucket configured this way still supports [server-side copy](../operations/objects/copy.md), both from and to the bucket. For more information, see [Configure a bucket policy for access from service connections](../operations/buckets/access-via-vpc.md#setup-policy).
* **Service-level bucket access restriction**: Bucket can be accessed only from VPC service connections. Remember to specify particular names of connections. The bucket will not be accessible from the public network. There is a special option that enables bucket access via the [management console](https://console.yandex.cloud). For more information, see [Configure a restriction for access only from service connections](../operations/buckets/access-via-vpc.md#setup-service-restriction).

### Server-side copy {#server-side-copy}

For details on [server-side copy](../operations/objects/copy.md) in buckets with access restricted to VPC service connections, refer to this table:

Source bucket | Target bucket | Condition to initiate server-side copying^1^
--- | --- | ---
Access restricted to VPC service connections | Access restricted to VPC service connections | Request from a service connection listed as allowed for both buckets
Access restricted to VPC service connections | Access from a public network | Request from a service connection listed as allowed for the source bucket
Access from a public network | Access restricted to VPC service connections | Request from a service connection listed as allowed for the target bucket
Access from a public network | Access from a public network | Request from a public network or service connection

^1^ If the client has permissions to read from the source bucket and write to the target bucket.

## See also {#see-also}

* [Configuring access permissions for a bucket using Identity and Access Management](../operations/buckets/iam-access.md)
* [Editing a bucket ACL](../operations/buckets/edit-acl.md)
* [Editing an object ACL](../operations/objects/edit-acl.md)
* [Managing a bucket policy](../operations/buckets/policy.md)
* [Configuring public access to a bucket](../operations/buckets/bucket-availability.md)
* [Accessing a bucket using Security Token Service](../operations/buckets/create-sts-key.md)
* [Accessing a bucket using a service connection from Yandex Virtual Private Cloud](../operations/buckets/access-via-vpc.md)