oss-bucket-public-read-prohibited
Check whether your OSS bucket does not allow public read access. If an OSS bucket policy or bucket ACL allows the public read permission, the bucket is not compliant.
Trigger type: configuration change
Resource: ACS::OSS::Bucket
Request parameters: none
Troubleshooting: Check whether your OSS bucket does not allow public read access. If the ACL of the OSS bucket is set to public-read or public-read-write, this rule is not applicable. Set the OSS bucket ACL to private. Config detects your changes within 10 minutes and automatically starts the audit.
Console operation: log on to the OSS bucket console and choose bucket-basic settings to modify the bucket ACL.
API operation: you can call PutBucketACL to change the ACL of a Bucket to private.
oss-bucket-public-write-prohibited
Check whether the OSS bucket does not allow public write access. If an OSS bucket policy or bucket ACL allows the public write access permission, the bucket is not compliant.
Trigger type: configuration change
Resource: ACS:: OSS:: Bucket
Request parameters: none
Fix: Check whether your OSS bucket does not allow public write access. If the ACL of the OSS bucket is set to public, this rule is not applicable. Set the OSS bucket ACL to private or public-read. Config detects your changes within 10 minutes and automatically starts the audit.
Console operation: log on to the OSS bucket console and choose bucket-basic settings to modify the bucket ACL.
API operation: you can call PutBucketACL to modify the ACL of a Bucket by setting the ACL to private or public-read.
oss-bucket-referer-limit
Check whether the anti-Leech function is enabled for the OSS bucket.
Trigger type: configuration change
Resource: ACS::OSS::Bucket
Request parameters:
allowReferers
The allowed anti-Leech list. Separate multiple referers with commas (,).
Troubleshooting Guide:
Scenario 1: The threshold of the rule parameter is not empty. The anti-Leech Referer whitelist configured in the OSS bucket (the whitelist is not empty) is not enabled in the threshold list or anti-LeechEmpty Referer allowedWill cause the rule to be non-compliant.
Case 2: The anti-Leech protection function is disabled because the threshold of rule parameters is not empty.Empty Referer allowedIf the Referer whitelist configured for the OSS bucket is empty, the rules are not compliant.
Case 3: When the threshold of rule parameters is empty, anti-Leech is disabled.Empty Referer allowedWill cause the rule to be non-compliant.
Scenario 1:
Disable anti-LeechEmpty Referer allowedThe referer whitelist values are listed in the rule parameter threshold of allowReferers. Config detects your changes within 10 minutes and automatically starts the audit.
Scenario 2:
Set a referer whitelist and list all whitelist values in the rule parameter threshold of allowReferers. Config detects your changes within 10 minutes and automatically starts the audit.
Scenario 3:
Enable anti-LeechEmpty Referer allowed. Config detects your changes within 10 minutes and automatically starts the audit.
Console operation: Overview-basic settings-settings in anti-Leech
API operation: call PutBucketReferer to set the Referer access whitelist and whether to allow empty Referer fields.
oss-bucket-server-side-encryption-enabled
Check that default encryption is enabled for your OSS bucket.
Trigger type: configuration change
Resource: ACS::OSS::Bucket
Request parameters: none
Troubleshooting Guide:
Check whether encryption is enabled for the OSS bucket under your account. If encryption is not enabled, this rule is not compliant.
Set the server-side encryption of the OSS bucket to AES256 or KMS. Config detects your changes within 10 minutes and automatically starts the audit.
Console operation: log on to the OSS bucket console and choose bucket-basic settings to modify the server-side encryption mode of the bucket.
