This topic describes the managed rules that are related to Object Storage Service (OSS) and the rectification methods for non-compliant OSS buckets.

Rule name: oss-bucket-public-read-prohibited

Checks whether public read access is prohibited for an OSS bucket under your account. The rule considers an OSS bucket under your account as non-compliant if the access control list (ACL) of the bucket allows public read access.

Trigger type: configuration change

Applicable resource type: ACS::OSS::Bucket

Input parameter: none

Non-compliance description: The ACL of an OSS bucket under your account allows public read access or public read/write access.

Rectification method: Set the ACL permission of the OSS bucket to private. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes. You can rectify resource non-compliance in the OSS console or by calling the PutBucketACL operation.
  • To set the ACL permission of the OSS bucket in the OSS console, perform the following steps:
    • Log on to the OSS console.
    • In the left-side navigation pane, click Buckets.
    • On the Buckets page, find the target OSS bucket and click the bucket name.
    • On the bucket details page that appears, click Configure for Access Control List (ACL) in the Basic Settings section.
    • On the page that appears, set Bucket ACL to Private.
    • Click Save.
  • You can also call the PutBucketACL operation and set x-oss-acl to private to change the bucket ACL. For more information, see PutBucketACL.

Rule name: oss-bucket-public-write-prohibited

Checks whether public write access is prohibited for an OSS bucket under your account. The rule considers an OSS bucket under your account as non-compliant if the bucket ACL allows public write access.

Trigger type: configuration change

Applicable resource type: ACS::OSS::Bucket

Input parameter: none

Non-compliance description: Public write access is allowed for an OSS bucket under your account, that is, the ACL of the bucket allows public read/write access.

Rectification method: Set the ACL permission of the OSS bucket to private or public read. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes. You can rectify resource non-compliance in the OSS console or by calling the PutBucketACL operation.
  • To set the ACL permission of the OSS bucket in the OSS console, perform the following steps:
    • Log on to the OSS console.
    • In the left-side navigation pane, click Buckets.
    • On the Buckets page, find the target OSS bucket and click the bucket name.
    • On the bucket details page that appears, click Configure for Access Control List (ACL) in the Basic Settings section.
    • On the page that appears, set Bucket ACL to Private or Public Read.
    • Click Save.
  • You can also call the PutBucketACL operation and set x-oss-acl to private or public-read to change the bucket ACL. For more information, see PutBucketACL.
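The two ACL rules above differ only in which x-oss-acl values they accept. The following added example, which is not Alibaba Cloud's code, models both evaluations offline over a constructed bucket inventory and derives the PutBucketACL header that would rectify each finding. The ACL strings are the real x-oss-acl values; fetching live ACLs from OSS (for example through an SDK call) is assumed and not shown.

```python
"""Offline model of the oss-bucket-public-read-prohibited and
oss-bucket-public-write-prohibited checks.

Added example, not Alibaba Cloud's code. The ACL strings are the values
PutBucketACL accepts in x-oss-acl; the bucket inventory is constructed
sample data. Fetching live ACLs from OSS is assumed, not shown.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Values accepted by PutBucketACL in the x-oss-acl header.
ACL_PRIVATE = "private"
ACL_PUBLIC_READ = "public-read"
ACL_PUBLIC_READ_WRITE = "public-read-write"
KNOWN_ACLS = frozenset({ACL_PRIVATE, ACL_PUBLIC_READ, ACL_PUBLIC_READ_WRITE})

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


@dataclass(frozen=True)
class Finding:
    bucket: str
    rule: str
    status: str
    current_acl: str
    # ACL to send in x-oss-acl to rectify; None when already compliant.
    target_acl: Optional[str]

    def rectify_headers(self) -> Dict[str, str]:
        """Header for the PutBucketACL call that fixes this finding."""
        return {} if self.target_acl is None else {"x-oss-acl": self.target_acl}


def _require_known(acl: str) -> None:
    # Fail closed: never report an ACL string we do not understand as compliant.
    if acl not in KNOWN_ACLS:
        raise ValueError(f"unknown bucket ACL value: {acl!r}")


def eval_public_read_prohibited(bucket: str, acl: str) -> Finding:
    """Compliant only for 'private': both public-read and public-read-write
    let anonymous callers read objects."""
    _require_known(acl)
    ok = acl == ACL_PRIVATE
    return Finding(bucket, "oss-bucket-public-read-prohibited",
                   COMPLIANT if ok else NON_COMPLIANT, acl,
                   None if ok else ACL_PRIVATE)


def eval_public_write_prohibited(bucket: str, acl: str) -> Finding:
    """Compliant for 'private' and 'public-read'; only public-read-write
    grants anonymous write. The rule accepts either value as a fix; this
    model proposes 'private', the least privileged of the two."""
    _require_known(acl)
    ok = acl != ACL_PUBLIC_READ_WRITE
    return Finding(bucket, "oss-bucket-public-write-prohibited",
                   COMPLIANT if ok else NON_COMPLIANT, acl,
                   None if ok else ACL_PRIVATE)


def evaluate_inventory(inventory: Dict[str, str]) -> List[Finding]:
    """Run both rules over a {bucket_name: acl} mapping."""
    findings = []
    for name, acl in sorted(inventory.items()):
        findings.append(eval_public_read_prohibited(name, acl))
        findings.append(eval_public_write_prohibited(name, acl))
    return findings


# Constructed sample inventory (not real buckets).
SAMPLE_INVENTORY = {
    "app-logs": ACL_PRIVATE,
    "static-site": ACL_PUBLIC_READ,
    "upload-dropbox": ACL_PUBLIC_READ_WRITE,
}

if __name__ == "__main__":
    for f in evaluate_inventory(SAMPLE_INVENTORY):
        fix = f"set {f.rectify_headers()}" if f.target_acl else "no action"
        print(f"{f.bucket:15} {f.rule:36} {f.status:14} {fix}")
```

The model fails closed on an ACL string it does not recognise rather than treating it as compliant, and for the write rule it proposes private rather than public-read, so that a single rectification also satisfies the read rule.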

Rule name: oss-bucket-referer-limit

Checks whether hotlink protection is enabled for an OSS bucket under your account.

Trigger type: configuration change

Applicable resource type: ACS::OSS::Bucket

Input parameter: allowReferers. It specifies HTTP referers that are allowed to access the data in your OSS buckets. Separate multiple referers with commas (,).

Non-compliance description:
  • Case 1: You have assigned a value to the input parameter, but a referer in the whitelist of an OSS bucket under your account is not included in that value, or the Allow Empty Referer switch is turned on for hotlink protection of the OSS bucket. Rectification method for case 1:
    1. Turn off the Allow Empty Referer switch for hotlink protection of the OSS bucket in the OSS console.

      For more information, see Configure hotlink protection.

    2. Add all the referers that are allowed to access the OSS bucket to the value of the input parameter allowReferers in the Cloud Config console.

      For more information, see Modify a rule.

  • Case 2: You have assigned a value to the input parameter and the Allow Empty Referer switch is turned off for hotlink protection of an OSS bucket under your account, but the referer whitelist of the OSS bucket is not specified. Rectification method for case 2:
    1. View the referer whitelist for the OSS bucket in the OSS console.

      For more information, see Configure hotlink protection.

    2. Add all the referers specified in the whitelist to the value of the input parameter allowReferers in the Cloud Config console.

      For more information, see Modify a rule.

  • Case 3: You have not assigned a value to the input parameter and the Allow Empty Referer switch is turned off for hotlink protection of an OSS bucket under your account. Rectification method for case 3:

    Turn on the Allow Empty Referer switch for hotlink protection of the OSS bucket in the OSS console. For more information, see Configure hotlink protection.
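The three cases above form a small decision procedure over the rule parameter and the bucket's hotlink protection settings. The following added example, which is not Alibaba Cloud's code, implements that procedure offline and returns the case number and the rectification from the text. RefererConfig is an assumed stand-in for a bucket's Allow Empty Referer switch and referer whitelist, and every referer URL in it is a constructed sample value.

```python
"""Offline model of the oss-bucket-referer-limit evaluation, following the
three non-compliance cases in the text.

Added example, not Alibaba Cloud's code. RefererConfig is an assumed
stand-in for a bucket's hotlink protection settings; all referer URLs are
constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

# Rectification per case, condensed from the steps in the text.
ACTIONS = {
    1: "Turn off Allow Empty Referer; add every whitelisted referer to allowReferers.",
    2: "Copy the bucket's referer whitelist into allowReferers.",
    3: "Turn on Allow Empty Referer for the bucket.",
}


@dataclass
class RefererConfig:
    """Hotlink protection settings of one bucket (assumed shape)."""
    allow_empty_referer: bool
    referers: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    status: str
    case: Optional[int]    # 1, 2 or 3 as in the text; None when compliant
    action: Optional[str]


def parse_allow_referers(value: Optional[str]) -> Set[str]:
    """Split the comma-separated allowReferers parameter. An unset or blank
    parameter yields an empty set, which the rule treats as 'not assigned'."""
    if not value:
        return set()
    return {part.strip() for part in value.split(",") if part.strip()}


def evaluate_referer_limit(cfg: RefererConfig, allow_referers: Optional[str]) -> Finding:
    allowed = parse_allow_referers(allow_referers)
    whitelist = set(cfg.referers)

    if allowed:
        # Case 1: the bucket admits a referer the parameter does not list,
        # or accepts requests that carry no Referer header at all.
        if cfg.allow_empty_referer or not whitelist <= allowed:
            return Finding(NON_COMPLIANT, 1, ACTIONS[1])
        # Case 2: parameter set and empty referers denied, but the bucket
        # has no whitelist to compare against.
        if not whitelist:
            return Finding(NON_COMPLIANT, 2, ACTIONS[2])
        return Finding(COMPLIANT, None, None)

    # Case 3: no parameter assigned, yet the bucket rejects empty referers.
    if not cfg.allow_empty_referer:
        return Finding(NON_COMPLIANT, 3, ACTIONS[3])
    return Finding(COMPLIANT, None, None)


if __name__ == "__main__":
    param = "https://www.example.com, https://cdn.example.com"
    samples = {
        "ok": RefererConfig(False, ["https://www.example.com"]),
        "empty-referer-on": RefererConfig(True, ["https://www.example.com"]),
        "unlisted-referer": RefererConfig(False, ["https://other.example.net"]),
        "no-whitelist": RefererConfig(False, []),
    }
    for name, cfg in samples.items():
        f = evaluate_referer_limit(cfg, param)
        print(f"{name:18} {f.status:14} case={f.case} {f.action or ''}")
    unset = evaluate_referer_limit(RefererConfig(False, []), None)
    print(f"{'unset-parameter':18} {unset.status:14} case={unset.case} {unset.action}")
```

Whitelist entries are compared as literal strings here; OSS wildcard patterns in a whitelist would need pattern-aware matching, which this model deliberately does not attempt.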

Rule name: oss-bucket-server-side-encryption-enabled

Checks whether server-side encryption is enabled for an OSS bucket under your account.

Trigger type: configuration change

Applicable resource type: ACS::OSS::Bucket

Input parameter: none

Non-compliance description: Server-side encryption is not enabled for an OSS bucket under your account.

Rectification method: Set the server-side encryption method of the OSS bucket to AES-256 or KMS. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.

For more information about how to enable server-side encryption for the OSS bucket in the OSS console, see Configure server-side encryption.