This topic describes the managed rules that are related to Object Storage Service (OSS) and the methods to fix non-compliance issues.
oss-bucket-public-read-prohibited
Checks whether public read access is prohibited for an OSS bucket of your account.
Trigger type: configuration change
Applicable resource type: ACS::OSS::Bucket
Input parameter: none
- OSS console
  - Log on to the OSS console.
  - In the left-side navigation pane, click Buckets.
  - On the Buckets page, find the OSS bucket and click the bucket name.
  - On the Overview page of the bucket, click Access Control.
  - In the Access Control List (ACL) section, set Bucket ACL to Private.
  - Click Save.
- API
  You can also call the PutBucketACL API operation. To change the access permissions on the OSS bucket, set the x-oss-acl parameter to private. For more information, see PutBucketACL.
oss-bucket-public-write-prohibited
Checks whether public write access is prohibited for an OSS bucket of your account.
Trigger type: configuration change
Applicable resource type: ACS::OSS::Bucket
Input parameter: none
- OSS console
  - Log on to the OSS console.
  - In the left-side navigation pane, click Buckets.
  - On the Buckets page, find the OSS bucket and click the bucket name.
  - On the Overview page of the bucket, click Access Control.
  - In the Access Control List (ACL) section, set Bucket ACL to Private or Public Read.
  - Click Save.
- API
  You can also call the PutBucketACL API operation. To change the access permissions on the OSS bucket, set the x-oss-acl parameter to private. For more information, see PutBucketACL.
oss-bucket-referer-limit
Checks whether hotlink protection is enabled for an OSS bucket of your account.
Trigger type: configuration change
Applicable resource type: ACS::OSS::Bucket
Input parameter: allowReferers. You can specify HTTP referers that are allowed to access the data in your OSS buckets. Separate multiple referers with commas (,).
- Case 1: You have specified the value of the input parameter, but a referer that is allowed to access an OSS bucket of your account is not included in the value. In addition, the Allow Empty Referer switch is turned on for hotlink protection of the OSS bucket.
  Solution:
  - Turn off the Allow Empty Referer switch for hotlink protection of the OSS bucket in the OSS console. For more information, see Configure hotlink protection.
  - Add all the referers that are allowed to access the OSS bucket to the value of the allowReferers parameter in the Cloud Config console. For more information, see Modify a rule.
- Case 2: You have specified the value of the input parameter, but a referer that is allowed to access an OSS bucket of your account is not included in the value. In addition, the Allow Empty Referer switch is turned off for hotlink protection of the OSS bucket.
  Solution:
  - View the referer whitelist for the OSS bucket in the OSS console. For more information, see Configure hotlink protection.
  - Add all the referers that are allowed to access the OSS bucket to the value of the allowReferers parameter in the Cloud Config console. For more information, see Modify a rule.
- Case 3: You have not specified the value of the input parameter, and the Allow Empty Referer switch is turned off for hotlink protection of an OSS bucket of your account.
  Solution: Turn on the Allow Empty Referer switch for hotlink protection of the OSS bucket in the OSS console. For more information, see Configure hotlink protection.
oss-bucket-server-side-encryption-enabled
Checks whether server-side encryption is enabled for an OSS bucket of your account.
Trigger type: configuration change
Applicable resource type: ACS::OSS::Bucket
Input parameter: none
Cause: Server-side encryption is not enabled for an OSS bucket of your account.
Solution: Set the method of server-side encryption of the OSS bucket to AES-256 or KMS. Cloud Config detects the configuration change and starts to re-evaluate the resource within 10 minutes.
For more information about how to enable server-side encryption for the OSS bucket in the OSS console, see Configure server-side encryption.
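The evaluation logic of the four managed rules above, written out as an added Python example so the compliance conditions can be checked offline against a bucket's settings. This is not Cloud Config's or the OSS SDK's own code; the Bucket dataclass, its field names and the "case 1/2/3" labels are assumptions that model the bucket ACL, hotlink-protection and server-side-encryption settings named on this page, and the referer rule follows the three cases exactly as described.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Bucket:
    """Hypothetical snapshot of the OSS bucket settings the four rules inspect."""
    name: str
    acl: str                      # bucket ACL: "private", "public-read" or "public-read-write"
    allow_empty_referer: bool     # the Allow Empty Referer switch in hotlink protection
    referer_whitelist: List[str]  # referers allowed to access the bucket
    sse: Optional[str] = None     # server-side encryption: "AES256", "KMS" or None (off)

def public_read_prohibited(b: Bucket) -> bool:
    # only the Private ACL passes
    return b.acl == "private"

def public_write_prohibited(b: Bucket) -> bool:
    # Private or Public Read pass; Public Read/Write fails
    return b.acl in ("private", "public-read")

def referer_limit(b: Bucket, allow_referers: str = "") -> Tuple[bool, Optional[str]]:
    """Return (compliant, case); allow_referers is the comma-separated input parameter ("" = unset)."""
    allowed = {r.strip() for r in allow_referers.split(",") if r.strip()}
    if allowed:
        # a whitelisted referer on the bucket that the rule parameter does not list
        missing = [r for r in b.referer_whitelist if r not in allowed]
        if missing and b.allow_empty_referer:
            return False, "case 1"
        if missing:
            return False, "case 2"
        return True, None
    if not b.allow_empty_referer:
        return False, "case 3"
    return True, None

def server_side_encryption_enabled(b: Bucket) -> bool:
    return b.sse in ("AES256", "KMS")

def evaluate(b: Bucket, allow_referers: str = "") -> dict:
    """Run all four managed rules and return rule name -> compliant."""
    return {
        "oss-bucket-public-read-prohibited": public_read_prohibited(b),
        "oss-bucket-public-write-prohibited": public_write_prohibited(b),
        "oss-bucket-referer-limit": referer_limit(b, allow_referers)[0],
        "oss-bucket-server-side-encryption-enabled": server_side_encryption_enabled(b),
    }
```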