oss-bucket-public-read-prohibited

Check whether your OSS bucket does not allow public read access. If an OSS bucket policy or bucket ACL allows the public read permission, the bucket is not compliant.

Trigger type: configuration change

Resource: ACS::OSS::Bucket

Request parameters: none

Troubleshooting: Check whether your OSS bucket does not allow public read access. If the ACL of the OSS bucket is set to public-read or public-read-write, the bucket is not compliant. Set the OSS bucket ACL to private. Config detects your changes within 10 minutes and automatically starts the audit.

Console operation: log on to the OSS console, open the bucket, and choose Basic Settings to modify the bucket ACL.


API operation: you can call PutBucketACL to change the ACL of a Bucket to private.

oss-bucket-public-write-prohibited

Check whether the OSS bucket does not allow public write access. If an OSS bucket policy or bucket ACL allows the public write access permission, the bucket is not compliant.

Trigger type: configuration change

Resource: ACS::OSS::Bucket

Request parameters: none

Fix: Check whether your OSS bucket does not allow public write access. If the ACL of the OSS bucket is set to public-read-write, the bucket is not compliant. Set the OSS bucket ACL to private or public-read. Config detects your changes within 10 minutes and automatically starts the audit.

Console operation: log on to the OSS console, open the bucket, and choose Basic Settings to modify the bucket ACL.


API operation: you can call PutBucketACL to set the ACL of a bucket to private or public-read.

oss-bucket-referer-limit

Check whether anti-leech (Referer whitelist) protection is enabled for the OSS bucket.

Trigger type: configuration change

Resource: ACS::OSS::Bucket

Request parameters:

allowReferers

The Referer whitelist that anti-leech is allowed to use. Separate multiple referers with commas (,).

Troubleshooting Guide:

Scenario 1: The rule parameter threshold is not empty. If the anti-leech Referer whitelist configured for the OSS bucket (a non-empty whitelist) contains entries that are not in the threshold list, or if anti-leech allows an empty Referer, the rule is not compliant.

Scenario 2: The rule parameter threshold is not empty, anti-leech is disabled (an empty Referer is allowed), and the Referer whitelist configured for the OSS bucket is empty. The rule is not compliant.

Scenario 3: The rule parameter threshold is empty and anti-leech is disabled (an empty Referer is allowed). The rule is not compliant.

Scenario 1:

In the anti-leech settings, disable Empty Referer allowed, and make sure that every Referer whitelist value is listed in the allowReferers rule parameter threshold. Config detects your changes within 10 minutes and automatically starts the audit.

Scenario 2:

Set a Referer whitelist and list all whitelist values in the allowReferers rule parameter threshold. Config detects your changes within 10 minutes and automatically starts the audit.

Scenario 3:

Enable anti-leech so that an empty Referer is no longer allowed. Config detects your changes within 10 minutes and automatically starts the audit.

Console operation: log on to the OSS console, open the bucket, choose Overview, then Basic Settings, and modify the anti-leech settings.

API operation: call PutBucketReferer to set the Referer whitelist and specify whether an empty Referer is allowed.

oss-bucket-server-side-encryption-enabled

Check whether default server-side encryption is enabled for your OSS bucket.

Trigger type: configuration change

Resource: ACS::OSS::Bucket

Request parameters: none

Troubleshooting Guide:

Check whether server-side encryption is enabled for the OSS bucket under your account. If it is not enabled, the bucket is not compliant.

Set the server-side encryption of the OSS bucket to AES256 or KMS. Config detects your changes within 10 minutes and automatically starts the audit.

Console operation: log on to the OSS console, open the bucket, and choose Basic Settings to modify the server-side encryption mode of the bucket.
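The four checks on this page, as an added Python example that is not Alibaba Cloud Config's own implementation: it evaluates a bucket configuration snapshot against each rule, including the three referer scenarios above. The snapshot field names are assumptions modelled on the GetBucketAcl, GetBucketPolicy, GetBucketReferer and GetBucketEncryption responses, and the sample bucket is constructed.

```python
# Added example, not Alibaba Cloud Config's own code. Field names are assumptions
# modelled on GetBucketAcl, GetBucketPolicy, GetBucketReferer, GetBucketEncryption.

def _policy_grants_anonymous(policy, action_prefix):
    """True if an Allow statement gives principal '*' oss:* or an action with the prefix."""
    for st in policy.get("Statement", []):
        principals, actions = st.get("Principal", []), st.get("Action", [])
        if st.get("Effect") == "Allow" and "*" in principals and any(
                a == "oss:*" or a.startswith(action_prefix) for a in actions):
            return True
    return False

def public_read_prohibited(bucket):
    """Compliant only if neither the ACL nor the bucket policy allows public read."""
    acl_public = bucket["acl"] in {"public-read", "public-read-write"}
    return not acl_public and not _policy_grants_anonymous(bucket.get("policy", {}), "oss:Get")

def public_write_prohibited(bucket):
    acl_public = bucket["acl"] == "public-read-write"
    return not acl_public and not _policy_grants_anonymous(bucket.get("policy", {}), "oss:Put")

def referer_limit(bucket, allow_referers=""):
    """The three scenarios of the rule's troubleshooting guide (threshold = allowReferers)."""
    threshold = {r.strip() for r in allow_referers.split(",") if r.strip()}
    whitelist = set(bucket["referer"]["whitelist"])
    empty_allowed = bucket["referer"]["allow_empty_referer"]
    if threshold:
        # Scenario 1: whitelist entry outside the threshold, or empty Referer allowed.
        # Scenario 2: anti-leech off (empty Referer allowed) and whitelist empty.
        return bool(whitelist) and whitelist <= threshold and not empty_allowed
    # Scenario 3: threshold empty and anti-leech off (empty Referer allowed).
    return not empty_allowed

def server_side_encryption_enabled(bucket):
    return bucket.get("encryption") in {"AES256", "KMS"}

def evaluate(bucket, allow_referers=""):
    return {"oss-bucket-public-read-prohibited": public_read_prohibited(bucket),
            "oss-bucket-public-write-prohibited": public_write_prohibited(bucket),
            "oss-bucket-referer-limit": referer_limit(bucket, allow_referers),
            "oss-bucket-server-side-encryption-enabled": server_side_encryption_enabled(bucket)}

SAMPLE_BUCKET = {  # constructed snapshot of a misconfigured bucket, not real data
    "acl": "public-read",
    "policy": {"Statement": [{"Effect": "Allow", "Principal": ["*"], "Action": ["oss:PutObject"],
                              "Resource": ["acs:oss:*:*:demo-bucket/*"]}]},
    "referer": {"whitelist": ["https://*.example.com"], "allow_empty_referer": True},
    "encryption": None,
}
```

Running `evaluate(SAMPLE_BUCKET, "https://*.example.com")` reports every rule as non-compliant, which is the same verdict Config would give once it re-audits the bucket.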
