This topic describes the managed rules that are related to Object Storage Service (OSS) and the methods to fix non-compliance issues.

oss-bucket-public-read-prohibited

Checks whether public read access is prohibited for an OSS bucket of your account.

Trigger type: configuration change

Applicable resource type: ACS::OSS::Bucket

Input parameter: none

Cause: The access control list (ACL) of an OSS bucket of your account is set to Public Read or Public Read/Write, so anonymous users can read the objects in the bucket.

Solution: Set the ACL of the OSS bucket to Private. Cloud Config detects the configuration change and re-evaluates the resource within 10 minutes. You can fix this non-compliance issue by using one of the following methods:
  • OSS console
    1. Log on to the OSS console.
    2. In the left-side navigation pane, click Buckets.
    3. On the Buckets page, find the OSS bucket and click the bucket name.
    4. On the Overview page of the bucket, click Access Control.
    5. In the Access Control List (ACL) section, set Bucket ACL to Private.
    6. Click Save.
  • API

    Call the PutBucketACL API operation and set the x-oss-acl parameter (a request header) to private. For more information, see PutBucketACL.

oss-bucket-public-write-prohibited

Checks whether public write access is prohibited for an OSS bucket of your account.

Trigger type: configuration change

Applicable resource type: ACS::OSS::Bucket

Input parameter: none

Cause: The ACL of an OSS bucket of your account is set to Public Read/Write, so anonymous users can write objects to the bucket.

Solution: Set the ACL of the OSS bucket to Private or Public Read. Private satisfies this rule and the public-read rule at the same time; choose Public Read only if the objects must stay publicly downloadable. Cloud Config detects the configuration change and re-evaluates the resource within 10 minutes. You can fix this non-compliance issue by using one of the following methods:
  • OSS console
    1. Log on to the OSS console.
    2. In the left-side navigation pane, click Buckets.
    3. On the Buckets page, find the OSS bucket and click the bucket name.
    4. On the Overview page of the bucket, click Access Control.
    5. In the Access Control List (ACL) section, set Bucket ACL to Private or Public Read.
    6. Click Save.
  • API

    Call the PutBucketACL API operation and set the x-oss-acl parameter (a request header) to private or public-read. For more information, see PutBucketACL.

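The two ACL rules above accept different sets of ACL values, and only private satisfies both. The following evaluator, added here as an example and not part of Cloud Config or the OSS API, runs both rules over constructed bucket records and returns the x-oss-acl value a PutBucketACL call would need. The Bucket class, the rule-name constants and the inventory are assumptions made for the example; the three ACL strings are the values the x-oss-acl header accepts.

```python
"""Evaluator for the two OSS bucket ACL rules described above, run over
constructed bucket records. Example code added to this page; it is not
Cloud Config's implementation and does not call the OSS API."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# The three bucket ACL values accepted by the x-oss-acl header of PutBucketACL.
PRIVATE = "private"
PUBLIC_READ = "public-read"
PUBLIC_READ_WRITE = "public-read-write"
VALID_ACLS = {PRIVATE, PUBLIC_READ, PUBLIC_READ_WRITE}

READ_RULE = "oss-bucket-public-read-prohibited"
WRITE_RULE = "oss-bucket-public-write-prohibited"


@dataclass(frozen=True)
class Bucket:
    """Minimal stand-in for an ACS::OSS::Bucket resource (constructed data)."""
    name: str
    acl: str


def public_read_prohibited(bucket: Bucket) -> bool:
    """Compliant only when the ACL is private: both public-read and
    public-read-write let anonymous callers read objects."""
    return bucket.acl == PRIVATE


def public_write_prohibited(bucket: Bucket) -> bool:
    """Compliant when the ACL is private or public-read: only
    public-read-write lets anonymous callers write objects."""
    return bucket.acl in (PRIVATE, PUBLIC_READ)


RULES: Dict[str, Callable[[Bucket], bool]] = {
    READ_RULE: public_read_prohibited,
    WRITE_RULE: public_write_prohibited,
}


def evaluate(bucket: Bucket, rules: Dict[str, Callable[[Bucket], bool]] = RULES) -> Dict[str, bool]:
    """Return {rule name: compliant} for one bucket; reject ACLs the header does not accept."""
    if bucket.acl not in VALID_ACLS:
        raise ValueError(f"{bucket.name}: unknown bucket ACL {bucket.acl!r}")
    return {name: check(bucket) for name, check in rules.items()}


def remediation_acl(bucket: Bucket, rules=RULES, keep_public_read: bool = False) -> Optional[str]:
    """x-oss-acl value to send with PutBucketACL, or None when every enabled
    rule already passes. private satisfies both rules and is the default;
    public-read is chosen only when the caller must keep anonymous downloads
    working, which is only possible when the read rule is not enabled."""
    failed = [name for name, ok in evaluate(bucket, rules).items() if not ok]
    if not failed:
        return None
    if keep_public_read and READ_RULE not in failed:
        return PUBLIC_READ
    return PRIVATE


def report(buckets: Iterable[Bucket], rules=RULES) -> List[str]:
    """One line per non-compliant bucket: the failing rules and the ACL to set."""
    lines = []
    for b in buckets:
        failed = [n for n, ok in evaluate(b, rules).items() if not ok]
        if failed:
            lines.append(f"{b.name}: acl={b.acl} fails {', '.join(failed)}; "
                         f"set x-oss-acl={remediation_acl(b, rules)}")
    return lines


if __name__ == "__main__":
    # Constructed inventory: one bucket per ACL value.
    inventory = [Bucket("logs", PRIVATE), Bucket("static-site", PUBLIC_READ),
                 Bucket("uploads", PUBLIC_READ_WRITE)]
    for line in report(inventory):
        print(line)
```

A bucket with ACL public-read fails only the read rule, and a public-read-write bucket fails both; the remediation defaults to private in either case and only falls back to public-read when the read rule is not enabled and the caller asks to keep anonymous downloads.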
oss-bucket-referer-limit

Checks whether hotlink protection is enabled for an OSS bucket of your account.

Trigger type: configuration change

Applicable resource type: ACS::OSS::Bucket

Input parameter: allowReferers. You can specify HTTP referers that are allowed to access the data in your OSS buckets. Separate multiple referers with commas (,).

Causes:
  • Case 1: You have specified the allowReferers parameter, the referer whitelist of the OSS bucket contains a referer that is not included in the parameter value, and the Allow Empty Referer switch is turned on for hotlink protection of the bucket.

    Solution:
    1. Turn off the Allow Empty Referer switch for hotlink protection of the OSS bucket in the OSS console.

      For more information, see Configure hotlink protection.

    2. Add all the referers that are allowed to access the OSS bucket to the value of the allowReferers parameter in the Cloud Config console.

      For more information, see Modify a rule.

  • Case 2: You have specified the allowReferers parameter, the referer whitelist of the OSS bucket contains a referer that is not included in the parameter value, and the Allow Empty Referer switch is turned off for hotlink protection of the bucket.

    Solution:
    1. View the referer whitelist of the OSS bucket in the OSS console.

      For more information, see Configure hotlink protection.

    2. Add all the referers that are allowed to access the OSS bucket to the value of the allowReferers parameter in the Cloud Config console.

      For more information, see Modify a rule.

  • Case 3: You have not specified the allowReferers parameter, and the Allow Empty Referer switch is turned off for hotlink protection of an OSS bucket of your account.

    Solution: Turn on the Allow Empty Referer switch for hotlink protection of the OSS bucket in the OSS console. For more information, see Configure hotlink protection.

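The three cases above depend on two inputs: whether allowReferers is specified, and the bucket's own hotlink-protection settings. The following evaluator, added here as an example and not Cloud Config's implementation, encodes the cases as written on this page and runs them over constructed settings. The HotlinkProtection and Result classes and their field names are assumptions made for the example; the page describes the settings only by their console labels, and says nothing about wildcard matching, so referers are compared as exact strings.

```python
"""Evaluator for the oss-bucket-referer-limit cases listed above, run over
constructed hotlink-protection settings. Example code added to this page;
it is not Cloud Config's implementation and does not call the OSS API."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class HotlinkProtection:
    """Hotlink protection settings of one bucket. Constructed stand-in;
    the field names are illustrative, not the OSS API's."""
    referer_whitelist: List[str] = field(default_factory=list)
    allow_empty_referer: bool = True


@dataclass
class Result:
    case: int           # 0 = compliant, otherwise the case number used on this page
    actions: List[str]  # remediation steps, in the order the page gives them


def parse_allow_referers(param: Optional[str]) -> Optional[Set[str]]:
    """Parse the allowReferers input: referers separated by commas, with
    surrounding whitespace tolerated. None or a blank string means the
    parameter is not specified."""
    if param is None or not param.strip():
        return None
    return {r.strip() for r in param.split(",") if r.strip()}


def evaluate_referer_limit(cfg: HotlinkProtection, allow_referers: Optional[str]) -> Result:
    """Map one bucket's settings and the rule parameter to a compliance case."""
    allowed = parse_allow_referers(allow_referers)

    if allowed is None:
        # Case 3: parameter not specified and Allow Empty Referer turned off.
        if not cfg.allow_empty_referer:
            return Result(3, ["turn on Allow Empty Referer in the OSS console"])
        return Result(0, [])

    # Cases 1 and 2: a referer on the bucket's whitelist is missing from the
    # parameter value. Exact string comparison; the page does not mention wildcards.
    missing = sorted(set(cfg.referer_whitelist) - allowed)
    if not missing:
        # The page lists no cause for this combination, so it is compliant here.
        return Result(0, [])
    add_step = "add to allowReferers in the Cloud Config console: " + ", ".join(missing)
    if cfg.allow_empty_referer:
        return Result(1, ["turn off Allow Empty Referer in the OSS console", add_step])
    return Result(2, ["review the referer whitelist in the OSS console", add_step])


if __name__ == "__main__":
    # Constructed settings for three buckets, evaluated against one parameter value.
    param = "https://www.example.com"
    buckets = {
        "media": HotlinkProtection(["https://www.example.com", "https://cdn.example.com"], True),
        "docs": HotlinkProtection(["https://www.example.com", "https://cdn.example.com"], False),
        "archive": HotlinkProtection(["https://www.example.com"], False),
    }
    for name, cfg in buckets.items():
        r = evaluate_referer_limit(cfg, param)
        print(f"{name}: case {r.case}; " + ("compliant" if r.case == 0 else "; ".join(r.actions)))
```

Feeding the same parameter value to buckets that differ only in the Allow Empty Referer switch produces case 1 for the one where it is on and case 2 for the one where it is off, which is why the two cases share the allowReferers fix but only case 1 also requires a change in the OSS console.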
oss-bucket-server-side-encryption-enabled

Checks whether server-side encryption is enabled for an OSS bucket of your account.

Trigger type: configuration change

Applicable resource type: ACS::OSS::Bucket

Input parameter: none

Cause: Server-side encryption is not enabled for an OSS bucket of your account.

Solution: Set the method of server-side encryption of the OSS bucket to AES-256 or KMS. Cloud Config detects the configuration change and starts to re-evaluate the resource within 10 minutes.

For more information about how to enable server-side encryption for the OSS bucket in the OSS console, see Configure server-side encryption.