
Cloud Config: BestPracticesForOSS

Last Updated: Nov 19, 2025

The BestPracticesForOSS compliance package checks whether the read and write settings, protection settings, and zone-redundant storage (ZRS) settings of Object Storage Service (OSS) buckets are compliant. This topic describes the rules in the BestPracticesForOSS compliance package.

| Rule name | Description |
| --- | --- |
| OSS Bucket ACL: Public Read Prohibited | Checks whether the access control list (ACL) policy of each OSS bucket denies read access from the Internet. If so, the evaluation result is Compliant. |
| Public read-write access to OSS buckets via ACLs is prohibited | Checks whether the ACL policy of each OSS bucket denies read and write access from the Internet. If so, the evaluation result is Compliant. |
| OSS buckets require server-side encryption | Checks whether the Encryption Method parameter of the server-side encryption feature is set to OSS-Managed for each OSS bucket. If so, the evaluation result is Compliant. |
| The Referer of an OSS bucket is in the specified hotlink protection whitelist | Checks whether the hotlink protection feature is enabled for each OSS bucket and the Referer is added to a specified whitelist. If so, the evaluation result is Compliant. |
| OSS buckets have zone-redundant storage enabled | Checks whether the ZRS feature is enabled for each OSS bucket. If so, the evaluation result is Compliant. If the ZRS feature is disabled, OSS cannot provide consistent services and ensure data recovery when a data center becomes unavailable. |
| OSS Bucket Logging Enabled | Checks whether the logging feature is enabled for each OSS bucket on the Logs page. If so, the evaluation result is Compliant. |
| OSS Bucket Versioning Enabled | Checks whether versioning is enabled for each OSS bucket. If so, the evaluation result is Compliant. If versioning is disabled, data cannot be recovered when it is overwritten or deleted. |
| OSS buckets must not grant any permissions to anonymous accounts | Checks whether the authorization policy of each OSS bucket does not grant read or write permissions to anonymous accounts. If so, the evaluation result is Compliant. If no authorization policy is configured for an OSS bucket, the evaluation result is also Compliant. |
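
The anonymous-account rule above can be approximated locally before a policy is applied to a bucket. The following is an added example, not Cloud Config's own rule logic: it assumes the policy is JSON with `Statement`, `Effect`, `Principal` and `Action` fields, that a `*` principal stands for anonymous accounts, and that any `Allow` to that principal counts as a read or write grant. The `Non-compliant` label, the account ID and the bucket name are constructed placeholders.

```python
import json

ANONYMOUS = "*"  # assumption: wildcard principal stands for anonymous accounts

def as_list(value):
    """Policy fields may hold one string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def anonymous_grants(policy_text):
    """Return the Allow statements whose Principal includes the wildcard."""
    if not policy_text or not policy_text.strip():
        return []  # no authorization policy configured
    policy = json.loads(policy_text)
    return [
        stmt for stmt in as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow"
        and ANONYMOUS in as_list(stmt.get("Principal"))
    ]

def evaluate(policy_text):
    """No policy, or no anonymous Allow statement, evaluates as Compliant."""
    return "Non-compliant" if anonymous_grants(policy_text) else "Compliant"

def statement(effect, principal, action):
    """Build one constructed statement for the sample policies below."""
    return {"Effect": effect, "Principal": principal, "Action": [action],
            "Resource": ["acs:oss:*:1000000000000001:example-bucket/*"]}

def policy(*statements):
    """Serialise constructed statements into a policy document."""
    return json.dumps({"Version": "1", "Statement": list(statements)})

# Constructed sample policies; the account ID and bucket name are placeholders.
SAMPLES = {
    "no-policy": "",
    "named-account": policy(statement("Allow", ["1000000000000001"], "oss:GetObject")),
    "anonymous-read": policy(statement("Allow", ["*"], "oss:GetObject")),
    "anonymous-deny": policy(statement("Deny", "*", "oss:PutObject")),
    "mixed": policy(statement("Allow", ["1000000000000001"], "oss:PutObject"),
                    statement("Allow", "*", "oss:PutObject")),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:15} {evaluate(text)}")
```

The check ignores any `Condition` block, so a wildcard grant restricted by a condition is still reported and needs manual review.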