All Products
Search
Document Center

Cloud Config:oss-bucket-anonymous-prohibited

Last Updated:Jun 16, 2026

Evaluates whether each Object Storage Service (OSS) bucket whose Bucket ACL is set to Public Read/Write has a bucket policy configured that does not grant any permissions to anonymous accounts. If so, the evaluation result is Compliant.

Scenarios

Use this rule to ensure that bucket policies are configured for OSS buckets and that no read or write permissions are granted to anonymous accounts. This prevents unauthorized access and protects data security.

Risk level

Default risk level: high.

You can change the risk level based on your business requirements when you apply this rule.

Compliance evaluation logic

  • If an OSS bucket whose Bucket ACL is set to Public Read/Write has a bucket policy configured and the bucket policy does not grant read or write permissions to anonymous accounts, the evaluation result is Compliant.
  • This rule does not apply to OSS buckets whose Bucket ACL is set to Private.
  • If an OSS bucket whose Bucket ACL is set to Public Read/Write does not have a bucket policy configured, the evaluation result is Incompliant. If the bucket policy is configured but grants read or write permissions to anonymous accounts, the evaluation result is also Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.

Rule details

Item Description
Rule name oss-bucket-anonymous-prohibited
Rule identifier oss-bucket-anonymous-prohibited
Tag OSS, Bucket, and BucketPolicy
Automatic remediation Not supported
Trigger type Configuration change
Supported resource type OSS bucket
Input parameter None.

Incompliance remediation

Grant specific users the required permissions on an OSS bucket. For more information, see Overview.