Evaluates whether each Object Storage Service (OSS) bucket whose Bucket ACL is set to Public Read/Write has a bucket policy configured that does not grant any permissions to anonymous accounts. If so, the evaluation result is Compliant.
Scenarios
Use this rule to ensure that bucket policies are configured for OSS buckets and that no read or write permissions are granted to anonymous accounts. This prevents unauthorized access and protects data security.
Risk level
Default risk level: high.
You can change the risk level based on your business requirements when you apply this rule.
Compliance evaluation logic
- If an OSS bucket whose Bucket ACL is set to Public Read/Write has a bucket policy configured and the bucket policy does not grant read or write permissions to anonymous accounts, the evaluation result is Compliant.
- This rule does not apply to OSS buckets whose Bucket ACL is set to Private.
- If an OSS bucket whose Bucket ACL is set to Public Read/Write does not have a bucket policy configured, the evaluation result is Incompliant. If the bucket policy is configured but grants read or write permissions to anonymous accounts, the evaluation result is also Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
Rule details
| Item | Description |
| Rule name | oss-bucket-anonymous-prohibited |
| Rule identifier | oss-bucket-anonymous-prohibited |
| Tag | OSS, Bucket, and BucketPolicy |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | OSS bucket |
| Input parameter | None. |
Incompliance remediation
Grant specific users the required permissions on an OSS bucket. For more information, see Overview.