Evaluates whether the bucket policy of each Object Storage Service (OSS) bucket prohibits public read access. A bucket that denies public read access is evaluated as Compliant.
Scenarios
Public read access on an OSS bucket increases the risk of data exposure over the Internet. Deny public read access to protect your stored data.
Risk level
Default risk level: high.
You can change the risk level based on your business requirements when you apply this rule.
Compliance evaluation logic
- If the bucket policy of an OSS bucket denies public read access, the evaluation result is Compliant.
- If the bucket policy of an OSS bucket allows public read access, the evaluation result is Incompliant. For information about how to fix this issue, see Incompliance remediation.
Rule details
| Item | Description |
| Rule name | oss-bucket-public-read-prohibited |
| Rule identifier | oss-bucket-public-read-prohibited |
| Tag | OSS and Bucket |
| Automatic remediation | Yes |
| Trigger type | Configuration change |
| Supported resource type | OSS bucket |
| Input parameter | None |
Incompliance remediation
Set the Bucket ACL parameter of the OSS bucket to Private. For more information, see Modify the ACL of a bucket.