All Products
Search
Document Center

Cloud Config:oss-bucket-public-read-prohibited

Last Updated:Jun 16, 2026

Evaluates whether the bucket policy of each Object Storage Service (OSS) bucket prohibits public read access. A bucket that denies public read access is evaluated as Compliant.

Scenarios

Public read access on an OSS bucket increases the risk of data exposure over the Internet. Deny public read access to protect your stored data.

Risk level

Default risk level: high.

You can change the risk level based on your business requirements when you apply this rule.

Compliance evaluation logic

  • If the bucket policy of an OSS bucket denies public read access, the evaluation result is Compliant.
  • If the bucket policy of an OSS bucket allows public read access, the evaluation result is Incompliant. For information about how to fix this issue, see Incompliance remediation.

Rule details

Item Description
Rule name oss-bucket-public-read-prohibited
Rule identifier oss-bucket-public-read-prohibited
Tag OSS and Bucket
Automatic remediation Yes
Trigger type Configuration change
Supported resource type OSS bucket
Input parameter None

Incompliance remediation

Set the Bucket ACL parameter of the OSS bucket to Private. For more information, see Modify the ACL of a bucket.