Data Security Center (DSC) evaluates whether your OSS buckets meet security configuration standards — covering access control, encryption, logging, versioning, and transmission security. When a check fails, DSC pinpoints the risk and links you directly to the setting that needs fixing.
Check items covered
DSC runs baseline security checks against the Alibaba Cloud Data Security Best Practices policy. The following check items apply to OSS buckets:
| Policy category | Check item | What it checks |
|---|---|---|
| Data storage security | OSS-enable Bucket server-side encryption | Whether server-side encryption is enabled |
| Data backup and recovery | OSS-enable Bucket version control | Whether versioning is enabled |
| Access control management | OSS-configure an access source IP address whitelist | Whether the bucket is publicly exposed |
| Data transmission encryption | OSS-enable secure encrypted transmission | Whether encryption in transit is enabled for objects |
| Log monitoring audit | OSS-enable log storage | Whether log storage is enabled |
| Identity rights management | OSS-anonymous account "read/write/full control" permission configuration | Whether public-read-write permissions are configured |
| Sensitive data protection | OSS-log file public read (write) access permission settings; OSS-sensitive data Bucket public read (write) Access Check | Whether log files or sensitive data are publicly readable or writable |
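To make the check items above concrete, here is an added example (not DSC's own logic or code from this page) that evaluates a bucket configuration snapshot offline against the same seven items. The snapshot field names, the pass criteria, and the use of the `acs:SourceIp` and `acs:SecureTransport` policy conditions are assumptions for illustration.

```python
# Added example: offline approximation of the check items in the table above.
# Snapshot field names and pass criteria are assumptions, not DSC's own logic.

def conditions(policy, effect):
    """Yield (operator, key, values) from policy statements with this Effect."""
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != effect:
            continue
        for op, pairs in stmt.get("Condition", {}).items():
            for key, val in pairs.items():
                vals = val if isinstance(val, list) else [val]
                yield op, key, [str(v).lower() for v in vals]

def evaluate(b):
    """Return {check item: passed} for one constructed bucket snapshot."""
    pol = b.get("policy")
    ip_limited = (
        any(op == "IpAddress" and k == "acs:SourceIp" for op, k, _ in conditions(pol, "Allow"))
        or any(op == "NotIpAddress" and k == "acs:SourceIp" for op, k, _ in conditions(pol, "Deny")))
    tls_only = any(op == "Bool" and k == "acs:SecureTransport" and v == ["false"]
                   for op, k, v in conditions(pol, "Deny"))
    public = b["acl"] in ("public-read", "public-read-write")
    guarded = b.get("is_log_target", False) or b.get("has_sensitive_data", False)
    return {
        "server-side encryption": b.get("sse_algorithm") in ("AES256", "KMS", "SM4"),
        "version control": b.get("versioning") == "Enabled",
        "source IP whitelist": ip_limited,
        "secure encrypted transmission": tls_only,
        "log storage": bool(b.get("logging_target")),
        "anonymous read/write": b["acl"] != "public-read-write",
        # Passes while no logs or detected sensitive data live in the bucket.
        "log/sensitive data public access": not (guarded and public),
    }

def failed(b):
    """Return the sorted names of the check items this snapshot fails."""
    return sorted(name for name, ok in evaluate(b).items() if not ok)

# Constructed snapshots: a public bucket left on defaults, and a hardened one.
RISKY = {"acl": "public-read", "sse_algorithm": None, "versioning": None,
         "logging_target": None, "policy": None, "has_sensitive_data": True}
HARDENED = {"acl": "private", "sse_algorithm": "AES256", "versioning": "Enabled",
            "logging_target": "audit-logs-bucket", "has_sensitive_data": True,
            "policy": {"Version": "1", "Statement": [
                {"Effect": "Deny", "Principal": ["*"], "Action": ["oss:*"],
                 "Resource": ["acs:oss:*:*:example-bucket/*"],
                 "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}},
                {"Effect": "Deny", "Principal": ["*"], "Action": ["oss:*"],
                 "Resource": ["acs:oss:*:*:example-bucket/*"],
                 "Condition": {"NotIpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}}]}}
```

Calling `failed(RISKY)` lists every item except the anonymous read/write check, because `public-read` is not `public-read-write`; `failed(HARDENED)` returns an empty list.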
The end-to-end workflow consists of four steps:
1. Create an OSS bucket
2. Add the OSS bucket to DSC
3. Manually run a baseline security check
4. View and handle security risks
Prerequisites
Before you begin, ensure that you have:
- Activated the Free Edition of Data Security Center and granted DSC the necessary permissions to access other Alibaba Cloud resources
  The Free Edition includes the baseline check feature and supports the check items in Alibaba Cloud Data Security Best Practices, with 500 TB of free OSS protection per month.
- Activated Object Storage Service (OSS) for the current account
Step 1: Create an OSS bucket
In the OSS console, go to the Buckets page and click Create Bucket.
In the Create Bucket panel, configure the required parameters, keep the default settings for the remaining parameters, and click Create.

Step 2: Add the OSS bucket to DSC
Log on to the Data Security Center console.
In the left navigation pane, click Asset Center.
In the Unstructured Data area, click OSS, and then click Asset synchronization.

After synchronization completes, find the newly created bucket and turn on the Configuration Risks switch. Wait for the Connection Status to change to Connected.

Step 3: Manually run a baseline security check
DSC runs a baseline check on connected assets at approximately 01:00 every day. To view results immediately, run the check manually.
View and confirm the check policy
In the left navigation pane, choose Risk Governance > Configuration Risks.
On the Policies > Alibaba Cloud Data Security Best Practices tab, review the OSS-related check items and their status.
Note: The PIPL Security Baseline requires an Enterprise instance of DSC. This example uses Alibaba Cloud Data Security Best Practices, which is available in the Free Edition.
By default, DSC enables all check items in the baseline check policy.

Confirm that the status column for each OSS check item shows the enabled icon.
Run security checks manually
On the Risk Trends > Alerts tab, find the target policy and click Details in the Actions column.
On the Risk Situation tab, click Check for each OSS check item. The check is complete when the Check button becomes active again. Close the panel.

Repeat the preceding steps for each check policy.
Step 4: View and handle security risks
View check results for the bucket
On the Asset Risks tab, search for the target bucket to view check results. The detection time shows when the last check ran.

Click Handle in the Actions column to see which check items failed and their recommended fixes.

Fix risk items
In the Risk Details area, click Handle next to a risk item. DSC redirects you to the relevant configuration page. For example, to fix OSS-enable Bucket server-side encryption: on the Server-side Encryption page, click Settings, select OSS-Managed as the encryption method, and click Save. For full configuration details, see Server-side encryption.

Verify the fix
Return to the risk details panel in DSC and click Recheck.

A passed status confirms the risk item is resolved.

Repeat this process for all remaining risk items.
What's next
Sensitive data protection
By default, OSS-sensitive data Bucket public read (write) Access Check passes for any bucket where sensitive data has not yet been detected. After you store data in the bucket, create a sensitive data detection task to periodically scan for sensitive data. If sensitive data is found, DSC runs this check item automatically so you can address any access control risks.
For more information, see Scan for sensitive data using a detection task.
The Free Edition of Data Security Center provides 5 GB of free OSS data detection per month. For higher volumes, purchase a paid instance. For more information, see Purchase DSC.
Whitelist management
If a failed check result for a specific asset can be safely ignored, go to the Asset Risks tab, find the asset, and click Add to Whitelist in the Actions column.

The Free Edition of Data Security Center does not support whitelist management. An Enterprise instance is required.