All Products
Search
Document Center

Object Storage Service:Check the security configuration compliance of a bucket

Last Updated:May 12, 2026

Data Security Center (DSC) can assess the security configuration compliance of your buckets by checking items such as access control lists (ACLs) and encryption policies. DSC provides suggestions for any detected configuration risks. We recommend that you address these risks as soon as possible to improve the security of data assets in your OSS buckets.

Solution overview

DSC supports the following baseline risk check items for OSS buckets:

Policy Name

Check Item

Description

Data storage security

OSS-Enable server-side encryption for buckets

Checks whether server-side encryption is enabled for an OSS bucket.

Data at rest should be encrypted to ensure data confidentiality and integrity.

Backup and restore

OSS-Enable versioning for buckets

Checks whether versioning is enabled for an OSS bucket.

A versioning and recovery mechanism provides data redundancy and ensures data availability.

Access control management

OSS-Enable hotlink protection for buckets, OSS-Configure a source IP address whitelist

Checks whether an OSS bucket is publicly exposed.

Access to and use of data should be restricted to specific sources based on business needs to prevent public exposure of data assets.

Data Transmission Encryption

OSS-Enable secure data transmission

Checks whether data is encrypted during transmission for OSS files.

Data transmission activities should use encryption to ensure security.

Log monitoring and audit

OSS-Enable log storage

Checks whether log storage is enabled for OSS files.

The entire data processing lifecycle should have recording and monitoring capabilities to ensure traceability. Log storage should be enabled for OSS files.

Identity and permission management

OSS-Configure read/write or full control permissions for anonymous accounts

Checks whether permissions for OSS files are properly managed. For example, it checks if public-read-write permissions are configured, which would allow changes to stored file content.

Data access and use should follow the principle of least privilege. Define access permissions for relevant personnel to prevent unauthorized access.

Sensitive data protection

OSS-Check public read/write access permissions for buckets with sensitive data, OSS-Configure public read/write access permissions for log files

Checks for data breach risks, such as public read/write permissions on OSS log files. It also checks whether access control is enabled for projects that contain sensitive data.

In this example, DSC does not perform sensitive data detection on the OSS bucket and directly performs a baseline check. The check for OSS-Check public read/write access permissions for buckets with sensitive data passes by default.

You can complete the baseline security checks and risk handling in four steps:

  1. Create an OSS bucket: Create an OSS bucket.

  2. Add the OSS bucket to DSC: In the Asset Center, enable configuration risk checks for the bucket.

  3. Manually run a baseline security check: By default, a security baseline check runs for all connected data assets at approximately 01:00 every day. To view the results immediately, you must run the check manually.

  4. View and handle security risks: Address detected configuration risks based on the check results.

Prerequisites

Step 1: Create an OSS bucket

  1. On the Buckets page of the Object Storage Service (OSS) console, click Create Bucket.

  2. In the Create Bucket panel, configure the required parameters, keep the default values for the other parameters, and then click Create.

    image

Step 2: Add the OSS bucket to DSC

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, select Asset Center.

  3. Take the new Asset Center as an example. On the Asset Center page, in the Unstructured Data area on the left, click OSS and then click Asset synchronization.

    image

  4. After the asset synchronization is complete, find the newly created OSS bucket, and enable the Configuration Risks switch.

    Wait for the Connection Status of the OSS bucket to change to Connected.

    image

Step 3: Manually run a baseline check

3.1 View and confirm that the check policy is enabled

  1. In the navigation pane on the left, select Risk Governance > Configuration Risks.

  2. On the Policies > Alibaba Cloud Data Security Best Practices tab, view the OSS-related check items and their status.

    To use the PIPL-based Security Baseline Check, you must purchase a DSC Enterprise instance. This example uses the Alibaba Cloud Data Security Best Practices to perform compliance checks on authorized buckets.

    By default, DSC enables all check items in the baseline check policy to detect risks for authorized OSS assets.image

  1. Confirm that the Enabled icon image is displayed in the Status column for the OSS-related check items.

3.2 Manually run security checks for each item

  1. On the Risk Trends > Alerts tab, find the target policy and click Details in the Actions column.

  2. On the Risk Situation tab, for each OSS-related check item, click the Check button. The check is complete when the Check button becomes active again. You can then close the panel.

    image

  3. Repeat these steps to complete the checks for all relevant check policies.

Step 4: View and handle security risks

4.1 View the check results for the target OSS bucket

  1. After the baseline check is complete, on the Asset Risk tab, search for the target bucket. The results show that five security configuration items passed the security check. The time of the last check is also displayed.

    image

  2. Click Handle in the Actions column to view the failed check items and remediation suggestions.

    image

4.2 Handle risk items

  1. In the Risk Details area, you can click Handle to go to the corresponding page and address threats, such as OSS-Enable server-side encryption.

  2. Go to the Server-side Encryption page of the OSS bucket, click Settings, select an encryption method such as OSS-managed encryption, and click Save. For more information about server-side encryption, see Server-side Encryption.

    image

4.3 Rerun the check for verification

Return to the threat details panel in DSC and click Recheck.

image

The check passes, which indicates that the risk item is resolved.

image

You can follow these steps to address all risk items and improve the security configuration compliance of your OSS bucket.

Summary

You can check the security configuration compliance of an OSS bucket before you store data in it to enhance data storage security.

Sensitive data protection policy

Before sensitive data detection is performed on an OSS bucket, the OSS-Check public read/write access permissions for buckets with sensitive data check item passes the baseline security check by default. To ensure that your OSS bucket remains compliant after data is stored, you can create a sensitive data detection task. This task periodically scans the OSS bucket for sensitive data. For buckets that contain sensitive data, DSC runs the OSS-Check public read/write access permissions for buckets with sensitive data baseline check. This lets you address the risks for this check item promptly.

For more information, see Scan for sensitive data using detection tasks.

Important

The Free Edition of DSC lets you scan 5 GB of assets each month free of charge. If this quota is insufficient for your business needs, you can purchase a paid edition of Data Security Center. For more information, see Purchase Data Security Center.

Whitelist management

To ignore the result of a check item for an asset, go to the Asset Risks tab. In the Actions column for the target asset, click Add to Whitelist to add the asset to the whitelist for that check item.

Important

The Free Edition of Data Security Center does not support whitelist management. You must purchase the Enterprise Edition of DSC to use this feature.

image