Data Security Center (DSC) can assess the security configuration compliance of your buckets by checking items such as access control lists (ACLs) and encryption policies. DSC provides suggestions for any detected configuration risks. We recommend that you address these risks as soon as possible to improve the security of data assets in your OSS buckets.
Solution overview
DSC supports the following baseline risk check items for OSS buckets:
Policy Name | Check Item | Description |
Data storage security | OSS-Enable server-side encryption for buckets | Checks whether server-side encryption is enabled for an OSS bucket. Data at rest should be encrypted to ensure data confidentiality and integrity. |
Backup and restore | OSS-Enable versioning for buckets | Checks whether versioning is enabled for an OSS bucket. A versioning and recovery mechanism provides data redundancy and ensures data availability. |
Access control management | OSS-Enable hotlink protection for buckets, OSS-Configure a source IP address whitelist | Checks whether an OSS bucket is publicly exposed. Access to and use of data should be restricted to specific sources based on business needs to prevent public exposure of data assets. |
Data Transmission Encryption | OSS-Enable secure data transmission | Checks whether data is encrypted during transmission for OSS files. Data transmission activities should use encryption to ensure security. |
Log monitoring and audit | OSS-Enable log storage | Checks whether log storage is enabled for OSS files. The entire data processing lifecycle should have recording and monitoring capabilities to ensure traceability. Log storage should be enabled for OSS files. |
Identity and permission management | OSS-Configure read/write or full control permissions for anonymous accounts | Checks whether permissions for OSS files are properly managed. For example, it checks if public-read-write permissions are configured, which would allow changes to stored file content. Data access and use should follow the principle of least privilege. Define access permissions for relevant personnel to prevent unauthorized access. |
Sensitive data protection | OSS-Check public read/write access permissions for buckets with sensitive data, OSS-Configure public read/write access permissions for log files | Checks for data breach risks, such as public read/write permissions on OSS log files. It also checks whether access control is enabled for projects that contain sensitive data. In this example, DSC does not perform sensitive data detection on the OSS bucket and directly performs a baseline check. The check for OSS-Check public read/write access permissions for buckets with sensitive data passes by default. |
You can complete the baseline security checks and risk handling in four steps:
Create an OSS bucket: Create an OSS bucket.
Add the OSS bucket to DSC: In the Asset Center, enable configuration risk checks for the bucket.
Manually run a baseline security check: By default, a security baseline check runs for all connected data assets at approximately 01:00 every day. To view the results immediately, you must run the check manually.
View and handle security risks: Address detected configuration risks based on the check results.
Prerequisites
Activate the Free Edition of Data Security Center and grant DSC access to other Alibaba Cloud resources.
The Free Edition of Data Security Center includes the baseline check feature. This feature supports checks based on the Alibaba Cloud Data Security Best Practices and includes 500 TB of free OSS protection capacity per month. This example uses the Free Edition of DSC.
Object Storage Service (OSS) has already been activated for your account.
Step 1: Create an OSS bucket
On the Buckets page of the Object Storage Service (OSS) console, click Create Bucket.
In the Create Bucket panel, configure the required parameters, keep the default values for the other parameters, and then click Create.

Step 2: Add the OSS bucket to DSC
Log on to the Data Security Center console.
In the navigation pane on the left, select Asset Center.
Take the new Asset Center as an example. On the Asset Center page, in the Unstructured Data area on the left, click OSS and then click Asset synchronization.

After the asset synchronization is complete, find the newly created OSS bucket, and enable the Configuration Risks switch.
Wait for the Connection Status of the OSS bucket to change to Connected.

Step 3: Manually run a baseline check
3.1 View and confirm that the check policy is enabled
In the navigation pane on the left, select .
On the tab, view the OSS-related check items and their status.
To use the PIPL-based Security Baseline Check, you must purchase a DSC Enterprise instance. This example uses the Alibaba Cloud Data Security Best Practices to perform compliance checks on authorized buckets.
By default, DSC enables all check items in the baseline check policy to detect risks for authorized OSS assets.

Confirm that the Enabled icon
is displayed in the Status column for the OSS-related check items.
3.2 Manually run security checks for each item
On the tab, find the target policy and click Details in the Actions column.
On the Risk Situation tab, for each OSS-related check item, click the Check button. The check is complete when the Check button becomes active again. You can then close the panel.

Repeat these steps to complete the checks for all relevant check policies.
Step 4: View and handle security risks
4.1 View the check results for the target OSS bucket
After the baseline check is complete, on the Asset Risk tab, search for the target bucket. The results show that five security configuration items passed the security check. The time of the last check is also displayed.

Click Handle in the Actions column to view the failed check items and remediation suggestions.

4.2 Handle risk items
In the Risk Details area, you can click Handle to go to the corresponding page and address threats, such as OSS-Enable server-side encryption.
Go to the Server-side Encryption page of the OSS bucket, click Settings, select an encryption method such as OSS-managed encryption, and click Save. For more information about server-side encryption, see Server-side Encryption.

4.3 Rerun the check for verification
Return to the threat details panel in DSC and click Recheck.

The check passes, which indicates that the risk item is resolved.

You can follow these steps to address all risk items and improve the security configuration compliance of your OSS bucket.
Summary
You can check the security configuration compliance of an OSS bucket before you store data in it to enhance data storage security.
Sensitive data protection policy
Before sensitive data detection is performed on an OSS bucket, the OSS-Check public read/write access permissions for buckets with sensitive data check item passes the baseline security check by default. To ensure that your OSS bucket remains compliant after data is stored, you can create a sensitive data detection task. This task periodically scans the OSS bucket for sensitive data. For buckets that contain sensitive data, DSC runs the OSS-Check public read/write access permissions for buckets with sensitive data baseline check. This lets you address the risks for this check item promptly.
For more information, see Scan for sensitive data using detection tasks.
The Free Edition of DSC lets you scan 5 GB of assets each month free of charge. If this quota is insufficient for your business needs, you can purchase a paid edition of Data Security Center. For more information, see Purchase Data Security Center.
Whitelist management
To ignore the result of a check item for an asset, go to the Asset Risks tab. In the Actions column for the target asset, click Add to Whitelist to add the asset to the whitelist for that check item.
The Free Edition of Data Security Center does not support whitelist management. You must purchase the Enterprise Edition of DSC to use this feature.
