You can use the data detection and response feature of Data Security Center (DSC) to detect plaintext AccessKey pairs in Object Storage Service (OSS) buckets and abnormal AccessKey pair-based access. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. If DSC detects an abnormal access event, DSC generates an alert. You can view abnormal AccessKey pairs and alerts to identify and handle risks of AccessKey pair leaks and abnormal AccessKey pair-based access to OSS at the earliest opportunity. This helps prevent unauthorized access to OSS data and leaks of OSS data.
Overview
In this example, plaintext AccessKey pairs are detected in OSS buckets, leaked AccessKey pairs are used to access public-read objects, and alerts are generated. This topic describes how to use the data detection and response feature to detect and manage the alerts of AccessKey pair leaks and abnormal AccessKey pair-based access in OSS buckets to improve OSS data security.
If you want DSC to generate alerts for and handle abnormal AccessKey pair-based access to OSS buckets, perform the following steps:
Create an OSS bucket and upload files: Create an OSS bucket and upload a file that contains an AccessKey pair and two sample files in a sample folder. The files are used when you simulate AccessKey pair leaks and abnormal AccessKey pair-based access to the OSS bucket.
Connect the OSS bucket to DSC: Authorize the data detection and response feature to access the OSS bucket. This helps ensure that DSC can detect AccessKey pair leaks and abnormal AccessKey pair-based access to the OSS bucket.
Configure synchronization of sensitivity level tags and alert notifications: This allows you to receive alert notifications and manage access permissions on OSS objects based on their sensitivity levels.
View and handle alerts for AccessKey pair leaks and exceptions: Simulate access to the OSS bucket by using abnormal AccessKey pairs and view alerts. We recommend that you handle the alerts at the earliest opportunity.
Prerequisites
DSC is purchased and authorized to access your Alibaba Cloud resources. To purchase DSC, go to the DSC buy page. To perform authorization, go to the Workbench page.
The data detection and response feature is a value-added feature of DSC and generates alerts for abnormal AccessKey pair-based access to OSS buckets. The OSS protection capacity and log storage are consumed when you use the feature. In this example, you only need to set the Edition parameter to Value-added Plan, and set the Data Detection and Response and Log Storage parameters to Enable. You must specify values for the Data Detection and Response - OSS Protection Capacity and Extended Log Storage Capacity parameters that meet your requirements. You can configure other parameters based on your business requirements.
OSS is activated. To activate OSS, go to the OSS buy page.
A Resource Access Management (RAM) user of the current account and the AccessKey ID and AccessKey secret of the RAM user are available. For more information, see Create a RAM user and View the information about AccessKey pairs of a RAM user.
Step 1: Create an OSS bucket and upload files
1.1 Create an OSS bucket
On the Buckets page of the OSS console, click Create Bucket.
In the Create Bucket panel, configure the parameters as shown in the following figure and use the default settings for other parameters. Then, click Create.
1.2 Upload files to the OSS bucket
Create a file named test.txt, enter the AccessKey ID and AccessKey secret of the RAM user, and then save the file.
On the Buckets page of the OSS console, click the name of the OSS bucket.
On the Objects page, click Upload Object.
Set the Object ACL parameter to Private, click Select Files, select the saved test.txt file, and then click Upload Object. Wait until the file is uploaded.
On the Objects page, click Create Directory, enter a directory name such as exampledir in the Directory Name field, and then click OK.
Go to the exampledir directory and click Upload Object.
Click Select Files, select a sample file such as userdata.csv from your computer, and then click Upload Object. Wait until the file is uploaded.
Step 2: Connect an OSS bucket to DSC
In the Authorization Statistics section on the OSS Data Leak (AccessKey Pair Scenarios) page, click Authorize Immediately.
In the Asset Authorization Configuration panel, click Asset synchronization.
Click the Not authorized tab, find the bucket that you want to manage, and then click Authorization in the Actions column.
During the first month after you enable the data detection and response feature, DSC automatically creates and runs a data identification task to scan for and classify sensitive data. The system automatically uses the main identification template. By default, the main identification template is the Internet industry classification template.
Step 3: Configure synchronization of sensitivity level tags and alert notifications
3.1 Configure OSS synchronization
If you enable the OSS synchronization feature, you can manage access permissions of objects based on the sensitivity level tags of the objects.
On the OSS Synchronization Configurations tab, turn on Synchronize Tags to OSS, select the Internet industry classification template, and then click Submit.
3.2 Configure alert notifications for abnormal AccessKey pair-based access
On the Alert notification tab of the System Settings page, specify emails as the notification method for abnormal AccessKey pair-based access.
Step 4: View and handle AccessKey pair leaks and exception alerts
After you access the OSS bucket by using the leaked AccessKey pair, the alerts and alert notifications become available on the next day.
4.1 Use an AccessKey pair to download an object from an OSS bucket
In this example, ossutil is installed in a Linux operating system and used to access objects in an OSS bucket. For more information, see Install ossutil.
Install and configure ossutil.
In the Linux operating system, run the following command to download and install ossutil:
sudo -v ; curl https://gosspublic.alicdn.com/ossutil/install.sh | sudo bash
Note: You must use a decompression tool, such as unzip or 7z, to decompress the installation package of ossutil.
After the installation is complete, ossutil is installed in the /usr/bin/ directory.
Run the ossutil config command. Press the Enter key to use the default path as the configuration file path and select English as the tool language.
Configure the Endpoint, AccessKey ID, STSToken, and AccessKey secret parameters as prompted.
You can view the endpoint in the Port section of the Overview page of the OSS bucket. The AccessKey ID and AccessKey secret are the AccessKey pair of the RAM user.
Run the following command to access the /exampledir/userdata.csv object in the OSS bucket:
ossutil cp oss://examplebucket/exampledir/userdata.csv /opt
If the following information is returned, the object is downloaded.
4.2 View the results of AccessKey pair leak detection
In the AccessKey Pair Leaks section of the OSS Data Leak (AccessKey Pair Scenarios) page, view the detection results in the Private Plaintext Storage card. In this example, the ACL of the test.txt file that stores the AccessKey pair information is set to Private. The number 1 is displayed, which indicates that one AccessKey pair is detected.
Click the number in the Public Plaintext Storage card to view the leaked AccessKey pair.
Click Details. In this example, the AccessKey pair is the AccessKey pair in the test.txt file that is uploaded to the OSS bucket.
4.3 View email alert notifications
The configured recipients receive an email notification for the alert.
4.4 View alert details
On the OSS Data Leak (AccessKey Pair Scenarios) page, you can view the alerts that are generated when you access authorized OSS objects by using AccessKey pairs and view the identification results of sensitive objects.
Find an alert that you want to view and click Details in the Actions column. On the Alert Details page, you can view the AccessKey pair, accessed bucket details, and accessed objects.
Click View Details on the right side of the bucket details section to view the information about the objects that are detected in the bucket and the identification results.
4.5 Handle alerts
Any RAM user can access a public-read OSS bucket without being granted permissions. If you want to control access to the objects in the OSS bucket, set the ACL of the bucket to private.
In the Details section of the bucket, click Manage next to Bucket Governance Progress.
In the Manage panel, click Configure next to Bucket ACL and set the Bucket ACL parameter to Private.
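The following script is an added example and is not code from DSC or Alibaba Cloud. It models, in miniature, what Steps 4.2 through 4.5 describe: scanning a bucket's objects for plaintext AccessKey pairs, splitting the findings by effective ACL the way the Private Plaintext Storage and Public Plaintext Storage cards do, and raising an alert with governance actions when an access event uses an AccessKey ID that was found stored in plaintext. The AccessKey formats (IDs beginning with LTAI, 30-character alphanumeric secrets), the bucket and object contents, and the access-event records are all constructed assumptions for the example; it goes slightly beyond the page by also including a public-read object, so both cards are populated.

```python
"""Added example (not DSC's or Alibaba Cloud's code): scan OSS-like objects for
plaintext AccessKey pairs, classify findings by effective ACL, and alert on
access events that use a leaked AccessKey ID."""
import re
from dataclasses import dataclass, field

# Heuristic formats (assumption, not from the page): RAM user AccessKey IDs
# start with "LTAI"; AccessKey secrets are 30 alphanumeric characters.
AK_ID_RE = re.compile(r"\bLTAI[0-9A-Za-z]{12,20}\b")
AK_SECRET_RE = re.compile(r"\b[0-9A-Za-z]{30}\b")


@dataclass(frozen=True)
class OssObject:
    key: str
    content: str
    acl: str = "default"   # "default" inherits the bucket ACL


@dataclass
class Bucket:
    name: str
    acl: str               # "private" or "public-read"
    objects: list = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    bucket: str
    key: str
    effective_acl: str
    access_key_id: str


def find_accesskey_pairs(text):
    """Return (id, secret) tuples: a secret-shaped token within 200 chars after an ID."""
    pairs = []
    for m in AK_ID_RE.finditer(text):
        window = text[m.end():m.end() + 200]
        s = AK_SECRET_RE.search(window)
        if s:
            pairs.append((m.group(0), s.group(0)))
    return pairs


def effective_acl(bucket, obj):
    """An object with the default ACL takes the ACL of its bucket."""
    return bucket.acl if obj.acl == "default" else obj.acl


def scan_bucket(bucket):
    """One Finding per plaintext AccessKey pair found in any object of the bucket."""
    findings = []
    for obj in bucket.objects:
        for ak_id, _secret in find_accesskey_pairs(obj.content):
            findings.append(Finding(bucket.name, obj.key, effective_acl(bucket, obj), ak_id))
    return findings


def summarize(findings):
    """Counts mirroring the DSC 'Private Plaintext Storage' / 'Public Plaintext Storage' cards."""
    counts = {"private_plaintext": 0, "public_plaintext": 0}
    for f in findings:
        card = "private_plaintext" if f.effective_acl == "private" else "public_plaintext"
        counts[card] += 1
    return counts


def build_alerts(findings, access_events):
    """Flag access events whose AccessKey ID was found stored in plaintext (constructed event format)."""
    leaked = {f.access_key_id for f in findings}
    alerts = []
    for ev in access_events:
        if ev["access_key_id"] in leaked:
            alerts.append({
                "access_key_id": ev["access_key_id"],
                "bucket": ev["bucket"],
                "object": ev["key"],
                # Governance measures from Step 4.5 and the Summary: AccessKey handling and bucket governance.
                "recommended_actions": ["Disable or rotate the AccessKey pair", "Set the bucket ACL to private"],
            })
    return alerts


# Constructed sample data: a public-read bucket, a private test.txt holding an
# AccessKey pair (as in Step 1.2), the sample CSV, and a second object that
# inherits public-read and also contains a pair.
SAMPLE_BUCKET = Bucket("examplebucket", "public-read", [
    OssObject("test.txt",
              "AccessKey ID: LTAI4ExampleId0123456789\n"
              "AccessKey Secret: Abcdefghijklmnopqrstuvwxyz0123\n",
              acl="private"),
    OssObject("exampledir/userdata.csv", "id,name\n1,alice\n2,bob\n"),
    OssObject("exampledir/notes.txt",
              "export OSS_AK=LTAI4SecondExampleId0001 secret=Zyxwvutsrqponmlkjihgfedcba9876\n"),
])

# Constructed access events: the first uses the AccessKey ID stored in test.txt.
SAMPLE_ACCESS_EVENTS = [
    {"access_key_id": "LTAI4ExampleId0123456789", "bucket": "examplebucket", "key": "exampledir/userdata.csv"},
    {"access_key_id": "LTAI4UnrelatedKeyId00042", "bucket": "examplebucket", "key": "exampledir/userdata.csv"},
]

if __name__ == "__main__":
    found = scan_bucket(SAMPLE_BUCKET)
    print(summarize(found))
    for alert in build_alerts(found, SAMPLE_ACCESS_EVENTS):
        print(alert)
```

Run as-is to see one private and one public plaintext finding and a single alert for the download of exampledir/userdata.csv with the leaked key; the second event, which uses an unrelated AccessKey ID, produces no alert. The pairing rule (a secret-shaped token shortly after an ID) is deliberately simple and will produce false positives on other 30-character tokens, which is why a real detector also correlates the ID against known AccessKey pairs before raising an alert.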
Summary
The data detection and response feature of DSC allows you to continuously detect access to OSS buckets and objects by using leaked and abnormal AccessKey pairs and provides AccessKey pair and bucket governance capabilities to improve OSS data security.
Detection of AccessKey pair leaks
You can detect leaks of AccessKey pairs in OSS buckets, on GitHub, and in self-managed intelligence sources. For more information, see Authorize the data detection and response feature to access OSS buckets and add AccessKey pair intelligence.
Abnormal AccessKey pair-based access alerts
The data detection and response feature is authorized to track access to OSS buckets that uses AccessKey pairs found leaked in OSS buckets, on GitHub, and in self-managed intelligence sources. This helps you handle AccessKey pair leak alerts in a more comprehensive manner. For more information, see View leaked AccessKey pairs and alerts for abnormal AccessKey pair-based access.
Alert handling
The data detection and response feature provides two measures: AccessKey pair handling and bucket governance. You can restrict access to buckets based on IP addresses and sensitivity levels. This helps prevent data leaks and attacks to improve data security. For example, you can disable affected AccessKey pairs to prevent unauthorized access or configure a stricter policy on affected objects. For more information, see Handle AccessKey pair leaks and unusual access alerts.