Data Security Center (DSC) evaluates the security configuration compliance of Object Storage Service (OSS) buckets: for example, it checks whether access control lists (ACLs) and encryption are configured and suggests how to handle each detected risk item. We recommend that you handle risk items promptly based on these suggestions to strengthen the baseline security configuration of the assets stored in your OSS buckets.
Overview
DSC supports the following check items for OSS buckets.
| Policy | Check item | Description |
| --- | --- | --- |
| Data Storage Security | OSS-enable Bucket server-side encryption | Checks whether server-side encryption is enabled for the bucket. Encrypt data at rest so that the confidentiality of stored objects does not depend on the underlying storage alone. |
| Data Backup and Recovery | OSS-enable Bucket version control | Checks whether versioning is enabled for the bucket. Versioning retains earlier versions of overwritten or deleted objects so that they can be restored, which provides redundancy and protects data availability against accidental or malicious changes. |
| Access Control Management | OSS-enable Bucket anti-theft chain configuration and OSS-configure an access source IP address whitelist | Checks whether access to the bucket is restricted by hotlink protection (a Referer whitelist) and by a source IP address whitelist. Restrict data access and usage to what your business requires so that assets are not exposed to the whole Internet. |
| Data Transmission Encryption | OSS-enable secure encrypted transmission | Checks whether encrypted (HTTPS) transmission is enforced for access to objects in the bucket. Plaintext HTTP exposes object data and request headers in transit. |
| Log Monitoring Audit | OSS-enable log storage | Checks whether access logging is enabled for the bucket. Record and monitor access throughout the data processing lifecycle so that every operation on the data can be traced. |
| Identity Rights Management | OSS-anonymous account "read/write/full control" permission configuration | Checks whether the ACL grants access to anonymous users, for example the public-read-write ACL, which allows anyone to modify objects. Apply the principle of least privilege so that only authorized users can access your assets. |
| Sensitive Data Protection | OSS-sensitive data Bucket public read (write) Access Check and OSS-log file public read (write) access permission settings | Checks whether assets that contain sensitive data, or OSS log files, can be read or written publicly, for example because the public-read-write ACL is set on a bucket that stores OSS logs. In this example only the security baseline check is performed and no sensitive data identification is run, so the OSS-sensitive data Bucket public read (write) Access Check check item passes by default. |
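The check items above map onto bucket settings that the OSS APIs expose, so the same baseline can be evaluated as code, for example to gate a deployment pipeline or to audit buckets that are not yet connected to DSC. The following Python script is an added example, not DSC's implementation and not the OSS SDK: it re-implements the nine check items over a bucket configuration dict whose field names (acl, sse_algorithm, versioning, referer, logging_target_bucket, policy, contains_sensitive_data, is_log_target) are this example's own simplification of what GetBucketAcl, GetBucketEncryption, GetBucketVersioning, GetBucketReferer, GetBucketLogging and GetBucketPolicy return. The bucket policy condition keys acs:SourceIp and acs:SecureTransport are the standard Alibaba Cloud RAM condition keys; the two sample buckets are constructed for illustration.

```python
"""Re-implementation of the nine DSC baseline check items for an OSS bucket.

Added example: not DSC code and not the OSS SDK. The configuration dict keys
are this example's own simplification (assumption) of the OSS GetBucket* API
responses; the sample buckets at the bottom are constructed, not real assets.
"""
import ipaddress
import json

PUBLIC_ACLS = {"public-read", "public-read-write"}
SSE_ALGORITHMS = {"AES256", "KMS", "SM4"}  # AES256 = keys managed by OSS


def _statements(policy):
    """Return the Statement list of a bucket policy given as JSON text or dict."""
    if not policy:
        return []
    if isinstance(policy, str):
        policy = json.loads(policy)
    return policy.get("Statement", [])


def _conditions(stmt, key):
    """Yield (operator, [values]) for one condition key, e.g. acs:SourceIp."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for k, v in pairs.items():
            if k.lower() == key.lower():
                yield operator, v if isinstance(v, list) else [v]


def denies_insecure_transport(policy):
    """True if a Deny statement matches requests where acs:SecureTransport is false."""
    for st in _statements(policy):
        if st.get("Effect") == "Deny":
            for op, vals in _conditions(st, "acs:SecureTransport"):
                if op == "Bool" and any(str(v).lower() == "false" for v in vals):
                    return True
    return False


def effective_ip_whitelist(policy):
    """CIDRs from Allow statements conditioned on acs:SourceIp.

    A /0 range (0.0.0.0/0 or ::/0) admits every address and is dropped, so a
    policy that only "whitelists" the whole Internet yields []. Malformed
    entries are skipped rather than trusted.
    """
    cidrs = []
    for st in _statements(policy):
        if st.get("Effect") != "Allow":
            continue
        for op, vals in _conditions(st, "acs:SourceIp"):
            if op != "IpAddress":
                continue
            for v in vals:
                try:
                    net = ipaddress.ip_network(v, strict=False)
                except ValueError:
                    continue
                if net.prefixlen > 0:
                    cidrs.append(str(net))
    return cidrs


def evaluate_bucket(cfg):
    """Return {check item name: passed?} using the check item names from the table."""
    acl_public = cfg.get("acl") in PUBLIC_ACLS
    referer = cfg.get("referer") or {}
    policy = cfg.get("policy")
    return {
        "OSS-enable Bucket server-side encryption":
            cfg.get("sse_algorithm") in SSE_ALGORITHMS,
        # "Suspended" stops protecting new writes, so only "Enabled" passes.
        "OSS-enable Bucket version control":
            cfg.get("versioning") == "Enabled",
        "OSS-enable Bucket anti-theft chain configuration":
            bool(referer.get("referer_list")) and not referer.get("allow_empty_referer", True),
        "OSS-configure an access source IP address whitelist":
            bool(effective_ip_whitelist(policy)),
        "OSS-enable secure encrypted transmission":
            denies_insecure_transport(policy),
        "OSS-enable log storage":
            bool(cfg.get("logging_target_bucket")),
        'OSS-anonymous account "read/write/full control" permission configuration':
            not acl_public,
        # Passes unless an identification task flagged the bucket AND it is public,
        # matching the page's note that this item passes by default.
        "OSS-sensitive data Bucket public read (write) Access Check":
            not (cfg.get("contains_sensitive_data", False) and acl_public),
        "OSS-log file public read (write) access permission settings":
            not (cfg.get("is_log_target", False) and acl_public),
    }


def failed_checks(cfg):
    """Names of the check items the bucket fails, in table order."""
    return [name for name, ok in evaluate_bucket(cfg).items() if not ok]


# Constructed sample buckets (not real assets).
WEAK_BUCKET = {"acl": "public-read-write", "versioning": None, "policy": None}

HARDENED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"],
         "Resource": ["acs:oss:*:*:example-bucket/*"],
         "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
        {"Effect": "Deny", "Action": ["oss:*"], "Principal": ["*"],
         "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
         "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}},
    ],
})
HARDENED_BUCKET = {
    "acl": "private", "sse_algorithm": "AES256", "versioning": "Enabled",
    "referer": {"referer_list": ["https://www.example.com"], "allow_empty_referer": False},
    "logging_target_bucket": "example-log-bucket", "policy": HARDENED_POLICY,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(f"{label}: {len(failed_checks(cfg))} failed -> {failed_checks(cfg)}")
```

Two design points worth noting: a source IP "whitelist" of 0.0.0.0/0 is treated as no whitelist at all, because it admits every address while still looking like a restriction in the console; and the versioning state "Suspended" is treated as failing, since it no longer preserves versions of new writes. The weak sample bucket fails seven of the nine items, passing only the two sensitive-data items that the page says pass by default when no identification task has run.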
To complete security baseline checks of the preceding check items, perform the following steps:
Create an OSS bucket.
Connect the OSS bucket to DSC. In this step, DSC must be authorized to access the OSS bucket.
Manually perform a security baseline check: DSC automatically runs a security baseline check on connected assets at approximately 01:00 every day. If you want to view the security baseline check results immediately, you must trigger a check manually.
View and handle security risks: Handle detected risk items at the earliest opportunity based on the security baseline check results.
Prerequisites
The free edition of DSC is activated for the current account, and DSC is authorized to access other Alibaba Cloud resources.
The free edition of DSC provides the baseline check feature. You can perform baseline checks based on the check items in Alibaba Cloud Data Security Best Practices. The free edition of DSC provides 500 TB of OSS protection capacity for each month. In this example, the free edition of DSC is activated.
OSS is activated. To activate OSS, go to the OSS buy page.
Step 1: Create an OSS bucket
On the Buckets page of the OSS console, click Create Bucket.
In the Create Bucket panel, configure the parameters as shown in the following figure and use the default settings for other parameters. Then, click Create.
Step 2: Connect the OSS bucket to DSC
On the Authorization Management page of the DSC console, click Asset Authorization Management.
In the Asset Authorization Management panel, click OSS in the Unstructured Data section and then click Asset synchronization.
After you synchronize assets, select the OSS bucket that you want to manage and click Authorization in the Actions column.
After the authorization is complete, find the OSS bucket on the Authorization Management page and click Connect in the Actions column.
In the Batch Connect dialog box, click OK. You do not need to select Immediately scan database assets and identify data.
Wait until the Connection Status of the OSS bucket changes to Connected.
Step 3: Manually perform a security baseline check
3.1 Check whether baseline check policies are enabled
On the Baseline Management page, view the check items that are related to OSS and their status on the Alibaba Cloud Data Security Best Practices tab.
To use PIPL-based Security Baseline Check, you must purchase DSC Enterprise Edition. In this example, the check items in Alibaba Cloud Data Security Best Practices are used to check the security configuration compliance of authorized buckets.
By default, DSC enables all check items of the baseline check policies for authorized OSS assets.
Confirm that the Status column shows each check item as enabled.
3.2 Manually perform a security baseline check for each check item
On the Alerts tab, find the policy that you want to manage and click Details in the Actions column.
On the Risk Situation tab, find the check items that are related to OSS and click Check in the Actions column. If the Check button is highlighted again, the check is complete. In this case, you can close the panel.
Repeat the preceding steps to perform the security baseline checks for check items of different policies.
Step 4: View and handle security risks
4.1 View the check results for the OSS bucket
After the security baseline check is complete, search for the required bucket on the Risk Trends tab. In this example, five check items pass the baseline check and four check items fail the check.
Click Handle in the Actions column to view the failed check items and the handling suggestions.
4.2 Handle risk items
In the Risk Details section, find the risk item that you want to manage and click Handle to go to the relevant page to handle the risk item. For example, handle the OSS-enable Bucket server-side encryption risk item.
On the Server-Side Encryption page of the OSS bucket, click Settings. For example, set the Encryption Method parameter to OSS-Managed and click Save. For more information about server-side encryption, see Server-side encryption.
4.3 Perform a recheck
Go back to the Risk Details section in the DSC console and click Recheck.
If the risk item passes the check, the risk item is handled.
You can perform the preceding operations to handle all risk items to enhance the security configuration compliance of OSS buckets.
Summary
You can check the security configuration compliance of an existing OSS bucket before you store data in the bucket. This helps improve data storage security.
Sensitive data protection policies
By default, the OSS-sensitive data Bucket public read (write) Access Check check item passes the security baseline check, and sensitive data identification is not performed. To ensure the security configuration compliance of OSS buckets after you store data in the buckets, you can create a sensitive data identification task to periodically scan OSS buckets for sensitive data. For OSS buckets that contain sensitive data, DSC performs a security baseline check for the OSS-sensitive data Bucket public read (write) Access Check check item. This helps you handle risk items at the earliest opportunity.
For more information about sensitive data identification tasks, see Identification tasks.
The free edition of DSC allows you to scan 5 GB of assets each month free of charge. If the quota cannot meet your business requirements, you can purchase DSC Basic Edition. For more information, see Purchase DSC.
Whitelist management
After you confirm that the check results of a check item for the current asset can be ignored, go to the Asset Risks tab, find the OSS asset that you want to manage, and then click Add to Whitelist in the Actions column to add the asset to the whitelist of the check item.
The free edition of DSC does not support the whitelist feature. You must purchase DSC Enterprise Edition to use the whitelist feature.