Before you can use the data detection and response feature to check AccessKey pairs in Object Storage Service (OSS) buckets, you must authorize the feature to access the buckets. If AccessKey pairs are leaked or potentially leaked, you can add the AccessKey pairs to Data Security Center (DSC). This way, you can use the data detection and response feature to track unusual object access by using the AccessKey pairs. The data detection and response feature monitors accessed objects in OSS buckets and generates alerts to allow you to identify and respond to risks of data leaks at the earliest opportunity.
Prerequisites
The data detection and response feature is enabled, and the OSS protection capacity is sufficient. For more information, see Enable data detection and response.
If you use a Resource Access Management (RAM) user, the RAM user has the management permissions on the destination buckets and other RAM users. For more information, see Authorize a RAM user to access DSC.
Background information
For more information about the working principles and limits of AccessKey pair leak detection and unusual access alerting, see Overview.
Limits
When you add self-managed AccessKey pair intelligence, take note of the following information:
If the multi-account management feature is enabled for the current account, you can add up to 1 million AccessKey pairs. For more information about the multi-account management feature, see Use the multi-account management feature.
If the multi-account management feature is disabled for the current account, you can add up to 10,000 AccessKey pairs.
If you upload multiple AccessKey pairs at a time, you must save the AccessKey pair file in the .xlsx format and ensure that the file does not exceed 10 MB in size.
Authorize the data detection and response feature to access OSS buckets
Before you can use the data detection and response feature to check for AccessKey pair leaks and unusual object access in an OSS bucket, you must authorize DSC to access the bucket. Procedure:
Log on to the DSC console.
In the left-side navigation pane, choose the menu item that opens the OSS Data Leak (AccessKey Pair Scenarios) page.
The first time you go to the OSS Data Leak (AccessKey Pair Scenarios) page, click Authorize Immediately. On the Asset Authorization Configuration page, perform the following operations to authorize the data detection and response feature to access an OSS bucket:
Find the required bucket and click Authorization in the Actions column. You can select multiple buckets and click Authorize Now below the list.
After you complete the authorization, click Try Now.
If you want to authorize the data detection and response feature to access more OSS buckets later, go to the OSS Data Leak (AccessKey Pair Scenarios) page and click Authorize Immediately in the Authorization Statistics section.
In the Asset Authorization Configuration panel, click Asset synchronization.
After you purchase DSC and complete the authorization on the Welcome page, DSC automatically synchronizes assets in the cloud. In this case, you do not need to manually synchronize assets. DSC scans for new assets at 00:00 every day and automatically synchronizes new assets to the lists of unauthorized assets. If you want to authorize the data detection and response feature to access assets that are created on the current day, you must manually synchronize the assets.
Click Not authorized, find the required bucket, and then click Authorization in the Actions column.
If you want to authorize the data detection and response feature to access multiple assets, select the assets and click Batch Authorize below the list.
Important: If the multi-account management feature is enabled for the current account, you can select the OSS buckets of members based on the UIDs of the members. For more information about how to enable the multi-account management feature, see Use the multi-account management feature.
During the first month after you enable the data detection and response feature, DSC automatically creates and runs a default data identification task to scan for and classify sensitive information.
The default data identification task uses the built-in classification template for the Internet industry as the main template to scan for and classify sensitive information in authorized buckets and objects. You cannot view and manage the default data identification task in the console.
One month after you enable the data detection and response feature, you must manually create a custom data identification task. When you create a custom data identification task, set the Scope parameter to Asset Type, select OSS for the Asset Type drop-down list, and set the Scan Scope parameter to the authorized bucket. For more information, see Identification tasks.
Add self-managed AccessKey pair intelligence
If an AccessKey pair is leaked, potentially leaked, or used for unauthorized access, or if you want to query the objects that are accessed by using an AccessKey pair, you can add the AccessKey pair to the intelligence source of the data detection and response feature. DSC checks the objects that are accessed by using the AccessKey pair and generates alerts on the corresponding page in the DSC console.
If no AccessKey pair leaks are detected on GitHub or in an authorized bucket, no alerts are displayed on that page even if AccessKey pairs are used to access authorized buckets. If you want to view the events that involve access to authorized buckets by using AccessKey pairs, you must add the AccessKey pairs to the self-managed AccessKey pair intelligence.
Log on to the DSC console.
In the left-side navigation pane, choose the menu item that opens the OSS Data Leak (AccessKey Pair Scenarios) page.
In the AccessKey Pair Leaks section of the OSS Data Leak (AccessKey Pair Scenarios) page, click Add Intelligence in the Self-managed Intelligence card.
In the Intelligence Management panel, click Add Intelligence.
Use one of the following methods to add AccessKey pairs:
Manual Import
On the Manual Import tab, enter the ID of the AccessKey pair that you want to manage in the AccessKey ID field, configure the Leak Status and Remarks parameters, and then click OK. Valid values for the Leak Status parameter are Leaked, Not Leaked, or Suspected Leak.
If the data detection and response feature is authorized to access buckets and at least one check is performed, DSC records the AccessKey pairs that are used to access the buckets and summarizes the information as sample data. You can click Preview to copy the AccessKey pairs.
Batch Upload
On the Batch Upload tab, click Download Template to obtain the AccessKey pair template file in the .xlsx format. Configure the AccessKeyId, Status, and Comment parameters. AccessKeyId indicates the ID of the AccessKey pair. Valid values for the Status parameter are Leaked, Not Leaked, or Suspected Leak.
If the data detection and response feature is authorized to access buckets and at least one check is performed, DSC records the AccessKey pairs that are used to access the buckets and summarizes and saves the information into the template file. The following figure shows the template file.
Save the template file.
Go back to the Batch Upload tab and click View Local File or the upload icon to import the saved template file in the .xlsx format.
Click OK.
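Before filling in the downloaded template, it is worth checking the rows offline against the constraints this page states (the AccessKeyId, Status and Comment columns, the three valid Status values, and the 10,000 or 1 million entry limit). The following validator is an added example, not DSC's own code or tooling; the rows are constructed sample data, and the check that an AccessKey ID starts with LTAI is an assumption about the usual format of Alibaba Cloud AccessKey IDs that the page itself does not state.

```python
"""Pre-flight validator for rows destined for the DSC batch-upload .xlsx template.

Added example (not DSC code). Returns the cleaned rows plus hard problems (row
rejected) and soft warnings (row kept) so duplicates, bad Status values and
over-limit files are caught before the upload is attempted.
"""
from typing import Dict, List, Optional, Tuple

VALID_STATUS = {"Leaked", "Not Leaked", "Suspected Leak"}   # from the page
LIMIT_SINGLE_ACCOUNT = 10_000        # multi-account management disabled
LIMIT_MULTI_ACCOUNT = 1_000_000      # multi-account management enabled

# Case-, space- and underscore-insensitive lookup for the allowed Status values.
_STATUS_ALIASES = {s.lower().replace(" ", ""): s for s in VALID_STATUS}


def normalize_status(raw: object) -> Optional[str]:
    """Map 'leaked', 'Suspected_leak', ... to the exact template value, or None."""
    key = str(raw or "").strip().lower().replace(" ", "").replace("_", "")
    return _STATUS_ALIASES.get(key)


def validate_rows(rows: List[Dict], multi_account: bool = False
                  ) -> Tuple[List[Dict], List[str], List[str]]:
    limit = LIMIT_MULTI_ACCOUNT if multi_account else LIMIT_SINGLE_ACCOUNT
    clean, problems, warnings, seen = [], [], [], set()
    for n, row in enumerate(rows, start=2):           # row 1 of the sheet is the header
        ak = str(row.get("AccessKeyId") or "").strip()
        status = normalize_status(row.get("Status"))
        comment = str(row.get("Comment") or "").strip()
        if not ak:
            problems.append(f"row {n}: empty AccessKeyId")
            continue
        if status is None:
            problems.append(f"row {n}: Status {row.get('Status')!r} is not one of {sorted(VALID_STATUS)}")
            continue
        if ak in seen:
            problems.append(f"row {n}: duplicate AccessKeyId {ak}")
            continue
        if not ak.startswith("LTAI"):   # assumption about the ID format, not stated on the page
            warnings.append(f"row {n}: {ak!r} does not look like an Alibaba Cloud AccessKey ID")
        seen.add(ak)
        clean.append({"AccessKeyId": ak, "Status": status, "Comment": comment})
    if len(clean) > limit:
        problems.append(f"{len(clean)} entries exceed the limit of {limit} for this account mode")
    return clean, problems, warnings


# Constructed sample rows (not real keys): mixed-case status, whitespace, a duplicate,
# an invalid status, an empty ID and an ID in an unexpected format.
SAMPLE_ROWS = [
    {"AccessKeyId": "LTAIexampleKey000001", "Status": "leaked", "Comment": "seen in a public repo"},
    {"AccessKeyId": " LTAIexampleKey000002 ", "Status": "Suspected leak", "Comment": None},
    {"AccessKeyId": "LTAIexampleKey000001", "Status": "Not Leaked", "Comment": "duplicate"},
    {"AccessKeyId": "LTAIexampleKey000003", "Status": "Revoked", "Comment": ""},
    {"AccessKeyId": "", "Status": "Leaked", "Comment": ""},
    {"AccessKeyId": "EXAMPLEotherformat", "Status": "Not Leaked", "Comment": "check origin"},
]
```

Run `validate_rows(SAMPLE_ROWS)` to get three clean rows, three rejected rows and one warning; only the clean rows should be copied into the template.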
What to do next
From the second month after you enable the data detection and response feature onward, DSC no longer automatically creates or runs default data identification tasks. You must create and run custom data identification tasks for authorized OSS assets. For more information, see Identification tasks.
View the information about leaked AccessKey pairs and the alert events for access to authorized buckets and objects by using leaked AccessKey pairs or AccessKey pairs that are added to AccessKey pair intelligence. This way, you can identify risks, evaluate their impact, and select a handling method. For more information, see View leaked AccessKey pairs and unusual access alerts.
Handle AccessKey pair leak events based on alert details and response measures provided by DSC. For example, you can disable affected AccessKey pairs to prevent unauthorized access or configure a stricter policy for affected objects. For more information, see Handle AccessKey pair leak alerts and unusual access alerts.
References
You can synchronize sensitivity level tags identified by data identification tasks to OSS as tags of objects in OSS buckets. This way, you can manage the permissions of objects based on the tags of the objects. For more information, see Synchronize sensitivity level tags to an OSS object.
Obtain real-time alert events for leaked AccessKey pairs and AccessKey pairs that are added to AccessKey pair intelligence and track the access records of the AccessKey pairs to check whether important data is leaked. For more information, see Configure alert notifications for unusual access.