All Products
Search
Document Center

Data Security Center:Authorize the data detection and response feature to access OSS buckets and add AccessKey pair intelligence

Last Updated:Dec 18, 2024

Before you can use the data detection and response feature to check AccessKey pairs in Object Storage Service (OSS) buckets, you must authorize the feature to access the buckets. If AccessKey pairs are leaked or potentially leaked, you can add the AccessKey pairs to Data Security Center (DSC). This way, you can use the data detection and response feature to track unusual object access by using the AccessKey pairs. The data detection and response feature monitors accessed objects in OSS buckets and generates alerts to allow you to identify and respond to risks of data leaks at the earliest opportunity.

Prerequisites

Background information

For more information about the working principles and limits of AccessKey pair leak detection and unusual access alerting, see Overview

Limits

When you add self-managed AccessKey pair intelligence, take note of the following information:

  • If the multi-account management feature is enabled for the current account, you can add up to 1 million AccessKey pairs. For more information about the multi-account management feature, see Use the multi-account management feature.

  • If the multi-account management feature is disabled for the current account, you can add up to 10,000 AccessKey pairs.

  • If you upload multiple AccessKey pairs at a time, you must save the AccessKey pair file in the .xlsx format and ensure that the file does not exceed 10 MB in size.

Authorize the data detection and response feature to access OSS buckets

Before you can use the data detection and response feature to check AccessKey pairs leaks and unusual object access within an OSS bucket, you must authorize DSC to access the bucket. Procedure:

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Detection and Response > OSS Data Leak (AccessKey Pair Scenarios).

  3. The first time you go to the OSS Data Leak (AccessKey Pair Scenarios) page, click Authorize Immediately. On the Asset Authorization Configuration page, perform the following operations to authorize the data detection and response feature to access an OSS bucket:

    image

    1. Find the required bucket and click Authorization in the Actions column. You can select multiple buckets and click Authorize Now below the list.

    2. After you complete the authorization, click Try Now.

  4. If you want to authorize the data detection and response feature to access more OSS buckets later, go to the OSS Data Leak (AccessKey Pair Scenarios) page and click Authorize Immediately in the Authorization Statistics section.

  5. In the Asset Authorization Configuration panel, click Asset synchronization.

    After you purchase DSC and complete the authorization on the Welcome page, DSC automatically synchronizes assets in the cloud. In this case, you do not need to manually synchronize assets. DSC scans for new assets at 00:00 every day and automatically synchronizes new assets to the lists of unauthorized assets. If you want to authorize the data detection and response feature to access assets that are created on the current day, you must manually synchronize the assets.

  6. Click Not authorized, find the required bucket, and then click Authorization in the Actions column.

    If you want to authorize the data detection and response feature to access multiple assets, select the assets and click Batch Authorize below the list.

    Important

    If the multi-account management feature is enabled for the current account, you can select the OSS buckets of members based on the UIDs of the members. For more information about how to enable the multi-account management feature, see Use the multi-account management feature.

  7. During the first month after you enable the data detection and response feature, DSC automatically creates and runs a default data identification task to scan for and classify sensitive information.

    The default data identification task uses the built-in classification template for the Internet industry as the main template to scan for and classify sensitive information in authorized buckets and objects. You cannot view and manage the default data identification task in the console.

    One month after you enable the data detection and response feature, you must manually create a custom data identification task. When you create a custom data identification task, set the Scope parameter to Asset Type, select OSS from the Asset Type drop-down list, set the Scan Scope parameter to Specify Scan Scope, and select the bucket that the data detection and response feature is authorized to access from the Bucket drop-down list. This way, sensitive data in the bucket can be classified into different levels. For more information, see Create a custom identification task.

Add self-managed AccessKey pair intelligence

If an AccessKey pair is leaked, potentially leaked, or used for unauthorized access or if you want to query objects that are accessed by using a specific AccessKey pair, you can add the AccessKey pair to the intelligence source of the data detection and response feature. DSC checks the objects that are accessed by using the AccessKey pair and generates alerts on the Data Detection and Response > OSS Data Leak (AccessKey Pair Scenarios) page.

Note

If no AccessKey pair leaks are detected on GitHub or in an authorized bucket, no alerts are displayed on the Data Detection and Response > OSS Data Leak (AccessKey Pair Scenarios) page even if AccessKey pairs are used to access authorized buckets. If you want to view the events that involve access to authorized buckets by using AccessKey pairs, you must add the AccessKey pairs to the self-managed AccessKey pair intelligence.

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Detection and Response > OSS Data Leak (AccessKey Pair Scenarios).

  3. In the AccessKey Pair Leaks section of the OSS Data Leak (AccessKey Pair Scenarios) page, click Add Intelligence in the Self-managed Intelligence card.

  4. In the Intelligence Management panel, click Add Intelligence.

    image

  5. Use one of the following methods to add AccessKey pairs:

    • Manual Import

      image

      On the Manual Import tab, enter the ID of the AccessKey pair that you want to manage in the AccessKey ID field, configure the Leak Status and Remarks parameters, and then click OK. Valid values for the Leak Status parameter are Leaked, Not Leaked, or Suspected Leak.

      If the data detection and response feature is authorized to access buckets and at least one check is performed, DSC records the AccessKey pairs that are used to access the buckets and summarizes the information as sample data. You can click Preview to copy the AccessKey pairs.

    • Batch Upload

      image

      1. On the Batch Upload tab, click Download Template to obtain the AccessKey pair template file in the .xlsx format. Configure the AccessKeyId, Status, and Comment parameters. AccessKeyId indicates the ID of the AccessKey pair. Valid values for the Status parameter are Leaked, Not Leaked, or Suspected Leak.

        If the data detection and response feature is authorized to access buckets and at least one check is performed, DSC records the AccessKey pairs that are used to access the buckets and summarizes and saves the information into the template file. The following figure shows the template file.

        image

      2. Save the template file.

      3. Go back to the Batch Upload tab and click View Local File or the image icon to import the saved template file in the .xlsx format.

      4. Click OK.

What to do next

  • On the succeeding month after you enable the data detection and response feature, DSC no longer automatically creates or runs default data identification tasks. You must create and run custom data identification tasks for authorized OSS assets. For more information, see Identify sensitive data by using identification tasks.

  • View the information about leaked AccessKey pairs and the alert events of access to authorized buckets and objects by using leaked AccessKey pairs and AccessKey pairs that are added to AccessKey pair intelligence. This way, you can identify risks, evaluate the impacts of the risks, and select a handling method. For more information, see View leaked AccessKey pairs and alerts for abnormal AccessKey pair-based access.

  • Handle AccessKey pair leak events based on alert details and response measures provided by DSC. For example, you can disable affected AccessKey pairs to prevent unauthorized access or configure a stricter policy for affected objects. For more information, see Handle AccessKey pair leak alerts and unusual access alerts.

References