The data detection and response feature is a value-added feature of Data Security Center (DSC). To use the feature, you must purchase sufficient Object Storage Service (OSS) protection capacity. The feature checks whether destination objects contain the AccessKey pairs of Alibaba Cloud accounts or Resource Access Management (RAM) users. It also detects risky access to authorized buckets and objects that is made by using leaked or abnormal AccessKey pairs. This topic describes the billing rules and purchase methods of the data detection and response feature.
Prerequisites
If you use a RAM user to enable the data detection and response feature, make sure that the AliyunBSSOrderAccess and AliyunBSSRefundAccess system policies are attached to the RAM user. These policies allow the RAM user to purchase, renew, and unsubscribe from DSC. The AliyunYundunSDDPFullAccess system policy must also be attached to the RAM user so that the RAM user can manage and access the DSC console. For more information, see Grant permissions to a RAM user.
Background information
For more information about AccessKey pair leak detection and alerting, see Overview.
Billing rules
The data detection and response feature uses the subscription billing method. For more information, see Billing overview.
Purchase and enable the data detection and response feature
Follow the steps that match your business scenario to purchase the data detection and response feature.
Activate DSC for the first time and purchase value-added features
Log on to the DSC buy page by using your Alibaba Cloud account.
Select an edition.
You can select Enterprise or Value-added Plan. For more information, see Purchase DSC.
Set the Data Detection and Response parameter to Enable in the Value-added Module section.
If you enable the data detection and response feature, 1 TB of OSS protection capacity is provided each month free of charge.
Configure the Data Detection and Response - OSS Protection Capacity parameter. Unit: TB.
The price varies based on the OSS protection capacity. Purchase the OSS capacity that requires protection, minus the 1 TB that is provided free of charge each month. For more information about the pricing of OSS protection capacity, see Billing overview.
Configure the Duration parameter.
Click Buy Now and follow the on-screen instructions to complete the payment.
The first time you log on to the DSC console, the Workbench page prompts you to authorize DSC to access cloud resources. After the authorization is complete, DSC can access OSS resources and perform operations such as sensitive data scan and analysis on the cloud resources.
For more information, see Authorize DSC to access Alibaba Cloud resources.
Purchase value-added features after you purchase DSC Enterprise Edition
Log on to the DSC console.
In the left-side navigation pane, choose
Click Upgrade Now.
On the page that appears, set the Data Detection and Response parameter to Enable and configure the Data Detection and Response - OSS Protection Capacity parameter in the Value-added Module section.
Configure the Duration parameter.
Click Buy Now and follow the on-screen instructions to complete the payment.
What to do next
After you enable the data detection and response feature and complete authorization, use the following process to detect AccessKey pair leaks and abnormal AccessKey pair-based access.
Complete the required preparations.
DSC provides the OSS synchronization configuration feature. The feature allows you to synchronize sensitivity level tags that are identified by data identification tasks to OSS as tags of objects in buckets. To facilitate access control of objects based on sensitivity level tags, we recommend that you enable the OSS synchronization configuration feature. For more information, see Synchronize sensitivity level tags to OSS objects.
You can configure alert notifications for unhandled AccessKey pair leaks, which can be sent by text message or email. For more information, see Set alert notifications for abnormal AccessKey pair access.
Authorize DSC to access OSS buckets and add AccessKey pair intelligence. For more information, see Authorize DSC to access OSS buckets and add AccessKey pair intelligence.
In the months after you purchase the data detection and response feature, DSC no longer creates or runs a default data identification task. You must create and run custom data identification tasks for authorized OSS assets. For more information, see Identification tasks.
View the leaked AccessKey pairs and the alert events that are generated when authorized buckets and objects are accessed by using leaked AccessKey pairs or AccessKey pairs that are added to AccessKey pair intelligence. This helps you identify risks, evaluate the impacts of the risks, and select a handling method. For more information, see View leaked AccessKey pairs and alerts for abnormal AccessKey pair-based access.
Based on the leaked AccessKey pairs and abnormal access behavior, take appropriate measures to handle the leaked AccessKey pairs and manage the access control policies of OSS buckets and objects. For more information, see Handle AccessKey pair leaks and unusual access alerts.