Object Storage Service (OSS) allows you to grant different permissions to different Resource Access Management (RAM) users by using object tags to control access to objects. Data Security Center (DSC) provides the OSS synchronization feature. This feature allows you to synchronize sensitivity level tags that are identified by data identification tasks to OSS as the tags of objects in buckets. You can create different policies for objects that have different sensitivity levels and attach different policies to different RAM users. This ensures data security and allows you to manage object permissions in a fine-grained manner. This topic describes how to synchronize sensitivity level tags in DSC to objects in OSS buckets.
Overview
DSC can scan objects in authorized OSS buckets for sensitive information and classify the sensitive information. You can configure DSC to synchronize identified sensitivity levels as the value of the SensitiveLevelForSDDP tag for the OSS objects.
If you use sensitivity level tags to manage access to objects, you can write a RAM policy that uses the Deny effect together with the oss:ExistingObjectTag condition key and the SensitiveLevelForSDDP tag, so that objects whose tag value matches a given sensitivity level are blacklisted for the RAM users to whom the policy is attached. For more information, see RAM policies.
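The following RAM policy is an added illustration of the Deny pattern described above; it is not taken from the DSC or OSS documentation. It assumes a bucket named example-bucket and assumes that the DSC template writes a value of "S4" into SensitiveLevelForSDDP for the most sensitive objects (the actual values depend on the sensitivity level names defined in your identification template, so treat "S4" as a placeholder). The first statement grants ordinary read access to the bucket, and the second statement explicitly denies reads of any object whose existing tag marks it as highly sensitive; because Deny takes precedence over Allow, a RAM user with this policy cannot download those objects even though the Allow statement covers them.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:example-bucket",
        "acs:oss:*:*:example-bucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:example-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "oss:ExistingObjectTag/SensitiveLevelForSDDP": [
            "S4"
          ]
        }
      }
    }
  ]
}
```

Objects that have not yet been scanned carry no SensitiveLevelForSDDP tag and therefore do not match the Deny condition, so run the identification task before relying on this policy to protect newly uploaded data.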
Scenarios
Protect sensitive data
For data that contains sensitive information, such as personal privacy data, financial information, and trade secrets, you can configure high sensitivity level tags and limit access to only specific RAM users such as senior management or security personnel. This helps prevent sensitive data leaks even if OSS buckets store various types of data.
Comply with data protection regulations
In industries and regions regulated by strict data protection regulations, data processing and access are tightly controlled. Enterprises can use DSC to configure sensitivity levels for data that meets regulatory requirements and configure compliant policies to ensure that relevant data complies with data protection regulations.
Collaborate with third parties and share data
When you share data with partners, vendors, or customers, you can grant permissions based on requirements for data sensitivity levels. This helps enhance cross-organizational collaboration and maintain data security.
Billing
You are not charged fees when you enable the OSS synchronization feature in DSC. All operations performed in OSS are implemented by calling OSS operations. Fees are calculated based on the number of API requests. If you synchronize tags to OSS, the process involves adding or modifying tags by using PUT requests. Fees are calculated based on the number of PUT requests. For more information, see API operation calling fees.
Configure sensitivity level tag synchronization
By default, the OSS synchronization feature is disabled in DSC. You must select an identification template and enable the OSS synchronization feature. When you run a data identification task by using the selected template, the sensitivity levels of scan results can be synchronized as tags to objects in OSS buckets.
Prerequisites
If you do not want to use a built-in identification template, create a custom identification template. For more information about how to configure an identification template, see View and configure identification templates.
Enable the OSS synchronization feature
Log on to the DSC console.
In the left-side navigation pane, choose .
On the Alert notification page, click the OSS Synchronization Configurations tab.
Turn on Synchronize Tags to OSS.
Select an identification template from the Identification Template drop-down list and click Submit.
You can select a built-in identification template or a custom identification template. For more information, see View and configure identification templates.
Important: After you turn on Synchronize Tags to OSS, you must configure an identification template. Otherwise, the OSS synchronization configuration does not take effect.
Use the selected identification template to scan authorized OSS assets
After you enable the OSS synchronization feature, you must run a data identification task by using the required identification template. Then, sensitivity levels of scan results in DSC can be synchronized to OSS.
Authorized OSS assets include the OSS buckets that DSC is authorized to access on the Authorization Management page and on the OSS Data Leak (AccessKey Pair Scenarios) page. For more information, see Authorize DSC to access unstructured data in OSS and Simple Log Service and Authorize the data detection and response feature to access OSS buckets and add AccessKey pair intelligence.
If you want to re-run a data identification task or select a different identification template to create a data identification task, see Data identification task.