Data Security Center:Synchronize sensitivity level tags to OSS objects

Overview

DSC can scan objects in authorized OSS buckets for sensitive information and classify the sensitive information. You can configure DSC to synchronize identified sensitivity levels as the value of the SensitiveLevelForSDDP tag for the OSS objects.

If you use sensitivity level tags to manage access to objects, you can use the Deny method, the oss:ExistingObjectTag condition key, and the SensitiveLevelForSDDP tag to manage the blacklist of the objects. For more information, see RAM policies.

Scenarios

• Protect sensitive data

  For data that contains sensitive information, such as personal privacy data, financial information, and trade secrets, you can configure high sensitivity level tags and limit access to only specific RAM users such as senior management or security personnel. This helps prevent sensitive data leaks even if OSS buckets store various types of data.

• Comply with data protection regulations

  In industries and regions regulated by strict data protection regulations, data processing and access are tightly controlled. Enterprises can use DSC to configure sensitivity levels for data that meets regulatory requirements and configure compliant policies to ensure that relevant data complies with data protection regulations.

• Collaborate with third parties and share data

  When you share data with partners, vendors, or customers, you can grant permissions based on requirements for data sensitivity levels. This helps enhance cross-organizational collaboration and maintain data security.

Billing

You are not charged fees when you enable the OSS synchronization feature in DSC. All operations performed in OSS are implemented by calling OSS operations. Fees are calculated based on the number of API requests. If you synchronize tags to OSS, the process involves adding or modifying tags by using PUT requests. Fees are calculated based on the number of PUT requests. For more information, see API operation calling fees.

Configure sensitivity level tag synchronization

By default, the OSS synchronization feature is disabled in DSC. You must select an identification template and enable the OSS synchronization feature. When you run a data identification task by using the selected template, the sensitivity levels of scan results can be synchronized as tags to objects in OSS buckets.

Prerequisites

If you do not want to use a built-in identification template, a custom identification template is created. For more information about how to configure an identification template, see Configure an identification template.

Enable the OSS synchronization feature

1. Log on to the DSC console.

2. In the left-side navigation pane, click System Settings.

3. On the System Settings page, click the OSS Synchronization Configurations tab.

4. Turn on Synchronize Tags to OSS.

5. Select an identification template from the Identification Template drop-down list and click Submit.

   You can select a built-in identification template or a custom identification template. For more information, see Configure an identification template.

   Important

   After you turn on Synchronize Tags to OSS, you must configure an identification template. Otherwise, the OSS synchronization configuration does not take effect.

Use the selected identification template to scan authorized OSS assets

• Authorized OSS assets include OSS buckets that are authorized DSC to access on the Authorization Management page and on the OSS Data Leak (AccessKey Pair Scenarios) page. For more information, see Authorize DSC to access OSS and Authorize DSC to access OSS buckets and add AccessKey pairs to DSC.

• If you want to re-run a data identification task or select a different identification template to create a data identification task, see Data identification task.

Example of using object tags to manage the permissions of objects

Perform the following operations to implement access control for RAM users based on different sensitivity data levels:

1. Complete OSS synchronization configurations, OSS asset authorization, and sensitivity data identification in DSC. For more information, see Configure an identification template, Synchronize sensitivity level tags to OSS objects, Authorize DSC to access OSS, and Data identification task.

2. The SensitiveLevelForSDDP tag is automatically synchronized in OSS objects.

   The value of the SensitiveLevelForSDDP tag indicates the sensitivity level of an object. In the value, 1 represents a sensitivity level of S1, 2 represents S2, 3 represents S3, and 4 represents S4.

   

3. Create a custom policy in RAM and attach the policy to a RAM user. For more information, see Create a RAM user, Create custom policies, and Grant permissions to a RAM user. For more information about how to configure OSS policies, see RAM policies.

   The policy restricts access to objects whose sensitivity levels are S2 and S3 across all authorized OSS buckets, as shown in the preceding figure.

   You can also restrict access to all objects in a bucket. In the following policy, access to objects whose sensitivity level is S3 in a bucket named test-bucket is restricted.

   {
     "Version": "1",
     "Statement": [
       {
         "Effect": "Deny",
         "Action": [
           "oss:*"
         ],
         "Resource": [
           "acs:oss:*:*:test-bucket/*"
         ],
         "Condition": {
           "StringEquals": {
             "oss:ExistingObjectTag/SensitiveLevelTagForSDDP": [
               "3"
             ]
           }
         }
       }
     ]
   }