
Data Security Center:Synchronize sensitivity level tags to OSS objects

Last Updated: Aug 26, 2024

Object Storage Service (OSS) allows you to grant different permissions to different Resource Access Management (RAM) users by using object tags to control access to objects. Data Security Center (DSC) provides the OSS synchronization feature. This feature allows you to synchronize sensitivity level tags that are identified by data identification tasks to OSS as the tags of objects in buckets. You can create different policies for objects that have different sensitivity levels and attach different policies to different RAM users. This ensures data security and allows you to manage object permissions in a fine-grained manner. This topic describes how to synchronize sensitivity level tags in DSC to objects in OSS buckets.

Overview

DSC can scan objects in authorized OSS buckets for sensitive information and classify the sensitive information. You can configure DSC to synchronize identified sensitivity levels as the value of the SensitiveLevelForSDDP tag for the OSS objects.

If you use sensitivity level tags to manage access to objects, you can combine the Deny effect, the oss:ExistingObjectTag condition key, and the SensitiveLevelForSDDP tag in a RAM policy to deny access to objects of specific sensitivity levels. For more information, see RAM policies.

Scenarios

  • Protect sensitive data

    For data that contains sensitive information, such as personal privacy data, financial information, and trade secrets, you can configure high sensitivity level tags and limit access to only specific RAM users such as senior management or security personnel. This helps prevent sensitive data leaks even if OSS buckets store various types of data.

  • Comply with data protection regulations

    In industries and regions regulated by strict data protection regulations, data processing and access are tightly controlled. Enterprises can use DSC to configure sensitivity levels for data that meets regulatory requirements and configure compliant policies to ensure that relevant data complies with data protection regulations.

  • Collaborate with third parties and share data

    When you share data with partners, vendors, or customers, you can grant permissions based on requirements for data sensitivity levels. This helps enhance cross-organizational collaboration and maintain data security.

Billing

You are not charged fees when you enable the OSS synchronization feature in DSC. Tag synchronization is implemented by calling OSS API operations, and OSS charges based on the number of API requests. Synchronizing tags to OSS adds or modifies object tags by using PUT requests, so fees are calculated based on the number of PUT requests. For more information, see API operation calling fees.

Configure sensitivity level tag synchronization

By default, the OSS synchronization feature is disabled in DSC. You must select an identification template and enable the OSS synchronization feature. When you run a data identification task by using the selected template, the sensitivity levels of scan results can be synchronized as tags to objects in OSS buckets.

Prerequisites

If you do not want to use a built-in identification template, create a custom identification template first. For more information about how to configure an identification template, see Configure an identification template.

Enable the OSS synchronization feature

  1. Log on to the DSC console.

  2. In the left-side navigation pane, click System Settings.

  3. On the System Settings page, click the OSS Synchronization Configurations tab.

  4. Turn on Synchronize Tags to OSS.

  5. Select an identification template from the Identification Template drop-down list and click Submit.

    You can select a built-in identification template or a custom identification template. For more information, see Configure an identification template.

    Important

    After you turn on Synchronize Tags to OSS, you must configure an identification template. Otherwise, the OSS synchronization configuration does not take effect.

Use the selected identification template to scan authorized OSS assets

Important

After you enable the OSS synchronization feature, you must run a data identification task by using the required identification template. Then, sensitivity levels of scan results in DSC can be synchronized to OSS.

Example of using object tags to manage the permissions of objects

[Figure: example of using object tags to manage the permissions of objects]

Perform the following operations to implement access control for RAM users based on different sensitivity data levels:

  1. Complete OSS synchronization configurations, OSS asset authorization, and sensitivity data identification in DSC. For more information, see Configure an identification template, Synchronize sensitivity level tags to OSS objects, Authorize DSC to access OSS, and Data identification task.

  2. The SensitiveLevelForSDDP tag is automatically added to the OSS objects.

    The value of the SensitiveLevelForSDDP tag indicates the sensitivity level of an object. In the value, 1 represents a sensitivity level of S1, 2 represents S2, 3 represents S3, and 4 represents S4.

    [Figure: the SensitiveLevelForSDDP tag on an OSS object]

  3. Create a custom policy in RAM and attach the policy to a RAM user. For more information, see Create a RAM user, Create custom policies, and Grant permissions to a RAM user. For more information about how to configure OSS policies, see RAM policies.

    The policy restricts access to objects whose sensitivity levels are S2 and S3 across all authorized OSS buckets, as shown in the preceding figure.

    You can also scope the restriction to a single bucket. The following policy denies access to objects whose sensitivity level is S3 in a bucket named test-bucket.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "oss:*"
          ],
          "Resource": [
            "acs:oss:*:*:test-bucket/*"
          ],
          "Condition": {
            "StringEquals": {
              "oss:ExistingObjectTag/SensitiveLevelForSDDP": [
                "3"
              ]
            }
          }
        }
      ]
    }
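To see how RAM evaluates such a policy against an object's SensitiveLevelForSDDP tag, here is an added Python model (example code written for this page, not part of DSC, OSS or the RAM SDK). It assumes a simplified evaluation order (explicit Deny, then any matching Allow, otherwise implicit Deny), models resource wildcards with fnmatch, and uses constructed policies: the bucket-scoped policy from this page, the all-bucket S2/S3 policy described in step 3, and a read-all Allow policy; region and account IDs are placeholders.

```python
import fnmatch

TAG_KEY = "oss:ExistingObjectTag/SensitiveLevelForSDDP"

# Constructed policies. DENY_S3_IN_BUCKET mirrors the policy on this page;
# DENY_S2_S3_ALL mirrors the all-bucket S2/S3 policy described in step 3.
DENY_S3_IN_BUCKET = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["oss:*"],
    "Resource": ["acs:oss:*:*:test-bucket/*"],
    "Condition": {"StringEquals": {TAG_KEY: ["3"]}}}]}
DENY_S2_S3_ALL = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["oss:*"], "Resource": ["acs:oss:*:*:*/*"],
    "Condition": {"StringEquals": {TAG_KEY: ["2", "3"]}}}]}
ALLOW_READ_ALL = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["oss:GetObject"],
    "Resource": ["acs:oss:*:*:*/*"]}]}

def _match(patterns, value):
    # RAM-style wildcard matching, modelled with fnmatch (assumption).
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, object_tags):
    """StringEquals on oss:ExistingObjectTag/<key>: the object must carry
    the tag with one of the listed values. A missing tag, or a key that
    differs even by case, makes the condition false, so a Deny that relies
    on it does not fire. Only this condition key is modelled (assumption)."""
    prefix = "oss:ExistingObjectTag/"
    for key, values in condition.get("StringEquals", {}).items():
        if not key.startswith(prefix):
            return False
        if object_tags.get(key[len(prefix):]) not in values:
            return False
    return True

def evaluate(policies, action, resource, object_tags):
    """Simplified RAM evaluation: explicit Deny wins, then any matching
    Allow, otherwise implicit Deny. Returns "Deny" or "Allow"."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not (_match(st["Action"], action) and _match(st["Resource"], resource)):
                continue
            if not _condition_holds(st.get("Condition", {}), object_tags):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```

Two cases the model makes visible matter for defenders: an object that DSC has not yet tagged is not denied by these policies, and a misspelled tag key in the condition silently disables the Deny.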