Updated on 2023-10-26 GMT+08:00

Security Best Practices

Security is a shared responsibility between Huawei Cloud and yourself. Huawei Cloud is responsible for providing secure cloud services. As a tenant, you should take advantage of the security provided by cloud services to protect your data. For details, see Shared Responsibilities.

This section provides actionable guidance for enhancing the overall security of OBS. You can continuously evaluate the security status of your OBS resources and enhance their overall security by combining different security capabilities provided by OBS. By doing this, data stored in OBS can be protected from leakage and tampering both at rest and in transit.

Consider the following aspects for your security configurations:

Properly Using Security Credentials to Prevent Data Leaks

  1. Using temporary security credentials

    Requests from applications deployed on ECSs and from other Huawei Cloud services to OBS must be signed. To access OBS buckets, these applications or services should have the required security credentials. You are advised to configure an IAM agency (which you can use to obtain a temporary access key) or a temporary access key for your applications or cloud services. Temporary access keys have a limited validity period, so using them can reduce data leakage risks. For details, see Accessing OBS Using Temporary Access Keys and Obtaining a Temporary Access Key and Security Token Through an Agency.

  2. Periodically changing permanent access keys

    If you have to use a permanent AK/SK pair for access, rotate it periodically and store it in encrypted form. This can prevent data leaks in case you lose the preset plaintext credentials. For details, see Accessing OBS Using Permanent Access Keys.

Correctly Using OBS Access Control

Using the right OBS access control methods can protect your data from being stolen or damaged.

  1. Granting IAM users with different roles the minimum level of access needed

    To better isolate and manage permissions, you are advised to configure independent IAM administrators and grant them permissions to manage IAM policies. Following the principle of least privilege, an IAM administrator can create one or more user groups (data access scenarios) and add users (employees from different departments) to the user groups to inherit the IAM policies applied to their groups. This protects data from leakage caused by excessive permissions. For details, see Access Control over Departments' Public Data and Policy Syntax.

  2. Using bucket policies

    You can configure bucket policies to grant only the permissions that actual service processing requires, so that data is not accidentally shared with others. For details, see Introduction to OBS Access Control.

    One or more conditions can be used to define a bucket policy. Each condition controls a different aspect of bucket security. For example, you can deny access from certain IP addresses to a bucket, so that data in the bucket can only be accessed by the specified clients. For details, see Preventing Specific IP Addresses from Accessing a Bucket and Bucket Policy Parameters.

  3. Storing public and private objects in different buckets

    To protect your data from being leaked or stolen, do not put your sensitive data in buckets accessible to the public or configure public access policies for your private buckets. You are also advised to define conditions in bucket policies to further restrict IP addresses that can access private objects. For details, see Preventing Specific IP Addresses from Accessing a Bucket.

  4. Using temporary sharing

    To share objects (files or folders) stored in OBS with others, you are advised to use temporary sharing. Shared URLs are only valid for the validity period you specified, so the data is not exposed long-term. For details, see Accessing OBS Using a Temporary URL.

  5. Enabling critical operation protection

    You can enable protection for OBS critical operations. Then, critical operations on OBS (such as deleting a bucket) cannot be performed until the operator passes authentication. For details, see Critical Operation Protection.

Encrypting Data Before Storage

You can enable SSE-KMS for an OBS bucket, so that each object uploaded to this bucket can be encrypted using the KMS key you specified before being stored in OBS. When you download an encrypted object, OBS uses the KMS key to decrypt the object first and then returns it to you. OBS does not store the key during the encryption or decryption process. For details, see Configuring Bucket Default Encryption.

SSE-OBS is another option. With this method, OBS uses keys it generates for encryption and decryption. For details, see Configuring Bucket Default Encryption.

There is also SSE-C for you to use. When uploading objects to or downloading objects from an OBS bucket with SSE-C enabled, you can add a key and an encryption algorithm in each request. OBS then uses the key and algorithm you provided to encrypt or decrypt your object. OBS does not store your encryption keys. If you lose them, you lose the objects. For details, see Server-Side Encryption (SSE-C).
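The following Python snippet is an added example, not OBS SDK code, of what "add a key and an encryption algorithm in each request" means in practice: it builds the per-request SSE-C headers from a customer-held AES-256 key, reproduces the key-MD5 consistency check the server applies, and keeps a small catalog of which key protects which object so that a download can locate the key. The header names are assumed from the OBS SSE-C API convention and should be confirmed against the Server-Side Encryption (SSE-C) reference; the object names are constructed.

```python
import base64
import hashlib
import secrets
from typing import Dict

KEY_BYTES = 32  # SSE-C uses AES-256, so the customer-supplied key is 32 bytes

# Assumed header names (OBS SSE-C API convention); verify against the current reference.
H_ALG = "x-obs-server-side-encryption-customer-algorithm"
H_KEY = "x-obs-server-side-encryption-customer-key"
H_MD5 = "x-obs-server-side-encryption-customer-key-MD5"


def generate_customer_key() -> bytes:
    """A fresh random AES-256 key; the caller, not OBS, is responsible for keeping it."""
    return secrets.token_bytes(KEY_BYTES)


def sse_c_headers(key: bytes) -> Dict[str, str]:
    """Headers to attach to every upload or download of an SSE-C object."""
    if len(key) != KEY_BYTES:
        raise ValueError("SSE-C requires a 32-byte AES-256 key")
    return {
        H_ALG: "AES256",
        H_KEY: base64.b64encode(key).decode(),
        H_MD5: base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def verify_key_md5(headers: Dict[str, str]) -> bool:
    """The consistency check the server performs: the key-MD5 header must match the key header."""
    key = base64.b64decode(headers[H_KEY])
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    return headers.get(H_ALG) == "AES256" and headers.get(H_MD5) == expected


def key_fingerprint(key: bytes) -> str:
    """Non-secret label for a key, safe to store next to the object name."""
    return hashlib.sha256(key).hexdigest()[:16]


class KeyCatalog:
    """Records which customer key protects which object so a download can find it.
    OBS stores nothing about the key: losing the key itself makes the object unrecoverable."""

    def __init__(self) -> None:
        self._objects: Dict[str, str] = {}  # object key -> key fingerprint

    def register(self, object_key: str, key: bytes) -> None:
        self._objects[object_key] = key_fingerprint(key)

    def download_headers(self, object_key: str, keyring: Dict[str, bytes]) -> Dict[str, str]:
        """Headers for downloading object_key, or LookupError if the key is no longer held."""
        fp = self._objects[object_key]
        if fp not in keyring:
            raise LookupError(f"key {fp} for {object_key} is not held; the object cannot be decrypted")
        return sse_c_headers(keyring[fp])


if __name__ == "__main__":
    key = generate_customer_key()
    catalog = KeyCatalog()
    catalog.register("reports/q3.pdf", key)  # constructed object name
    print(sse_c_headers(key))
    try:
        catalog.download_headers("reports/q3.pdf", {})  # keyring lost -> object lost
    except LookupError as exc:
        print(exc)
```

The keyring here is just a dictionary; in production the same fingerprint-to-key mapping belongs in a KMS-backed secret store with backups, because OBS cannot help you recover an SSE-C object once the key is gone.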

Building Disaster Recovery Capabilities

Enable the following OBS features in advance to protect your data from being deleted or damaged accidentally in the event of failures.

  1. Versioning

    Versioning allows OBS to keep multiple versions of an object in the same bucket. That way, you can quickly recover objects from both unintended actions and application failures. For details, see Versioning.

  2. Cross-region replication

    You can configure cross-region replication to migrate your data in OBS buckets from one region to another for remote backup. For details, see Cross-Region Replication.

Keeping Data in Transit Safe

  1. Using HTTPS to access OBS

    Hypertext Transfer Protocol Secure (HTTPS) is a protocol that guarantees the confidentiality and integrity of communications between clients and servers. You are advised to use HTTPS for accessing data stored in OBS.

  2. Using bucket policies to allow only HTTPS requests

    To prevent OBS from receiving HTTP requests, you are advised to specify the SecureTransport condition in a bucket policy to allow only HTTPS requests for that bucket. When SecureTransport is set to True, requests sent to OBS must be encrypted using Secure Sockets Layer (SSL). For details, see Bucket Policy Parameters.
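As an added example that is not part of this page or of the OBS service, the following Python script ties together the bucket policy advice from Correctly Using OBS Access Control (deny access from outside an allowed IP range, never grant everyone unconditional access) and the SecureTransport advice above. It embeds a hardened policy and a weak one as constructed samples and audits either for the three mistakes a reviewer looks for first. The policy syntax (Principal as {"ID": [...]}, Resource as bucket/*, the SourceIp condition key, and a Deny statement on SecureTransport false as the way to allow only HTTPS) is assumed from the OBS bucket policy format and should be checked against Bucket Policy Parameters; the bucket name, IP range and user ID are placeholders.

```python
import json
from typing import Any, Dict, List

# Constructed sample: a private bucket that (1) denies everything from outside the
# office range and (2) denies any request not sent over HTTPS, then allows one user to read.
HARDENED_POLICY = json.dumps({
    "Statement": [
        {
            "Sid": "DenyOutsideOffice",
            "Effect": "Deny",
            "Principal": {"ID": ["*"]},
            "Action": ["*"],
            "Resource": ["example-bucket/*"],
            "Condition": {"NotIpAddress": {"SourceIp": ["203.0.113.0/24"]}},
        },
        {
            "Sid": "DenyPlainHttp",
            "Effect": "Deny",
            "Principal": {"ID": ["*"]},
            "Action": ["*"],
            "Resource": ["example-bucket/*"],
            "Condition": {"Bool": {"SecureTransport": ["false"]}},
        },
        {
            "Sid": "AllowAppReads",
            "Effect": "Allow",
            "Principal": {"ID": ["domain/EXAMPLE_DOMAIN_ID:user/EXAMPLE_USER_ID"]},
            "Action": ["GetObject"],
            "Resource": ["example-bucket/*"],
        },
    ]
})

# Constructed sample: the policy the section warns against (public read and write, no conditions).
WEAK_POLICY = json.dumps({
    "Statement": [
        {
            "Sid": "PublicReadWrite",
            "Effect": "Allow",
            "Principal": {"ID": ["*"]},
            "Action": ["GetObject", "PutObject"],
            "Resource": ["example-bucket/*"],
        }
    ]
})

WRITE_ACTIONS = {"*", "PutObject", "DeleteObject"}


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_everyone(principal: Any) -> bool:
    """True when the statement applies to all users (anonymous access included)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(ids) for ids in principal.values())
    return False


def _enforces_https(stmt: Dict[str, Any]) -> bool:
    """A Deny on every action when SecureTransport is false blocks plain HTTP."""
    cond = stmt.get("Condition", {})
    values = [str(v).lower() for v in _as_list(cond.get("Bool", {}).get("SecureTransport", []))]
    return stmt.get("Effect") == "Deny" and "*" in _as_list(stmt.get("Action")) and "false" in values


def audit_bucket_policy(policy_json: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy passed all three checks."""
    findings: List[str] = []
    https_only = False
    for stmt in json.loads(policy_json).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") == "Allow" and _is_everyone(stmt.get("Principal")):
            if not stmt.get("Condition"):
                findings.append(f"{sid}: grants everyone unconditional access (public bucket)")
            if WRITE_ACTIONS & set(_as_list(stmt.get("Action"))):
                findings.append(f"{sid}: lets everyone write or delete objects")
        if _enforces_https(stmt):
            https_only = True
    if not https_only:
        findings.append("no Deny statement for SecureTransport=false, so plain HTTP requests are accepted")
    return findings


if __name__ == "__main__":
    for name, policy in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_bucket_policy(policy) or ["OK"])
```

The checks are deliberately conservative: an Allow to everyone that carries any Condition is not reported as public, so a policy that allows anonymous reads only from one IP range still deserves a manual look.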

Auditing OBS Operation Logs to Check Exceptions

  1. Enabling CTS to record all OBS access operations

    Cloud Trace Service (CTS) records operations on the cloud resources in your account. You can use the logs generated by CTS to perform security analyses, track resource changes, maintain audit compliance, and locate faults.

    After you enable CTS and configure a tracker, CTS can record management and data traces of OBS for auditing. For details, see Auditing.

  2. Enabling logging for a bucket

    With logging enabled for a bucket, OBS automatically logs access requests for the bucket and writes the generated log files into the specified bucket. The bucket owner can then analyze the characteristics, types, or trends of the bucket requests based on the logs. For details, see Logging.
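The following Python script is an added example, not OBS code, of the kind of analysis these logs support. It parses a few constructed access log lines for a private bucket and reports access-denied bursts per source IP, successful anonymous reads, and object deletions, which are the three things most worth an alert on a bucket that should hold only private data. The line layout (owner, bucket, time, source IP, requester, request ID, operation, key, request line, status, error code) and the Anonymous requester value are assumptions modelled on common object storage access log formats; check them against the Logging reference for the real field order before running this on production logs.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Assumed field order; trailing fields (bytes, timings, referer, user agent) are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<error>\S+)'
)

# Constructed sample log for a bucket that should never serve anonymous reads.
SAMPLE_LOG = """\
owner1 finance-reports [26/Oct/2023:09:00:01 +0000] 203.0.113.10 domain/abc:user/alice 0001 REST.GET.OBJECT q3.pdf "GET /finance-reports/q3.pdf HTTP/1.1" 200 -
owner1 finance-reports [26/Oct/2023:09:00:05 +0000] 198.51.100.7 Anonymous 0002 REST.GET.OBJECT q3.pdf "GET /finance-reports/q3.pdf HTTP/1.1" 403 AccessDenied
owner1 finance-reports [26/Oct/2023:09:00:06 +0000] 198.51.100.7 Anonymous 0003 REST.GET.OBJECT q2.pdf "GET /finance-reports/q2.pdf HTTP/1.1" 403 AccessDenied
owner1 finance-reports [26/Oct/2023:09:00:07 +0000] 198.51.100.7 Anonymous 0004 REST.GET.OBJECT budget.xlsx "GET /finance-reports/budget.xlsx HTTP/1.1" 403 AccessDenied
owner1 finance-reports [26/Oct/2023:09:00:09 +0000] 198.51.100.7 Anonymous 0005 REST.GET.OBJECT public/logo.png "GET /finance-reports/public/logo.png HTTP/1.1" 200 -
owner1 finance-reports [26/Oct/2023:09:01:00 +0000] 203.0.113.10 domain/abc:user/alice 0006 REST.DELETE.OBJECT q3.pdf "DELETE /finance-reports/q3.pdf HTTP/1.1" 204 -
"""

ANONYMOUS = "Anonymous"  # assumed marker for unauthenticated requests


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse each non-empty line; lines that do not match are skipped rather than crashing the job."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def denied_bursts(records: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Source IPs that collected at least `threshold` 403 responses (scanning or credential trouble)."""
    counts = Counter(r["ip"] for r in records if r["status"] == "403")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def anonymous_reads(records: List[Dict[str, str]]) -> List[str]:
    """Object keys successfully served to unauthenticated requesters."""
    return [r["key"] for r in records
            if r["requester"] == ANONYMOUS and r["status"].startswith("2") and "GET" in r["operation"]]


def deletes(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(requester, key) for every successful delete, to reconcile against change tickets."""
    return [(r["requester"], r["key"]) for r in records
            if "DELETE" in r["operation"] and r["status"].startswith("2")]


def analyze_bucket_log(text: str) -> Dict[str, object]:
    records = parse_log(text)
    return {
        "records": len(records),
        "denied_bursts": denied_bursts(records),
        "anonymous_reads": anonymous_reads(records),
        "deletes": deletes(records),
    }


if __name__ == "__main__":
    for name, value in analyze_bucket_log(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The anonymous read of public/logo.png is the finding to act on: the 403s show the bucket policy is doing its job, but one object was readable without credentials, which usually means a public ACL or policy exception was left on that object and it belongs in a separate public bucket, as recommended under Storing public and private objects in different buckets.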

  3. Using Cloud Eye for real-time monitoring of security events

    When using OBS, you may encounter error responses from the server. Huawei Cloud Eye is available to monitor your OBS buckets, report alarms, and send notifications in real time, so that you can have a clear understanding of the requests, traffic, and error responses of your buckets.

    You do not need to separately subscribe to Cloud Eye. It starts automatically once you create a resource (a bucket, for example) in OBS.

    For more information, see What Is Cloud Eye?

Using the Latest SDKs for Better Experience and Security

You are advised to use the latest version of OBS SDKs to better protect your data. To download the latest SDK for each language, see OBS SDKs.

Using Other Cloud Services for Additional Protection

  1. Static website protection with WAF

    To enhance the security of your static websites hosted in OBS, you can use WAF to protect your domain name and reduce the risk of network attacks on your static websites. For details, see Website Domain Name Management.

  2. OBS resource protection with SA

    Situation Awareness (SA) checks key configurations of OBS buckets, reports alarms if any configuration is identified as insecure, and provides hardening suggestions and guidelines accordingly. The checks are based on Cloud Security Compliance Check 1.0, DJCP 2.0 Level 3 Requirements, and Network Security. You can use SA resource management to quickly find out the region and security status of OBS buckets to help locate security risks. For details, see Resource Manager.

  3. Privacy protection

    These days, organizations are having to manage more and more data. It is getting increasingly complex, expensive, and time-consuming to identify and protect sensitive data at scale. Data Security Center (DSC) is a good way to identify and manage sensitive data in OBS buckets. It can make the identification and protection of sensitive data simpler and less expensive. For details, see Creating a Task.