How Do I Use Organizations' SCPs to Restrict the OBS Bucket Transfer Scope?
Background
Service control policies (SCPs) in Organizations define the operations allowed or denied for accounts within an organization, providing central management and control over permissions. When creating and configuring a tracker in CTS, you can use the SCPs of Organizations and different condition keys (such as cts:TargetType, cts:TargetOrgPath, cts:TargetOrgId, and cts:TargetAccountId) to limit the range of audit logs that can be transferred to OBS buckets, precisely controlling user permissions.
This section describes how to use these CTS service condition keys to control the transfer of audit logs to OBS buckets of other users. For details about how to transfer audit logs to another user's OBS bucket, see Cross-Tenant Transfer Authorization.
The following describes how to configure CTS SCPs based on conditions.
Constraints
- CTS supports SCPs in the following regions: CN North-Ulanqab1, CN North-Beijing1, CN North-Beijing4, CN South-Guangzhou, CN East-Shanghai1, CN East-Shanghai2, CN East-Qingdao, CN East2, CN Southwest-Guiyang1, CN-Hong Kong, AP-Bangkok, AP-Singapore, AP-Jakarta, ME-Riyadh, LA-Mexico City1, LA-Mexico City2, LA-Sao Paulo1, LA-Santiago, AF-Cairo, AF-Johannesburg, and TR-Istanbul.
- When configuring an SCP, ensure that the configuration data matches the account's actual data (for example, the account ID).
- cts:TargetType must be used together with the other three service condition keys. If cts:TargetType is set to obs, cts:TargetOrgPath, cts:TargetOrgId, and cts:TargetAccountId will take effect. For details, see Examples of CTS SCPs.
CTS Service Condition Keys
A Condition element lets you specify conditions for when an SCP is in effect. It contains condition keys and operators.
- The condition key that you specify can be a global condition key or a service-specific condition key.
  - Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, the system automatically obtains such information and authenticates users. For details, see Global Condition Keys.
  - Service-specific condition keys (with the abbreviation of a service name plus a colon as the prefix, for example, cts:) only apply to operations of the CTS service. For details, see Table 1.
- The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
- A condition operator, a condition key, and a condition value together constitute a complete condition statement. An SCP is applied only when its request conditions are met. For supported condition operators, see Operators.
The following table lists the condition keys that you can define in SCPs for CTS. You can include these condition keys to specify conditions for when your SCP is in effect.
| Condition Key | Type | Single-valued/Multivalued | Description |
|---|---|---|---|
| cts:TargetType | string | Single-valued | Filter access permissions by data dump type. |
| cts:TargetAccountId | string | Single-valued | Filter access permissions based on the domain ID (account ID) of the user to which the OBS bucket belongs. |
| cts:TargetOrgId | string | Single-valued | Filter access permissions based on the organization to which the OBS bucket belongs. |
| cts:TargetOrgPath | string | Single-valued | Filter access permissions based on the OU path of the organization to which the OBS bucket belongs. |
cts:TargetType must be used together with the other three service condition keys. If cts:TargetType is set to obs, cts:TargetOrgPath, cts:TargetOrgId, and cts:TargetAccountId will take effect. For details, see Examples of CTS SCPs.
Examples of CTS SCPs
For details about the SCP principles and syntax, see SCP Principles and SCP Syntax.
If you only want to transfer audit logs to an account in your organization, regardless of the Organizational Unit (OU) it belongs to, use the method described in Example 2. This method is flexible and widely applicable, allowing logs to be transferred to an OBS bucket of any account in an organization.
If you only want to transfer audit logs to a specified OU in your organization, refer to Example 3. This method is designed for scenarios where logs must be transferred to an OBS bucket belonging to an account within a specified OU in an organization, meeting stricter compliance and isolation requirements.
- Example 1: Use the service condition key cts:TargetAccountId to ensure audit logs are transferred only to an OBS bucket of a specified account.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cts:tracker:create",
        "cts:tracker:update"
      ],
      "Condition": {
        "StringEquals": {
          "cts:TargetType": [
            "obs"
          ]
        },
        "StringNotEquals": {
          "cts:TargetAccountId": [
            "051d********d3420f9bc01403fd8da0",
            "2883********4c6380e59a4d416a60ee"
          ]
        }
      }
    }
  ]
}
```

- Example 2: Use the service condition key cts:TargetOrgId to ensure audit logs are transferred only to an OBS bucket of an account in a specified organization.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cts:tracker:create",
        "cts:tracker:update"
      ],
      "Condition": {
        "StringEquals": {
          "cts:TargetType": [
            "obs"
          ]
        },
        "StringNotEquals": {
          "cts:TargetOrgId": [
            "o-fa9h4ghf0hnp********tah2nxmtugrf",
            "o-1vs0zv5azbbt********asbfd4oekb7z"
          ]
        }
      }
    }
  ]
}
```

- Example 3: Use the service condition key cts:TargetOrgPath to ensure audit logs are transferred only to an OBS bucket of an account within an OU of a specified organization.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cts:tracker:create",
        "cts:tracker:update"
      ],
      "Condition": {
        "StringEquals": {
          "cts:TargetType": [
            "obs"
          ]
        },
        "StringNotEquals": {
          "cts:TargetOrgPath": [
            "o-1vs0zv5azbbt********asbfd4oekb7z/r-zk3fox3t********cvfd7b1av5yuzikp/ou-x0m71md5k0bz********xfq7kj2uy9ck/ou-la1j52h39hi********jkmlbstb9jk8p/ou-67ax22d********duqqov9xd6ld5udpv",
            "o-sdfwesdfw232********1j52hasf2346/r-43fdghwt********etmgdfnb9ersdfg6"
          ]
        }
      }
    }
  ]
}
```
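To make the three examples concrete, here is a small Python evaluator. It is an added example, not code from Huawei Cloud or the CTS documentation. It builds the Deny statement for any of the three target keys (generalizing the one key each example shows) and walks a request context through it, so you can see why a transfer to an unlisted account is denied while a transfer to a listed one is left to ordinary IAM permissions. The condition semantics it assumes (exact string comparison, keys AND-ed, the values listed for one key OR-ed, a key missing from the request meaning no match) and every ID are assumptions or constructed placeholders, not the real policy engine's behaviour or real tenant data.

```python
"""Toy evaluator for the Deny-with-conditions SCP pattern of Examples 1 to 3.

Added example; not Huawei Cloud's policy engine. Condition semantics
(exact string comparison, AND across keys, OR across values) are assumed.
"""
import json

# Constructed placeholders; replace with the real values from your tenant.
ACCOUNT_A = "ACCOUNT_ID_A_PLACEHOLDER"
ACCOUNT_B = "ACCOUNT_ID_B_PLACEHOLDER"

# The two tracker actions the page's examples restrict.
TRACKER_ACTIONS = ["cts:tracker:create", "cts:tracker:update"]

# The three keys that take effect when cts:TargetType is obs (from the table above).
TARGET_KEYS = ("cts:TargetAccountId", "cts:TargetOrgId", "cts:TargetOrgPath")


def make_restriction_scp(target_key, allowed_values):
    """Build the SCP shape of Examples 1-3 for any of the three target keys.

    Denies tracker create/update when the transfer target is an OBS bucket
    (cts:TargetType == obs) whose target_key value is not in allowed_values.
    """
    if target_key not in TARGET_KEYS:
        raise ValueError("unsupported CTS condition key: " + target_key)
    return {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": list(TRACKER_ACTIONS),
                "Condition": {
                    "StringEquals": {"cts:TargetType": ["obs"]},
                    "StringNotEquals": {target_key: list(allowed_values)},
                },
            }
        ],
    }


# Only the two operators the page's examples use; exact string comparison assumed.
OPERATORS = {
    "StringEquals": lambda actual, values: actual in values,
    "StringNotEquals": lambda actual, values: actual not in values,
}


def condition_matches(condition, context):
    """All operator blocks and all keys must hold (AND); values for one key are OR-ed.

    Assumption of this toy: a key absent from the request context makes the
    condition fail, so the Deny statement does not fire.
    """
    for operator, keys in condition.items():
        test = OPERATORS[operator]
        for key, values in keys.items():
            if key not in context or not test(context[key], values):
                return False
    return True


def evaluate(scp, action, context):
    """Return 'Deny' if a Deny statement applies, else 'NotDenied'.

    'NotDenied' only means this SCP does not block the call; the caller's own
    IAM permissions still decide whether it is actually allowed.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return "Deny"
    return "NotDenied"


def check_account_scp():
    """Walk Example 1's scenario: only ACCOUNT_A and ACCOUNT_B may receive logs."""
    scp = make_restriction_scp("cts:TargetAccountId", [ACCOUNT_A, ACCOUNT_B])
    listed = {"cts:TargetType": "obs", "cts:TargetAccountId": ACCOUNT_A}
    unlisted = {"cts:TargetType": "obs",
                "cts:TargetAccountId": "UNLISTED_ACCOUNT_PLACEHOLDER"}
    # Constructed non-obs target type: the account condition is not applied.
    non_obs = {"cts:TargetType": "NOT_OBS_PLACEHOLDER",
               "cts:TargetAccountId": "UNLISTED_ACCOUNT_PLACEHOLDER"}
    return {
        "own_account": evaluate(scp, "cts:tracker:create", listed),
        "foreign_account": evaluate(scp, "cts:tracker:update", unlisted),
        "non_obs_target": evaluate(scp, "cts:tracker:create", non_obs),
    }


if __name__ == "__main__":
    print(json.dumps(make_restriction_scp("cts:TargetOrgId", ["o-ORG_ID_PLACEHOLDER"]), indent=2))
    print(check_account_scp())
```

Running the module prints an Example 2-style policy for a placeholder organization ID and the three verdicts from the account scenario. The point to take from the walk-through is the Deny-with-StringNotEquals shape: the policy never grants anything, it only blocks tracker creation or update when the OBS target falls outside the listed accounts, organizations or OU paths, which is why the listed values must match your tenant's real data exactly.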