Updated on 2025-08-25 GMT+08:00

OBS Buckets Are Not Associated with Non-Default ACLs

Rule Details

Table 1 Rule details

| Parameter | Description |
|---|---|
| Rule Name | obs-bucket-acl-prohibited |
| Identifier | obs-bucket-acl-prohibited |
| Description | If an OBS bucket is associated with any non-default ACLs, this bucket is non-compliant. |
| Tag | obs |
| Trigger Type | Configuration change |
| Filter Type | obs.buckets |
| Rule Parameters | None |

Application Scenarios

  • Bucket ACLs control read and write permissions on buckets. Custom bucket policies allow more refined control over more actions on buckets. In many cases, bucket policies can replace bucket ACLs to manage access to buckets more precisely. For more information about bucket policies, see Bucket Policies.
  • Not using bucket ACLs for access control can simplify access management and prevent unauthorized operations.

Solution

Delete the non-default ACLs from non-compliant OBS buckets by following Configuring a Bucket ACL, and grant access permissions through bucket policies by following Creating a Custom Bucket Policy (Visual Editor).

Rule Logic

  • If an OBS bucket is not associated with any non-default ACLs, this bucket is compliant.
  • If an OBS bucket is associated with a non-default ACL, this bucket is non-compliant.
  • The default ACL grants a bucket owner the permissions to access ACLs and cannot be deleted or prohibited.
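
The rule logic above can be reproduced offline against an exported bucket inventory. The following is an added example, not code from the Config service: the record layout (`owner_id`, `grants`, `grantee_type`) is hypothetical, and it assumes the default ACL consists only of grants held by the bucket owner.

```python
# Added example. The data model and the "owner-only" reading of the default
# ACL are assumptions for illustration, not the Config service's own schema.
from typing import NamedTuple


class Grant(NamedTuple):
    grantee_type: str  # "user" or "group" (assumed model)
    grantee: str       # account ID, or a group name such as "Everyone"
    permission: str    # e.g. "READ", "WRITE", "FULL_CONTROL"


def non_default_grants(owner_id, grants):
    """Return every grant that is not held by the bucket owner account."""
    return [g for g in grants
            if not (g.grantee_type == "user" and g.grantee == owner_id)]


def evaluate(bucket):
    """Apply the rule logic: any non-default grant makes the bucket non-compliant."""
    extra = non_default_grants(bucket["owner_id"], bucket["grants"])
    return {
        "bucket": bucket["name"],
        "compliance": "non-compliant" if extra else "compliant",
        "grants_to_remove": extra,
    }


# Constructed sample inventory (not real buckets or account IDs).
BUCKETS = [
    {"name": "logs-archive", "owner_id": "acct-owner-01",
     "grants": [Grant("user", "acct-owner-01", "FULL_CONTROL")]},
    {"name": "public-assets", "owner_id": "acct-owner-01",
     "grants": [Grant("user", "acct-owner-01", "FULL_CONTROL"),
                Grant("group", "Everyone", "READ")]},
    {"name": "shared-reports", "owner_id": "acct-owner-01",
     "grants": [Grant("user", "acct-owner-01", "FULL_CONTROL"),
                Grant("user", "acct-partner-02", "WRITE")]},
]

if __name__ == "__main__":
    for b in BUCKETS:
        result = evaluate(b)
        print(result["bucket"], result["compliance"])
        for g in result["grants_to_remove"]:
            print("  remove:", g.grantee_type, g.grantee, g.permission)
```

The `grants_to_remove` list is what would be deleted from the ACL and re-expressed as a bucket policy when remediating a non-compliant bucket.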