Updated on 2025-08-25 GMT+08:00

OBS Buckets Have Server-side Encryption Enabled

Rule Details

Table 1 Rule details

| Parameter | Description |
|---|---|
| Rule Name | obs-bucket-server-side-encryption-enabled |
| Identifier | obs-bucket-server-side-encryption-enabled |
| Description | If an OBS bucket does not require server-side encryption, this bucket is non-compliant. |
| Tag | obs |
| Trigger Type | Configuration change |
| Filter Type | obs.buckets |
| Rule Parameters | None |

Application Scenarios

To enhance data security and compliance, enable server-side encryption so that objects uploaded to OBS are stored in encrypted form. For details, see Server-Side Encryption.

Solution

You can configure a bucket policy to explicitly deny all PutObject requests where the condition key x-obs-server-side-encryption is not kms. For details, see Bucket Policy Condition.

The following is an example. Note that the added Deny statement targets PutObject and uses the StringNotEquals operator, so that it rejects exactly those uploads whose x-obs-server-side-encryption value is missing or is not kms, while leaving other requests unaffected.

Original bucket policy:

{
  "Statement": [
    {
      "Sid": "test",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["*"],
      "Resource": ["testBucket/*"]
    }
  ]
}

Remediated bucket policy:

{
  "Statement": [
    {
      "Sid": "test",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["*"],
      "Resource": ["testBucket/*"]
    },
    {
      "Sid": "test_add",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["PutObject"],
      "Resource": ["testBucket/*"],
      "Condition": {
        "StringNotEquals": {
          "x-obs-server-side-encryption": ["kms"]
        }
      }
    }
  ]
}

Rule Logic

  • If the OBS bucket policy explicitly denies all PutObject requests where the condition key x-obs-server-side-encryption is not kms, the bucket is compliant.
  • If the OBS bucket policy does not explicitly deny all PutObject requests where the condition key x-obs-server-side-encryption is not kms, the bucket is non-compliant.
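Added example, not code from this page or from the Config service: a small Python checker that applies the rule logic above to a bucket policy document. The sample policies are constructed to mirror the original and remediated examples in the Solution section, plus a mis-written variant that uses StringEquals (which would deny the KMS-encrypted uploads instead of the unencrypted ones) to show why the operator matters.

```python
import json

# Condition key and required value, as stated in the rule logic on this page.
CONDITION_KEY = "x-obs-server-side-encryption"
REQUIRED_VALUE = "kms"

def _as_list(value):
    """Bucket policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def denies_unencrypted_put(policy_json: str) -> bool:
    """True if some Deny statement rejects PutObject for every principal
    whenever x-obs-server-side-encryption is absent or not "kms"."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") != "*":
            continue  # must be a Deny that applies to all principals
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("*", "putobject") for a in actions):
            continue  # statement does not cover uploads
        not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
        if REQUIRED_VALUE in _as_list(not_equals.get(CONDITION_KEY)):
            return True
    return False

def evaluate(policy_json: str) -> str:
    """Mirror the rule's verdict for a single bucket policy."""
    return "Compliant" if denies_unencrypted_put(policy_json) else "Non-compliant"

# Constructed sample policies for a hypothetical bucket named "testBucket".
ALLOW_STMT = {"Sid": "test", "Effect": "Allow", "Principal": "*",
              "Action": ["*"], "Resource": ["testBucket/*"]}
DENY_STMT = {"Sid": "test_add", "Effect": "Deny", "Principal": "*",
             "Action": ["PutObject"], "Resource": ["testBucket/*"],
             "Condition": {"StringNotEquals": {CONDITION_KEY: ["kms"]}}}
# Wrong operator: StringEquals would deny the KMS-encrypted uploads instead.
WRONG_STMT = dict(DENY_STMT, Condition={"StringEquals": {CONDITION_KEY: ["kms"]}})

ALLOW_ONLY = json.dumps({"Statement": [ALLOW_STMT]})
REMEDIATED = json.dumps({"Statement": [ALLOW_STMT, DENY_STMT]})
WRONG_OPERATOR = json.dumps({"Statement": [ALLOW_STMT, WRONG_STMT]})

if __name__ == "__main__":
    for name, pol in [("allow-only", ALLOW_ONLY), ("remediated", REMEDIATED),
                      ("wrong-operator", WRONG_OPERATOR)]:
        print(f"{name}: {evaluate(pol)}")
```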