Updated on 2024-11-19 GMT+08:00

OBS Usage Audit

DSC detects OBS buckets based on sensitive data identification rules and monitors identified sensitive data. After abnormal operations of the sensitive data are detected, DSC allows you to view the monitoring result and handle the abnormal events as required.

Prerequisites

  • An abnormal event has been detected and displayed on the page.
  • The OBS audit function has been enabled in the asset center.

    After OBS audit is enabled, you will be charged for reading and writing logs using the logging function of OBS. For details about the fees, see Requests.

  • Sensitive data of OBS assets has been identified.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation tree on the left, click . Choose Security & Compliance > Data Security Center .
  4. In the navigation tree on the left, choose Data Security Operation > OBS Usage Audit. The OBS Usage Audit page is displayed. For details about the parameters, see Table 1.

    In the upper right corner of the list, select a time range, set the time period, and select an event type and status to query the abnormal behaviors you want to view.

    Table 1 Parameters of detected risky behaviors

    Parameter

    Description

    User ID

    ID of a resource owner

    Event Type

    DSC classifies abnormal events into the following three types:
    • Unauthorized data access
      • Access sensitive files without granted permissions.
      • Download sensitive files.
    • Abnormal data operations
      • Update sensitive files.
      • Append data to sensitive files.
      • Delete sensitive files.
      • Copy sensitive files.
    • Abnormal data management
      • When a bucket is added, the system detects that the bucket is a public read or a public read/write bucket.
      • When a bucket is added, the system detects that the access/ACL access permissions of a private bucket are granted for anonymous users or registered user groups.
      • The policy of a bucket containing sensitive files is changed or deleted.
      • The ACL of a bucket containing sensitive files is changed or deleted.
      • The cross-region replication configuration of a bucket containing sensitive files is modified or deleted.
      • The ACL of a sensitive file is modified or deleted.

    Event Name

    Event that causes an exception

    Alarm Time

    Time when an exception occurs

    Status

    Status description is as follows:

    • Unhandled: indicates that an abnormal event is not handled.
    • Confirmed Violation: indicates that a handled abnormal event causes an exception.
    • Confirmed Non-violation: indicates that a handled abnormal event does not cause any exceptions.

  5. Click View Details in the Operation column of an abnormal event to view details about the event.

    Figure 1 Abnormal event details

  6. In the Operation column of the abnormal event, click Handle to handle the event. The handling method is as follows:

    • The event is confirmed as a violation.

      Should a policy violation occur and remain unhandled, DSC will persistently alert the event.

    • The event is deemed normal and requires no action.

      It can be configured to be ignored. Once set, DSC will cease alerts for this event, and it will not appear in the list of abnormal events.