OBS Bucket Policies Only Allow Access from the Specified Objects
Rule Details
|
Parameter |
Description |
|---|---|
|
Rule Name |
obs-bucket-policy-grantee-check |
|
Identifier |
obs-bucket-policy-grantee-check |
|
Description |
If an OBS bucket has a policy that allows access from an object that is not one of the specified ones, this bucket is noncompliant. |
|
Tag |
obs, access-analyzer-verified |
|
Trigger Type |
Configuration change |
|
Filter Type |
obs.buckets |
|
Configure Rule Parameters |
Note: The parameters should have the same format as the principals or conditions in OBS bucket policies. |
Application Scenarios
A bucket policy applies to the configured OBS bucket and objects in the bucket. You can use bucket policies to control the access of IAM users or other account to your OBS buckets. You are advised to apply the principle of least privilege to ensure that a bucket policy only grants necessary permissions for certain tasks.
Solution
You can modify policies for noncompliant buckets through the visual editor or the JSON view to restrict access from other objects than the authorized ones.
Rule Logic
- If an OBS bucket does not have any policies that allow access from an object except the specified ones, this bucket is compliant.
- If an OBS bucket has a policy that allows access from an object that is not one of the specified ones, this bucket is noncompliant.
- Note: The parameters specified in Configure Rule Parameters must have the same format as the principals or conditions in OBS bucket policies.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
