OBS Bucket Policies Do Not Allow Public Write Access
Rule Details
Parameter | Description
---|---
Rule Name | obs-bucket-public-write-policy-check
Identifier | obs-bucket-public-write-policy-check
Description | If an OBS bucket allows public write access, this bucket is non-compliant.
Tag | obs, access-analyzer-verified
Trigger Type | Configuration change
Filter Type | obs.buckets
Rule Parameters | None
Application Scenarios
A bucket policy applies to the configured OBS bucket and the objects in it. You can use bucket policies to control the access of IAM users or other accounts to your OBS buckets. You are advised to apply the principle of least privilege so that a bucket policy grants only the permissions needed for specific tasks.
Solution
Modify policies of non-compliant buckets with the visual editor or the JSON view to block the unintended writes.
Rule Logic
- If an OBS bucket has a policy that allows write access from other accounts, this bucket is non-compliant.
- If an OBS bucket has an ACL that allows write access from any principal other than the current account and the bucket's log delivery user group, this bucket is non-compliant.
- If an OBS bucket has neither a policy nor an ACL as described above, this bucket is compliant.
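The rule logic above, expressed as an added example check (not Config's own implementation): it flags a bucket when an Allow statement grants a write action to a principal outside the owning account (a `*` principal counts as public), or when an ACL grant gives WRITE or FULL_CONTROL to anyone other than the owner or the log delivery group. The write-action list, the `domain/<id>:user/<id>` principal form, the ACL grant shape and the sample policies are constructed assumptions, and policy `Condition` blocks are not evaluated.

```python
# Write-type actions (assumed: OBS-style names such as PutObject, DeleteObject).
def _action_is_write(action):
    a = action.lower()
    return a == "*" or a.startswith(("put", "delete"))

# Grantees the rule accepts as writers: the bucket owner and the log delivery group.
ALLOWED_ACL_GRANTEES = {"OWNER", "LogDelivery"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_ids(principal):
    """Flatten a Principal ("*" or {"ID": [...]}) into a list of id strings."""
    if isinstance(principal, str):
        return [principal]
    ids = []
    for value in principal.values():
        ids.extend(_as_list(value))
    return ids

def policy_allows_foreign_write(policy, owner_domain_id):
    """True if any Allow statement grants a write action outside the owner account."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not any(_action_is_write(a) for a in _as_list(stmt.get("Action", []))):
            continue  # read-only statement, not relevant to this rule
        for pid in _principal_ids(stmt.get("Principal", {})):
            if pid == "*" or not pid.startswith(f"domain/{owner_domain_id}"):
                return True
    return False

def acl_allows_foreign_write(grants):
    """True if a WRITE/FULL_CONTROL grant goes to a grantee other than owner/LogDelivery."""
    return any(g["permission"] in {"WRITE", "FULL_CONTROL"}
               and g["grantee"] not in ALLOWED_ACL_GRANTEES for g in grants)

def bucket_is_compliant(policy, grants, owner_domain_id):
    """Compliant only when neither the policy nor the ACL opens write access."""
    return not (policy_allows_foreign_write(policy, owner_domain_id)
                or acl_allows_foreign_write(grants))

# Constructed sample inputs (not real OBS API output).
PUBLIC_WRITE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": ["PutObject"], "Resource": ["example-bucket/*"]}]}
SAME_ACCOUNT_POLICY = {"Statement": [{"Effect": "Allow",
    "Principal": {"ID": ["domain/aaaa1111:user/bbbb2222"]},
    "Action": ["PutObject", "GetObject"], "Resource": ["example-bucket/*"]}]}
LOG_ACL = [{"grantee": "OWNER", "permission": "FULL_CONTROL"},
           {"grantee": "LogDelivery", "permission": "WRITE"}]
```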