Updated on 2025-08-25 GMT+08:00

Permission Boundary Check

Rule Details

Table 1 Rule details

Rule Name: obs-bucket-policy-not-more-permissive
Identifier: obs-bucket-policy-not-more-permissive
Description: If an OBS bucket has a policy that grants more permissions than the specified controlPolicy allows, the bucket is noncompliant.
Tag: obs, access-analyzer-verified
Trigger Type: Configuration change
Filter Type: obs.buckets

Configure Rule Parameters

controlPolicy: a policy, written in OBS bucket policy JSON, that defines the permission boundary. Each bucket policy is compared against it; any permission the bucket policy grants that controlPolicy does not allow puts the bucket out of compliance.

NOTE:
  • Example 1: a boundary that permits only object-level operations (actions matching *Object* on resources of the form bucket/object). A bucket policy that grants any bucket-level operation exceeds this boundary.

    {"Statement": [{"Action": ["*Object*"], "Resource": ["*/*"], "Effect": "Allow", "Principal": {"ID": ["*"]}}]}

  • Example 2: a boundary that permits any action on any resource, but only to principals that are Huawei Cloud accounts (IDs of the form domain/*). A bucket policy that grants access to federated users or to anonymous users (principal ID *) exceeds this boundary.

    {"Statement": [{"Action": ["*"], "Resource": ["*"], "Effect": "Allow", "Principal": {"ID": ["domain/*"]}}]}

Application Scenarios

A bucket policy applies to the configured OBS bucket and to the objects in it. You can use bucket policies to control the access of IAM users or other accounts to your OBS buckets. Apply the principle of least privilege so that a bucket policy grants only the permissions needed for specific tasks; controlPolicy lets you express that ceiling once and have every bucket checked against it.

Solution

For each noncompliant bucket, edit its policy in the visual editor or the JSON view and remove the statements, actions, resources, or principals that fall outside the boundary defined by controlPolicy, so that the bucket policy grants no permission the boundary does not allow.

Rule Logic

  • If an OBS bucket policy allows any permission (a combination of action, resource, and principal) that the specified controlPolicy does not allow, the bucket is noncompliant.
  • If every permission the OBS bucket policy allows is also allowed by the specified controlPolicy, the bucket is compliant.
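The following is an added example, not Huawei Cloud's implementation of the rule, that models the comparison described above in Python: it takes the two controlPolicy examples from this page as boundaries and checks constructed bucket policies against them. It is a deliberate simplification: only the "*" wildcard is supported, Deny statements and Condition blocks are ignored, and a grant must be covered by a single Allow statement of the boundary. The real rule relies on access-analyzer verification; the bucket policies, bucket names, and principal IDs below are constructed for the demonstration.

```python
import json
import re

# Boundaries taken verbatim from the two controlPolicy examples on this page.
CONTROL_OBJECTS_ONLY = json.loads(
    '{"Statement": [{"Action": ["*Object*"], "Resource": ["*/*"], '
    '"Effect": "Allow", "Principal": {"ID": ["*"]}}]}'
)
CONTROL_ACCOUNTS_ONLY = json.loads(
    '{"Statement": [{"Action": ["*"], "Resource": ["*"], '
    '"Effect": "Allow", "Principal": {"ID": ["domain/*"]}}]}'
)

# Constructed bucket policies (sample data, not from the page).
# Object read/write for one IAM user: inside both boundaries.
BUCKET_OBJECT_RW_FOR_USER = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"ID": ["domain/0123456789abcdef:user/fedcba9876543210"]},
    "Action": ["GetObject", "PutObject"],
    "Resource": ["example-bucket/*"]}]}
# Every action on the bucket itself and its objects for one IAM user:
# outside the objects-only boundary, inside the accounts-only boundary.
BUCKET_FULL_CONTROL = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"ID": ["domain/0123456789abcdef:user/fedcba9876543210"]},
    "Action": ["*"],
    "Resource": ["example-bucket", "example-bucket/*"]}]}
# Anonymous object read: inside the objects-only boundary, outside accounts-only.
BUCKET_PUBLIC_READ = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"ID": ["*"]},
    "Action": ["GetObject"],
    "Resource": ["example-bucket/*"]}]}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob_regex(pattern):
    """Compile a '*'-only glob (the only wildcard used on this page) to a regex."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def _covered(value, boundary_patterns):
    """True if the bucket-policy value (itself possibly a '*' glob) lies within
    some boundary pattern. Matching the bucket value as a literal string against
    the boundary glob is sound for '*'-only globs: every string the bucket
    pattern matches is then also matched by the boundary pattern."""
    return any(_glob_regex(p).fullmatch(value) for p in boundary_patterns)


def exceeding_grants(bucket_policy, control_policy):
    """Return the (action, resource, principal) grants the bucket policy allows
    that no single Allow statement of control_policy covers.
    Simplified model: Deny statements and Condition blocks are ignored."""
    boundary = [s for s in control_policy["Statement"] if s.get("Effect") == "Allow"]
    findings = []
    for stmt in bucket_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # a Deny never widens permissions
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                for principal in _as_list(stmt["Principal"]["ID"]):
                    inside = any(
                        _covered(action, _as_list(b["Action"]))
                        and _covered(resource, _as_list(b["Resource"]))
                        and _covered(principal, _as_list(b["Principal"]["ID"]))
                        for b in boundary
                    )
                    if not inside:
                        findings.append((action, resource, principal))
    return findings


def is_compliant(bucket_policy, control_policy):
    """The rule's verdict: compliant when nothing the bucket policy allows
    exceeds the boundary."""
    return not exceeding_grants(bucket_policy, control_policy)


if __name__ == "__main__":
    buckets = [("object-rw-for-user", BUCKET_OBJECT_RW_FOR_USER),
               ("full-control", BUCKET_FULL_CONTROL),
               ("public-read", BUCKET_PUBLIC_READ)]
    controls = [("objects-only", CONTROL_OBJECTS_ONLY),
                ("accounts-only", CONTROL_ACCOUNTS_ONLY)]
    for bname, bucket in buckets:
        for cname, control in controls:
            verdict = "compliant" if is_compliant(bucket, control) else "noncompliant"
            print(f"{bname:20s} vs {cname:13s}: {verdict}",
                  exceeding_grants(bucket, control))
```

Because a bucket value is compared as a literal string, a grant such as Action "*" is never covered by the boundary pattern "*Object*", which is exactly the bucket-level grant Example 1 is meant to catch; the same comparison reports the anonymous principal "*" as outside "domain/*" for Example 2. The check can over-report in corner cases (a grant covered only by the union of several boundary statements), but for "*"-only globs it does not miss a grant that exceeds the boundary.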