Updated on 2024-10-15 GMT+08:00

OBS Bucket Policies Only Allow Access from the Specified Objects

Rule Details

Table 1 Rule details

| Parameter | Description |
| --- | --- |
| Rule Name | obs-bucket-policy-grantee-check |
| Identifier | obs-bucket-policy-grantee-check |
| Description | If an OBS bucket has a policy that allows access from an object that is not within the specified scope, this bucket is noncompliant. |
| Tag | obs, access-analyzer-verified |
| Trigger Type | Configuration change |
| Filter Type | obs.buckets |
| Configure Rule Parameters | principal, sourceIp, sourceVpc, and sourceVpce (see the list below) |

Rule parameters:

  • principal: authorized identities, for example, domain/aaaa:user/111111 and domain/bbbb
  • sourceIp: authorized source IPs, for example, 192.168.0.0/16
  • sourceVpc: authorized source VPCs. Enter VPC IDs, for example, vpcidaaaa.
  • sourceVpce: authorized VPC endpoints. Enter VPC endpoint IDs, for example, vpceidaaaa.

Note: Enter these fields in the same format that the Principal or Condition element uses in the OBS bucket policy, otherwise the values will not match.
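To make the rule's logic concrete, the following Python is an added example (not Huawei Cloud Config's own implementation) that evaluates a bucket policy document offline against the four parameters above. It assumes the OBS policy layout `Principal.ID`, `Condition.IpAddress.SourceIp` and `Condition.StringEquals.SourceVpc`/`SourceVpce`, and that a bare `domain/xxxx` entry authorizes every user of that domain; the sample policy and parameter values are constructed.

```python
import ipaddress  # stdlib only; no OBS SDK needed for this offline check
# Rule parameters, using the page's example values (constructed test data).
PARAMS = {"principal": ["domain/aaaa:user/111111", "domain/bbbb"], "sourceIp": ["192.168.0.0/16"],
          "sourceVpc": ["vpcidaaaa"], "sourceVpce": ["vpceidaaaa"]}

def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])

def _principal_allowed(pid, allowed):
    # Assumption: a bare "domain/xxxx" entry authorizes every user of that domain.
    return pid in allowed or pid.split(":", 1)[0] in allowed

def _cidrs_allowed(cidrs, allowed):
    # Every SourceIp value must fall inside one of the authorized CIDRs.
    try:
        nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
        return bool(cidrs) and all(
            any(ipaddress.ip_network(c, strict=False).subnet_of(n) for n in nets)
            for c in cidrs)
    except (ValueError, TypeError):  # malformed value or IPv4/IPv6 mismatch
        return False

def statement_in_scope(stmt, params=PARAMS):
    """True if an Allow statement only grants access within the authorized scope."""
    if stmt.get("Effect") != "Allow":
        return True  # Deny statements never widen access
    ids = _as_list(stmt.get("Principal", {}).get("ID"))
    if ids and all(_principal_allowed(i, params["principal"]) for i in ids):
        return True
    cond = stmt.get("Condition", {})
    if _cidrs_allowed(_as_list(cond.get("IpAddress", {}).get("SourceIp")), params["sourceIp"]):
        return True
    eq = cond.get("StringEquals", {})
    for key, param in (("SourceVpc", "sourceVpc"), ("SourceVpce", "sourceVpce")):
        vals = _as_list(eq.get(key))
        if vals and all(v in params[param] for v in vals):
            return True
    return False

def evaluate_bucket_policy(policy, params=PARAMS):
    # Bucket is noncompliant if any Allow statement reaches outside the scope.
    bad = [i for i, s in enumerate(policy.get("Statement", []))
           if not statement_in_scope(s, params)]
    return {"compliant": not bad, "noncompliant_statements": bad}
SAMPLE_POLICY = {"Statement": [  # constructed; statement 2 grants an unlisted user
    {"Effect": "Allow", "Principal": {"ID": ["domain/aaaa:user/111111"]}},
    {"Effect": "Allow", "Principal": {"ID": ["*"]},
     "Condition": {"IpAddress": {"SourceIp": ["192.168.10.0/24"]}}},
    {"Effect": "Allow", "Principal": {"ID": ["domain/cccc:user/9"]}}]}
```

Running `evaluate_bucket_policy(SAMPLE_POLICY)` flags statement 2, which grants a user outside the authorized list with no source restriction, while the wildcard-principal statement passes because its SourceIp condition stays inside the authorized 192.168.0.0/16 range.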