Updated on 2024-12-10 GMT+08:00

Permission Boundary Check

Rule Details

Table 1 Rule details

Parameter

Description

Rule Name

obs-bucket-policy-not-more-permissive

Identifier

obs-bucket-policy-not-more-permissive

Description

If an OBS bucket policy allows more permissions than the specified policy, this bucket policy is noncompliant.

Tag

obs, access-analyzer-verified

Trigger Type

Configuration change

Filter Type

obs.buckets

Configure Rule Parameters

controlPolicy: the provided policy that defines the permission boundary.

NOTE:
  • Parameter example 1: A bucket policy grants only permissions for operating objects instead of buckets.

    {"Statement": [{"Action": ["*Object*"], "Resource": ["*/*"], "Effect": "Allow", "Principal": {"ID": ["*"]}}]}

  • Example 2: A policy grants access only to Huawei Cloud accounts instead of federated users or anonymous users.

    {"Statement": [{"Action": ["*"], "Resource": ["*"], "Effect": "Allow", "Principal": {"ID": ["domain/*"]}}]}