OBS Buckets Have Server-side Encryption Enabled
Rule Details
Parameter | Description
---|---
Rule Name | obs-bucket-server-side-encryption-enabled
Identifier | obs-bucket-server-side-encryption-enabled
Description | If an OBS bucket does not require server-side encryption, this bucket is non-compliant.
Tag | obs
Trigger Type | Configuration change
Filter Type | obs.buckets
Rule Parameters | None
Application Scenarios
To enhance data security and compliance, enable server-side encryption to ensure that data transmitted to OBS is encrypted. For details, see Server-Side Encryption.
Solution
You can configure a bucket policy to explicitly deny all PutObject requests where the condition key x-obs-server-side-encryption is not kms. For details, see Bucket Policy Condition.
The following is an example. Original bucket policy:

```json
{"Statement": [{"Sid": "test", "Effect": "Allow", "Principal": "*", "Action": ["*"], "Resource": ["testBucket/*"]}]}
```

Remediated bucket policy (the added statement uses StringNotEquals and is scoped to PutObject, so the Deny applies only to uploads whose x-obs-server-side-encryption header is not kms):

```json
{"Statement": [{"Sid": "test", "Effect": "Allow", "Principal": "*", "Action": ["*"], "Resource": ["testBucket/*"]}, {"Sid": "test_add", "Effect": "Deny", "Principal": "*", "Action": ["PutObject"], "Resource": ["testBucket/*"], "Condition": {"StringNotEquals": {"x-obs-server-side-encryption": ["kms"]}}}]}
```
Rule Logic
- If the OBS bucket policy explicitly denies all PutObject requests where the condition key x-obs-server-side-encryption is not kms, the bucket is compliant.
- If the OBS bucket policy does not explicitly deny all PutObject requests where the condition key x-obs-server-side-encryption is not kms, the bucket is non-compliant.
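The following is an added example, not code from the page or from the OBS service, showing both the Solution and the Rule Logic above as a small offline check: `has_sse_deny` evaluates a bucket policy document the way the rule does (is there an explicit Deny on PutObject, for every principal, conditioned on the `x-obs-server-side-encryption` key not equalling `kms`?), and `remediate` appends the missing deny statement. The function names, the `RequireKmsEncryption` statement id and the sample policies are assumptions constructed for the example; the policy document shape follows the page.

```python
import json
from typing import Any

SSE_KEY = "x-obs-server-side-encryption"

# Constructed sample: the non-compliant "original" policy from the page.
ORIGINAL_POLICY = {
    "Statement": [
        {"Sid": "test", "Effect": "Allow", "Principal": "*",
         "Action": ["*"], "Resource": ["testBucket/*"]}
    ]
}


def _as_list(value: Any) -> list:
    """Policy fields may be a bare string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_put_object(statement: dict) -> bool:
    actions = {str(a).lower() for a in _as_list(statement.get("Action"))}
    return "*" in actions or "putobject" in actions


def _covers_bucket_objects(statement: dict, bucket: str) -> bool:
    resources = _as_list(statement.get("Resource"))
    return any(r in ("*", f"{bucket}/*") for r in resources)


def has_sse_deny(policy: dict, bucket: str) -> bool:
    """Rule logic: True only if some statement explicitly denies PutObject on the
    bucket's objects for every principal unless the SSE header equals 'kms'.
    A StringEquals condition does NOT count: it would deny the encrypted uploads."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny" or st.get("Principal") != "*":
            continue
        if not _covers_put_object(st) or not _covers_bucket_objects(st, bucket):
            continue
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        if "kms" in _as_list(cond.get(SSE_KEY)):
            return True
    return False


def is_compliant(policy_json: str, bucket: str) -> bool:
    """Evaluate a serialised policy document as the rule would."""
    return has_sse_deny(json.loads(policy_json), bucket)


def remediate(policy: dict, bucket: str, sid: str = "RequireKmsEncryption") -> dict:
    """Return a deep copy with the deny statement appended; idempotent if already compliant.
    The deny is scoped to PutObject because only upload requests carry the SSE header."""
    fixed = json.loads(json.dumps(policy))
    if has_sse_deny(fixed, bucket):
        return fixed
    fixed.setdefault("Statement", []).append({
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["PutObject"],
        "Resource": [f"{bucket}/*"],
        "Condition": {"StringNotEquals": {SSE_KEY: ["kms"]}},
    })
    return fixed


if __name__ == "__main__":
    print("original compliant:", has_sse_deny(ORIGINAL_POLICY, "testBucket"))
    fixed = remediate(ORIGINAL_POLICY, "testBucket")
    print("remediated compliant:", has_sse_deny(fixed, "testBucket"))
    print(json.dumps(fixed, indent=2))
```

Running the script reports the original policy as non-compliant and the remediated one as compliant; feeding it a policy whose deny uses `StringEquals` instead of `StringNotEquals` also reports non-compliant, which is the mistake the check is designed to catch.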