Solution: Enable server-side encryption for non-compliant OBS buckets and select the SSE-KMS encryption method. Rule Logic: If no server-side encryption is configured for an OBS bucket, this bucket is non-compliant.
OBS Buckets Have Server-side Encryption Enabled. Rule Details. Table 1 Rule details (Parameter / Description): Rule Name: obs-bucket-server-side-encryption-enabled; Identifier: obs-bucket-server-side-encryption-enabled; Description: If an OBS bucket does not require server-side encryption, this
Solution: OBS supports cross-region replication configuration using the console, APIs, and obsutil. For details, see Cross-Region Replication. Rule Logic: If an OBS bucket has cross-region replication enabled, this bucket is compliant.
Alarms Have Been Created for OBS Bucket Policy Changes. Rule Details. Table 1 Rule details (Parameter / Description): Rule Name: alarm-obs-bucket-policy-change; Identifier: Alarms Have Been Created for OBS Bucket Policy Changes; Description: If there are no alarm rules configured for bucket policy
CTS Trackers Have Been Created for the Specified OBS Bucket. Rule Details. Table 1 Rule details (Parameter / Description): Rule Name: cts-obs-bucket-track; Identifier: cts-obs-bucket-track; Description: If there are no CTS trackers created for the specified OBS bucket, the current account is
Solution: Enable lifecycle management for non-compliant OBS buckets based on Creating a Lifecycle Rule. Rule Logic: If an OBS bucket has lifecycle management enabled, this bucket is compliant.
Solution: You can enable WORM for noncompliant OBS buckets based on Configuring WORM to Protect Objects from Being Overwritten or Deleted. Rule Logic: If an OBS bucket has WORM enabled, this bucket is compliant.
Tag: obs, access-analyzer-verified; Trigger Type: Configuration change; Filter Type: obs.buckets; Rule Parameters: None. Application Scenarios: A bucket policy applies to the configured OBS bucket and objects in the bucket.
Tag: obs, access-analyzer-verified; Trigger Type: Configuration change; Filter Type: obs.buckets; Rule Parameters: blockedActionsPatterns: Blacklisted actions. Application Scenarios: A bucket policy applies to the configured OBS bucket and objects in the bucket.
Rule Logic: If an OBS bucket is not associated with any non-default ACLs, this bucket is compliant. If an OBS bucket is associated with a non-default ACL, this bucket is non-compliant.
Note: The parameters should have the same format as the principals or conditions in OBS bucket policies. Application Scenarios: A bucket policy applies to the configured OBS bucket and objects in the bucket.
For details, see Using Logging to Record OBS Logs. Solution: For details, see Using Logging to Record OBS Logs. Rule Logic: If an OBS bucket has logging enabled, this bucket is compliant. If an OBS bucket does not have logging enabled, this bucket is noncompliant.
Rule Logic: If an OBS bucket denies requests that are not encrypted with SSL, this bucket is compliant. If an OBS bucket allows requests that are not encrypted with SSL, this bucket is noncompliant.
OBS Bucket Policy Check. Rule Details. Table 1 Rule details (Parameter / Description): Rule Name: obs-bucket-policy-configured; Identifier: OBS Bucket Policy Check; Description: If no bucket policy is configured for an OBS bucket, this bucket is non-compliant.
Solution: You can configure versioning for OBS buckets using the OBS console, APIs, or SDKs. For details, see Versioning. Rule Logic: If an OBS bucket has versioning enabled, this bucket is compliant. If an OBS bucket does not have versioning enabled, this bucket is non-compliant.
Resource Recorder: Are Resource Snapshots and Resource Change Notifications Stored into the Same OBS Bucket? Yes, they are stored into the same OBS bucket.
Billing: The SMN topic and the OBS bucket that you configured for the resource recorder will be charged. For details, see SMN billing and OBS billing. The FunctionGraph functions used for creating custom rules will be charged.
Storing Resource Change Notifications: After you enable the resource recorder and specify an SMN topic and an OBS bucket, Config stores your resource change notifications to the OBS bucket every 6 hours.
You can go to the Objects page on the OBS console and find your resource snapshots based on the paths.