检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
The OBS URL specifies the location of an object stored in an OBS bucket. To obtain an OBS URL on the OBS console, you need to locate the object and choose More > Copy Object URL in the Operation column on the Objects page.
${bucket_name}: the name of an OBS bucket ${folder_name}: the name of a folder in the OBS bucket If you do not need to specify a folder or object in an OBS bucket, you do not need to configure this parameter. { "Statement": [ { "Sid": "org-bucket-policy", "Effect
Configuring the Resource Recorder OBS You can specify an OBS bucket when you enable the resource recorder. NOTE: If you have configured an SMN topic and you do not need an OBS bucket for resource dump, you do not need to configure an OBS bucket.
None None SYS.RMS Exporting resource changes failed Major Exporting resource change records to OBS failed. You can check OBS bucket permissions. Resource changes cannot be recorded.
If there are no alarm rules configured for OBS bucket policy changes, this rule is noncompliant. alarm-vpc-change ces, vpc If there are no alarm rules configured for VPC changes, the current account is noncompliant.
Stores your resource change notifications every 6 hours if you have configured an OBS bucket and an SMN topic. Stores resource snapshots every 24 hours if you have configured an OBS bucket.
Description alarm-action-enabled-check ces If an alarm rule is not enabled, this rule is noncompliant. alarm-kms-disable-or-delete-key ces, kms If there are no alarm rules configured for disabling or deleting KMS keys, this rule is noncompliant. alarm-obs-bucket-policy-change ces, obs
Trace file encryption: After enabling trace transfer, you can use Data Encryption Workshop (DEW) to encrypt trace files stored in OBS buckets. Trace transfer to LTS: When this function is enabled, traces are transferred to a specified OBS bucket.
C.CS.FOUNDATION.G_5_1.R_5 Using bucket policies to restrict access to obs buckets using HTTPS obs-bucket-ssl-requests-only obs If an OBS bucket allows HTTP requests, this bucket is noncompliant.
Storing resource snapshots: Config will store your resource snapshots into the specified OBS bucket every 24 hours after you have enabled the resource recorder and configured an OBS bucket.
Table 2 detail Parameter Type Description snapshot_id String Resource snapshot ID. region_id String The ID of the region where resource snapshots reside. bucket_name String The name of the OBS bucket where resource snapshots are stored. object_keys Array of String Path of the OBS
Table 2 detail parameters Parameter Type Description region_id String The ID of the region where resource change notifications are stored. bucket_name String The name of the OBS bucket where resource change notifications are stored. object_key String The path of an object in an OBS
C.CS.FOUNDATION.G_5_1.R_4 Controlling permissions of OBS resources using both VPC endpoint and OBS bucket policies obs-bucket-policy-grantee-check obs If an OBS bucket has a policy that allows access from an object that is not one of the specified ones, this bucket is noncompliant
Cloud Eye Alarm Rules Are Enabled Alarm Rules Have Been Configured for Key Disablement and Deletion There Are Alarm Rules Configured for OBS Bucket Policy Changes Specified Resources Have Certain Metric Attached Alarm Rule Configurations Check Alarms Have Been Created for VPC Changes
Cloud Trace Service CTS Trackers Have Traces Encrypted CTS Trackers Have Trace Transfer to LTS Enabled CTS Trackers Have Been Created for the Specified OBS Bucket Trace File Verification Is Enabled At Least One Tracker Is Enabled There Are CTS Trackers In the Specified Regions CTS
If an OBS bucket allows HTTP requests, this bucket is noncompliant. rds-instance-ssl-enable rds If SSL is not enabled for an RDS instance, this instance is noncompliant.
Log in to the OBS console and go to the details page of the OBS bucket. Check if the bucket policy has been modified. FAQs What Are the Differences Between Manual Remediation and Automatic Remediation?
IAM user's access key is not rotated within the specified number of days, this user is noncompliant. alarm-kms-disable-or-delete-key ces, kms If there are no alarm rules configured for disabling or deleting KMS keys, this rule is noncompliant. alarm-obs-bucket-policy-change ces, obs
To store operation records for longer than seven days, you must configure transfer to OBS or Log Tank Service (LTS) so that you can view them in OBS buckets or LTS log groups.
Evaluating Resources By Region Scenario: If you do not want your OBS buckets in the regions outside of the Chinese mainland to be publicly accessed, you can create a rule to check if your OBS buckets are correctly configured to meet your exceptions.
