Best practice rules for Alibaba Cloud OSS
- Enable Access Logging for OSS Buckets
Ensure OSS Bucket Access Logging is enabled for security and access audits.
- Enable Secure Transfer for OSS Buckets
Ensure that OSS buckets enforce SSL to secure data in transit.
- Enable Server-Side Encryption with Customer Managed Key
Ensure that Server-Side Encryption of OSS data uses customer-managed keys.
- Enable Server-Side Encryption with Service Managed Key
Ensure that Server-Side Encryption with service-managed keys is enabled.
- Limit Network Access to Selected Networks
Ensure that OSS bucket access is limited to selected networks only.
- OSS Bucket Public Access
Ensure that OSS buckets are not configured to allow public and/or anonymous access.
- Object URL Signature Validity Period
Ensure that the shared URL signature is set to expire within 3600 seconds (1 hour).
- Publicly Accessible OSS Objects
Ensure that there are no publicly accessible objects in OSS buckets.
- Use HTTPS for Object URL Signature
Ensure that the object URL signature is allowed only over HTTPS.