[best practice] patrol item: object storage (COS) bucket public read / write

Problem description

A customer uses COS Store some files , Recently, I found some files that I didn't upload in the bucket 、 Some files have been deleted , There are also some traffic generation , After investigation, it is because the bucket is open for public reading and writing , Anyone can read and write to the bucket .

This patrol inspection item is used to check COS Whether the bucket has public read / write enabled , If the permission of the bucket is public, read and write , Then there may be a security risk in the storage bucket .

Solution

According to the principle of minimizing permissions , For the bucket [ACL Access control ](https://cloud.tencent.com/document/product/436/12470) close 「 Public reading and writing 」 Options , Or configure [ Bucket of policy jurisdiction ]（https://cloud.tencent.com/document/product/436/33369）, Allocate bucket read and write permissions as needed , Improve data security

Configuration method ：

Set the bucket ACL The following example shows that another master account is allowed to access a bucket Have read permission ：

Set on object ACL The following example shows that another master account is allowed to access a object Have read permission ：

Bucket setting Policy jurisdiction

1. Sign in Object Storage Console .
2. In the left navigation bar , single click Bucket list , Select the bucket to which you want to add a bucket policy , Into the bucket .
3. single click Rights management , find Policy permissions ,COS The way to add bucket policy is Graphic settings and Strategy grammar , Please refer to the following steps . You can choose one of the ways to add bucket policy . More instructions on configuration items , Please see the Overview of access policy language .

1. After confirming that the configuration information is correct , single click determine or preservation that will do . At this time, log in with a sub account COS Console , Will only be able to access the resource range set by the policy .

Graphic settings

In the graphic settings section , single click Add a policy , Configure the policy in the pop-up window . First step Select template , The second step Configure policy .

First step ： Select template

By selecting different authorized users 、 Resource range combination ,COS Provides you with a variety of policy templates , Help you quickly configure bucket policies .

• Authorized user
  • All users （ Can be accessed anonymously ）： When you want to open operation permission for anonymous users , You can choose this option , When configuring the policy in the second step, all users will be automatically added for you , Expressed as *. Because the list of objects will be listed （ListBucket）、 Bucket configuration permissions and other operations are open to anonymous users with high risk , When this option is selected COS No corresponding template is provided , If you need it, you can do it later “ Configure policy ” Step add by yourself .
  • Designated user ： When you want to specify a sub account 、 When the master account or cloud service opens the operation permission , You can choose to specify the user . In the second step, configure the policy , You need to further specify a specific account UIN.

• Scope of resources
  • The whole bucket ： When you want to configure bucket configuration related permissions , Or specify the resource range as the entire bucket , You can choose this option , When you configure the policy in the second step, you will automatically add the entire bucket as a resource .
  • Specify the directory ： When you want to limit the scope of resources to a specified folder , You can choose this option . In the second step, configure the policy , You need to further specify the specific directory . When this option is selected ,COS Policy templates related to bucket configuration will not be provided , Because this kind of permission must specify the resource as the whole bucket .

• Templates ： The set of operations you want to authorize .
  • Custom policy （ No preset configuration is provided ）： If you don't need a template , You can select this item , In the second step “ Configure policy ” Add your own policies according to your needs .
  • Other templates ： According to the different combinations of authorized users and resource ranges you choose ,COS Provide you with different recommended templates . Check the corresponding template , In the second step, configure the policy ,COS The corresponding operation will be automatically added for you .

  explain ： The authorization provided by the template does not meet your needs , You can in the second step " Configure policy " Add or remove authorization actions from .

Please refer to the following table for template description ：

The second step ： Configure policy

For the authorized user you selected in the first step 、 Specify the directory and template combination ,COS Corresponding actions are automatically added in the configuration policy for you 、 Authorized user 、 Resources, etc . among , When you select the specified user 、 When specifying a directory , You need to specify specific users when configuring policies UIN And contents .

When COS When the recommended template provided does not meet your needs , You can also adjust the policy content in this step , add to 、 Delete authorized user 、 Resources and operations . The configuration items are described as follows ：

• effect ： Support choice “ allow ” or “ Refuse ”, Corresponding to... In policy syntax “allow” and “deny”.
• user ： Support adding 、 Delete authorized user , Including all users (*)、 Master account 、 Sub accounts and cloud services .
• resources ： It supports adding entire storage bucket or specified directory resources .
• operation ： add to 、 Delete the operation you need to authorize .
• Conditions ： Specify conditions when granting permissions , For example, restrict user access IP.