When Data Security Center (DSC) scans Object Storage Service (OSS) objects for sensitive content, it can write the detected sensitivity level directly to each object as an OSS tag. Resource Access Management (RAM) policies can then read this tag to enforce access control — restricting or denying access based on the object's sensitivity level.
How it works
When DSC runs a data identification task on authorized OSS buckets, it writes the detected sensitivity level as the value of the SensitiveLevelForSDDP tag on each scanned object.
After a scan, each object carries a tag in this format:
SensitiveLevelForSDDP = <sensitivity-level>
To restrict access based on this tag, use the oss:ExistingObjectTag condition key with the Deny effect in a RAM policy. For policy details, see RAM policies.
Use cases
Protect sensitive data: Assign high sensitivity levels to objects containing personally identifiable information (PII), financial data, or trade secrets. Pair the tags with RAM policies that deny access to all but specific RAM users, such as security personnel or senior management.
Comply with data protection regulations: In regulated industries, use sensitivity levels to classify data that falls under compliance requirements, then attach RAM policies to enforce the required access controls.
Share data with third parties: When collaborating with partners or customers, grant access only to objects tagged at or below a specific sensitivity level. This lets you share a bucket without exposing its most sensitive content.
Enable OSS tag synchronization
The OSS synchronization feature is disabled by default. To activate it, select an identification template and turn on the feature. DSC then synchronizes sensitivity levels to OSS tags each time you run a data identification task using that template.
The OSS synchronization configuration takes effect only after you select an identification template. The feature remains inactive even when the toggle is on if no template is selected.
Turn on the OSS synchronization feature
Log on to the DSC console.
In the left-side navigation pane, choose System Settings > Alert notification.
Click the OSS Synchronization Configurations tab.
Turn on Synchronize Tags to OSS.
Select a built-in template or a custom template from the Identification Template drop-down list. To create a custom template first, see View and configure identification templates.
Click Submit.
Run a data identification task to sync tags
After enabling the feature, run a data identification task using the selected identification template. DSC synchronizes sensitivity levels to OSS only after the task completes.
Authorized OSS assets include buckets authorized on the Authorization Management page and the OSS Data Leak (AccessKey Pair Scenarios) page. For authorization steps, see Authorize DSC to access unstructured data in OSS and Simple Log Service and Authorize the data detection and response feature to access OSS buckets and add AccessKey pair intelligence.
To re-run or create a data identification task, see Data identification task.
Billing
Enabling the OSS synchronization feature in DSC is free. When DSC writes or updates tags on OSS objects, it uses PUT requests. Fees are calculated based on the number of PUT requests. For details, see API operation calling fees.
What's next
After tags are synchronized to OSS, create RAM policies that use the SensitiveLevelForSDDP tag and the oss:ExistingObjectTag condition key to control who can access objects at each sensitivity level. For policy examples, see RAM policies.
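The following RAM policy is an added example, not a policy from this page or from the DSC product documentation. It shows the pattern described above for two of the use cases listed earlier: a partner or low-privilege RAM user is allowed to read a shared bucket, but reads of any object whose synchronized SensitiveLevelForSDDP tag carries a high level are denied. The bucket name example-shared-bucket and the tag values S3 and S4 are constructed placeholders; substitute the level names your identification template actually writes. The condition key is written in the oss:ExistingObjectTag/<tag-key> form that OSS uses for object-tag conditions; the page names only the oss:ExistingObjectTag prefix, so verify the exact form against the RAM policies reference for your region.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectTagging",
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:example-shared-bucket",
        "acs:oss:*:*:example-shared-bucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:example-shared-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "oss:ExistingObjectTag/SensitiveLevelForSDDP": [
            "S3",
            "S4"
          ]
        }
      }
    }
  ]
}
```

Because the Deny statement matches only objects that already carry the tag, an object uploaded after the last data identification task has no SensitiveLevelForSDDP tag and is readable under the Allow statement until the next task completes. Re-run the identification task after bulk uploads, and grant oss:GetObjectTagging (as above) so that auditors can confirm the tag value on an object before relying on the policy.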