You can use the OSS sensitive data protection feature to identify and locate sensitive data, such as personal information and passwords, in large volumes of data in OSS. This allows you to classify, manage, and protect your data to maintain security and meet compliance requirements.
Notes
-
The new and previous versions of sensitive data protection are supported in the China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), and China (Hong Kong) regions.
-
When you enable the new version of sensitive data protection for the first time, OSS provides each Alibaba Cloud account UID with a free detection quota of 200 GB, which is valid for one year. If the total amount of scanned data exceeds the free quota within the year, the excess is charged at a rate of CNY 0.20 per GB.
-
Each Alibaba Cloud account UID using the previous version of sensitive data protection receives a 100 GB free monthly detection quota. This quota does not roll over to the next month. Scanned data exceeding this quota is charged at CNY 0.20 per GB.
Limitations
The new and previous versions of sensitive data protection have the following limitations:
-
Object storage class
Only objects in the Standard and Infrequent Access storage classes support sensitive data detection. Objects in the Archive, Cold Archive, and Deep Cold Archive storage classes are not supported.
-
Single object size limit
The maximum size of a single object that can be scanned is 200 MB.
-
Archive file limits
An archive file can be decompressed up to 5 levels deep, with a maximum of 1,000 files after decompression. The system does not scan files that exceed these limits.
Sensitivity levels
New version
By default, OSS uses the data classification template for the internet industry to identify sensitive data. Sensitivity levels are categorized as S0, S1, S2, S3, and S4. S0 indicates that no sensitive content was detected, and higher numbers signify greater sensitivity levels.
In the Data Security Center console, navigate to Data Classification > Identification Configuration in the left-side navigation pane. Then, click View next to the internet industry classification template to review the sensitivity levels and data categories.
Previous version
|
Level |
Data category |
|
S1: Low |
|
|
S2: Medium |
|
|
S3: High |
|
|
N/A: Unknown risk level |
No risks identified |
OSS console
If you are using the previous version of sensitive data protection, we recommend upgrading. The new version offers the following core capabilities:
-
Customizable detection jobs to flexibly scan all data in a bucket or only data that matches a specified prefix.
-
Integration of large model-based detection to improve the accuracy of identifying key patterns, such as AccessKeys.
-
Comprehensive data security analysis reports with clear visualizations of sensitive data and its risk distribution.
New version
-
The first time you use sensitive data protection, you must authorize and enable the service.
Log on to the OSS console.
-
In the left-side navigation pane, click Buckets. On the page that appears, click the name of the target bucket.
-
In the left-side navigation pane, choose .
-
On the page, click Authorize and Activate.
-
In the Configure Detection Job dialog box, set the automatic scan schedule and start time, and then click OK.
After the configuration is complete, OSS performs a full scan on all data or data that matches a specified prefix in the bucket and charges a fee for the scan. The duration of the initial scan depends on the amount of data. Allow some time for the scan to complete before checking the results.
-
Configure a detection job.
If you want to scan new or modified objects in the bucket after the initial full scan, or if you want to customize the scan schedule or start time, follow these steps:
-
On the page, click Identification Configuration in the upper-right corner.
-
In the Configure Detection Job dialog box, modify the automatic scan schedule and start time, and then click OK.
After the configuration is complete, OSS performs an incremental scan on the data in the specified bucket by default and charges a fee for the scan.
-
-
View the scan results.
After a scan is complete, OSS automatically organizes, classifies, and labels sensitive data, and displays the results in a centralized location. This allows you to continuously monitor the security posture of your OSS data assets.
Single bucket
On the page, view the scan results for the bucket.
The results page displays the following statistics: Data Classification Statistics (percentage of each sensitivity level), Sensitive Data Tag Statistics (percentage by tag type), Data Recognition Rate (ratio of sensitive to non-sensitive objects), and Top 5 Hit Models. Below the statistics, a list of sensitive objects is displayed, which you can filter by Hit Model and Sensitivity Level. The Identification Configuration and Disable Sensitive Data Protection buttons are available in the upper-right corner.
Multiple buckets
After scanning multiple buckets for sensitive data, navigate to Data Service > Content Security in the left-side navigation pane. On the Content Security page, you can view data for all scanned buckets.
This page lists a summary of scan information for each bucket, including Region, Total Objects, Sensitivity Level, Sensitive Objects, Data Tags, and Last Scan Time. You can filter the list by Region, Bucket Name, and Sensitivity Level. Click Object Details to the right of a target bucket to view detailed scan results.
-
View sensitive data details for an object.
To view details such as the sensitive data type, sensitivity level, matched rule, and number of matches for an object, click Hit Details to the right of the target object.
Previous version
Log on to the OSS console.
In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.
-
In the left-side navigation pane, choose Data Security > Sensitive Data Discovery and Protection (SDDP).
ImportantThe new version of sensitive data protection is now fully available. We strongly recommend that you upgrade.
When you go to the Sensitive Data Protection page for the previous version, an upgrade banner appears at the top. Click Upgrade to switch to the new version.
When you use the previous version of sensitive data protection, OSS performs only a full scan on the data in the specified bucket and charges a fee for the scan. After the scan is complete, you can view the percentage of each sensitivity level and the top 5 sensitive data types.
At the bottom of the page, the Sensitive Data List displays the name, size, type, number of sensitive fields, highest sensitivity level, and number of matched rules for each object. You can click Hit Details to the right of a target object to view detailed information. You can also manage the scan job by using the Stop Scan and Scan Settings buttons.
Next steps
You can perform the following actions on objects that contain sensitive information:
-
Apply data masking to objects that contain sensitive information. For more information, see Mask sensitive data in images and Mask sensitive data in tables.
-
Set permission policies for objects with different sensitivity levels. For more information, see Synchronize sensitivity level tags to OSS objects.
-
Delete objects that contain sensitive information. For more information, see Delete objects.
Permissions
By default, an Alibaba Cloud account has full permissions. RAM users or RAM roles under an Alibaba Cloud account do not have any permissions by default. The Alibaba Cloud account or account administrator must grant operation permissions through RAM policies or Bucket Policy.
New version
|
Actions |
Description |
|
|
Upgrades the version of sensitive data protection. |
|
|
Creates a detection job to start scanning data in a bucket. |
|
|
Queries the detection results for a single bucket or object. |
|
|
Lists the detection results for multiple buckets and objects. |
|
|
Starts or pauses a detection job. |
|
|
Modifies the configuration of a detection job. |
|
|
Deletes a detection job to stop scanning data in a bucket. |
Previous version
|
Actions |
Description |
|
|
Scans data in a bucket. |
|
|
Views the scan results for a single bucket. |
|
|
Views the scan results for all buckets. |
Billing
Fees for both the new and previous versions of sensitive data protection are based on the following billable items. For pricing details, see OSS Pricing.
|
Billable item |
Description |
|
Sensitive data protection |
Fees are charged based on the amount of data scanned when a full or incremental scan is performed on the data in an authorized bucket. |