OSS Bucket BYOK Encryption Check

ID: rule:aliyun:oss-encryption-byok-check
Severity: medium
IaC Types: ROS, Terraform

Description

Ensures that the OSS bucket uses KMS encryption with a customer-managed key (BYOK).

Reason for Violation

The OSS bucket does not use a customer-managed KMS key for encryption.

Recommendation

Set sse_algorithm to 'KMS' and specify a kms_master_key_id in server_side_encryption_rule.
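
The Terraform configurations below are an added example, not part of the rule's own documentation, showing three bucket definitions that do not follow this recommendation next to one that does. The bucket names, resource labels and the oss_kms_key_id variable are assumptions made for illustration.

```hcl
# Constructed example: bucket names and the key ID variable are placeholders.

# Does not follow the recommendation: no server_side_encryption_rule at all.
resource "alicloud_oss_bucket" "no_sse" {
  bucket = "example-data-no-sse"
}

# Does not follow the recommendation: sse_algorithm is AES256, not KMS.
resource "alicloud_oss_bucket" "aes256" {
  bucket = "example-data-aes256"

  server_side_encryption_rule {
    sse_algorithm = "AES256"
  }
}

# Does not follow the recommendation: KMS is selected, but no
# kms_master_key_id is given, so no customer-managed key is specified.
resource "alicloud_oss_bucket" "kms_no_key" {
  bucket = "example-data-kms-no-key"

  server_side_encryption_rule {
    sse_algorithm = "KMS"
  }
}

# Follows the recommendation: KMS with an explicit customer-managed key.
variable "oss_kms_key_id" {
  type        = string
  description = "ID of the customer-managed KMS key (supplied by the operator)"
}

resource "alicloud_oss_bucket" "byok" {
  bucket = "example-data-byok"

  server_side_encryption_rule {
    sse_algorithm     = "KMS"
    kms_master_key_id = var.oss_kms_key_id
  }
}
```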

Resource Types

  • ROS: ALIYUN::OSS::Bucket
  • Terraform: alicloud_oss_bucket