Enable Server-Side Encryption with Service Managed Key

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Server-Side Encryption (SSE) with the service-managed key is enabled for your Object Storage Service (OSS) buckets in order to protect your data at rest and meet regulatory requirements. Object Storage Service (OSS) provides a service-managed key identified by the alias "alias/acs/oss".

Security

In Object Storage Service, Server-Side Encryption (SSE) automatically encrypts data you upload to your buckets. OSS handles the encryption and decryption process, keeping your data secure even if someone gains access to the underlying storage. SSE represents an extra layer of security that can prevent unauthorized users from accessing sensitive or mission-critical information.
Audit

To determine if Server-Side Encryption with the service-managed key is enabled for your OSS buckets, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to the Object Storage Service (OSS) console, available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to examine, listed in the Bucket Name column.

05 Choose Content Security from the resource navigation panel and select Server-side Encryption.

06 Choose Settings from the Server-side Encryption section to view the Server-Side Encryption (SSE) feature settings.

07 For compliance, the Encryption Method must be set to KMS and the CMK value must start with alias/acs/oss. If the Encryption Method is not KMS or the CMK key alias is not alias/acs/oss, Server-Side Encryption (SSE) with the service-managed key is disabled for the selected OSS bucket.

08 Repeat steps no. 4 - 7 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

02 Run the ls command (macOS/Linux/Windows) to list the OSS buckets available within your Alibaba Cloud account:

ossutil ls -s

03 The command output should return the name of each OSS bucket available in your cloud account:

oss://tm-project-trail-bucket
oss://tm-project-data-bucket
oss://tm-project-app-utils
oss://tm-project-custom-logs
Bucket Number is: 4

0.235205(s) elapsed

04 Run the bucket-encryption command (macOS/Linux/Windows) to describe the Server-Side Encryption (SSE) configuration of the selected OSS bucket:

ossutil bucket-encryption --method get oss://tm-project-trail-bucket

05 The command output should return the requested configuration information:

SSEAlgorithm: KMS
KMSMasterKeyID: abcd1234-abcd-1234-abcd-1234abcd1234
KMSDataEncryption:

06 Run the kms ListAliasesByKeyId command (macOS/Linux/Windows) to describe the alias (name) of the KMS key configured for Server-Side Encryption (SSE), i.e. the key returned at the previous step (only if a KMSMasterKeyID value is returned):

aliyun kms ListAliasesByKeyId --KeyId 'abcd1234-abcd-1234-abcd-1234abcd1234'

07 The command output should return the alias information available for the specified KMS key (including the alias name):

{
	"Aliases": {
	"Alias": [
		{
			"AliasArn": "acs:kms:eu-west-1:1234567890123456:alias/acs/rds",
			"AliasName": "alias/acs/rds",
			"KeyId": "abcd1234-abcd-1234-abcd-1234abcd1234"
		}
	]
	},
	"PageNumber": 1,
	"PageSize": 20,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TotalCount": 1
}

08 Check the information returned at steps no. 5 and 7 to determine the Server-Side Encryption (SSE) configuration of the selected OSS bucket. For compliance, the SSEAlgorithm must be set to KMS and the Aliases.Alias.AliasName value for the KMS key specified by KMSMasterKeyID must be "alias/acs/oss". If the SSEAlgorithm is not KMS or the Aliases.Alias.AliasName value is not "alias/acs/oss", Server-Side Encryption (SSE) with the service-managed key is disabled for the selected OSS bucket.

09 Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Remediation / Resolution

To ensure that Server-Side Encryption (SSE) with the service-managed key is enabled for your OSS buckets, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to the Object Storage Service (OSS) console, available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to configure, listed in the Bucket Name column.

05 Choose Content Security from the resource navigation panel and select Server-side Encryption.

06 Choose Settings from the Server-side Encryption section and perform the following actions:

  1. For Encryption Method choose KMS.
  2. For Encryption Algorithm choose AES256.
  3. Select the KMS key with the alias alias/acs/oss from the CMK dropdown list.
  4. Choose Save to apply the configuration changes. This will enable Server-Side Encryption (SSE) with the service-managed key for the selected OSS bucket.

07 Repeat steps no. 4 - 6 for each OSS bucket available in your Alibaba Cloud account.

Using ossutil

01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

02 Run the bucket-encryption command (macOS/Linux/Windows) to enable Server-Side Encryption (SSE) with the service-managed key for the selected OSS bucket. Use the --kms-masterkey-id parameter to specify the ID of the service-managed key (i.e. the KMS key with the alias alias/acs/oss):

ossutil bucket-encryption \
  --method put oss://tm-project-trail-bucket \
  --sse-algorithm KMS \
  --kms-masterkey-id 1234abcd-1234-abcd-1234-abcd1234abcd

03 If the operation is successful, the command output should return the execution time, e.g.:

0.217135(s) elapsed

04 Repeat steps no. 2 and 3 for each OSS bucket available in your Alibaba Cloud account.
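The following script is an added example and is not code from this Conformity page or from Alibaba Cloud. It automates the ossutil-based Audit procedure (steps 4 to 8) and the ossutil-based Remediation step: it parses the `bucket-encryption --method get` output and the `kms ListAliasesByKeyId` JSON, applies the page's criterion (SSEAlgorithm is KMS and the key carries alias/acs/oss), and for a failing bucket builds the `bucket-encryption --method put` command. The CLI outputs embedded in it are constructed samples shaped like the ones shown above; the `audit_live` function assumes `ossutil` and `aliyun` are installed and configured on PATH, and the service-managed key ID it takes must be obtained from your own account (the page does not show how to look it up, so a placeholder is used).

```python
"""Added example: evaluate the OSS "SSE with the service-managed key" check
from ossutil/aliyun output and build the remediation command when it fails."""
import json
import shlex
import subprocess
from typing import Dict, List, Tuple

# Alias of the OSS service-managed key, as given on the page.
SERVICE_MANAGED_ALIAS = "alias/acs/oss"

KEY_ID = "abcd1234-abcd-1234-abcd-1234abcd1234"  # constructed sample key ID

# Constructed sample: `ossutil bucket-encryption --method get oss://<bucket>`
SAMPLE_GET_KMS = (
    "SSEAlgorithm: KMS\n"
    f"KMSMasterKeyID: {KEY_ID}\n"
    "KMSDataEncryption:\n"
)
# Constructed sample: bucket using OSS-managed AES256 keys, no KMS key at all.
SAMPLE_GET_AES = "SSEAlgorithm: AES256\nKMSMasterKeyID:\nKMSDataEncryption:\n"


def _aliases_response(alias: str, key_id: str) -> str:
    """Constructed `aliyun kms ListAliasesByKeyId` response carrying one alias."""
    return json.dumps({
        "Aliases": {"Alias": [{
            "AliasArn": f"acs:kms:eu-west-1:1234567890123456:{alias}",
            "AliasName": alias, "KeyId": key_id}]},
        "PageNumber": 1, "PageSize": 20,
        "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD", "TotalCount": 1})


SAMPLE_ALIASES_RDS = _aliases_response("alias/acs/rds", KEY_ID)  # non-compliant
SAMPLE_ALIASES_OSS = _aliases_response("alias/acs/oss", KEY_ID)  # compliant


def parse_bucket_encryption(text: str) -> Dict[str, str]:
    """Parse the `Key: value` lines printed by `bucket-encryption --method get`."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            config[key.strip()] = value.strip()
    return config


def alias_names(list_aliases_json: str) -> List[str]:
    """Extract every Aliases.Alias[].AliasName from a ListAliasesByKeyId reply."""
    doc = json.loads(list_aliases_json)
    return [a.get("AliasName", "") for a in doc.get("Aliases", {}).get("Alias", [])]


def evaluate_bucket(config: Dict[str, str], aliases: List[str]) -> Tuple[bool, str]:
    """Apply the page's criterion and return (compliant, reason)."""
    algorithm = config.get("SSEAlgorithm", "")
    if algorithm != "KMS":
        return False, f"SSEAlgorithm is {algorithm or 'unset'}, not KMS"
    if not config.get("KMSMasterKeyID"):
        # Without a key ID the alias lookup of step 6 cannot run, so the
        # alias criterion cannot be confirmed; treat the bucket as failing.
        return False, "KMSMasterKeyID is empty, so the key alias cannot be verified"
    if SERVICE_MANAGED_ALIAS not in aliases:
        return False, f"key aliases {aliases} do not include {SERVICE_MANAGED_ALIAS}"
    return True, "SSE with the service-managed key is enabled"


def remediation_command(bucket: str, service_key_id: str) -> str:
    """Build the Remediation section's ossutil command. `service_key_id` is the
    ID of the key aliased alias/acs/oss in your account, supplied by the caller."""
    parts = ["ossutil", "bucket-encryption", "--method", "put", f"oss://{bucket}",
             "--sse-algorithm", "KMS", "--kms-masterkey-id", service_key_id]
    return " ".join(shlex.quote(p) for p in parts)


def audit_bucket(bucket: str, get_output: str, aliases_json: str,
                 service_key_id: str) -> Dict[str, object]:
    """Steps 5 to 8 for one bucket, with the fix attached when it fails."""
    config = parse_bucket_encryption(get_output)
    compliant, reason = evaluate_bucket(config, alias_names(aliases_json))
    result: Dict[str, object] = {"bucket": bucket, "compliant": compliant, "reason": reason}
    if not compliant:
        result["remediation"] = remediation_command(bucket, service_key_id)
    return result


def audit_live(bucket: str, service_key_id: str) -> Dict[str, object]:
    """Same check against a real bucket. Assumes `ossutil` and `aliyun` are on PATH."""
    get_output = subprocess.run(
        ["ossutil", "bucket-encryption", "--method", "get", f"oss://{bucket}"],
        capture_output=True, text=True, check=True).stdout
    key_id = parse_bucket_encryption(get_output).get("KMSMasterKeyID", "")
    aliases_json = "{}"
    if key_id:  # step 6 only applies when a key ID was returned
        aliases_json = subprocess.run(
            ["aliyun", "kms", "ListAliasesByKeyId", "--KeyId", key_id],
            capture_output=True, text=True, check=True).stdout
    return audit_bucket(bucket, get_output, aliases_json, service_key_id)


if __name__ == "__main__":
    # "1234abcd-..." is a placeholder for the real alias/acs/oss key ID.
    for name, out, aliases in [("tm-project-trail-bucket", SAMPLE_GET_KMS, SAMPLE_ALIASES_RDS),
                               ("tm-project-data-bucket", SAMPLE_GET_AES, "{}"),
                               ("tm-project-app-utils", SAMPLE_GET_KMS, SAMPLE_ALIASES_OSS)]:
        print(audit_bucket(name, out, aliases, "1234abcd-1234-abcd-1234-abcd1234abcd"))
```

The evaluation deliberately treats a KMS bucket with an empty KMSMasterKeyID as failing rather than passing: the page's criterion is stated in terms of the alias of the key named by KMSMasterKeyID, and with no key ID that alias cannot be checked. Loop `audit_live` over the bucket names from `ossutil ls -s` to cover step 9.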

Publication date Apr 25, 2024