docs(obj): add compliant bucket creation how to MTA-6389

menu/navigation.json

@@ -5234,6 +5234,10 @@
                     "label": "Manage lifecycle rules",
                     "slug": "manage-lifecycle-rules"
                   },
+                  {
+                    "label":"Host healthcare data (HDS)",
+                    "slug":"host-healthcare-data"
+                  },
                   {
                     "label": "View and abort incomplete multipart uploads",
                     "slug": "abort-incomplete-mpu"

pages/object-storage/how-to/host-healthcare-data.mdx

@@ -0,0 +1,127 @@
+---
+title: How to create a compliant bucket to host healthcare data
+description: This page details the steps to follow to create a compliant bucket using Scaleway Object Storage to host healthcare data
+tags: 
+dates:
+  validation: 2025-08-27
+  posted: 2025-08-27
+---
+import Requirements from '@macros/iam/requirements.mdx'
+
+When hosting healthcare data using Scaleway Object Storage, you must follow the recommendations outlined in the [shared responsibility model](/object-storage/reference-content/) to ensure compliance with legal and regulatory requirements, such as data protection laws, and industry standards.
+
+Adhering to these guidelines helps safeguard sensitive information against unauthorized access, breaches, and data loss, while also clarifying the roles and responsibilities between the cloud provider and the customer.
+
+This documentation provides the following elements:
+
+- A procedure to create a compliant bucket
+- Information on prohibited actions
+- Compliant encryption methods
+- Compliant deletion methods
+- A checklist to ensure you are ready to safely store healthcare data
+
+<Requirements />
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+- Signed an HDS contract with Scaleway for the garantees outlined in the [shared responsibility model]() to apply
+
+## How to create a compliant bucket
+
+Even though you can use an existing bucket to host healthcare data, we strongly recommend you create a dedicated bucket for this purpose. This is to make sure that no lifecycle rule exists, and that every object uploaded to this bucket is properly encrypted.
+
+1. Click **Object Storage** on the left side menu of the console. The Object Storage dashboard displays.
+
+2. Click **+ Create bucket**. The bucket creation page displays.
+
+3. Enter a **name** for your bucket.
+
+4. Select the **Paris** region.
+
+5. Set the bucket visibility to **Private**.
+
+6. Select a **use case** for your bucket.
+
+7. Enable [bucket versioning](/object-storage/how-to/use-bucket-versioning/) if you want to store multiple versions of your objects (this may lead to higher storage costs).
+
+8. Optionally, you can use the cost estimator to simulate your Object Storage costs.
+
+9. Click **Create bucket** to confirm.
+
+10. If you use a [customer-side encryption mechanism](#customer-side-encryption), enable bucket encryption using the [PutBucketEncryption]() action.
+
+Your bucket is now ready to store healthcare data. Before uploading objects, refer to the sections below for information on how to encrypt and delete your objects in compliance with regulations.
+
+## Prohibited actions on a compliant Bucket
+
+to host healthcare data, you must comply to the following requirements:
+
+- You must not use the [Glacier](/object-storage/concepts/#storage-classes) storage class. Refer to the [Shared responsibility model]() for more information on this requirement.
+
+- You must not use [lifecycle rules](/object-storage/concepts/#lifecycle-configuration) in your compliant bucket.
+
+- If you use a [customer-side encryption mechanism](#customer-side-encryption), you must no delete the bucket encryption.
+
+<Message type="important">
+Failure to comply with these requirements may lead to voiding compliance on the objects contained in the bucket.
+</Message>
+
+## How to encrypt objects
+
+Objects in a compliant bucket must be encrypted to make sure data is protected. To achieve this, you can either use Scaleway's SSE-C feature, or encrypt objects yourself before uploading them to your bucket.
+
+### Encryption with SSE-C
+
+Scaleway's SSE-C (**S**erver-**S**ide **E**ncryption with **C**ustomer-provided keys) mechanism garantees that objects uploaded to the bucket are properly encrypted.
+
+You can check that your objects are propery encrypted by performing a simple `HeadObject` operation on an encrypted object. Scaleway Object Storage will return a `400` error if SSE-C has been used to upload this object.
+
+Refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-c/) for comprehensive information on how to encrypt objects using SSE-C.
+
+### Customer-side encryption
+
+Customer-side encryption ensures that sensitive data is protected before reaching Scaleway Object Storage, giving you control on the encryption mechanism, and keys managemnent. This method must be used in combination with [Scaleway's HDS-compliant deletion method](#deleting-objects-with-customer-side-encryption).
+
+## How to delete objects
+
+Objects must be deleted in a compliant way to make sure data can not be retrieved by any means immediately afterward. When using the HDS-compliant method (using the `PutBucketEncryption` action), Scaleway encrypts your uploaded objects with a dedicated key that will be instantly deleted upon receiving a deletion request for the targeted objects.
+
+This mechanism guarantees your objects can not be immediately retrieved, even if it takes additionnal time to process the delete of all the remaining chunks of your deleted objects.
+
+### Deleting objects encrypted with SSE-C
+
+If you use Scaleway's SSE-C to encrypt your data, using [DeleteObject](/object-storage/api-cli/object-operations/#deleteobject) is sufficient to garantee that your object is deleted in compliance with the regulatory requirements. 
+
+### Deleting objects with customer-side encrpytion
+
+If you do not use Scaleway's SSE-C to encrypt your data, you must use Scaleway's HDS-compliant method to delete objects. You must enable bucket encryption beforehand, using the `PutBucketEncryption` operation. 
+
+<Message type="note">
+This mechanism is designed to handle compliant deletion of your data, and not its encryption. Make sure to use it in combination with a compliant encryption method, such as SSE-C or any other customer-side approach to upload your objects.
+</Message>
+
+## Enforcing compliance using bucket policies
+
+To enforce compliance regarding the storage class and lifecycle rules, you can set up a bucket policy. **Bucket policies automatically deny any action that is not explicitly allowed in a statement**, allowing for fine-grained permissions management.
+
+Refer to the [dedicated documentation](/object-storage/api-cli/bucket-policy/) for more information on bucket policies.
+
+## Compliant bucket creation checklist
+
+Make sure that your bucket follows the requirements below:
+
+1. Make sure you [created your bucket](#how-to-create-a-compliant-bucket) in the **France - Paris** (`fr-par`) region.
+
+2. Make sure that there is no active lifecycle rules for your bucket.
+
+3. Make sure that your objects within this bucket are not stored using the **Glacier** storage class.
+
+4. Use a valid [encryption method](#how-to-encrypt-objects).
+
+5. Use a valid [deletion method](#how-to-delete-objects).
+
+6. Use [bucket policies](#enforcing-compliance-using-bucket-policies) to restrict permissions and prevent unwanted operations.
+
+7. Follow the provided security best practices at all times.
+
+Refer to the [Object Storage Shared Responsibility Model]() for comprehensive information on the legal framework to host healthcare data.