Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-alicloud-compliance
Overview
1Dashboards
78Benchmarks
40Queries
2Variables
GitHub

Control: 5.1 Ensure that OSS bucket is not anonymously or publicly accessible

Description

It is recommended that the access policy on OSS bucket does not allows anonymous and/or public access.

Remediation

The anonymous or public access to OSS bucket can be restricted through both Bucket ACL and Bucket Policy.

From Console

Using the Bucket ACL:

  1. Logon to OSS console.
  2. In the bucket-list pane, click on a target OSS bucket.
  3. Click on Basic Setting in top middle of the console.
  4. Under ACL section, click on configure.
  5. Click Private.
  6. Click Save.

Using Bucket Policy:

  1. Logon to OSS console.
  2. Click Bucket, and then click the name of target bucket.
  3. Click the Files tab. On the page that appears, click Authorize.
  4. In the Authorize dialog box that appears, click Authorize.
  5. In the Authorize dialog box that appears, choose the Anonymous Accounts (*) for Accounts and choose None for Authorized Operation.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_5_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_5_1 --share

SQL

This control uses a named query:

select
  'acs:oss:::' || name as resource,
  case
    when acl = 'private' then 'ok'
    else 'alarm'
  end as status,
  case
    when acl = 'private' then title || ' not publicly accessible.'
    else name || ' publicly accessible.'
  end as reason
  
  , account_id as account_id, region as region
from
  alicloud_oss_bucket;

Tags

category = Compliance
cis = true
cis_item_id = 5.1
cis_level = 1
cis_section_id = 5
cis_type = automated
cis_version = v1.0.0
plugin = alicloud
service = AliCloud/OSS