Control: 4.1 Ensure no Object Storage buckets are publicly visible

Description

A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.

Remediation

From Console

Login to OCI Console.
Click in the search bar, top of the screen.
Type Advanced Resource Query and click enter.
Click the Advanced Resource Query button in the upper right of the screen.
Enter the following query in the query box:

query
bucket resources
where
  (publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')

For each bucket in the returned results, click the Bucket Display Name.
Click Edit Visibility.
Select Private.
Click Save Changes.

From Command Line

Execute the following command:

oci search resource structured-search --query-text "query bucket resources
where
  (publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')"

For each of the buckets identified get the bucket name

oci os bucket update --bucket-name <bucket-name> --public-access-type NoPublicAccess

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v110_4_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v110_4_1 --share

SQL

This control uses a named query:

select
  a.id as resource,
  case
    when public_access_type like 'Object%' then 'alarm'
    else 'ok'
  end as status,
  case
    when public_access_type like 'Object%' then a.title || ' publicly accessible.'
    else a.title || ' not publicly accessible.'
  end as reason
  
  , a.region as region, a.tenant_name as tenant
  , coalesce(c.name, 'root') as compartment
from
  oci_objectstorage_bucket as a
  left join oci_identity_compartment as c on c.id = a.compartment_id;