Control: 2.2 Ensure the OSS used to store ActionTrail logs is not publicly accessible


ActionTrail logs a record of every API call made in your Alibaba Cloud account. These logs file are stored in an OSS bucket. It is recommended that the access control list (ACL) of the OSS bucket, which ActionTrail logs to, shall prevent public access to the ActionTrail logs.


Perform the following to remove any public access that has been granted to the bucket via an ACL:

From Console

  1. Logon to OSS Console.
  2. Right on the bucket and click Basic Settings.
  3. In the Access Control List pane, click the Configure.
  4. The Bucket ACL tab shows three kind of grants. Like Private, Public Read, Public Read/Write.
  5. Ensure Private be set to the bucket.
  6. Click Save to save the ACL.


Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_2_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_2_2 --share


This control uses a named query: