v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/alicloud_compliance
Overview
1Dashboards
78Controls
40Queries
2Variables
GitHub

Control: 2.2 Ensure the OSS used to store ActionTrail logs is not publicly accessible

Description

ActionTrail logs a record of every API call made in your Alibaba Cloud account. These logs file are stored in an OSS bucket. It is recommended that the access control list (ACL) of the OSS bucket, which ActionTrail logs to, shall prevent public access to the ActionTrail logs.

Remediation

Perform the following to remove any public access that has been granted to the bucket via an ACL:

From Console

  1. Logon to OSS Console.
  2. Right on the bucket and click Basic Settings.
  3. In the Access Control List pane, click the Configure.
  4. The Bucket ACL tab shows three kind of grants. Like Private, Public Read, Public Read/Write.
  5. Ensure Private be set to the bucket.
  6. Click Save to save the ACL.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_2_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_2_2 --share

SQL

This control uses a named query:

action_trail_oss_bucket_not_public

Tags

category = Compliance
cis = true
cis_item_id = 2.2
cis_level = 1
cis_section_id = 2
cis_type = automated
cis_version = v1.0.0
plugin = alicloud
service = AliCloud/ActionTrail