v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/alicloud_compliance
Overview
1Dashboards
78Controls
40Queries
2Variables
GitHub

Control: 5.1 Ensure that OSS bucket is not anonymously or publicly accessible

Description

It is recommended that the access policy on OSS bucket does not allows anonymous and/or public access.

Remediation

The anonymous or public access to OSS bucket can be restricted through both Bucket ACL and Bucket Policy.

From Console

Using the Bucket ACL:

  1. Logon to OSS console.
  2. In the bucket-list pane, click on a target OSS bucket.
  3. Click on Basic Setting in top middle of the console.
  4. Under ACL section, click on configure.
  5. Click Private.
  6. Click Save.

Using Bucket Policy:

  1. Logon to OSS console.
  2. Click Bucket, and then click the name of target bucket.
  3. Click the Files tab. On the page that appears, click Authorize.
  4. In the Authorize dialog box that appears, click Authorize.
  5. In the Authorize dialog box that appears, choose the Anonymous Accounts (*) for Accounts and choose None for Authorized Operation.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_5_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_5_1 --share

SQL

This control uses a named query:

oss_bucket_public_access_blocked

Tags

category = Compliance
cis = true
cis_item_id = 5.1
cis_level = 1
cis_section_id = 5
cis_type = automated
cis_version = v1.0.0
plugin = alicloud
service = AliCloud/OSS