Control: 4.1 Ensure no Object Storage buckets are publicly visible
Description
A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.
Remediation
From Console
- Login to OCI Console.
- Click in the search bar, top of the screen.
- Type
Advanced Resource
Query and clickenter
. - Click the
Advanced Resource Query
button in the upper right of the screen. - Enter the following query in the query box:
querybucket resourceswhere (publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')
- For each
bucket
in the returned results, click the BucketDisplay Name
. - Click
Edit Visibility
. - Select
Private
. - Click
Save Changes
.
From Command Line
- Execute the following command:
oci search resource structured-search --query-text "query bucket resourceswhere (publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')"
- For each of the buckets identified get the bucket name
oci os bucket update --bucket-name <bucket-name> --public-access-type NoPublicAccess
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v110_4_1
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run oci_compliance.control.cis_v110_4_1 --share
SQL
This control uses a named query:
objectstorage_bucket_public_access_blocked