Control: 3.17 Ensure write level Object Storage logging is enabled for all buckets
Description
Object Storage write logs record every write request made to objects in a bucket.
Remediation
From Console
First, if a log group for holding these logs has not already been created, create a log group by the following steps:
- Go to the Log Groups page.
- Click the Create Log Groups button in the middle of the screen.
- Select the relevant compartment to place these logs.
- Type a name for the log group in the Name box.
- Add an optional description in the Description box.
- Click the Create button in the lower left hand corner.
Second, enable Object Storage write logging for your bucket(s) by the following steps:
- Go to the Logs page.
- Click the Enable Service Log button in the middle of the screen.
- Select the relevant resource compartment.
- Select Object Storage from the Service drop down menu.
- Select the relevant bucket from the resource drop down menu.
- Select Write Access Events from the Log Category drop down menu.
- Type a name for your Object Storage write log in the Log Name drop down menu.
- Click the Enable Log button in the lower left hand corner.
From Command Line
First, if a log group for holding these logs has not already been created, create a log group by the following steps:
- Create a log group:
oci logging log-group create --compartment-id <compartment-id> \
  --display-name "<DisplayName>" \
  --description "<Description>"
The output of the command gives you a work request id. You can query the work request to see the status of the job by issuing the following command:
oci logging work-request get --work-request-id <output from command above>
Look for the status field to be SUCCEEDED.
Second, enable Object Storage write logging for your bucket(s) by the following steps:
- Get the Log group ID needed for creating the Log:
oci logging log-group list --compartment-id <compartment-id> \
  --query 'data[?contains("display-name", `'"<DisplayName>"'`)].id|join(`\n`, @)' \
  --raw-output
- Create a JSON file called config.json with the following content:
{
  "compartment-id": "ocid1.compartment.oc1..aaaaaaaamaywlaznovmvdwk3uqx2sedfavssagba5cxufe6wyllqgwzcq43a",
  "source": {
    "resource": "<bucket-name>",
    "service": "ObjectStorage",
    "source-type": "OCISERVICE",
    "category": "write"
  }
}
The compartment-id is the OCID of the compartment in which the bucket exists. The resource value is the bucket name.
- Create the Service Log:
oci logging log create --log-group-id <value from step 2.> \
  --display-name "<DisplayName>" \
  --log-type SERVICE --is-enabled TRUE \
  --configuration file://config.json
The output of the command gives you a work request id. You can query the work request to see the status of the job by issuing the following command:
oci logging work-request get --work-request-id <output from command above>
Look for the status field to be SUCCEEDED.
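The remediation above creates the write log per bucket, but verifying the control means checking that every bucket actually has an enabled Object Storage write log. The Python below is an added illustration of that audit logic and is not part of the oci_compliance mod or the OCI CLI: it evaluates records in the shape that `oci os bucket list` and `oci logging log list` return (trimmed to the fields needed), treating a bucket as compliant only when some enabled log has a source with service ObjectStorage, category write, and resource equal to the bucket name. The sample buckets and logs are constructed, and the kebab-case field names are an assumption modelled on the config.json in the remediation steps.

```python
import json

# Constructed sample of `oci os bucket list` output, trimmed to the one
# field this check needs. Bucket names are made up.
BUCKETS_JSON = json.dumps({"data": [
    {"name": "audit-archive"},
    {"name": "app-uploads"},
    {"name": "public-assets"},
]})

# Constructed sample of `oci logging log list` output. The "source" object
# mirrors the config.json shape from the remediation steps; "is-enabled"
# and "log-type" are assumed field names for this illustration.
LOGS_JSON = json.dumps({"data": [
    # Enabled write log: this bucket passes.
    {"display-name": "audit-archive-write", "log-type": "SERVICE",
     "is-enabled": True,
     "configuration": {"source": {"service": "ObjectStorage",
                                  "source-type": "OCISERVICE",
                                  "category": "write",
                                  "resource": "audit-archive"}}},
    # Write log exists but is disabled: must not count as coverage.
    {"display-name": "app-uploads-write", "log-type": "SERVICE",
     "is-enabled": False,
     "configuration": {"source": {"service": "ObjectStorage",
                                  "source-type": "OCISERVICE",
                                  "category": "write",
                                  "resource": "app-uploads"}}},
    # Read log only: a different category, so it does not satisfy 3.17.
    {"display-name": "public-assets-read", "log-type": "SERVICE",
     "is-enabled": True,
     "configuration": {"source": {"service": "objectstorage",
                                  "source-type": "OCISERVICE",
                                  "category": "read",
                                  "resource": "public-assets"}}},
]})


def buckets_with_write_logging(logs_json: str) -> set:
    """Return the names of buckets that have an enabled Object Storage write log."""
    covered = set()
    for log in json.loads(logs_json)["data"]:
        if not log.get("is-enabled"):
            continue
        src = log.get("configuration", {}).get("source", {})
        # Compare the service name case-insensitively and ignore spaces, since
        # the console shows "Object Storage" and the CLI uses "ObjectStorage".
        service = src.get("service", "").replace(" ", "").lower()
        if service != "objectstorage":
            continue
        if src.get("category") != "write":
            continue
        covered.add(src.get("resource"))
    return covered


def uncovered_buckets(buckets_json: str, logs_json: str) -> list:
    """Return, sorted, the buckets that fail control 3.17 (no enabled write log)."""
    names = [b["name"] for b in json.loads(buckets_json)["data"]]
    covered = buckets_with_write_logging(logs_json)
    return sorted(n for n in names if n not in covered)


if __name__ == "__main__":
    for name in uncovered_buckets(BUCKETS_JSON, LOGS_JSON):
        print(f"ALARM: bucket {name} has no enabled write-access log")
```

Against the constructed data the check flags app-uploads (log created but disabled) and public-assets (read log only), which are the two failure modes a console-only review most easily misses. In a real run, the two JSON inputs would be the raw output of the corresponding `oci` list commands, one pair per compartment.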
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v120_3_17
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v120_3_17 --share
SQL
This control uses a named query:
manual_control