turbot/oci_compliance

Control: 4.1.1 Ensure no Object Storage buckets are publicly visible

Description

A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.

Remediation

From Console

  1. Log in to the OCI Console.
  2. Click the search bar at the top of the screen.
  3. Type Advanced Resource Query and press Enter.
  4. Click the Advanced Resource Query button in the upper right of the screen.
  5. Enter the following query in the query box:
query
bucket resources
where (publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')
  6. For each bucket in the returned results, click the Bucket Display Name.
  7. Click Edit Visibility.
  8. Select Private.
  9. Click Save Changes.

From Command Line

  1. Execute the following command:
oci search resource structured-search --query-text "query bucket resources where (publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')"
  2. Ensure the query returns no results.
  3. For each bucket identified, get the bucket name and make it private:

oci os bucket update --bucket-name <bucket-name> --public-access-type NoPublicAccess
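The command-line steps above can be scripted so that every public bucket is found and fixed in one pass. The following Python script is an added example written for this page, not code from the oci_compliance mod or from Oracle. It assumes bucket records shaped like the "data" object returned by `oci os bucket get --bucket-name <name>` (keys "name", "namespace" and "public-access-type"); the three sample records are constructed. By default it only prints the `oci os bucket update` commands it would run, and it calls the OCI CLI only when `--apply` is passed.

```python
"""Find public OCI Object Storage buckets and plan their remediation.

Added example for CIS 4.1.1, not part of the oci_compliance mod. Assumes bucket
records shaped like the "data" object of `oci os bucket get --bucket-name <name>`
(keys "name", "namespace", "public-access-type"). Sample data is constructed.
"""
import json
import shlex
import subprocess
import sys

# Visibility values the control treats as public, and the one that passes.
PUBLIC_ACCESS_TYPES = {"ObjectRead", "ObjectReadWithoutList"}
PRIVATE_ACCESS_TYPE = "NoPublicAccess"

# Constructed sample records (namespace "examplens" is a placeholder).
SAMPLE_BUCKETS = [
    {"name": "public-assets", "namespace": "examplens", "public-access-type": "ObjectRead"},
    {"name": "logs-archive", "namespace": "examplens", "public-access-type": "NoPublicAccess"},
    {"name": "downloads", "namespace": "examplens", "public-access-type": "ObjectReadWithoutList"},
]


def is_public(bucket):
    """True when the bucket's visibility is one of the public types."""
    return bucket.get("public-access-type") in PUBLIC_ACCESS_TYPES


def find_public_buckets(buckets):
    """Names of all buckets that fail the control, in input order."""
    return [b["name"] for b in buckets if is_public(b)]


def remediation_command(bucket):
    """argv for the `oci os bucket update` call that makes one bucket private."""
    return [
        "oci", "os", "bucket", "update",
        "--namespace", bucket["namespace"],
        "--bucket-name", bucket["name"],
        "--public-access-type", PRIVATE_ACCESS_TYPE,
    ]


def plan_remediation(buckets):
    """Map each public bucket name to the shell command that would fix it."""
    return {b["name"]: shlex.join(remediation_command(b)) for b in buckets if is_public(b)}


def main(argv):
    """Dry-run by default; `--stdin` reads a JSON list of records; `--apply` runs the CLI."""
    buckets = json.load(sys.stdin) if "--stdin" in argv else SAMPLE_BUCKETS
    plan = plan_remediation(buckets)
    if not plan:
        print("No public buckets found; control passes.")
        return 0
    for name, cmd in plan.items():
        print(f"{name}: {cmd}")
        if "--apply" in argv:
            # Real remediation: requires a configured OCI CLI and update rights.
            subprocess.run(shlex.split(cmd), check=True)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the planned commands for the sample data; pipe real `oci os bucket get` output (as a JSON list of the "data" objects) with `--stdin`, and add `--apply` only after reviewing the plan, since making a bucket private breaks any unauthenticated clients that relied on it. The non-zero exit status when public buckets remain makes the script usable as a CI gate.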

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_4_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_4_1_1 --share

SQL

This control uses a named query:

objectstorage_bucket_public_access_blocked

Tags