Loading controls...
Control: 4.1.1 Ensure no Object Storage buckets are publicly visible
Description
A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.
Remediation
From Console
- Login to OCI Console.
- Click in the search bar, top of the screen.
- Type
Advanced ResourceQuery and clickenter. - Click the
Advanced Resource Querybutton in the upper right of the screen. - Enter the following query in the query box:
querybucket resourceswhere (publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')- For each
bucketin the returned results, click the BucketDisplay Name. - Click
Edit Visibility. - Select
Private. - Click
Save Changes.
From Command Line
- Execute the following command:
oci search resource structured-search --query-text "query bucket resourceswhere (publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')"Ensure query returns no results
For each of the buckets identified get the bucket name
oci os bucket update --bucket-name <bucket-name> --public-access-type NoPublicAccessUsage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v120_4_1_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run oci_compliance.control.cis_v120_4_1_1 --shareSQL
This control uses a named query:
objectstorage_bucket_public_access_blocked