Control: 4.1.3 Ensure Versioning is Enabled for Object Storage Buckets
Description
A bucket is a logical container for storing objects. Object versioning is enabled at the bucket level and is disabled by default upon creation. Versioning directs Object Storage to automatically create an object version each time a new object is uploaded, an existing object is overwritten, or when an object is deleted. You can enable object versioning at bucket creation time or later.
Remediation
From Console
- Log in to OCI Console.
- Select Object Storage from the Services menu.
- Select Object Storage from the Object Storage menu.
- Click on an individual bucket under the Name heading.
- Ensure that the Object Versioning is not set to Enabled.
- Repeat for each compartment.
- For each bucket in the returned results, click the Bucket Display Name.
- Click Edit next to Object Versioning: Disabled.
- Click Enable Versioning.
From Command Line
- Execute the following command:
# List every bucket in every region and compartment whose versioning is Disabled
for region in $(oci iam region list | jq -r '.data[] | .name'); do
  for compid in $(oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'); do
    for bkt in $(oci os bucket list --compartment-id "$compid" --region "$region" 2>/dev/null | jq -r '.data[] | .name'); do
      output=$(oci os bucket get --bucket-name "$bkt" --region "$region" 2>/dev/null | jq -r '.data | select(."versioning" == "Disabled").name')
      if [ -n "$output" ]; then echo "$output"; fi
    done
  done
done
- Ensure no results are returned.
- For each of the buckets identified, get the bucket name:
oci os bucket update --bucket-name <bucket name> --versioning Enabled
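The audit loop above prints only buckets whose versioning is Disabled and discards errors with 2>/dev/null, so a bucket in the Suspended state, or one the caller could not read, produces no output and looks compliant. The Python below is an added example, not part of the benchmark or of the control's own code: it classifies the JSON that oci os bucket get returns and treats anything other than Enabled as a finding. Assumptions: the JSON shape is taken from the jq filter above, Suspended is OCI's third versioning state, the function names and sample records are constructed, and --region is added to the update command.

```python
import json
import shlex

# Constructed sample: (region, bucket, raw stdout of `oci os bucket get`).
# An empty string models a call whose error was hidden by 2>/dev/null.
SAMPLE = [
    ("us-ashburn-1", "app-logs", '{"data": {"name": "app-logs", "versioning": "Enabled"}}'),
    ("us-ashburn-1", "backups", '{"data": {"name": "backups", "versioning": "Disabled"}}'),
    ("eu-frankfurt-1", "exports", '{"data": {"name": "exports", "versioning": "Suspended"}}'),
    ("eu-frankfurt-1", "restricted", ""),
]


def classify(raw):
    """Return the versioning state, or 'Unknown' if the output is unusable."""
    try:
        state = json.loads(raw)["data"]["versioning"]
    except (ValueError, KeyError, TypeError):
        return "Unknown"
    return state if isinstance(state, str) else "Unknown"


def audit(records):
    """Split buckets into compliant, non-compliant and unverified lists."""
    report = {"compliant": [], "noncompliant": [], "unverified": []}
    for region, name, raw in records:
        state = classify(raw)
        if state == "Enabled":
            report["compliant"].append((region, name))
        elif state == "Unknown":
            # Could not be read: must be re-checked, never assumed compliant.
            report["unverified"].append((region, name))
        else:  # Disabled, Suspended, or any other value
            report["noncompliant"].append((region, name, state))
    return report


def remediation_commands(report):
    """Build the page's update command for each non-compliant bucket."""
    return [
        "oci os bucket update --bucket-name %s --region %s --versioning Enabled"
        % (shlex.quote(name), shlex.quote(region))
        for region, name, _state in report["noncompliant"]
    ]


if __name__ == "__main__":
    result = audit(SAMPLE)
    print(json.dumps(result, indent=2))
    print("\n".join(remediation_commands(result)))
```

Buckets listed under unverified need the audit repeated with sufficient permissions before the control can be considered passed.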
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v120_4_1_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v120_4_1_3 --share
SQL
This control uses a named query:
objectstorage_bucket_versioning_enabled