turbot/oci_compliance

Control: 5.1.1 Ensure no Object Storage buckets are publicly visible

Description

A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.

Removing unfettered reading of objects in a bucket reduces an organization's exposure to data loss.

Remediation

From Console

  1. Follow the audit procedure above.
  2. For each bucket in the returned results, click the Bucket Display Name.
  3. Click Edit Visibility.
  4. Select Private.
  5. Click Save Changes.

From CLI

  1. Follow the audit procedure.
  2. For each of the buckets identified, execute the following command:
     oci os bucket update --bucket-name <bucket-name> --public-access-type NoPublicAccess

Default Value

Private

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_5_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_5_1_1 --share

SQL

This control uses a named query:

objectstorage_bucket_public_access_blocked
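As an added illustration (not the mod's own named query), the check can be expressed as a Steampipe control query over the OCI plugin's oci_objectstorage_bucket table; the column names id, name, public_access_type, region, compartment_id and tenant_id are assumed from that plugin, and the resource/status/reason columns are the shape Powerpipe expects from a control query.

```sql
-- Added example, not the query shipped in turbot/oci_compliance.
-- Assumes the Steampipe OCI plugin table oci_objectstorage_bucket with the
-- columns used below. OCI buckets carry one of three public_access_type values:
-- NoPublicAccess, ObjectRead or ObjectReadWithoutList. Only NoPublicAccess is
-- private; ObjectReadWithoutList still lets anyone fetch an object by name, so
-- the check compares against NoPublicAccess rather than looking for ObjectRead.
select
  b.id as resource,
  case
    when b.public_access_type = 'NoPublicAccess' then 'ok'
    else 'alarm'
  end as status,
  case
    when b.public_access_type = 'NoPublicAccess'
      then b.name || ' is private (NoPublicAccess).'
    else b.name || ' is publicly accessible (' || b.public_access_type || ').'
  end as reason,
  b.region,
  b.compartment_id,
  b.tenant_id
from
  oci_objectstorage_bucket as b
order by
  status desc,
  b.name;
```

Every row reported as alarm is a candidate for the console or CLI remediation steps above; re-running the query after the update confirms the bucket now reports ok.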

Tags