turbot/steampipe-mod-alicloud-compliance

Control: 2.2 Ensure the OSS used to store ActionTrail logs is not publicly accessible

Description

ActionTrail records every API call made in your Alibaba Cloud account. These log files are stored in an OSS bucket. It is recommended that the access control list (ACL) of the OSS bucket that ActionTrail logs to prevents public access to the ActionTrail logs.

Remediation

Perform the following to remove any public access that has been granted to the bucket via an ACL:

From Console

  1. Log on to the OSS console.
  2. Click the bucket and then click Basic Settings.
  3. In the Access Control List pane, click Configure.
  4. The Bucket ACL tab shows three kinds of grants: Private, Public Read, and Public Read/Write.
  5. Ensure Private is set for the bucket.
  6. Click Save to save the ACL.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_2_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_2_2 --share

SQL

This control uses a named query:

select
  -- Resource identifier in ARN form; the account id is taken from the trail row
  -- (the original concatenated the literal string ':account_id' here).
  'acs' || ':actiontrail:' || trail.region || ':' || trail.account_id || ':actiontrail/' || trail.name as resource,
  -- Any ACL other than 'private' (public-read, public-read-write) is an alarm.
  case
    when bucket.acl <> 'private' then 'alarm'
    else 'ok'
  end as status,
  case
    when bucket.acl <> 'private' then 'oss bucket ' || bucket.name || ' used to store ActionTrail logs is publicly accessible.'
    else 'oss bucket ' || bucket.name || ' used to store ActionTrail logs is not publicly accessible.'
  end as reason,
  trail.account_id as account_id,
  trail.region as region
from
  alicloud_action_trail as trail
  join alicloud_oss_bucket as bucket on trail.oss_bucket_name = bucket.name;
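The inner join above silently drops any trail whose bucket Steampipe cannot list (for example, a bucket the scanning credential is not allowed to see), so such a trail produces no row at all rather than a finding. The following is an added example, not part of the mod, that runs the same check over constructed sample rows (the names, regions and account id are made up) with a left join so that a trail pointing at a bucket that was not found is surfaced as 'error' instead of disappearing:

```sql
-- Constructed sample data standing in for alicloud_action_trail and alicloud_oss_bucket.
with action_trail(name, region, account_id, oss_bucket_name) as (
  values
    ('trail-prod',   'cn-hangzhou', '123456789012', 'audit-logs-prod'),    -- bucket is private
    ('trail-dev',    'cn-hangzhou', '123456789012', 'audit-logs-dev'),     -- bucket is public-read
    ('trail-orphan', 'cn-shanghai', '123456789012', 'audit-logs-missing')  -- bucket not visible
),
oss_bucket(name, acl) as (
  values
    ('audit-logs-prod', 'private'),
    ('audit-logs-dev',  'public-read')
)
select
  'acs:actiontrail:' || trail.region || ':' || trail.account_id || ':actiontrail/' || trail.name as resource,
  case
    -- Left join leaves bucket columns null when the bucket was not returned.
    when bucket.name is null then 'error'
    when bucket.acl <> 'private' then 'alarm'
    else 'ok'
  end as status,
  case
    when bucket.name is null then 'oss bucket ' || trail.oss_bucket_name || ' referenced by trail ' || trail.name || ' was not found.'
    when bucket.acl <> 'private' then 'oss bucket ' || bucket.name || ' used to store ActionTrail logs is publicly accessible.'
    else 'oss bucket ' || bucket.name || ' used to store ActionTrail logs is not publicly accessible.'
  end as reason,
  trail.account_id as account_id,
  trail.region as region
from
  action_trail as trail
  left join oss_bucket as bucket on trail.oss_bucket_name = bucket.name
order by trail.name;
```

Swap the two CTEs for the real `alicloud_action_trail` and `alicloud_oss_bucket` tables to run it against a live Steampipe connection.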

Tags