
Control: 5.1 Ensure that OSS bucket is not anonymously or publicly accessible


It is recommended that the access policy on an OSS bucket does not allow anonymous and/or public access.


Anonymous or public access to an OSS bucket can be restricted through both the Bucket ACL and the Bucket Policy.

From Console

Using the Bucket ACL:

  1. Log on to the OSS console.
  2. In the bucket-list pane, click the target OSS bucket.
  3. Click Basic Setting in the top middle of the console.
  4. Under the ACL section, click configure.
  5. Click Private.
  6. Click Save.

Using Bucket Policy:

  1. Log on to the OSS console.
  2. Click Bucket, and then click the name of the target bucket.
  3. Click the Files tab. On the page that appears, click Authorize.
  4. In the Authorize dialog box that appears, click Authorize.
  5. In the Authorize dialog box that appears, choose Anonymous Accounts (*) for Accounts and choose None for Authorized Operation.


Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_5_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_5_1 --share


This control uses a named query:

-- A bucket passes only when its ACL is private; any other ACL raises an alarm.
select
  'acs:oss:::' || name as resource,
  case
    when acl = 'private' then 'ok'
    else 'alarm'
  end as status,
  case
    when acl = 'private' then title || ' not publicly accessible.'
    else name || ' publicly accessible.'
  end as reason,
  account_id as account_id,
  region as region
from
  alicloud_oss_bucket;
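
The query above tests only the acl value, while the remediation covers both the Bucket ACL and the Bucket Policy. The following Python is an added example, not part of the Powerpipe mod, that applies the same ok/alarm logic and also flags Allow statements granted to the anonymous account (*). The function names, the sample buckets and the policy layout (Statement, Effect, Principal, Action) are assumptions made for illustration.

```python
import json

def _policy(effect, bucket):
    # Constructed policy in the OSS bucket-policy JSON shape (assumed layout).
    return json.dumps({"Version": "1", "Statement": [{
        "Effect": effect, "Action": ["oss:GetObject"], "Principal": ["*"],
        "Resource": [f"acs:oss:*:*:{bucket}/*"]}]})

# Constructed inventory: bucket name -> (ACL, bucket policy JSON or None).
SAMPLE_BUCKETS = {
    "logs-private": ("private", None),
    "site-assets": ("public-read", None),
    "shared-reports": ("private", _policy("Allow", "shared-reports")),
    "deny-only": ("private", _policy("Deny", "deny-only")),
}

def as_list(value):
    """Policy fields may hold one string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def anonymous_allow_statements(policy_json):
    """Allow statements whose Principal includes the anonymous account (*)."""
    if not policy_json:
        return []
    statements = as_list(json.loads(policy_json).get("Statement"))
    return [s for s in statements
            if s.get("Effect") == "Allow" and "*" in as_list(s.get("Principal"))]

def evaluate(name, acl, policy_json):
    """Same ok/alarm result as the control's ACL test, plus the bucket policy."""
    if acl != "private":
        return ("alarm", f"{name} publicly accessible (ACL {acl}).")
    hits = anonymous_allow_statements(policy_json)
    if hits:
        actions = sorted({a for s in hits for a in as_list(s.get("Action"))})
        return ("alarm", f"{name} policy allows anonymous {', '.join(actions)}.")
    return ("ok", f"{name} not publicly accessible.")

def audit(buckets):
    """Evaluate every bucket; returns {name: (status, reason)}."""
    return {n: evaluate(n, acl, pol) for n, (acl, pol) in buckets.items()}

if __name__ == "__main__":
    for bucket, (status, reason) in audit(SAMPLE_BUCKETS).items():
        print(f"{status:5} {reason}")
```

An Allow statement for the anonymous account is reported even when it carries a Condition, so conditional grants surface for manual review.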
