Control: 5.4 Ensure that 'Secure transfer required' is set to 'Enabled'
Description
Enforce encryption in transit by requiring HTTPS (TLS) for every request to the bucket. In OSS this is implemented as a bucket policy that denies all principals access when the request is not made over a secure transport.
Remediation
From Console
- Log on to the OSS console.
- In the bucket list pane, click the target OSS bucket.
- Click Files in the top middle of the console.
- Click Authorize.
- Select Whole Bucket, *, None (Authorized Operation) and http (Conditions: Access Method).
- Click Save.
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v100_5_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_5_4 --share
SQL
This control uses a named query:
with ssl_ok as (
  select distinct
    name,
    'ok' as status
  from
    alicloud_oss_bucket,
    jsonb_array_elements(policy -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Principal') as p,
    jsonb_array_elements_text(s -> 'Resource') as r,
    jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'acs:SecureTransport') as ssl
  where
    p = '*'
    and s ->> 'Effect' = 'Deny'
    and ssl :: bool = false
)
select
  'acs:oss:::' || b.name as resource,
  case when ok.status = 'ok' then 'ok' else 'alarm' end as status,
  case
    when ok.status = 'ok' then b.title || ' bucket policy enforces HTTPS.'
    else b.title || ' bucket policy does not enforce HTTPS.'
  end as reason,
  b.account_id as account_id,
  b.region as region
from
  alicloud_oss_bucket as b
  left join ssl_ok as ok on ok.name = b.name;
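The following Python is an added example, not part of the mod or of Alibaba Cloud's documentation. It mirrors the named query's decision logic (Effect is Deny, Principal contains `*`, and the `acs:SecureTransport` Bool condition is `false`) against constructed bucket policies, so you can see which shapes of policy the control accepts and which it flags. The policy documents, the bucket name `example-bucket` and the helper names are all assumptions made for illustration; the first policy is the shape the console steps under Remediation produce.

```python
import json

# Constructed sample policies for illustration only (not real account data).
# COMPLIANT_POLICY is what the Remediation steps create: deny every principal
# any OSS action on the whole bucket when the request is not over TLS.
COMPLIANT_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["oss:*"],
        "Principal": ["*"],
        "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
        "Condition": {"Bool": {"acs:SecureTransport": ["false"]}},
    }],
})

# Same statement with Effect Allow: this grants plaintext HTTP instead of blocking it.
ALLOW_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:*"],
        "Principal": ["*"],
        "Resource": ["acs:oss:*:*:example-bucket/*"],
        "Condition": {"Bool": {"acs:SecureTransport": ["false"]}},
    }],
})

# Deny over HTTP, but only for one RAM user (assumed id), so other callers may still use HTTP.
NARROW_PRINCIPAL_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["oss:*"],
        "Principal": ["123456789012345678"],
        "Resource": ["acs:oss:*:*:example-bucket/*"],
        "Condition": {"Bool": {"acs:SecureTransport": ["false"]}},
    }],
})

# No bucket policy at all: alicloud_oss_bucket.policy is NULL, so ssl_ok has no row.
NO_POLICY = None


def _as_list(value):
    """Normalise a policy element to a list; the console writes arrays, but
    a hand-written policy may use a bare string."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def enforces_https(policy_json):
    """Return True when some statement denies every principal ('*') access
    while acs:SecureTransport is false. This is what the ssl_ok CTE in the
    named query tests after unnesting Statement, Principal and the condition
    value; the query casts the condition text to boolean, so 'false'/'FALSE'
    are accepted here the same way."""
    if not policy_json:
        return False
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if "*" not in _as_list(stmt.get("Principal")):
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        values = _as_list(bool_cond.get("acs:SecureTransport"))
        if any(str(v).lower() == "false" for v in values):
            return True
    return False


def evaluate(bucket_name, policy_json):
    """Build the same resource / status / reason triple the control reports."""
    ok = enforces_https(policy_json)
    verb = "enforces" if ok else "does not enforce"
    return {
        "resource": f"acs:oss:::{bucket_name}",
        "status": "ok" if ok else "alarm",
        "reason": f"{bucket_name} bucket policy {verb} HTTPS.",
    }


if __name__ == "__main__":
    for label, policy in [("compliant", COMPLIANT_POLICY), ("allow", ALLOW_POLICY),
                          ("narrow principal", NARROW_PRINCIPAL_POLICY), ("no policy", NO_POLICY)]:
        print(label, evaluate("example-bucket", policy))
```

Like the query it mirrors, this check keys only on Effect, Principal and the SecureTransport condition: it unnests Resource but never filters on it, and it does not look at Action. A Deny statement scoped to a single prefix, or to a subset of actions, would therefore still report `ok` even though other objects or operations remain reachable over HTTP. If you want the control to be strict about that, extend the `where` clause of the named query (and the loop above) to require `oss:*` and a whole-bucket resource as well.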