turbot/steampipe-mod-alicloud-compliance

Control: 5.7 Ensure network access rule for storage bucket is not set to publicly accessible

Description

Restricting default network access adds a further layer of security, because an OSS bucket otherwise accepts connections from clients on any network. To limit access to selected networks, the default action must be changed, for example by attaching a bucket policy that conditions access on the client source IP (acs:SourceIp).

Remediation

Using the management console:

  1. Log on to the OSS console.
  2. In the bucket list pane, click the target OSS bucket.
  3. Click Files at the top middle of the console.
  4. Click Authorize.
  5. For the resource choose Whole Bucket, for the authorized user enter *, for the authorized operation choose None, and set the IP condition to the specific IP address or IP address segment.
  6. Click Save.

Default Value:

Not set.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_5_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_5_7 --share

SQL

This control uses a named query:

select
  'arn:acs:::' || account_id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  account_id as account_id
from
  alicloud_account;
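The shipped query only emits an info row per account, because the benchmark treats this control as a manual check. The following query is an added example, not part of the mod or of the CIS benchmark, of how the check could be automated against the Steampipe alicloud plugin. It assumes the `alicloud_oss_bucket` table exposes the bucket policy as a jsonb column named `policy` in the standard OSS layout (`Statement` array with `Effect`, `Principal`, `Action`, `Resource` and optional `Condition`), and it flags any bucket whose policy has an Allow statement for principal `*` that is not restricted by an `acs:SourceIp` condition.

```sql
-- Added example (not the mod's own query). Assumes alicloud_oss_bucket
-- has a jsonb column `policy` holding the OSS bucket policy document.
with public_access as (
  select
    b.arn,
    -- true if any statement grants Allow to everyone (Principal "*")
    -- without an IpAddress / acs:SourceIp condition
    bool_or(
      s ->> 'Effect' = 'Allow'
      and (s -> 'Principal') ? '*'
      and not coalesce((s -> 'Condition' -> 'IpAddress') ? 'acs:SourceIp', false)
    ) as is_public
  from
    alicloud_oss_bucket as b
    -- buckets with no policy still produce one row (s is null)
    left join lateral jsonb_array_elements(
      coalesce(b.policy -> 'Statement', '[]'::jsonb)
    ) as s on true
  group by
    b.arn
)
select
  b.arn as resource,
  case
    when coalesce(p.is_public, false) then 'alarm'
    else 'ok'
  end as status,
  case
    when coalesce(p.is_public, false)
      then b.name || ' policy allows principal * without an acs:SourceIp condition.'
    else b.name || ' policy has no unrestricted public-access statement.'
  end as reason,
  b.region,
  b.account_id
from
  alicloud_oss_bucket as b
  left join public_access as p on p.arn = b.arn;
```

Two caveats when using this in place of the manual check: a bucket ACL of public-read or public-read-write grants anonymous access independently of the bucket policy and should be checked against the table's ACL column as a separate control, and a policy that uses `NotIpAddress` or other condition keys to narrow access will not be recognised as restricted by this query, so such buckets will show as alarm and need a human review.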

Tags