Control: 5.1 Ensure that OSS bucket is not anonymously or publicly accessible

Description

A bucket is a container used to store objects in Object Storage Service (OSS). All objects in OSS are stored in buckets.

It is recommended that the access policy on OSS bucket does not allow anonymous and/or public access.

Remediation

The anonymous or public access to OSS bucket can be restricted through both Bucket ACL and Bucket Policy.

Using the Bucket ACL:

Logon to OSS console.
In the bucket-list pane, click on a target OSS bucket.
Click on Basic Setting in top middle of the console.
Under ACL section, click on configure.
Click Private.
Click Save.

Using Bucket Policy:

Logon to OSS console.
Click Bucket, and then click the name of target bucket.
Click the Files tab. On the page that appears, click Authorize.
In the Authorize dialog box that appears, click Authorize.
In the Authorize dialog box that appears, choose the Anonymous Accounts (*) for Accounts and choose None for Authorized Operation.
Click OK.

Default Value:

Private.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_5_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_5_1 --share

SQL

This control uses a named query:

select
  'acs:oss:::' || name as resource,
  case
    when acl = 'private' then 'ok'
    else 'alarm'
  end as status,
  case
    when acl = 'private' then title || ' not publicly accessible.'
    else name || ' publicly accessible.'
  end as reason
  
  , account_id as account_id, region as region
from
  alicloud_oss_bucket;