Control: 5.1.1 Ensure no Object Storage buckets are publicly visible
Description
A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.
Removing unfettered reading of objects in a bucket reduces an organization's exposure to data loss.
Remediation
From Console
- Follow the audit procedure above.
- For each bucket in the returned results, click the bucket's Display Name.
- Click Edit Visibility.
- Select Private.
- Click Save Changes.
From CLI
- Follow the audit procedure.
- For each of the buckets identified, execute the following command:
oci os bucket update --bucket-name <bucket-name> --public-access-type NoPublicAccess
Default Value
Private
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_5_1_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_5_1_1 --share
SQL
This control uses a named query:
select
  a.id as resource,
  case
    when public_access_type like 'Object%' then 'alarm'
    else 'ok'
  end as status,
  case
    when public_access_type like 'Object%' then a.title || ' publicly accessible.'
    else a.title || ' not publicly accessible.'
  end as reason,
  a.region as region,
  a.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  oci_objectstorage_bucket as a
  left join oci_identity_compartment as c on c.id = a.compartment_id;
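The following is an added example, not part of the oci_compliance mod, that mirrors the query's alarm/ok logic over constructed bucket records (so you can see that both ObjectRead and ObjectReadWithoutList match 'Object%', and that a bucket whose compartment is missing from the join reports 'root') and builds the matching CLI remediation for every flagged bucket. The bucket and compartment records are constructed sample data; the function names are this example's own.

```python
# Constructed sample rows, shaped like the oci_objectstorage_bucket and
# oci_identity_compartment columns the named query reads.
SAMPLE_BUCKETS = [
    {"id": "ocid1.bucket.oc1..aaa1", "title": "public-logs", "region": "us-ashburn-1",
     "tenant_name": "example-tenancy", "compartment_id": "ocid1.compartment.oc1..c1",
     "public_access_type": "ObjectRead"},
    {"id": "ocid1.bucket.oc1..aaa2", "title": "shared-assets", "region": "us-phoenix-1",
     "tenant_name": "example-tenancy", "compartment_id": "ocid1.tenancy.oc1..root",
     "public_access_type": "ObjectReadWithoutList"},   # also matches like 'Object%'
    {"id": "ocid1.bucket.oc1..aaa3", "title": "backups", "region": "us-ashburn-1",
     "tenant_name": "example-tenancy", "compartment_id": "ocid1.compartment.oc1..c1",
     "public_access_type": "NoPublicAccess"},
]
SAMPLE_COMPARTMENTS = {"ocid1.compartment.oc1..c1": "prod"}  # root tenancy has no row


def is_public(public_access_type: str) -> bool:
    """Same predicate as the SQL: public_access_type like 'Object%' (case-sensitive)."""
    return public_access_type.startswith("Object")


def run_control(buckets, compartments):
    """Produce one row per bucket with the same columns the named query returns."""
    rows = []
    for b in buckets:
        public = is_public(b["public_access_type"])
        rows.append({
            "resource": b["id"],
            "status": "alarm" if public else "ok",
            "reason": f"{b['title']} {'publicly' if public else 'not publicly'} accessible.",
            "region": b["region"],
            "tenant": b["tenant_name"],
            # left join + coalesce(c.name, 'root'): unmatched compartment -> 'root'
            "compartment": compartments.get(b["compartment_id"], "root"),
        })
    return rows


def remediation_plan(buckets):
    """The 'From CLI' remediation step, emitted only for buckets in alarm."""
    return [
        f"oci os bucket update --bucket-name {b['title']} --public-access-type NoPublicAccess"
        for b in buckets if is_public(b["public_access_type"])
    ]


if __name__ == "__main__":
    for row in run_control(SAMPLE_BUCKETS, SAMPLE_COMPARTMENTS):
        print(row["status"], row["compartment"], row["reason"])
    print("\n".join(remediation_plan(SAMPLE_BUCKETS)))
```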