Ensure Alibaba Cloud OSS bucket is not public

Error: Alibaba Cloud OSS bucket is public

Bridgecrew Policy ID: BC_ALI_GENERAL_5
Checkov Check ID: CKV_ALI_1
Severity: LOW

Alibaba Cloud OSS bucket is public

Description

This policy identifies Object Storage Service (OSS) buckets that are publicly accessible. Alibaba Cloud OSS allows customers to store and retrieve any type of content from anywhere on the web. Customers often have legitimate reasons to expose an OSS bucket to the public, for example to host website content. However, these buckets often contain highly sensitive enterprise data which, if left open to the public, may result in sensitive data leaks.

Fix - Runtime

Alibaba Cloud Portal

  1. Log in to Alibaba Cloud Portal
  2. Go to Object Storage Service
  3. In the left-side navigation pane, click on the reported bucket
  4. In the 'Basic Settings' tab, in the 'Access Control List (ACL)' section, click on 'Configure'
  5. For the 'Bucket ACL' field, choose the 'Private' option
  6. Click on 'Save'

Fix - Buildtime

Terraform

resource "alicloud_oss_bucket" "good-bucket" {
  bucket = "bucket-1732-acl"
  # A private canned ACL denies anonymous reads and writes; "public-read" and
  # "public-read-write" are the values this check reports.
  acl    = "private"
}
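As an added example, not Checkov's own source, the following Python script re-implements the condition behind CKV_ALI_1 over flat Terraform resource blocks: it parses `alicloud_oss_bucket` resources, reports any whose `acl` is a public canned ACL, and (an assumption made here) treats a missing `acl` as the provider default of `private`. The sample Terraform it scans is constructed and includes the page's `good-bucket` alongside a public and an acl-less bucket.

```python
import re
from enum import Enum

# Constructed sample: the page's hardened bucket plus two contrasting cases.
SAMPLE_TF = '''
resource "alicloud_oss_bucket" "good-bucket" {
  bucket = "bucket-1732-acl"
  acl    = "private"
}

resource "alicloud_oss_bucket" "bad-bucket" {
  bucket = "bucket-1732-public"
  acl    = "public-read"
}

resource "alicloud_oss_bucket" "default-bucket" {
  bucket = "bucket-1732-default"
}
'''

class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"

# Canned ACLs that let anonymous principals read (or read and write) objects.
PUBLIC_ACLS = {"public-read", "public-read-write"}

_BLOCK = re.compile(r'resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{([^}]*)\}', re.S)
_ATTR = re.compile(r'^\s*([\w-]+)\s*=\s*"([^"]*)"\s*$', re.M)

def parse_resources(hcl: str) -> dict:
    """Minimal HCL reader: flat string attributes only, which covers the ACL case."""
    out = {}
    for rtype, name, body in _BLOCK.findall(hcl):
        out.setdefault(rtype, {})[name] = dict(_ATTR.findall(body))
    return out

def check_oss_bucket(conf: dict) -> CheckResult:
    """CKV_ALI_1 condition. Assumption: a missing acl means the provider
    default 'private', so such a resource passes."""
    acl = conf.get("acl", "private").strip().lower()
    return CheckResult.FAILED if acl in PUBLIC_ACLS else CheckResult.PASSED

def scan(hcl: str) -> dict:
    """Map each alicloud_oss_bucket name to its CKV_ALI_1 result."""
    buckets = parse_resources(hcl).get("alicloud_oss_bucket", {})
    return {name: check_oss_bucket(conf) for name, conf in buckets.items()}

if __name__ == "__main__":
    for name, result in scan(SAMPLE_TF).items():
        print(f"{name}: {result.value}")
```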