Ensure OSS Bucket Does Not Allow All Actions From All Principals
Prevents leaking private information to the entire internet and prevents unauthorized data tampering or deletion. Concretely, a bucket policy statement must not have 'Effect' set to 'Allow' when its 'Action' is the wildcard '*' and it applies to all principals. You can configure RAM policies to manage user access to your resources stored in Object Storage Service (OSS). A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional.
Risk Level: high
Platform: Alicloud
Spectral Rule ID: TFALCLD049
REMEDIATION
Set the bucket policy so that it does not allow all actions (wildcard) from all principals:
policy = <<POLICY
{
  "Statement": [
    {
      "Action": [
-       "oss:*"
+       "oss:ListObjects"
      ]
    }
  ]
}
POLICY
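The check this rule performs can be reproduced outside of Spectral. The following is an added example, not code from the rule page or from the Spectral scanner: it parses a bucket policy as JSON (the body of the Terraform heredoc above) and reports every statement whose Effect is Allow, whose Action contains a wildcard ("*" or "oss:*"), and whose Principal is "*". The two sample policies, the bucket name, the account ID and the acceptance of a {"RAM": [...]} principal map are constructed assumptions for the demonstration.

```python
"""Added example (not part of the rule page): flag OSS bucket policy
statements that allow all actions to all principals."""
import json

# Action values that grant every OSS operation (assumption: both spellings count).
WILDCARD_ACTIONS = {"*", "oss:*"}


def _as_list(value):
    """Normalise a policy element that may be a string, a list, or absent."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def _principals(statement):
    """Collect principal strings. OSS bucket policies use a list of strings
    (or "*"); a {"RAM": [...]} map is flattened as well (assumption)."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(_as_list(value))
        return out
    return _as_list(principal)


def open_statements(policy):
    """Return indexes of statements with Effect Allow, a wildcard Action
    and a wildcard Principal. Deny statements are never reported."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        principals = set(_principals(stmt))
        if actions & WILDCARD_ACTIONS and "*" in principals:
            findings.append(idx)
    return findings


def check_policy_json(text):
    """Parse a policy document and run the check on it."""
    return open_statements(json.loads(text))


# Constructed sample policies (not from the page); bucket name and account
# ID are placeholders.
NONCOMPLIANT_POLICY = """{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:*"],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:*:example-bucket/*"]
    }
  ]
}"""

COMPLIANT_POLICY = """{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:ListObjects", "oss:GetObject"],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:*:example-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["oss:*"],
      "Principal": ["123456789012"],
      "Resource": ["acs:oss:*:*:example-bucket/*"]
    }
  ]
}"""

if __name__ == "__main__":
    for name, text in (("noncompliant", NONCOMPLIANT_POLICY),
                       ("compliant", COMPLIANT_POLICY)):
        print(name, "->", check_policy_json(text))
```

The compliant sample shows the two ways a policy stays within the rule: narrowing the Action for anonymous access, or keeping the wildcard Action but restricting the Principal to a specific account.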