Ensure OSS Bucket Does Not Allow All Actions From All Principals

A bucket policy that grants every action to every principal lets anyone on the internet read private data and tamper with or delete objects. To pass this check, no policy statement may combine 'Effect': 'Allow' with a wildcard 'Action' (* or oss:*) and a wildcard 'Principal' (*). You can configure RAM policies to manage user access to your resources stored in Object Storage Service (OSS). A RAM policy contains a version number and one or more statements. Each statement contains the elements Effect, Action, Resource and, optionally, Condition; a bucket policy additionally carries a Principal element naming who the statement applies to.

Risk Level: high
Platform: Alicloud
Spectral Rule ID: TFALCLD049
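The check described above, as an added example written for this page (it is not Spectral's own implementation): a small Python routine that loads the JSON policy document a Terraform heredoc would carry and reports every statement that combines Effect Allow with a wildcard Action and a wildcard Principal. The two sample policies, the bucket name and the RAM user ID are constructed placeholders.

```python
import json

# Constructed sample: the weak bucket policy this rule is meant to catch.
# Every OSS action is granted to every principal, anonymous callers included.
WEAK_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:*"],
            "Principal": ["*"],
            "Resource": ["acs:oss:*:*:example-bucket/*"],
        }
    ],
})

# Constructed sample: a remediated policy. Actions are narrowed to the ones the
# caller needs and the Principal is a specific RAM user ID (placeholder value).
SAFE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:ListObjects"],
            "Principal": ["20000000000000001"],
            "Resource": ["acs:oss:*:*:example-bucket/*"],
        }
    ],
})


def _as_list(value):
    """Action and Principal may be a single string or a list; normalize to a list.
    A dict-shaped Principal (AWS style) is flattened to its values so a "*" is still seen."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, dict):
        out = []
        for v in value.values():
            out.extend(_as_list(v))
        return out
    return list(value)


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    stmt = policy.get("Statement")
    if stmt is None:
        return []
    if isinstance(stmt, dict):
        return [stmt]
    return list(stmt)


def allows_all_actions(actions):
    """True if the Action element grants every OSS action ("*" or "oss:*")."""
    return any(a.strip() in ("*", "oss:*") for a in _as_list(actions))


def allows_all_principals(principal):
    """True if the Principal element grants access to anyone ("*")."""
    return any(p.strip() == "*" for p in _as_list(principal))


def find_violations(policy_json):
    """Return the indices of statements that Allow all actions to all principals.

    Deny statements are ignored: a wildcard Deny is restrictive, not permissive.
    """
    policy = json.loads(policy_json)
    hits = []
    for i, stmt in enumerate(_statements(policy)):
        if str(stmt.get("Effect", "")).strip().lower() != "allow":
            continue
        if allows_all_actions(stmt.get("Action")) and allows_all_principals(stmt.get("Principal")):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("weak policy violations:", find_violations(WEAK_POLICY))
    print("safe policy violations:", find_violations(SAFE_POLICY))
```

Run against the Terraform file by extracting the text between the heredoc markers before calling find_violations; the routine deliberately treats a bare "*" and "oss:*" the same way, and normalizes string-or-list elements so a policy author cannot dodge the check by changing the JSON shape.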

REMEDIATION

Set the bucket policy so that it does not grant all actions (the wildcard * or oss:*) to all principals (Principal *). Narrow the Action list to the operations actually needed and restrict Principal to the specific RAM users or accounts that require access.

policy = <<POLICY
{"Statement": [
  {
  "Action": [
- "oss:*"
+ "oss:ListObjects"
  ]
  }
]}
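Review bot: swapping "oss:*" for "oss:ListObjects" fixes only the Action element, but the rule's condition is the combination of Effect Allow, a wildcard Action and a wildcard Principal, and the hunk leaves Effect and Principal out entirely; if Principal is still "*", anonymous callers can list every object name in the bucket, which is still an information leak. Add the Principal restriction to the same change, e.g. "Principal": ["<RAM user or account ID>"], along with the Effect and Resource elements the statement needs to be valid. The heredoc opened with `policy = <<POLICY` also has no closing `POLICY` marker, so the fragment does not parse as shown.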

Read more: