Ensure OSS Bucket Does Not Allow Delete Action From All Principals

Prevents leaking private information to the entire internet or allowing unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. You can configure RAM policies to manage user access to your resources stored in Object Storage Service (OSS). A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional.

Risk Level: high
Platform: Alicloud
Spectral Rule ID: TFALCLD051

REMEDIATION

Set the policy so that it does not accept the delete action from all principals.

# Remediated bucket policy: the Principal is restricted to a specific RAM
# account (placeholder ID kept from the original snippet) instead of "*", so
# the Allow statement no longer applies to all principals. The Resource element
# is omitted here as in the original snippet; a complete bucket policy needs it.
policy = <<POLICY
{
  "Statement": [
    {
      "Action": [
        "oss:ListObjectVersions"
      ],
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ]
    }
  ]
}
POLICY
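The check the rule describes (an 'Allow' statement whose Principal is '*' and whose Action names a List or Delete operation) can be reproduced over a bucket policy document. The following is an added example written for this page, not Spectral's own rule implementation; the two policy documents, the bucket name and the account ID placeholder are constructed for the example.

```python
import json

# Constructed sample policies (not from the original page): one that violates the
# rule and one that has been remediated by naming a specific principal.
NONCOMPLIANT_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:ListObjects", "oss:DeleteObject"],
        "Principal": ["*"],
        "Resource": ["acs:oss:*:*:example-bucket/*"],  # constructed bucket name
    }],
})

COMPLIANT_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:ListObjects"],
        "Principal": ["20214760404935xxxx"],  # placeholder account ID, as on the page
        "Resource": ["acs:oss:*:*:example-bucket/*"],
    }],
})


def _as_list(value):
    """Policy elements may be written as a single string or as a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, keyword):
    """True if an action name covers the keyword, including wildcards such as
    "oss:List*", "oss:*" or a bare "*"."""
    name = action.split(":", 1)[-1]
    return name == "*" or keyword.lower() in name.lower()


def find_public_statements(policy_json, keywords=("List", "Delete")):
    """Return one finding per statement that grants a keyword action to all principals.

    A statement is reported when Effect is "Allow", Principal contains "*", and at
    least one Action matches a keyword. A Condition element narrows the grant but
    does not remove the finding; it is surfaced so a reviewer can judge it.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        matched = sorted({kw for kw in keywords for a in actions if _matches(a, kw)})
        if matched:
            findings.append({
                "statement": idx,
                "actions": actions,
                "matched": matched,
                "has_condition": "Condition" in stmt,
            })
    return findings


if __name__ == "__main__":
    for label, doc in (("noncompliant", NONCOMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(label, find_public_statements(doc))
```

The keyword list defaults to both List and Delete because the rule title names the delete action while the description names the list action; pass a one-element tuple to check only one of them.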

Read more: