Ensure OSS Bucket Does Not Allow Delete Action From All Principals

Risk Level: high
Platform: Alicloud
Spectral Rule ID: TFALCLD051
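
The condition this rule describes can be checked directly on a bucket policy document. The following is an added example, not Spectral's rule logic and not code from this page; the function names, the DELETE_ACTIONS list (representative, not exhaustive) and both sample policies are assumptions constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Representative delete actions (assumption: not an exhaustive OSS action list).
DELETE_ACTIONS = ("oss:DeleteObject", "oss:DeleteObjectVersion", "oss:DeleteBucket")

def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _grants_delete(pattern):
    """True if an Action entry (possibly with * wildcards) covers a delete action."""
    p = pattern.lower()
    return any(fnmatchcase(a.lower(), p) for a in DELETE_ACTIONS)

def find_public_delete(policy_text):
    """Return (index, actions) for each Allow statement open to every principal."""
    policy = json.loads(policy_text)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue  # Deny statements do not grant anything
        if "*" not in _as_list(stmt.get("Principal")):
            continue  # limited to named principals
        hits = [a for a in _as_list(stmt.get("Action")) if _grants_delete(a)]
        if hits:
            findings.append((i, hits))
    return findings

# Constructed sample policies, not taken from the page.
RISKY = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Principal": ["*"],
   "Action": ["oss:GetObject", "oss:Delete*"],
   "Resource": ["acs:oss:*:*:example-bucket/*"]}]}"""
# Same policy with the wildcard principal replaced by a specific ID.
SCOPED = RISKY.replace('"*"]', '"20214760404935xxxx"]', 1)

if __name__ == "__main__":
    print("risky :", find_public_delete(RISKY))
    print("scoped:", find_public_delete(SCOPED))
```

Wildcard entries such as "oss:*" or a bare "*" in Action are reported too, since they cover the delete actions.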

REMEDIATION

Set the policy so that it does not accept delete actions from all principals.

policy = <<POLICY
{"Statement": [
  {
    "Action": [
- "oss:ListObjectVersions", "oss:ListObjects", "oss:ListParts"
+ "oss:ListObjectVersions"
    ],
- "Effect": "Deny"
+ "Effect": "Allow",
    "Principal": [
- "*"
+ "20214760404935xxxx"
    ],
  ]
]}
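
Review bot: The "Action" array in this statement contains only oss:List* entries on both the removed and the added side, so the snippet never shows the delete action the rule is about, and the added line "Effect": "Allow" replaces "Effect": "Deny", which by itself loosens the statement rather than restricting it. Suggest reducing the example to the one change that addresses the finding, replacing "*" under "Principal" with a specific ID such as the "20214760404935xxxx" shown, on a statement whose "Action" names a delete action. Separately, the statement object is closed with ] where } is expected, there is a trailing comma after the "Principal" array, and the POLICY heredoc terminator is missing, so the policy as written is not valid JSON.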
