Ensure OSS Bucket Does Not Allow Put Action From All Principals
Prevent leaking private information to the entire internet or allowing unauthorized data tampering or deletion. This means a statement whose 'Action' contains 'Put' must not have 'Effect' set to 'Allow' for all principals ('*'). You can configure RAM policies and bucket policies to manage user access to your resources stored in Object Storage Service (OSS). A policy contains a version number and one or more statements. Each statement contains the following elements: Effect, Action, Resource, and Condition; a bucket policy statement additionally carries a Principal element naming the accounts the statement applies to, which is the element this rule inspects. The Condition element is optional.
Risk Level: high
Platform: Alicloud
Spectral Rule ID: TFALCLD052
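The check the rule describes, written out as an added example (this is not Spectral's rule implementation, and the two policies are constructed samples rather than policies taken from any real account): a statement fails when its Effect is Allow, its Principal list contains "*", and any Action covers a Put operation. The example goes slightly beyond the description by also treating the wildcard actions ("*", "oss:*", "oss:Put*") as granting Put, and by accepting Action and Principal either as a single string or as a list, both of which bucket policies permit. The RAM account ID and bucket name in the fixed policy are placeholders.

```python
"""Added example, not the rule's own code: flag OSS bucket policy statements
that let every principal write to the bucket."""
import json

# Constructed sample: the weak setting the rule is meant to catch.
WEAK_POLICY = """{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["oss:PutObject", "oss:PutObjectAcl"],
    "Resource": ["acs:oss:*:*:example-bucket/*"],
    "Principal": ["*"]
  }]
}"""

# Constructed sample: the same write grant limited to one RAM account
# (placeholder ID), plus an explicit Deny for anonymous Put operations.
FIXED_POLICY = """{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:PutObject", "oss:PutObjectAcl"],
      "Resource": ["acs:oss:*:*:example-bucket/*"],
      "Principal": ["20214760404935xxxx"]
    },
    {
      "Effect": "Deny",
      "Action": ["oss:Put*"],
      "Resource": ["acs:oss:*:*:example-bucket/*"],
      "Principal": ["*"]
    }
  ]
}"""


def _as_list(value):
    """Policy fields may be a single string/object or a list of them."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def action_grants_put(action):
    """True if an Action pattern covers any oss:Put* operation.

    Handles literal names ("oss:PutObject"), the service wildcards
    ("oss:*", "*") and trailing-glob forms such as "oss:Put*" or "oss:P*".
    """
    act = action.lower()
    if act in ("*", "oss:*"):
        return True
    if not act.startswith("oss:"):
        return False
    op = act[len("oss:"):]
    if op.endswith("*"):
        prefix = op[:-1]
        # "oss:Put*" gives prefix "put"; "oss:P*" gives "p": both cover Put.
        return prefix.startswith("put") or "put".startswith(prefix)
    return op.startswith("put")


def find_public_put_statements(policy_json):
    """Return the 0-based indexes of statements that Allow a Put action to
    the "*" principal. An empty list means the policy passes the rule."""
    policy = json.loads(policy_json)
    offending = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue  # a Deny statement never widens access
        if "*" not in _as_list(stmt.get("Principal")):
            continue
        if any(action_grants_put(a) for a in _as_list(stmt.get("Action"))):
            offending.append(idx)
    return offending


def policy_allows_public_put(policy_json):
    """Rule verdict for one policy document."""
    return bool(find_public_put_statements(policy_json))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        verdict = "FAIL" if policy_allows_public_put(doc) else "PASS"
        print(f"{name}: {verdict} {find_public_put_statements(doc)}")
```

The Deny statement in the fixed sample is optional but cheap insurance: OSS evaluates an explicit Deny ahead of any Allow, so a later Allow that is accidentally widened to "*" still cannot open anonymous writes.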
REMEDIATION
Set the policy so that it does not grant Put actions to all principals:
policy = <<POLICY
{"Statement": [
{
"Action": [
- "oss:PutObjectAcl", "oss:PutObject"
+ "oss:AbortMultipartUpload"
],
- "Effect": "Deny",
+ "Effect": "Allow",
"Principal": [
- "*"
+ "20214760404935xxxx"
],
]
]}
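Review bot: the before/after here is inverted relative to the rule. The removed lines (`"Effect": "Deny"` together with `"Principal": ["*"]` and `"oss:PutObjectAcl", "oss:PutObject"`) already deny Put to everyone, which is exactly the safe state; the added `"Effect": "Allow"` turns the statement into a grant. The condition the rule flags is Allow + Put + Principal "*", so the remediation should either keep a Deny for "*" or keep the Allow and narrow only the Principal to the account ID, not flip Deny to Allow. Two further defects in the snippet: the closing `]` that follows `],` should be `}` to close the statement object (as written the JSON does not parse), and the statement has no `"Resource"` element, which the description above lists as required.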