Ensure OSS Bucket is Not Allow Put Action From All Principals
Prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. You can configure RAM policies to manage user access to your resources stored in Object Storage Service (OSS). A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional.
Risk Level: high
Platform: Alicloud
Spectral Rule ID: TFALCLD052
REMEDIATION
set policy
to not accept put action from all principals
policy = <<POLICY
{"Statement": [
{
"Action": [
- "oss:PutObjectAcl", "oss:PutObject"
+ "oss:AbortMultipartUpload"
],
- "Effect": "Deny",
+ "Effect": "Allow",
"Principal": [
- "*"
+ "20214760404935xxxx"
],
]
]}
Read more:
Updated over 1 year ago