End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Enable Read-Level Logging for Object Storage Buckets

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-ObjectStorage-008

Ensure that read-level logging is enabled for your Oracle Cloud Infrastructure (OCI) Object Storage buckets so that read access events (object downloads and other GET/HEAD requests against the bucket) are captured for auditing and security monitoring.

Security

Enabling read-level logging for Oracle Cloud Infrastructure (OCI) Object Storage buckets provides an audit trail of who read or downloaded which objects, and when, which is needed to meet compliance and regulatory requirements (such as GDPR or HIPAA) and to investigate suspected data exfiltration. The read log records access events only; object creation, overwrite and deletion are recorded by the separate Write Access Events log category, which this rule does not evaluate, so enable both categories for full visibility into bucket activity. Logs are delivered to the OCI Logging service and kept for the log's retention period (30 days by default, configurable up to 180 days), so set the retention to match your investigation and compliance needs, or archive the log data elsewhere if you need it for longer.


Audit

To determine if read-level logging is enabled for your OCI Object Storage buckets, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Object Storage & Archive Storage console available at https://cloud.oracle.com/object-storage/.

03 In the left navigation panel, choose Buckets, and select an OCI compartment from the Compartment dropdown menu available next to Applied filters, to list the Object Storage buckets available within that compartment.

04 Click on the name (link) of the bucket that you want to examine, listed in the Name column.

05 Select the Monitoring tab, and check the Status of the Read Access Events log category, listed in the Logs section. If the Read Access Events log category Status is not set to Active, read-level logging is not enabled for the selected OCI Object Storage bucket.

06 Repeat steps no. 4 and 5 for each Object Storage bucket created in the selected Oracle Cloud Infrastructure (OCI) compartment.

07 Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account. Note that this command lists the root compartment and its direct child compartments only; to include nested compartments, add --compartment-id-in-subtree true:

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run os bucket list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the name of each Object Storage bucket available in the selected OCI compartment:

oci os bucket list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."name"'

04 The command output should return the requested bucket names:

[
	"cc-project5-data-bucket",
	"cc-cloud-artifacts-bucket"
]

05 Run logging log-group list command (Windows/macOS/Linux) to list the ID of each log group created for the specified OCI compartment:

oci logging log-group list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data[]."id"'

06 The command output should return the requested log group IDs:

[
	"ocid1.loggroup.oc1.ap-sydney-1.1234bbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
	"ocid1.loggroup.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

07 Run logging log list command (Windows/macOS/Linux) to determine if there is a read-level logging stream created for the specified bucket, within the selected OCI log group. Replace <bucket-name> with the name of the Object Storage bucket that you want to examine, returned in step no. 4:

oci logging log list
	--log-group-id 'ocid1.loggroup.oc1.ap-sydney-1.1234bbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--query "data[?(configuration.source.resource=='<bucket-name>') && (configuration.source.category=='read')]"

08 The command output should return the read-level logging object configured for the specified bucket. Check that the returned object has "is-enabled" set to true and "lifecycle-state" set to ACTIVE; a log that exists but is disabled writes no events and does not satisfy this rule. If the command output returns an empty array, as shown in the example below, no logging configuration data was found for the specified bucket:

[]

09 Repeat steps no. 7 and 8 for every log group available in the selected OCI compartment. If the logging log list command returns an empty array (i.e., []) for each log group, or returns only disabled log objects, read-level logging is not enabled for the selected OCI Object Storage bucket.

10 Repeat steps no. 5 - 9 for each Object Storage bucket provisioned in the selected OCI compartment.

11 Repeat steps no. 3 – 10 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Remediation / Resolution

To enable read-level logging for your OCI Object Storage buckets, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Logging console available at https://cloud.oracle.com/logging/.

03 In the left navigation panel, choose Log Groups, and select the OCI compartment where you want to deploy your new log group, from the Compartment dropdown menu, available next to Applied filters.

04 Choose Create Log Group and perform the following actions to create the log group that will manage your bucket's read logs:

  1. For Name, enter a unique name for the new log group.
  2. For Description, provide a short description for the log group usage.
  3. (Optional) Choose Tags, select Add tag, and use the Key and Value fields to improve resource management by adding tags.
  4. Choose Create to deploy your new OCI log group.

05 Navigate to Object Storage & Archive Storage console available at https://cloud.oracle.com/object-storage/.

06 In the left navigation panel, choose Buckets, and select an OCI compartment from the Compartment dropdown menu available next to Applied filters, to list the Object Storage buckets available in that compartment.

07 Click on the name (link) of the bucket that you want to configure, listed in the Name column.

08 Select the Monitoring tab, locate the Read Access Events log category in the Logs section, choose the Action button (3-dot icon), select Enable log, and perform the following actions to enable read-level logging for the selected bucket:

  1. Choose the appropriate OCI compartment from the Compartment dropdown menu.
  2. For Log group, select the OCI log group created in step no. 4.
  3. (Optional) For Log name, you can edit or change the log name provided by default.
  4. (Optional) Choose Show advanced options and select a log retention period for your logging data from the Log retention dropdown list.
  5. Choose Enable log to enable read-level logging for your Object Storage bucket.

09 Repeat steps no. 7 and 8 for each bucket created in the selected Oracle Cloud Infrastructure (OCI) compartment.

10 Repeat steps no. 2 – 9 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

01 Run logging log-group create command (Windows/macOS/Linux) to create the OCI log group that will manage your bucket's read logs:

oci logging log-group create
	--display-name 'cc-project5-bucket-log-group'
	--description "Log Group for Read Access Events"
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data'

02 The command output should return the work request ID:

{
	"opc-work-request-id": "ocid1.logworkrequest.oc1.ap-sydney-1.aaaa1234ccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
}

03 Run logging work-request get command (Windows/macOS/Linux) with the work request ID returned in the previous step to retrieve the identifier (ID) of the newly created log group:

oci logging work-request get
	--work-request-id 'ocid1.logworkrequest.oc1.ap-sydney-1.aaaa1234ccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--query 'data.resources[].identifier'

04 The command output should return the requested log group ID:

[
	"ocid1.loggroup.oc1.ap-sydney-1.abcdbbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

05 Specify the parameters and settings for the required read-level logging object. Save this configuration to a JSON file named cc-read-logging-config.json. Replace <compartment-id> with the ID of your OCI compartment and <bucket-name> with the name of the bucket that you want to configure for logging (the keys of this document are camelCase, as for all JSON complex-type inputs to the OCI CLI):

{
	"archiving": {
		"isEnabled": false
	},
	"compartmentId": "<compartment-id>",
	"source": {
		"category": "read",
		"resource": "<bucket-name>",
		"service": "objectstorage",
		"sourceType": "OCISERVICE"
	}
}

06 Run logging log create command (Windows/macOS/Linux) to enable read-level logging for your Object Storage bucket by creating the necessary log resource. For --configuration, use the JSON configuration file defined in the previous step (i.e., cc-read-logging-config.json):

oci logging log create
	--display-name 'cc-project5-data-bucket-read'
	--log-group-id 'ocid1.loggroup.oc1.ap-sydney-1.abcdbbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--log-type 'SERVICE'
	--is-enabled true
	--configuration file://cc-read-logging-config.json

07 The command output should return the work request ID:

{
	"opc-work-request-id": "ocid1.logworkrequest.oc1.ap-sydney-1.abcdbbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
}

08 Repeat steps no. 5 - 7 for each bucket created in the selected Oracle Cloud Infrastructure (OCI) compartment.

09 Repeat steps no. 1 – 8 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
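The CLI audit (steps 1 to 11 of the Audit section) and the CLI remediation (steps 5 to 9 above) are a loop over compartments, buckets and log groups that is tedious to run by hand and easy to get wrong when a read log exists but is disabled. The following script is an added example, not code from this page, from Trend Micro or from Oracle. It drives the same oci commands shown above through subprocess, assumes a configured oci profile that can list buckets, log groups and logs, and flags a bucket as non-compliant unless it has an Object Storage log with category read that is both enabled and ACTIVE. Without arguments it is a dry run that prints the logging log create command for each non-compliant bucket; with --apply followed by a log group OCID it executes them. The SAMPLE_* values are constructed test data, not real OCIDs or CLI output, so the evaluation logic can be exercised offline.

```python
"""Audit OCI Object Storage buckets for an enabled read-level log and emit
(or apply) the remediation for each bucket that lacks one.

Added example; not code from the Conformity page or from Oracle. Assumes a
configured `oci` profile. Usage:
    python audit_read_logs.py                      # dry run, print commands
    python audit_read_logs.py --apply <log-group-ocid>
"""
import json
import subprocess
import sys


def oci_json(*args):
    """Run an OCI CLI command with JSON output and return its 'data' list."""
    proc = subprocess.run(["oci", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)["data"] if proc.stdout.strip() else []


def is_active_read_log(log, bucket):
    """True if `log` (one entry of `oci logging log list`) is an enabled,
    ACTIVE read-category Object Storage log for `bucket`. A log that exists
    but is disabled, or is still CREATING/DELETING, writes no events and so
    does not count (the Console shows it with a Status other than Active)."""
    src = (log.get("configuration") or {}).get("source") or {}
    return (src.get("service") == "objectstorage"
            and src.get("category") == "read"
            and src.get("resource") == bucket
            and log.get("is-enabled") is True
            and log.get("lifecycle-state") == "ACTIVE")


def noncompliant_buckets(buckets, logs_by_group):
    """Bucket names with no active read log in any of the compartment's log
    groups. `logs_by_group` maps log-group OCID -> list of log list entries."""
    logs = [log for entries in logs_by_group.values() for log in entries]
    return [b for b in buckets if not any(is_active_read_log(l, b) for l in logs)]


def read_log_config(compartment_id, bucket):
    """The --configuration document for `oci logging log create`, same shape
    as the cc-read-logging-config.json file in the Remediation section."""
    return {"archiving": {"isEnabled": False},
            "compartmentId": compartment_id,
            "source": {"category": "read", "resource": bucket,
                       "service": "objectstorage", "sourceType": "OCISERVICE"}}


def remediation_argv(log_group_id, compartment_id, bucket):
    """argv that enables read logging for one bucket; the configuration
    document is passed inline instead of via file://."""
    return ["oci", "logging", "log", "create",
            "--display-name", f"{bucket}-read",
            "--log-group-id", log_group_id,
            "--log-type", "SERVICE",
            "--is-enabled", "true",
            "--configuration", json.dumps(read_log_config(compartment_id, bucket))]


def audit_compartment(compartment_id):
    """Steps 3 to 10 of the CLI audit for one compartment, against the live CLI."""
    buckets = [b["name"] for b in oci_json("os", "bucket", "list",
                                           "--compartment-id", compartment_id, "--all")]
    groups = oci_json("logging", "log-group", "list",
                      "--compartment-id", compartment_id, "--all")
    logs_by_group = {g["id"]: oci_json("logging", "log", "list",
                                       "--log-group-id", g["id"], "--all")
                     for g in groups}
    return noncompliant_buckets(buckets, logs_by_group)


# Constructed sample data (not real OCIDs or CLI output): one compliant bucket,
# one whose read log exists but is disabled, and one that has only a write log.
SAMPLE_BUCKETS = ["cc-project5-data-bucket", "cc-cloud-artifacts-bucket", "cc-backup-bucket"]
SAMPLE_LOGS_BY_GROUP = {
    "ocid1.loggroup.oc1..sample1": [
        {"display-name": "cc-project5-data-bucket-read", "is-enabled": True,
         "lifecycle-state": "ACTIVE", "configuration": {"source": {
             "service": "objectstorage", "category": "read",
             "resource": "cc-project5-data-bucket", "source-type": "OCISERVICE"}}},
        {"display-name": "cc-cloud-artifacts-bucket-read", "is-enabled": False,
         "lifecycle-state": "ACTIVE", "configuration": {"source": {
             "service": "objectstorage", "category": "read",
             "resource": "cc-cloud-artifacts-bucket", "source-type": "OCISERVICE"}}},
    ],
    "ocid1.loggroup.oc1..sample2": [
        {"display-name": "cc-backup-bucket-write", "is-enabled": True,
         "lifecycle-state": "ACTIVE", "configuration": {"source": {
             "service": "objectstorage", "category": "write",
             "resource": "cc-backup-bucket", "source-type": "OCISERVICE"}}},
    ],
}


if __name__ == "__main__":
    args = sys.argv[1:]
    apply = "--apply" in args
    log_group = args[-1] if apply and len(args) >= 2 else "<log-group-id>"
    # --compartment-id-in-subtree true also walks nested compartments, which
    # the page's step 1 command (root and direct children only) would miss.
    for comp in oci_json("iam", "compartment", "list", "--all",
                         "--include-root", "--compartment-id-in-subtree", "true"):
        for bucket in audit_compartment(comp["id"]):
            print(f"{comp['id']}: {bucket} has no active read-level log")
            argv = remediation_argv(log_group, comp["id"], bucket)
            if apply:
                subprocess.run(argv, check=True)
            else:
                print("  " + " ".join(argv))
```

The evaluation deliberately requires "is-enabled" and an ACTIVE lifecycle state rather than mere existence of a log object, which is the case the manual query in Audit step 7 does not distinguish; the disabled-log sample bucket is reported as non-compliant for that reason. Because log create is asynchronous (it returns a work request, as shown in step 7 above), re-run the dry run a short while after applying to confirm the new logs have reached ACTIVE.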


Publication date Dec 7, 2025