Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Check for Publicly Accessible Object Storage Buckets

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Very High (act immediately)
Rule ID: OCI-ObjectStorage-001

Ensure that your Oracle Cloud Infrastructure (OCI) Object Storage buckets are not publicly accessible to the Internet in order to protect against unauthorized access and keep sensitive data secure.

Security

Allowing anonymous, unauthenticated access to your Oracle Cloud Infrastructure (OCI) Object Storage buckets can allow malicious threat actors to list bucket contents, obtain object metadata, and download bucket objects, which can lead to data breaches, data loss, and unexpected charges on your OCI bill.

Audit

To determine if your Object Storage buckets allow public, anonymous access, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Object Storage & Archive Storage console available at https://cloud.oracle.com/object-storage/.

03 In the left navigation panel, choose Buckets, and select an OCI compartment from the Compartment dropdown menu, to list the Object Storage buckets available within that compartment.

04 Click on the name (link) of the bucket that you want to examine, listed in the Name column.

05 Select the Bucket Information tab and check the Visibility attribute value, listed under Features. If Visibility is set to Public, the selected OCI Object Storage bucket is publicly accessible. This configuration allows anonymous and unauthenticated users to access data stored within the bucket.

06 Repeat steps no. 4 and 5 for each Object Storage bucket created in the selected Oracle Cloud Infrastructure (OCI) compartment.

07 Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account: 

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs): 

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run os bucket list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, the list the name of each Object Storage bucket available in the selected OCI compartment: 

oci os bucket list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."name"'

04 The command output should return the requested bucket names: 

[
	"cc-project5-data-bucket",
	"cc-tenancy-logging-bucket",
	"cc-cloud-artifacts-bucket"
]

05 Run os bucket get command (Windows/macOS/Linux) with the name of the Object Storage bucket that you want to examine as the identifier parameter and custom output filters to determine if the selected bucket is configured to allow public, anonymous access: 

oci os bucket get
	--bucket-name 'cc-project5-data-bucket'
	--query 'data."public-access-type"'

06 The command output should return the public access type configured for the selected bucket. "ObjectRead" allows public access for the GetObject and HeadObject operations, "ObjectReadWithoutList" allows public access for the GetObject, HeadObject, and ListObjects operations, and "NoPublicAccess" blocks public access (allows only authenticated callers to access the bucket and its contents): 

"ObjectRead"

If the os bucket get command output returns "ObjectRead" or "ObjectReadWithoutList", the selected OCI Object Storage bucket is publicly accessible. This configuration allows anonymous and unauthenticated users to access objects stored within the bucket.

07 Repeat steps no. 5 and 6 for each Object Storage bucket provisioned in the selected OCI compartment.

08 Repeat steps no. 3 – 7 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Remediation / Resolution

To ensure that public, anonymous access to your OCI Object Storage buckets is restricted, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Object Storage & Archive Storage console available at https://cloud.oracle.com/object-storage/.

03 In the left navigation panel, choose Buckets, and select an OCI compartment from the Compartment dropdown menu, to list the Object Storage buckets available within that compartment.

04 Click on the name (link) of the publicly accessible bucket that you want to configure, listed in the Name column.

05 Choose Edit Visibility from the top menu, set Visibility to Private, and choose Save changes to apply the configuration changes. The bucket is now considered private, meaning that accessing both the bucket and its contents requires authentication and authorization.

06 Repeat steps no. 4 and 5 for each publicly accessible bucket created in the selected Oracle Cloud Infrastructure (OCI) compartment.

07 Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

01 Run os bucket update command (Windows/macOS/Linux) with the name of the publicly accessible bucket that you want to configure as the identifier parameter, to block the public, anonymous access to the selected bucket by setting the --public-access-type parameter to 'NoPublicAcces'. The bucket is now considered private, meaning that accessing both the bucket and its contents requires authentication and authorization: 

oci os bucket update
	--bucket-name 'cc-project5-data-bucket'
	--public-access-type 'NoPublicAccess'
	--query 'data."public-access-type"'

02 The command output should return the public access type for the configured bucket (i.e., "NoPublicAccess"): 

"ocid1.onstopic.oc1.ap-sydney-1.amaaaaaarda2cfyaozua2hj2b2btbdj3sz3fcy7qox4jtryji54godksyicq"

03 Repeat steps no. 1 and 2 for each publicly accessible bucket provisioned in the selected Oracle Cloud Infrastructure (OCI) compartment.

04 Repeat steps no. 1 – 3 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

References

Publication date Mar 6, 2025

Related OCI-ObjectStorage rules