Enable Write Level Logging for Object Storage Buckets
Ensure that write level logging is enabled for your Oracle Cloud Infrastructure (OCI) Object Storage buckets so that write access events are captured for auditing and for monitoring changes to your bucket data.
Write level logging for an OCI Object Storage bucket records object creation, update and deletion events as an OCI Logging service log of the write category, giving you visibility into who changed which objects and when. This strengthens security monitoring, supports compliance audits and simplifies troubleshooting. Note that read access events (object downloads) are a separate log category that this check does not cover; enable it separately if you need to track reads.
Audit
To determine if write level logging is enabled for your OCI Object Storage buckets, perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Object Storage & Archive Storage console available at https://cloud.oracle.com/object-storage/.
03 In the left navigation panel, choose Buckets, and select an OCI compartment from the Compartment dropdown menu, to list the Object Storage buckets available within that compartment.
04 Click on the name (link) of the bucket that you want to examine, listed in the Name column.
05 In the Resources navigation panel, select Logs, and check the Write Access Events feature status, listed in the Enable Log column. If the Write Access Events feature status is set to Not enabled, write level logging is not enabled for the selected OCI Object Storage bucket.
06 Repeat steps no. 4 and 5 for each Object Storage bucket created in the selected Oracle Cloud Infrastructure (OCI) compartment.
07 Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
Using OCI CLI
01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account. Select the id field: the compartment-id field holds the parent compartment, which for top-level compartments is the tenancy, so it does not identify the compartments themselves. Remember that the tenancy is the root compartment and can contain buckets as well:
oci iam compartment list --compartment-id-in-subtree true --all --query 'data[].id'
02 The command output should return the requested OCI compartment identifiers (IDs); the tenancy OCID can be used as a compartment ID in the following steps to examine the root compartment:
[ "ocid1.compartment.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.compartment.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234" ]
03 Run os bucket list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the name of each Object Storage bucket available in the selected OCI compartment:
oci os bucket list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[]."name"'
04 The command output should return the requested bucket names:
[ "cc-project5-data-bucket", "cc-cloud-artifacts-bucket" ]
05 Run logging log-group list command (Windows/macOS/Linux) to list the ID of each log group created in the specified OCI compartment. A bucket's log does not have to live in the bucket's compartment; if your organization centralizes logs, also list the log groups of the compartment where logs are kept:
oci logging log-group list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[]."id"'
06 The command output should return the requested log group IDs:
[ "ocid1.loggroup.oc1.ap-sydney-1.1234bbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234", "ocid1.loggroup.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234" ]
07 Run logging log list command (Windows/macOS/Linux) to determine if there is an enabled write level log created for the specified bucket within the selected OCI log group. The filter also requires is-enabled to be true, because a log resource can exist while being switched off, which the console shows as Not enabled. Replace \<bucket-name\> with the name of the Object Storage bucket that you want to examine, returned in step no. 4:
oci logging log list --log-group-id 'ocid1.loggroup.oc1.ap-sydney-1.1234bbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234' --all --query "data[?configuration.source.resource=='<bucket-name>' && configuration.source.category=='write' && \"is-enabled\"]"
08 The command output should return the enabled write level log object(s) configured for the specified bucket. If the command output returns an empty array, as shown in the example below, no enabled write level log was found for the specified bucket in this log group:
[]
09 Repeat steps no. 7 and 8 for every log group available in the selected OCI compartment (and in any compartment where your logs are centralized). If the logging log list command returns an empty array (i.e. []) for each log group, write level logging is not enabled for the selected OCI Object Storage bucket.
10 Repeat steps no. 5 - 9 for each Object Storage bucket provisioned in the selected OCI compartment.
11 Repeat steps no. 3 – 10 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
Remediation / Resolution
To enable write level logging for your OCI Object Storage buckets, perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Logging console available at https://cloud.oracle.com/logging/.
03 In the left navigation panel, choose Log Groups, and select the OCI compartment where you want to deploy your new log group, from the Compartment dropdown menu.
04 Choose Create Log Group and perform the following actions to create the log group that will manage your bucket's write logs:
- For Name, enter a unique name for the new log group.
- For Description, provide a short description for the log group usage.
- (Optional) Choose Show advanced options and use the Tag key and Tag value fields to improve resource management by adding tags.
- Choose Create to deploy your new OCI log group.
05 Navigate to Object Storage & Archive Storage console available at https://cloud.oracle.com/object-storage/.
06 In the left navigation panel, choose Buckets, and select an OCI compartment from the Compartment dropdown menu, to list the Object Storage buckets available in that compartment.
07 Click on the name (link) of the bucket that you want to configure, listed in the Name column.
08 In the Resources navigation panel, select Logs, and perform the following actions to enable write level logging for the selected bucket:
- Click on the toggle button for the Write Access Events feature, available in the Enable Log column.
- For Log group, select the OCI log group created in step no. 4.
- (Optional) For Log name, you can edit or change the log name provided by default.
- (Optional) For Log retention, select a log retention period for your logging data.
- Choose Enable log to enable write level logging for your Object Storage bucket.
09 Repeat steps no. 7 and 8 for each bucket created in the selected Oracle Cloud Infrastructure (OCI) compartment.
10 Repeat steps no. 2 – 9 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
Using OCI CLI
01 Run logging log-group create command (Windows/macOS/Linux) to create the OCI log group that will manage your bucket's write logs. The operation is asynchronous, so the command returns a work request ID rather than the log group itself:
oci logging log-group create --display-name 'cc-project5-bucket-log-group' --description "Log Group for Write Access Events" --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
02 The command output should return the work request ID:
{ "opc-work-request-id": "ocid1.logworkrequest.oc1.ap-sydney-1.aaaa1234ccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234" }
03 Run logging work-request get command (Windows/macOS/Linux) to retrieve the identifier (ID) of the newly created log group from the work request, once the work request has completed:
oci logging work-request get --work-request-id 'ocid1.logworkrequest.oc1.ap-sydney-1.aaaa1234ccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234' --query 'data.resources[].identifier'
04 The command output should return the requested log group ID:
[ "ocid1.loggroup.oc1.ap-sydney-1.abcdbbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
05 Specify the parameters and settings for the required write level log. Save this configuration to a JSON file named cc-write-logging-config.json. The keys use the camelCase names that the CLI expects for complex-type JSON input. Replace \<compartment-id\> with the ID of the OCI compartment that contains the bucket (not necessarily the compartment of the log group) and \<bucket-name\> with the name of the bucket that you want to configure for logging:
{ "archiving": { "isEnabled": false }, "compartmentId": "<compartment-id>", "source": { "category": "write", "resource": "<bucket-name>", "service": "objectstorage", "sourceType": "OCISERVICE" } }
06 Run logging log create command (Windows/macOS/Linux) to enable write level logging for your Object Storage bucket by creating the necessary log resource. For --configuration, use the JSON configuration file defined in the previous step (i.e., cc-write-logging-config.json):
oci logging log create --display-name 'cc-project5-data-bucket-write' --log-group-id 'ocid1.loggroup.oc1.ap-sydney-1.abcdbbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --log-type 'SERVICE' --is-enabled true --configuration file://cc-write-logging-config.json
07 The command output should return the work request ID:
{ "opc-work-request-id": "ocid1.logworkrequest.oc1.ap-sydney-1.aaaaaaaaermzvzfwrces6oitkrdgcayrqd7buhrhc5kryuari6ezun4dk54a" }
08 Repeat steps no. 5 - 7 for each bucket created in the selected Oracle Cloud Infrastructure (OCI) compartment.
09 Repeat steps no. 1 – 8 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
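The audit and remediation procedures above can be scripted. The following is an added example, not code from the original article or from Oracle: it applies the step no. 7 check of the Audit section to the JSON shape that oci logging log list returns (kebab-case keys), treats a log that merely exists but is disabled, or that only covers the read category, as non-compliant, and then produces the oci logging log create invocation from the Remediation section (with the camelCase configuration keys) for every bucket that fails. The OCIDs, bucket names and log entries are constructed sample data; collect_live() assumes a configured OCI CLI on the PATH and is never called unless you wire it in yourself.

```python
"""Audit OCI Object Storage buckets for write-level logging, then plan remediation.

Added example; not part of the original article and not Oracle's code. It works on
the JSON shapes returned by `oci os bucket list` and `oci logging log list`
(kebab-case keys), so the checks run offline against the constructed sample below.
collect_live() shows how to feed the same functions from a configured `oci` client.
"""
import json
import subprocess
from typing import List

# Constructed sample data (hypothetical OCIDs); field names mirror `--output json`.
SAMPLE_COMPARTMENT_ID = "ocid1.compartment.oc1..exampleuniqueID"
SAMPLE_BUCKETS = [{"name": "cc-project5-data-bucket"},
                  {"name": "cc-cloud-artifacts-bucket"},
                  {"name": "cc-backup-bucket"}]


def _log(log_id: str, bucket: str, category: str, enabled: bool) -> dict:
    """Build one `oci logging log list` entry for an Object Storage service log."""
    return {"id": log_id, "is-enabled": enabled, "lifecycle-state": "ACTIVE",
            "configuration": {"source": {"category": category, "resource": bucket,
                                         "service": "objectstorage",
                                         "source-type": "OCISERVICE"}}}


SAMPLE_LOGS = [
    _log("ocid1.log.oc1..aaaa", "cc-project5-data-bucket", "write", True),     # compliant
    _log("ocid1.log.oc1..bbbb", "cc-cloud-artifacts-bucket", "write", False),  # exists, but off
    _log("ocid1.log.oc1..cccc", "cc-backup-bucket", "read", True),             # read category only
]


def has_active_write_log(bucket: str, logs: List[dict]) -> bool:
    """True only for an enabled, ACTIVE Object Storage log of category 'write' for bucket.
    A log that merely exists (toggle off, or read category) does not count."""
    for log in logs:
        src = (log.get("configuration") or {}).get("source") or {}
        if (src.get("service") == "objectstorage" and src.get("category") == "write"
                and src.get("resource") == bucket and log.get("is-enabled") is True
                and log.get("lifecycle-state") == "ACTIVE"):
            return True
    return False


def noncompliant_buckets(buckets: List[dict], logs: List[dict]) -> List[str]:
    """Names of buckets with no active write-level log, in listing order."""
    return [b["name"] for b in buckets if not has_active_write_log(b["name"], logs)]


def write_log_config(compartment_id: str, bucket: str) -> dict:
    """Body for `oci logging log create --configuration`. Keys are camelCase, as the
    CLI's complex-type JSON input expects; compartmentId is the bucket's compartment."""
    return {"archiving": {"isEnabled": False},
            "compartmentId": compartment_id,
            "source": {"category": "write", "resource": bucket,
                       "service": "objectstorage", "sourceType": "OCISERVICE"}}


def remediation_commands(compartment_id: str, log_group_id: str,
                         buckets: List[dict], logs: List[dict]) -> List[List[str]]:
    """One `oci logging log create` argv per non-compliant bucket; nothing is executed."""
    return [["oci", "logging", "log", "create",
             "--display-name", f"{name}-write",
             "--log-group-id", log_group_id,
             "--log-type", "SERVICE", "--is-enabled", "true",
             "--configuration", json.dumps(write_log_config(compartment_id, name))]
            for name in noncompliant_buckets(buckets, logs)]


def _oci(*args: str) -> list:
    """Run a read-only OCI CLI command and return its JSON `data` array."""
    out = subprocess.run(["oci", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out).get("data", []) if out.strip() else []


def collect_live(compartment_id: str):
    """Buckets in the compartment plus every log in the compartment's log groups.
    Logs kept in another (central) compartment must be gathered separately."""
    buckets = _oci("os", "bucket", "list", "--compartment-id", compartment_id, "--all")
    logs = []
    for group in _oci("logging", "log-group", "list", "--compartment-id", compartment_id, "--all"):
        logs += _oci("logging", "log", "list", "--log-group-id", group["id"], "--all")
    return buckets, logs


if __name__ == "__main__":
    print("buckets without write-level logging:",
          noncompliant_buckets(SAMPLE_BUCKETS, SAMPLE_LOGS))
    for argv in remediation_commands(SAMPLE_COMPARTMENT_ID, "ocid1.loggroup.oc1..example",
                                     SAMPLE_BUCKETS, SAMPLE_LOGS):
        print(" ".join(argv))
```

Run as a script it reports the two sample buckets that fail (the one whose write log is switched off and the one that only logs reads) and prints a ready-to-review oci logging log create command for each. To audit a real compartment, replace SAMPLE_BUCKETS and SAMPLE_LOGS with the tuple returned by collect_live(compartment_id); because the functions consume only the CLI's JSON, no OCI SDK is needed, and the generated commands can be inspected before anyone runs them.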
References
- Oracle Cloud Infrastructure Documentation
- Logging Overview
- Enabling Logging for a Resource
- Collect Logs from Your OCI Object Storage Bucket
- Creating a Log Group
- Details for Object Storage
- Creating a Log
- Oracle Cloud Infrastructure CLI Documentation
- compartment list
- bucket list
- log-group list
- log list
- log-group create
- work-request get
- log create