End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Publicly Accessible OSS Objects

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Very High (act immediately)

Ensure that your Object Storage Service (OSS) objects are not publicly accessible to the Internet in order to protect against unauthorized access. Allowing public, anonymous access through object ACLs gives everyone the ability to access the object's data.

Security

Granting public and/or anonymous access to your Object Storage Service (OSS) objects can pose significant security risks. It increases the likelihood of unauthorized access, data breaches, and potential exploitation of sensitive information. Keeping access restricted helps maintain control over your data, safeguarding it from malicious actors and ensuring compliance with privacy regulations. Note that while an OSS bucket ACL may restrict public access to the bucket as a whole, individual object ACLs can still grant public access to specific objects within it. Therefore, it is crucial to review ACLs at the individual object level to ensure comprehensive access control measures are in place.


Audit

To determine if there are publicly accessible objects in your OSS buckets, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

  3. In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

  4. Click on the name (link) of the OSS bucket that you want to examine.

  5. In the bucket navigation panel, under Object Management, choose Objects.

  6. Choose the OSS object that you want to examine and select View Details.

  7. Check the Object ACL attribute value to determine the level of access configured for the selected object via object ACL:

    1. If the Object ACL value is set to Public Read or Public Read/Write, the selected OSS object is considered publicly accessible.
    2. If the Object ACL value is set to Inherited from Bucket, the ACL of the object is the same as the ACL of the bucket in which the object is stored. To verify the ACL configured for your bucket, choose Permission Control from the bucket navigation panel, select ACL, and check the Bucket ACL configuration setting to determine the level of access configured for your bucket. If Bucket ACL is not set to Private, the OSS bucket is publicly accessible, therefore the selected OSS object is also considered publicly accessible.
  8. Repeat steps no. 6 and 7 for each OSS object that you want to examine, stored within the selected OSS bucket.

  9. Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

  1. Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

  2. Run the ls command (macOS/Linux/Windows) to list the OSS buckets available in your Alibaba Cloud account:

    ossutil ls -s
    
  3. The command output should return the name of each OSS bucket available in your Alibaba Cloud account:

    oss://tm-project-data-bucket
    oss://tm-trail-logs-bucket
    oss://tm-web-app-utils
    oss://tm-audit-logs-repo
    Bucket Number is: 4
    
    0.235205(s) elapsed
    
  4. Run the ls command (macOS/Linux/Windows) to list all the objects stored within the specified OSS bucket:

    ossutil ls oss://tm-project-data-bucket
    
  5. The command output should return the name of each object available in the selected bucket:

    oss://tm-project-data-bucket/tm-project-files.zip
    oss://tm-project-data-bucket/tm-project-config.yaml
    oss://tm-project-data-bucket/tm-project-access-logs.zip
    
  6. Run the stat command (macOS/Linux/Windows) to describe the configuration metadata available for the selected OSS object:

    ossutil stat oss://tm-project-data-bucket/tm-project-files.zip
    
  7. The command output should return the requested configuration information (including the ACL configured for the object):

    ACL                   : public-read-write
    Accept-Ranges         : bytes
    Content-Length        : 2108860
    Content-Md5           : abcd1234abcd1234abcd1234
    Content-Type          : application/zip
    Etag                  : ABCDABCDABCDABCDABCDABCDABCDABCD
    Last-Modified         : 2024-02-21 11:06:33 +0000 UTC
    Owner                 : 1234567890123456
    X-Oss-Object-Type     : Normal
    X-Oss-Storage-Class   : Standard
    

    Check the ACL attribute value to determine the level of access configured for the specified object. If ACL is set to public-read or public-read-write, the selected OSS object is considered publicly accessible. If ACL is set to default, the ACL of the object is the same as the ACL of the bucket in which the object is stored. If the ACL of the object is the same as the ACL of the bucket, continue the Audit process with the next step.

  8. Run the stat command (macOS/Linux/Windows) to describe the configuration metadata available for the selected OSS bucket:

    ossutil stat oss://tm-project-data-bucket
    
  9. The command output should return the requested configuration information (including the ACL configured for the bucket):

    Name                  : tm-project-data-bucket
    Location              : oss-eu-west-1
    CreationDate          : 2024-02-02 09:45:38 +0000 UTC
    ExtranetEndpoint      : oss-eu-west-1.aliyuncs.com
    IntranetEndpoint      : oss-eu-west-1-internal.aliyuncs.com
    ACL                   : public-read
    Owner                 : 1234567890123456
    StorageClass          : Standard
    RedundancyType        : LRS
    TransferAcceleration  : Disabled
    CrossRegionReplication: Disabled
    AccessMonitor         : Disabled
    

    Check the ACL attribute value to determine the level of access configured for the specified bucket. If ACL is not set to private, the OSS bucket is publicly accessible, therefore the selected OSS object is also considered publicly accessible.

  10. Repeat steps no. 6 - 9 for each OSS object that you want to examine, stored within the selected OSS bucket.

  11. Repeat steps no. 4 - 10 for each OSS bucket available within your Alibaba Cloud account.

Remediation / Resolution

To ensure that there are no publicly accessible objects stored within your OSS buckets, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

  3. In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

  4. Click on the name (link) of the OSS bucket that you want to access.

  5. In the bucket navigation panel, under Object Management, choose Objects.

  6. Choose the OSS object that you want to configure and select View Details.

  7. On the View Details panel, choose Set ACL next to Object ACL to modify the level of access configured for the selected object via object ACL.

  8. On the Set ACL panel, select Private next to ACL, and choose OK to apply the changes. Once the ACL settings are applied, only the bucket owner or authorized users can perform read and write operations on the selected object.

  9. Repeat steps no. 6 - 8 for each OSS object that you want to configure, available in the selected OSS bucket.

  10. Repeat steps no. 4 - 9 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

  1. Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

  2. Run the set-acl command (macOS/Linux/Windows) to set the Access Control List (ACL) to private for the specified OSS object. Once the ACL settings are saved, only the bucket owner or authorized users can perform read and write operations on the selected object:

    ossutil set-acl oss://tm-project-data-bucket/tm-project-files.zip private
    
  3. If the operation is successful, the command output should return the execution time, e.g.:

    0.224380(s) elapsed
    
  4. Repeat steps no. 2 and 3 for each OSS object that you want to configure, available in the selected OSS bucket.

  5. Repeat steps no. 2 - 4 for each OSS bucket available within your Alibaba Cloud account.
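The ossutil Audit steps (ls, stat, resolve a "default" object ACL against the bucket ACL) and the ossutil Remediation step (set-acl ... private) are repeated once per object and once per bucket. The script below automates both passes. It is an added example, not code from the Conformity page and not a built-in ossutil feature; it assumes ossutil is installed and configured as described above, and that `ossutil ls -s` prints one oss:// URI per line as in the sample output. The stat fragments embedded in the script are constructed from the shape of the page's output so the parsing can be exercised without an Alibaba Cloud account.

```shell
#!/bin/sh
# Added example; not part of the Conformity page and not an ossutil feature.
# Automates the Audit and Remediation steps: stat every object, resolve an
# object ACL of "default" (ossutil's name for "Inherited from Bucket") against
# the bucket ACL, report anything that is not private, and with --fix set those
# objects back to private. Assumes ossutil is installed and configured and that
# `ossutil ls -s` prints one oss:// URI per line as shown on the page.

# Read `ossutil stat` output on stdin and print the value of its ACL line.
acl_from_stat() {
    awk -F':' '$1 ~ /^ACL[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Effective ACL of an object: "default" inherits the bucket ACL.
effective_acl() {
    if [ "$1" = "default" ]; then printf '%s\n' "$2"; else printf '%s\n' "$1"; fi
}

# Exit status 0 when an ACL exposes data to anonymous callers (anything but private).
is_public() {
    [ "$1" != "private" ]
}

# One report line: "<uri> <object-acl> -> <effective-acl> <PUBLIC|ok>".
report_line() {
    eff=$(effective_acl "$2" "$3")
    if is_public "$eff"; then verdict=PUBLIC; else verdict=ok; fi
    printf '%s %s -> %s %s\n' "$1" "$2" "$eff" "$verdict"
}

# Live audit over every bucket and every object (needs credentials and network).
audit_all() {
    ossutil ls -s | grep '^oss://' | while read -r bucket; do
        bucket_acl=$(ossutil stat "$bucket" | acl_from_stat)
        ossutil ls -s "$bucket" | grep '^oss://' | while read -r object; do
            object_acl=$(ossutil stat "$object" | acl_from_stat)
            report_line "$object" "$object_acl" "$bucket_acl"
        done
    done
}

# Remediation: set every object reported PUBLIC back to private (ossutil
# remediation step 2). Review the audit report first; an object may be public
# on purpose, and this loop does not know which ones.
fix_public() {
    audit_all | awk '$NF == "PUBLIC" { print $1 }' | while read -r object; do
        ossutil set-acl "$object" private
    done
}

# Constructed sample stat output (same layout as the page's ossutil output) so
# the parsing can be checked offline.
SAMPLE_BUCKET_STAT='Name                  : tm-project-data-bucket
ACL                   : public-read
Owner                 : 1234567890123456'
SAMPLE_OBJECT_STAT='ACL                   : default
Content-Type          : application/x-yaml'

# Offline demonstration: an object with ACL "default" inside a public-read
# bucket is effectively public, which is the case the Audit text warns about.
demo() {
    b=$(printf '%s\n' "$SAMPLE_BUCKET_STAT" | acl_from_stat)
    o=$(printf '%s\n' "$SAMPLE_OBJECT_STAT" | acl_from_stat)
    report_line oss://tm-project-data-bucket/tm-project-config.yaml "$o" "$b"
}

case ${1:-} in
    --live) audit_all ;;
    --fix)  fix_public ;;
    *)      demo ;;
esac
```

Run it without arguments to see the offline demonstration, with `--live` to produce the full report for the configured account, and with `--fix` to apply `set-acl ... private` to every object the report marks PUBLIC. Because an inherited ("default") object ACL in a non-private bucket is reported as public, fixing the bucket ACL alone is not sufficient: the script re-checks each object individually, matching steps 6-9 of the Audit section.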


Publication date Apr 25, 2024