End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™.

Limit Network Access to Selected Networks

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-OSS-003

Ensure that your Object Storage Service (OSS) buckets are configured to allow access only to selected, trusted networks (i.e. authorized IP addresses/IP address ranges) in order to protect against unapproved access. Before running this TrendAI Vision One™ rule, you must define the list of public IPv4 addresses and/or IPv4 address ranges that are permitted to access your OSS buckets in the rule settings on your TrendAI Vision One™ account.

Security

Allowing public and unauthorized access to your Object Storage Service (OSS) buckets can lead to unapproved actions such as viewing, uploading, modifying, or deleting OSS objects. To prevent OSS data exposure, data loss, and unexpected charges on your Alibaba Cloud bill, and to manage bucket access from a central place using bucket policies, make sure that your OSS buckets are accessible to selected networks only.


Audit

To determine if the access to your OSS buckets is limited to selected networks via bucket policies, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your TrendAI Vision One™ account, open the Limit Network Access to Selected Networks TrendAI Vision One™ rule settings, and identify the list of trusted public IPv4 addresses/ranges authorized to access your OSS buckets.

  2. Sign in to your Alibaba Cloud account.

  3. Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

  4. In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

  5. Click on the name (link) of the OSS bucket that you want to examine, listed in the Bucket Name column.

  6. Because OSS ignores existing ACLs and bucket policies that grant public access while Block Public Access is enabled, verify the status of the Block Public Access feature first. To determine if Block Public Access is enabled, perform the following actions:

    1. In the resource navigation panel, under Permission Control, choose Block Public Access.
    2. Select the Block Public Access tab and check the Block Public Access setting status. If Block Public Access is set to Enabled, the feature is active; existing public access permissions are therefore ignored and the TrendAI Vision One™ rule will return a No Check.
  7. In the resource navigation panel, under Permission Control, choose Bucket Policy to access the bucket access policy.

  8. Select the Bucket Policy tab, choose Add by Syntax, and check the policy document for the SourceIp condition, i.e. "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}}. If the policy document does not contain the combination "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}} together with an "Effect" element set to "Allow", where "xxx.xxx.xxx.xxx/xx" is the IP address/IP address range authorized for access, access to the selected OSS bucket is not limited to selected networks only. If the policy document does contain "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}}, compare the IP address/IP range with the list of IP addresses identified at step no. 1. If the bucket's IP address/IP range is not authorized in the TrendAI Vision One™ rule settings, access to the selected OSS bucket is not limited to specific (trusted) networks only.

  9. Repeat steps no. 5 - 8 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

Note: Getting the Block Public Access feature status using ossutil is not currently supported.

  1. Sign in to your TrendAI Vision One™ account, open the Limit Network Access to Selected Networks TrendAI Vision One™ rule settings, and identify the list of trusted public IPv4 addresses/ranges authorized to access your OSS buckets.

  2. Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

  3. Run the bucket-policy command (macOS/Linux/Windows) with --method set to get to describe the bucket policy configured for the specified OSS bucket:

    ossutil bucket-policy --method get oss://tm-project-data-bucket
    
  4. The command output should return the bucket policy document (in JSON format):

    {
    	"Version": "1",
    	"Statement": [
    		{
    			"Effect": "Allow",
    			"Action": [
    				"oss:*"
    			],
    			"Principal": [
    				"1234567890123456"
    			],
    			"Resource": [
    				"acs:oss:*:1234567890123456:tm-project-logs-bucket",
    				"acs:oss:*:1234567890123456:tm-project-logs-bucket/*"
    			]
    		}
    	]
    }
    

    Check the policy document for the SourceIp condition, i.e. "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}}. If the policy document does not contain the combination "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}} together with an "Effect" element set to "Allow", where "xxx.xxx.xxx.xxx/xx" is the IP address/IP address range authorized for access, access to the selected OSS bucket is not limited to trusted networks only. If the policy document does contain "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}}, compare the IP address/IP range with the list of IP addresses identified at step no. 1. If the bucket's IP address/IP range is not authorized in the TrendAI Vision One™ rule settings, access to the selected OSS bucket is not limited to specific (trusted) networks only.

  5. Repeat steps no. 3 and 4 for each OSS bucket available within your Alibaba Cloud account.
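The comparison in step 4 (does every "Allow" statement carry an acs:SourceIp condition, and is every listed address/range contained in the ranges from the rule settings?) is easy to get wrong by eye when a bucket has several statements or when a range is a subnet of a trusted one. The following Python script is an added example, not part of this page or of ossutil; it evaluates a policy document shaped like the `ossutil bucket-policy --method get` output against a trusted list. The trusted ranges and the policy document are constructed sample data standing in for your rule settings and your bucket's real policy.

```python
import ipaddress
import json

# Constructed trusted IPv4 ranges, standing in for the list defined in the
# Limit Network Access to Selected Networks rule settings (assumption).
TRUSTED_NETWORKS = ["10.15.1.0/24", "203.0.113.0/25"]

# Constructed policy document, shaped like the JSON printed by
# `ossutil bucket-policy --method get oss://<bucket>`.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:*"],
      "Principal": ["1234567890123456"],
      "Resource": ["acs:oss:*:1234567890123456:tm-project-logs-bucket",
                   "acs:oss:*:1234567890123456:tm-project-logs-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["oss:GetObject"],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:1234567890123456:tm-project-logs-bucket/*"],
      "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/26", "198.51.100.7"]}}
    }
  ]
}
""")


def source_ips(statement):
    """Return the acs:SourceIp values of a statement's IpAddress condition.

    The value may be a single string or a list; a missing condition yields
    an empty list, which the audit treats as 'not limited to any network'."""
    cond = statement.get("Condition", {}).get("IpAddress", {})
    value = cond.get("acs:SourceIp", [])
    return [value] if isinstance(value, str) else list(value)


def untrusted_ranges(ranges, trusted):
    """Return the entries of `ranges` not contained in any trusted network.

    A bare address such as 198.51.100.7 is treated as a /32; a range is
    accepted only if some trusted network of the same IP version covers it."""
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    bad = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted_nets):
            bad.append(r)
    return bad


def audit_policy(policy, trusted):
    """Apply the audit step to every Allow statement of a policy document.

    Returns a list of (statement_index, reason) findings. An empty list means
    every Allow statement is limited to networks authorized in the rule
    settings; Deny statements are skipped because they cannot widen access."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        ranges = source_ips(stmt)
        if not ranges:
            findings.append((idx, "no acs:SourceIp condition"))
            continue
        bad = untrusted_ranges(ranges, trusted)
        if bad:
            findings.append((idx, "source IPs not in rule settings: " + ", ".join(bad)))
    return findings


if __name__ == "__main__":
    # Pipe the real ossutil output into json.loads to audit an actual bucket.
    for idx, reason in audit_policy(SAMPLE_POLICY, TRUSTED_NETWORKS):
        print(f"statement {idx}: {reason}")
```

Run against the sample, the first statement is flagged because it has no SourceIp condition at all, and the second because 198.51.100.7 is outside both trusted ranges even though 203.0.113.0/26 sits inside 203.0.113.0/25. A bucket passes only when the script reports nothing for every Allow statement.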

Remediation / Resolution

To ensure that OSS bucket access is limited to selected, trusted networks only via bucket policies, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

  3. In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

  4. Click on the name (link) of the OSS bucket that you want to configure, listed in the Bucket Name column.

  5. In the resource navigation panel, under Permission Control, choose Bucket Policy to access the bucket access policy.

  6. Select the Bucket Policy tab, choose Add by Syntax, select Edit, and modify the existing policy document or create a new policy statement to implement the SourceIp condition, i.e. "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}}, as shown in the policy example below. To secure access, use only the IP addresses/IP ranges that are authorized in the TrendAI Vision One™ rule settings, in your TrendAI Vision One™ account:

    {
    	"Version": "1",
    	"Statement": [{
    		"Effect": "Allow",
    		"Action": [
    			"oss:*"
    		],
    		"Principal": [
    			"123412341234123412"
    		],
    		"Resource": [
    			"acs:oss:*:1234567890123456:tm-project-logs-bucket",
    			"acs:oss:*:1234567890123456:tm-project-logs-bucket/*"
    		],
    		"Condition": {
    			"IpAddress": {
    				"acs:SourceIp": [
    					"10.15.1.0/24"
    				]
    			}
    		}
    	}]
    }
    
  7. Repeat steps no. 4 - 6 for each OSS bucket available in your Alibaba Cloud account.

Using ossutil

  1. Modify the existing bucket policy or create a new policy document to implement the SourceIp condition, i.e. "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}}, as shown in the policy example below. To secure access, use only the IP addresses/IP ranges authorized in the TrendAI Vision One™ rule settings, in your TrendAI Vision One™ account. Save the policy document to a JSON file named bucket-policy.json. Because the ossutil command overwrites the existing bucket policy, make sure that the bucket-policy.json file includes all the existing policy statements:

    {
    	"Version": "1",
    	"Statement": [{
    		"Effect": "Allow",
    		"Action": [
    			"oss:*"
    		],
    		"Principal": [
    			"123412341234123412"
    		],
    		"Resource": [
    			"acs:oss:*:1234567890123456:tm-project-logs-bucket",
    			"acs:oss:*:1234567890123456:tm-project-logs-bucket/*"
    		],
    		"Condition": {
    			"IpAddress": {
    				"acs:SourceIp": [
    					"10.15.1.0/24"
    				]
    			}
    		}
    	}]
    }
    
  2. Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

  3. Run the bucket-policy command (macOS/Linux/Windows) with --method set to put to set the bucket policy. When you add or modify bucket policies, ossutil reads the policy document from the local JSON file (e.g. bucket-policy.json) and applies it to your bucket, replacing the policy currently attached:

    ossutil bucket-policy --method put oss://tm-project-data-bucket bucket-policy.json
    
  4. Repeat steps no. 1 - 3 for each OSS bucket available in your Alibaba Cloud account.
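Because `--method put` replaces the whole policy, the safe way to produce bucket-policy.json is to start from the document returned by `--method get`, attach the SourceIp condition to the Allow statements that lack one, and leave every other statement untouched. The Python script below is an added example, not part of this page or of ossutil; the existing policy and the trusted range are constructed sample data, with the account id and bucket name being the placeholders used on this page.

```python
import copy
import ipaddress
import json

# Constructed trusted IPv4 ranges, standing in for the ranges authorized in
# the rule settings (assumption).
TRUSTED_NETWORKS = ["10.15.1.0/24"]

# Constructed existing policy, shaped like `ossutil bucket-policy --method get`
# output; it has one unrestricted Allow statement and one Deny statement that
# must survive the rewrite.
EXISTING_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:*"],
            "Principal": ["1234567890123456"],
            "Resource": [
                "acs:oss:*:1234567890123456:tm-project-logs-bucket",
                "acs:oss:*:1234567890123456:tm-project-logs-bucket/*",
            ],
        },
        {
            "Effect": "Deny",
            "Action": ["oss:DeleteObject"],
            "Principal": ["*"],
            "Resource": ["acs:oss:*:1234567890123456:tm-project-logs-bucket/*"],
        },
    ],
}


def validate_networks(ranges):
    """Reject anything that is not a well-formed IPv4 address or CIDR range,
    so a typo never ends up in the policy that gets written to the bucket."""
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)  # raises ValueError on garbage
        if net.version != 4:
            raise ValueError(f"{r}: the rule expects IPv4 addresses/ranges")
    return list(ranges)


def restrict_policy(policy, trusted):
    """Return a deep copy of `policy` in which every Allow statement that has
    no IpAddress condition gains "acs:SourceIp": trusted.

    Allow statements that already carry an IpAddress condition are left as
    they are (audit them separately); Deny statements and all other fields are
    preserved verbatim, so nothing is lost when the result is written with
    --method put."""
    trusted = validate_networks(trusted)
    result = copy.deepcopy(policy)
    for stmt in result.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.setdefault("Condition", {})
        if "IpAddress" not in cond:
            cond["IpAddress"] = {"acs:SourceIp": list(trusted)}
    return result


def write_policy_file(policy, path="bucket-policy.json"):
    """Write the policy document as the JSON file that ossutil reads."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)
    return path


if __name__ == "__main__":
    # Replace EXISTING_POLICY with json.loads() of the real --method get output,
    # then run: ossutil bucket-policy --method put oss://<bucket> bucket-policy.json
    print(write_policy_file(restrict_policy(EXISTING_POLICY, TRUSTED_NETWORKS)))
```

The function never mutates the document you pass in, so you can keep the original around to diff against the generated file before running the put command; the statement count must be unchanged and only Allow statements should have gained a Condition block.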

Publication date Feb 23, 2024