
Use HTTPS for Object URL Signature


Risk Level: Very High (act immediately)

URL signatures are a mechanism for granting temporary access to OSS objects. By adding a unique digital signature to a URL, you control who can access the object and for how long. In Object Storage Service (OSS), a signed URL can be handed to a third party to grant authorized access without sharing credentials. To follow security best practices, ensure that the URL signatures configured for your OSS objects are accepted only over the HTTPS protocol.

Security

Restricting object URL signatures to HTTPS ensures that the signed URL, which carries the access key ID and the signature in its query string, is transmitted encrypted, preventing interception and tampering by malicious entities. Requiring HTTPS helps prevent unauthorized access and data breaches, and maintains the integrity of the data being transferred, strengthening the overall security posture.


Audit

To determine if your object URL signatures are configured to use HTTPS, perform the following operations:

Getting the URL signature protocol via Alibaba Cloud ossutil is not currently supported.

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

  3. In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

  4. Click on the name (link) of the OSS bucket that you want to examine.

  5. In the bucket navigation panel, under Object Management, choose Objects.

  6. Choose the OSS object that you want to examine and select View Details.

  7. Check the status of the Use HTTPS setting to determine whether the HTTPS protocol is enforced for the object URL signature. If the Use HTTPS setting is disabled, the object URL signature is not restricted to the HTTPS protocol.

  8. Repeat steps no. 6 and 7 for each OSS object that you want to examine, stored within the selected OSS bucket.

  9. Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Remediation / Resolution

To ensure that the URL signatures configured for your OSS objects are allowed only over HTTPS, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

  3. In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

  4. Click on the name (link) of the OSS bucket that you want to access.

  5. In the bucket navigation panel, under Object Management, choose Objects.

  6. Choose the OSS object that you want to configure and select View Details.

  7. On the View Details panel, enable the Use HTTPS configuration setting to enforce HTTPS for the object URL signature. Choose x to close the View Details panel.

  8. Repeat steps no. 6 and 7 for each OSS object that you want to configure, stored within the selected OSS bucket.

  9. Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

  1. Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

  2. Run the ls command (macOS/Linux/Windows) to list the OSS buckets available in your Alibaba Cloud account:

    ossutil ls -s
    
  3. The command output should return the name of each OSS bucket available in your Alibaba Cloud account:

    oss://tm-project-data-bucket
    oss://tm-trail-logs-bucket
    oss://tm-web-app-utils
    oss://tm-audit-logs-repo
    Bucket Number is: 4
    
    0.235205(s) elapsed
    
  4. Run the ls command (macOS/Linux/Windows) to list all the objects stored within the specified OSS bucket:

    ossutil ls oss://tm-project-data-bucket
    
  5. The command output should return the name of each object available in the selected bucket:

    oss://tm-project-data-bucket/tm-project-files.zip
    oss://tm-project-data-bucket/tm-project-config.yaml
    oss://tm-project-data-bucket/tm-project-access-logs.zip
    
  6. Run the sign command (macOS/Linux/Windows) to generate a new signed URL for the specified OSS object:

    ossutil sign oss://tm-project-data-bucket/tm-project-files.zip
    
  7. If the operation is successful, the command output should return a signed URL that uses HTTPS, for example:

    https://tm-project-data-bucket.oss-eu-west-1.aliyuncs.com/tm-project-files.zip?Expires=1708527994&OSSAccessKeyId=ABCDABCDABCDABCDABCD&Signature=ABCD1234ABCD1234ABCD1234ABCD1234ABCD
    
    0.000471(s) elapsed
    
  8. Repeat steps no. 6 and 7 for each OSS object that you want to configure, available in the selected OSS bucket.

  9. Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.
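The signed URL returned in step 7 carries the access key ID and the signature in its query string, and in the OSS V1 signing scheme neither the URL scheme nor the host is part of the string that is signed, so the same URL rewritten to http:// still validates unless Use HTTPS is enforced on the object. The Python below is an added example, not ossutil or Alibaba Cloud code: it builds a V1-style signed URL for the bucket and object listed above using constructed credentials (the string-to-sign layout is assumed from the documented V1 scheme), and audits any signed URL for plaintext HTTP and expiry, which is a check worth running over signed URLs found in application configuration or logs.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample credentials for illustration only; not real Alibaba Cloud keys.
SAMPLE_KEY_ID = "LTAI0000000000000000"
SAMPLE_KEY_SECRET = "constructed-secret-for-illustration-only"


def build_signed_url(bucket, region, key, key_id, key_secret, expires_at, use_https=True):
    """Build an OSS V1-style signed GET URL. Assumed string-to-sign layout:
    'GET\\n\\n\\n<Expires>\\n/<bucket>/<key>' signed with HMAC-SHA1.
    Neither the scheme nor the host is covered by the signature."""
    string_to_sign = f"GET\n\n\n{expires_at}\n/{bucket}/{key}"
    mac = hmac.new(key_secret.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    signature = base64.b64encode(mac).decode()
    scheme = "https" if use_https else "http"
    query = urlencode({"Expires": expires_at, "OSSAccessKeyId": key_id, "Signature": signature})
    return f"{scheme}://{bucket}.oss-{region}.aliyuncs.com/{quote(key)}?{query}"


def audit_signed_url(url, now):
    """Return a list of findings for a signed URL; an empty list means the URL
    is served over HTTPS, is well formed, and has not yet expired (now is a
    Unix timestamp, compared against the Expires parameter)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    findings = []
    if parts.scheme != "https":
        findings.append("signature and access key ID are sent in plaintext (scheme is not https)")
    expires = params.get("Expires", [None])[0]
    if expires is None or not expires.isdigit():
        findings.append("missing or malformed Expires parameter")
    elif int(expires) <= now:
        findings.append("signed URL has expired")
    if not params.get("Signature") or not params.get("OSSAccessKeyId"):
        findings.append("missing Signature or OSSAccessKeyId parameter")
    return findings


def signature_of(url):
    """Extract the Signature query parameter; used to show that an http:// and an
    https:// copy of the same signed URL carry an identical, still-valid signature."""
    return parse_qs(urlsplit(url).query).get("Signature", [None])[0]
```

Because the signature does not bind the scheme, auditing generated URLs is not sufficient on its own; the Use HTTPS setting on the object (remediation above) is what makes the OSS endpoint reject the plaintext variant.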

Publication date Apr 25, 2024