lacework-global-707

4.1.1 Ensure no Object Storage buckets are publicly visible (Automated)

Description

A bucket is a logical container for storing objects. It belongs to a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. Best practices recommend that no bucket be publicly accessible.

Remediation

From Console:

  1. Log in to the OCI Console.

  2. Click in the search bar at the top of the screen.

  3. Type Advanced Resource Query and press Enter.

  4. Click the Advanced Resource Query button in the upper right of the screen.

  5. Enter the following query in the query box:

    query bucket resources where (publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')
  6. For each bucket in the returned results, click the Bucket Display Name.

  7. Click Edit Visibility.

  8. Select Private.

  9. Click Save Changes.

From CLI:

  1. Execute the following command:

    oci search resource structured-search --query-text "query bucket resources where \
      (publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')"
  2. For each of the buckets identified, execute the following command:

    oci os bucket update --bucket-name <bucket-name> --public-access-type NoPublicAccess
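
The CLI steps above can be driven from a saved search result so the set of public buckets and the exact remediation commands are reviewed before anything is changed. The following script is an added example and is not part of the Lacework policy or the OCI CLI; it assumes the JSON printed by `oci search resource structured-search ... --output json` places `publicAccessType` under each item's `additional-details`, and the sample response embedded in it is constructed, not real tenancy data.

```python
import json
import shlex

# The two publicAccessType values the page's Advanced Resource Query treats as public.
PUBLIC_ACCESS_TYPES = {"ObjectRead", "ObjectReadWithoutList"}

# Constructed sample of a structured-search response (assumed shape, see lead-in).
SAMPLE_RESPONSE = json.dumps({"data": {"items": [
    {"resource-type": "Bucket", "display-name": "public-assets",
     "compartment-id": "ocid1.compartment.oc1..EXAMPLE1",
     "additional-details": {"publicAccessType": "ObjectRead"}},
    {"resource-type": "Bucket", "display-name": "logs-private",
     "compartment-id": "ocid1.compartment.oc1..EXAMPLE1",
     "additional-details": {"publicAccessType": "NoPublicAccess"}},
    {"resource-type": "Bucket", "display-name": "downloads",
     "compartment-id": "ocid1.compartment.oc1..EXAMPLE2",
     "additional-details": {"publicAccessType": "ObjectReadWithoutList"}},
]}})


def find_public_buckets(search_response: str) -> list[dict]:
    """Return the buckets that fail 4.1.1, i.e. whose publicAccessType is public.

    Re-applies the query's predicate locally, so the function also works on an
    unfiltered `query bucket resources` dump, not only on the pre-filtered one.
    """
    items = json.loads(search_response).get("data", {}).get("items", [])
    findings = []
    for item in items:
        if item.get("resource-type") != "Bucket":
            continue
        access = (item.get("additional-details") or {}).get("publicAccessType")
        if access in PUBLIC_ACCESS_TYPES:
            findings.append({"name": item["display-name"],
                             "compartment": item.get("compartment-id"),
                             "access": access})
    return findings


def remediation_commands(findings: list[dict]) -> list[str]:
    """Build the `oci os bucket update` command from step 2 for each finding.

    Bucket names are shell-quoted so a name with spaces cannot break the command.
    """
    return [f"oci os bucket update --bucket-name {shlex.quote(f['name'])} "
            "--public-access-type NoPublicAccess" for f in findings]


if __name__ == "__main__":
    found = find_public_buckets(SAMPLE_RESPONSE)
    for f in found:
        print(f"FAIL {f['name']} ({f['access']}) in {f['compartment']}")
    print("\n".join(remediation_commands(found)))
```

Review the printed FAIL lines against the Impact note below before running the emitted commands, since making a bucket private removes anonymous read access immediately.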

Impact:

Before changing an existing bucket to Private, ensure that the objects in it remain reachable by those who need them, either through Identity and Access Management (IAM) policies or through pre-authenticated requests, because anonymous access stops as soon as the change is saved.

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__BUCKET_IS_PUBLIC
https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm