OSS Bucket Ip Restriction Disabled
- Query id: 6107c530-7178-464a-88bc-df9cdd364ac8
- Query name: OSS Bucket Ip Restriction Disabled
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description
OSS buckets should restrict access by source IP address.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive fixture: the bucket policy grants object and bucket actions with no
# "Condition" block, so nothing limits which source IP addresses may use it.
resource "alicloud_oss_bucket" "bucket-policy" {
bucket = "bucket-170309-policy"
# NOTE(review): the ACL and the bucket policy are evaluated as separate
# controls; a "private" ACL does not appear to narrow the Allow statement
# below — confirm against the OSS access-control documentation.
acl = "private"
# Allow for oss:PutObject, oss:GetObject and oss:DeleteBucket on every OSS
# resource ("acs:oss:*:*:*"). No "Condition" (and therefore no "acs:SourceIp"
# key) is present, which is presumably what the query reports. The statement
# also carries no "Principal" entry; whether OSS accepts a bucket policy
# without one is not shown here.
policy = <<POLICY
{"Statement":
[{"Action":
["oss:PutObject", "oss:GetObject", "oss:DeleteBucket"],
"Effect":"Allow",
"Resource":
["acs:oss:*:*:*"]}],
"Version":"1"}
POLICY
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative fixture 1: a single Deny statement that carries a source-IP
# condition.
# NOTE(review): "Effect": "Deny" combined with an IpAddress-style match denies
# requests coming FROM 10.0.0.0 rather than restricting access TO that address;
# an allow-list is normally expressed as Deny + NotIpAddress (negative test 2)
# or Allow + IpAddress. Because both negative fixtures pass, the query appears
# to treat any IP condition as "restricted" — confirm that is the intended
# semantics before using this sample as a secure template.
resource "alicloud_oss_bucket" "bucket-securetransport2"{
# NOTE(review): the condition operator is written "IpAdress"; the documented
# Alibaba Cloud operator is "IpAddress". An unrecognized operator is unlikely
# to be enforced by OSS, so verify whether the query keys on this exact
# spelling before correcting the fixture. "acs:SourceIp" is given a single
# address with no CIDR prefix, so it presumably matches only that one host.
# Only the actions listed below are covered by this Deny; actions not in the
# list (for example oss:DeleteBucket, which the positive sample grants) are not
# IP-gated by this statement.
policy = <<POLICY
{
"Version": "1",
"Statement":
[
{
"Effect": "Deny",
"Action":
[
"oss:RestoreObject",
"oss:ListObjects",
"oss:AbortMultipartUpload",
"oss:PutObjectAcl",
"oss:GetObjectAcl",
"oss:ListParts",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetObject",
"oss:GetVodPlaylist",
"oss:PostVodPlaylist",
"oss:PublishRtmpStream",
"oss:ListObjectVersions",
"oss:GetObjectVersion",
"oss:GetObjectVersionAcl",
"oss:RestoreObjectVersion"
],
"Principal":
[
"*"
],
"Resource":
[
"acs:oss:*:0000111122223334:af/*"
],
"Condition":
{
"IpAdress":
{
"acs:SourceIp": "10.0.0.0"
}
}
}
]
}
POLICY
}
Negative test num. 2 - tf file
# Negative fixture 2: Deny for every principal ("*") whose source IP is NOT
# 10.0.0.0, i.e. an allow-list of a single address for the listed actions.
# This is the usual shape of an IP restriction (Deny + NotIpAddress).
# The resource label is the same as in negative test 1; that is fine for
# separate fixture files, but the two blocks could not coexist in one module.
resource "alicloud_oss_bucket" "bucket-securetransport2"{
# NOTE(review): the condition operator is written "NotIpAdress"; the
# documented Alibaba Cloud operator is "NotIpAddress". An unrecognized operator
# is unlikely to be enforced by OSS, so verify whether the query keys on this
# exact spelling before correcting the fixture. "acs:SourceIp" holds a single
# address with no CIDR prefix, so presumably only that one host is exempt
# from the Deny. Actions not in the list below (e.g. oss:DeleteBucket, granted
# by the positive sample) are not IP-gated by this statement, and the Deny
# applies only to objects under "af/" in the named account.
policy = <<POLICY
{
"Version": "1",
"Statement":
[
{
"Effect": "Deny",
"Action":
[
"oss:RestoreObject",
"oss:ListObjects",
"oss:AbortMultipartUpload",
"oss:PutObjectAcl",
"oss:GetObjectAcl",
"oss:ListParts",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetObject",
"oss:GetVodPlaylist",
"oss:PostVodPlaylist",
"oss:PublishRtmpStream",
"oss:ListObjectVersions",
"oss:GetObjectVersion",
"oss:GetObjectVersionAcl",
"oss:RestoreObjectVersion"
],
"Principal":
[
"*"
],
"Resource":
[
"acs:oss:*:0000111122223334:af/*"
],
"Condition":
{
"NotIpAdress":
{
"acs:SourceIp": "10.0.0.0"
}
}
}
]
}
POLICY
}