OSS Bucket Allows List Action From All Principals
- Query id: 88541597-6f88-42c8-bac6-7e0b855e8ff6
- Query name: OSS Bucket Allows List Action From All Principals
- Platform: Terraform
- Severity: High
- Category: Access Control
- URL: Github
Description
An OSS bucket should not allow List actions from all principals, since that would leak private information to the entire internet or allow unauthorized data tampering and deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List' and the statement applies to all Principals.
Documentation
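To make the rule concrete, here is an added Python checker (not part of the KICS query or the Alibaba provider; written for this page) that applies the criterion above to the policy heredocs in a Terraform file: a statement is flagged when its Effect is Allow, its Principal includes "*", and at least one Action name contains "List". It goes slightly beyond the page's wording by also treating an action wildcard ("*" or "oss:*") as covering List actions, which is an assumption stated in the code. The Terraform text, the resource names and the account id are constructed samples modelled on the test cases on this page.

```python
import json
import re
from typing import Any

# Constructed sample .tf content: one bucket that grants List to anonymous
# callers (modelled on positive test 1) and one that denies it (negative test 3).
SAMPLE_TF = '''
resource "alicloud_oss_bucket" "public-list" {
  bucket = "bucket-public-list"
  acl    = "private"
  policy = <<POLICY
{"Statement": [
  {
    "Action": ["oss:ListObjectVersions", "oss:ListObjects", "oss:ListParts"],
    "Effect": "Allow",
    "Principal": ["*"],
    "Resource": ["acs:oss:*:000000000000xxxx:examplebucket"]
  }
], "Version": "1"}
POLICY
}

resource "alicloud_oss_bucket" "deny-list" {
  bucket = "bucket-deny-list"
  acl    = "private"
  policy = <<POLICY
{"Statement": [
  {
    "Action": ["oss:ListObjects"],
    "Effect": "Deny",
    "Principal": "*",
    "Resource": ["acs:oss:*:000000000000xxxx:examplebucket"]
  }
], "Version": "1"}
POLICY
}
'''

RESOURCE_RE = re.compile(r'resource\s+"alicloud_oss_bucket"\s+"([^"]+)"')
# Matches `policy = <<MARKER ... MARKER` where MARKER closes on its own line.
HEREDOC_RE = re.compile(
    r'policy\s*=\s*<<-?(\w+)\r?\n(.*?)\r?\n[ \t]*\1[ \t]*(?:\r?\n|$)', re.DOTALL
)


def _as_list(value: Any) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_list_action(action: str) -> bool:
    """Page criterion: the action name contains 'List'.
    Assumption added here: a wildcard action ('*' or 'oss:*') also covers List."""
    name = action.split(":", 1)[-1]
    return "List" in name or name == "*"


def allows_list_to_everyone(statement: dict) -> bool:
    """True when the statement is an Allow for all principals on a List action."""
    if statement.get("Effect") != "Allow":
        return False
    if "*" not in _as_list(statement.get("Principal")):
        return False
    return any(is_list_action(a) for a in _as_list(statement.get("Action")))


def find_public_list_statements(policy_json: str) -> list[int]:
    """Indices of offending statements in one bucket policy document."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    return [i for i, st in enumerate(statements) if allows_list_to_everyone(st)]


def scan_terraform(tf_text: str) -> dict[str, list[int]]:
    """Map each alicloud_oss_bucket resource name to its offending statement indices.
    Each policy heredoc is attributed to the closest resource header before it."""
    headers = [(m.start(), m.group(1)) for m in RESOURCE_RE.finditer(tf_text)]
    findings: dict[str, list[int]] = {}
    for m in HEREDOC_RE.finditer(tf_text):
        owners = [name for pos, name in headers if pos < m.start()]
        name = owners[-1] if owners else "<unknown>"
        findings[name] = find_public_list_statements(m.group(2))
    return findings


if __name__ == "__main__":
    for resource, bad in scan_terraform(SAMPLE_TF).items():
        status = "FAIL" if bad else "ok"
        print(f"{status}: {resource} offending statements={bad}")
```

Running the block prints one line per bucket resource; only the first sample is flagged. The checker is deliberately shaped like the page's test matrix: a non-List action, a specific account principal, or a Deny effect each make a statement pass.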
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket-policy1" {
  bucket = "bucket-1-policy"
  acl    = "private"
  policy = <<POLICY
{"Statement": [
  {
    "Action": [
      "oss:ListObjectVersions", "oss:ListObjects", "oss:ListParts"
    ],
    "Effect": "Allow",
    "Principal": [
      "*"
    ],
    "Resource": [
      "acs:oss:*:174649585760xxxx:examplebucket"
    ]
  }
],
"Version":"1"}
POLICY
}
Positive test num. 2 - tf file
resource "alicloud_oss_bucket" "bucket-policy5" {
  bucket = "bucket-5-policy"
  acl    = "private"
  policy = <<POLICY
{"Statement": [
  {
    "Action": [
      "oss:ListObjectVersions", "oss:RestoreObject"
    ],
    "Effect": "Allow",
    "Principal": [
      "*"
    ],
    "Resource": [
      "acs:oss:*:174649585760xxxx:examplebucket"
    ]
  }
],
"Version":"1"}
POLICY
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket-policy2" {
  bucket = "bucket-2-policy"
  acl    = "private"
  policy = <<POLICY
{"Statement": [
  {
    "Action": [
      "oss:AbortMultipartUpload"
    ],
    "Effect": "Allow",
    "Principal": [
      "*"
    ],
    "Resource": [
      "acs:oss:*:174649585760xxxx:examplebucket"
    ]
  }
],
"Version":"1"}
POLICY
}
Negative test num. 2 - tf file
resource "alicloud_oss_bucket" "bucket-policy3" {
  bucket = "bucket-3-policy"
  acl    = "private"
  policy = <<POLICY
{"Statement": [
  {
    "Action": [
      "oss:ListObjectVersions", "oss:ListObjects", "oss:ListParts"
    ],
    "Effect": "Allow",
    "Principal": [
      "20214760404935xxxx"
    ],
    "Resource": [
      "acs:oss:*:174649585760xxxx:examplebucket"
    ]
  }
],
"Version":"1"}
POLICY
}
Negative test num. 3 - tf file
resource "alicloud_oss_bucket" "bucket-policy4" {
  bucket = "bucket-4-policy"
  acl    = "private"
  policy = <<POLICY
{"Statement": [
  {
    "Action": [
      "oss:ListObjectVersions", "oss:ListObjects", "oss:ListParts"
    ],
    "Effect": "Deny",
    "Principal": [
      "*"
    ],
    "Resource": [
      "acs:oss:*:174649585760xxxx:examplebucket"
    ]
  }
],
"Version":"1"}
POLICY
}