OSS Buckets Secure Transport Disabled
- Query id: c01d10de-c468-4790-b3a0-fc887a56f289
- Query name: OSS Buckets Secure Transport Disabled
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
OSS Buckets should have secure transport enabled
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket-securetransport1"{
policy = <<POLICY
{
"Version": "1",
"Statement":
[
{
"Effect": "Allow",
"Action":
[
"oss:RestoreObject",
"oss:ListObjects",
"oss:AbortMultipartUpload",
"oss:PutObjectAcl",
"oss:GetObjectAcl",
"oss:ListParts",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetObject",
"oss:GetVodPlaylist",
"oss:PostVodPlaylist",
"oss:PublishRtmpStream",
"oss:ListObjectVersions",
"oss:GetObjectVersion",
"oss:GetObjectVersionAcl",
"oss:RestoreObjectVersion"
],
"Principal":
[
"*"
],
"Resource":
[
"acs:oss:*:0000111122223334:af/*"
],
"Condition":
{
"Bool":
{
"acs:SecureTransport": [ "false" ]
}
}
}
]
}
POLICY
}
Positive test num. 2 - tf file
resource "alicloud_oss_bucket" "bucket-securetransport3" {
bucket = "bucket-170309-policy"
acl = "private"
policy = <<POLICY
{"Statement":
[{"Action":
["oss:PutObject", "oss:GetObject", "oss:DeleteBucket"],
"Effect":"Allow",
"Resource":
["acs:oss:*:*:*"]}],
"Version":"1"}
POLICY
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket-securetransport2"{
policy = <<POLICY
{
"Version": "1",
"Statement":
[
{
"Effect": "Deny",
"Action":
[
"oss:RestoreObject",
"oss:ListObjects",
"oss:AbortMultipartUpload",
"oss:PutObjectAcl",
"oss:GetObjectAcl",
"oss:ListParts",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetObject",
"oss:GetVodPlaylist",
"oss:PostVodPlaylist",
"oss:PublishRtmpStream",
"oss:ListObjectVersions",
"oss:GetObjectVersion",
"oss:GetObjectVersionAcl",
"oss:RestoreObjectVersion"
],
"Principal":
[
"*"
],
"Resource":
[
"acs:oss:*:0000111122223334:af/*"
],
"Condition":
{
"Bool":
{
"acs:SecureTransport": [ "false" ]
}
}
}
]
}
POLICY
}
Negative test num. 2 - tf file
resource "alicloud_oss_bucket" "bucket-securetransport4"{
policy = <<POLICY
{
"Version": "1",
"Statement":
[
{
"Effect": "Allow",
"Action":
[
"oss:RestoreObject",
"oss:ListObjects",
"oss:AbortMultipartUpload",
"oss:PutObjectAcl",
"oss:GetObjectAcl",
"oss:ListParts",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetObject",
"oss:GetVodPlaylist",
"oss:PostVodPlaylist",
"oss:PublishRtmpStream",
"oss:ListObjectVersions",
"oss:GetObjectVersion",
"oss:GetObjectVersionAcl",
"oss:RestoreObjectVersion"
],
"Principal":
[
"*"
],
"Resource":
[
"acs:oss:*:0000111122223334:af/*"
],
"Condition":
{
"Bool":
{
"acs:SecureTransport": [ "true" ]
}
}
}
]
}
POLICY
}