OSS Bucket Allows All Actions From All Principals
- Query id: ec62a32c-a297-41ca-a850-cab40b42094a
- Query name: OSS Bucket Allows All Actions From All Principals
- Platform: Terraform
- Severity: High
- Category: Access Control
- URL: Github
Description¶
OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket-policy1" {
bucket = "bucket-1-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:*"
],
"Effect": "Allow",
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket-policy1" {
bucket = "bucket-1-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:*"
],
"Effect": "Deny",
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}
Negative test num. 2 - tf file
resource "alicloud_oss_bucket" "bucket-policy1" {
bucket = "bucket-1-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:ListObjects"
],
"Effect": "Allow",
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}