OSS Bucket Logging Disabled

  • Query id: 05db341e-de7d-4972-a106-3e2bd5ee53e1
  • Query name: OSS Bucket Logging Disabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Observability
  • CWE: 778
  • URL: Github

Description

OSS Bucket should have logging enabled, for better visibility of resources and objects.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket_logging2" {
  bucket = "bucket-170309-acl"
  acl    = "public-read"
}
Positive test num. 2 - tf file
resource "alicloud_oss_bucket" "bucket_logging1" {
  bucket = "bucket-170309-logging"
  logging_isenable = false

  logging {
    target_bucket = alicloud_oss_bucket.bucket-target.id
    target_prefix = "log/"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket_logging1" {
  bucket = "bucket-170309-logging"

  logging {
    target_bucket = alicloud_oss_bucket.bucket-target.id
    target_prefix = "log/"
  }
}