OSS Bucket Allows Put Action From All Principals
- Query id: fe286195-e75c-4359-bd58-00847c4f855a
- Query name: OSS Bucket Allows Put Action From All Principals
- Platform: Terraform
- Severity: Critical
- Category: Access Control
- CWE: 732
- URL: Github
Description¶
OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket-policy4" {
bucket = "bucket-4-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:PutObjectAcl", "oss:PutObject"
],
"Effect": "Allow",
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}
Positive test num. 2 - tf file
resource "alicloud_oss_bucket" "bucket-policy5" {
bucket = "bucket-5-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:PutObject", "oss:RestoreObject"
],
"Effect": "Allow",
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket-policy1" {
bucket = "bucket-1-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:AbortMultipartUpload"
],
"Effect": "Allow",
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}
Negative test num. 2 - tf file
resource "alicloud_oss_bucket" "bucket-policy2" {
bucket = "bucket-2-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:PutObjectAcl", "oss:PutObject"
],
"Effect": "Allow",
"Principal": [
"20214760404935xxxx"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}
Negative test num. 3 - tf file
resource "alicloud_oss_bucket" "bucket-policy3" {
bucket = "bucket-3-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:PutObjectAcl", "oss:PutObject"
],
"Effect": "Deny",
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}