OSS Bucket Allows Delete Action From All Principals
- Query id: 8c0695d8-2378-4cd6-8243-7fd5894fa574
- Query name: OSS Bucket Allows Delete Action From All Principals
- Platform: Terraform
- Severity: Critical
- Category: Access Control
- URL: Github
Description¶
OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket-policy1" {
bucket = "bucket-1-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:PutObject", "oss:DeleteBucket"
],
"Effect": "Allow",
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket-policy2" {
bucket = "bucket-2-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:ListObjects"
],
"Effect": "Allow",
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}
Negative test num. 2 - tf file
resource "alicloud_oss_bucket" "bucket-policy3" {
bucket = "bucket-3-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:PutObject", "oss:DeleteBucket"
],
"Effect": "Allow",
"Principal": [
"20214760404935xxxx"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}
Negative test num. 3 - tf file
resource "alicloud_oss_bucket" "bucket-policy4" {
bucket = "bucket-4-policy"
acl = "private"
policy = <<POLICY
{"Statement": [
{
"Action": [
"oss:PutObject", "oss:DeleteBucket"
],
"Effect": "Deny",
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket"
]
}
],
"Version":"1"}
POLICY
}