Alibaba Cloud OSS bucket accessible to public
Description
This policy identifies Object Storage Service (OSS) buckets that are publicly accessible. Alibaba Cloud OSS allows customers to store and retrieve any type of content from anywhere on the web. Customers often have legitimate reasons to expose an OSS bucket to the public, for example to host website content. However, these buckets frequently contain highly sensitive enterprise data which, if left open to the public, may result in sensitive data leaks.
Code Example
```hcl
resource "alicloud_oss_bucket" "example" {
  ...
- acl = "public-read"
+ acl = "private"
}
```
Remediation
Terraform
- Resource: alicloud_oss_bucket
- Arguments: acl
To mitigate this issue, ensure the `acl` attribute of the `alicloud_oss_bucket` resource is set to `private`.
Example: see the `acl = "private"` change in the Code Example above.
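As an added illustration of how this policy evaluates a Terraform configuration (this is example code written for this page, not the policy's own implementation or the Checkov source), the following Python scans a small constructed Terraform snippet, finds every `alicloud_oss_bucket` resource, and reports whether its `acl` argument is set to `private`. The parser is a deliberately minimal regex over flat string attributes, enough for this check and nothing more; treating an omitted `acl` as compliant assumes the provider default of `private`, which you should confirm against the provider version you run.

```python
import re

# Constructed sample Terraform (not from the page): one bucket with a public ACL,
# one explicitly private, one that omits acl entirely.
SAMPLE_TF = '''
resource "alicloud_oss_bucket" "public_site" {
  bucket = "example-public-site"
  acl    = "public-read"
}

resource "alicloud_oss_bucket" "data" {
  bucket = "example-data"
  acl    = "private"
}

resource "alicloud_oss_bucket" "logs" {
  bucket = "example-logs"
}
'''

# Matches one top-level alicloud_oss_bucket block; the body ends at the first
# "}" that starts a line, so nested (indented) blocks do not terminate it early.
RESOURCE_RE = re.compile(
    r'resource\s+"alicloud_oss_bucket"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.S,
)
# Flat `key = "string"` attributes only (hypothetical minimal parser, not general HCL).
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"(?P<value>[^"]*)"', re.M)


def parse_oss_buckets(tf_text):
    """Return {resource_name: {attribute: value}} for each alicloud_oss_bucket block."""
    buckets = {}
    for m in RESOURCE_RE.finditer(tf_text):
        attrs = {a.group("key"): a.group("value") for a in ATTR_RE.finditer(m.group("body"))}
        buckets[m.group("name")] = attrs
    return buckets


def check_acl(attrs):
    """Evaluate the policy for one bucket's attributes.

    PASSED  : acl is "private" (or omitted; assumption: provider default is private)
    FAILED  : any other canned ACL, e.g. "public-read" or "public-read-write"
    """
    acl = attrs.get("acl", "private")  # assumption: omitted acl defaults to private
    return "PASSED" if acl == "private" else "FAILED"


def scan(tf_text):
    """Map every alicloud_oss_bucket in the given Terraform text to its result."""
    return {name: check_acl(attrs) for name, attrs in parse_oss_buckets(tf_text).items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_TF).items():
        print(f"{result:7} alicloud_oss_bucket.{name}")
```

Run against the embedded sample, `public_site` is reported as FAILED while `data` and `logs` pass; point `scan` at the contents of your own `.tf` files to triage buckets before the real policy engine does.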
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0001 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_ALI_1 |