Alibaba Cloud OSS bucket has access logging enabled
Description
This policy identifies Alibaba Cloud Object Storage Service (OSS) buckets that do not have access logging enabled.
OSS access logging writes a record of each request made against the bucket (who made it, when, which operation and object, and the result) to a target bucket that you designate. These records are the basis for security monitoring, troubleshooting, and auditing. Without them you have no record of who reads from or writes to the bucket, so unauthorized access or suspicious behaviour goes unnoticed and cannot be reconstructed after the fact.
As a security best practice, enable access logging on every OSS bucket, preferably into a dedicated log bucket with its own restrictive access controls, since the logs are themselves sensitive.
Remediation
Terraform
- Resource: alicloud_oss_bucket
- Arguments: logging
To mitigate this issue, add a `logging` block to the `alicloud_oss_bucket` resource. `target_bucket` is required and names the bucket that receives the access logs; `target_prefix` is optional and sets the key prefix under which the log objects are written.
Example:
```diff
 resource "alicloud_oss_bucket" "example" {
   ...
+  logging {
+    target_bucket = "my-log-bucket"
+    target_prefix = "log/"
+  }
 }
```
Note that the log bucket itself is also an `alicloud_oss_bucket` and will be flagged by this policy unless it, too, has a `logging` block; either send its logs to another bucket or suppress the finding explicitly (for Checkov, a `#checkov:skip=CKV_ALI_12:<reason>` comment on the resource).
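The following is an added example, not code from the original page or from Checkov, showing the kind of check this policy performs, written over Terraform's JSON configuration syntax (`.tf.json`) so it runs with only the standard library. It walks every `alicloud_oss_bucket` resource and reports those with no `logging` block; it additionally treats an empty `target_bucket` as non-compliant, which is a stricter assumption of this example rather than documented policy behaviour. The sample configuration is constructed for the example.

```python
import json

# Constructed sample in Terraform JSON syntax (.tf.json): four OSS buckets.
# "data_ok" is compliant; "logs" (the log bucket itself), "data_missing" and
# "data_empty" should each be reported.
SAMPLE_TF_JSON = json.dumps({
    "resource": {
        "alicloud_oss_bucket": {
            "logs": {"bucket": "my-log-bucket", "acl": "private"},
            "data_ok": {
                "bucket": "my-data-bucket",
                "logging": {
                    "target_bucket": "${alicloud_oss_bucket.logs.id}",
                    "target_prefix": "log/",
                },
            },
            "data_missing": {"bucket": "unlogged-bucket", "acl": "private"},
            "data_empty": {
                "bucket": "empty-target",
                "logging": {"target_bucket": "", "target_prefix": "log/"},
            },
        }
    }
})


def find_unlogged_oss_buckets(tf_json_text):
    """Return (resource_name, reason) for every alicloud_oss_bucket that does not
    have a usable logging block. Mirrors the intent of the policy above; the
    empty-target_bucket rule is an extra assumption of this example."""
    cfg = json.loads(tf_json_text)
    buckets = cfg.get("resource", {}).get("alicloud_oss_bucket", {})
    findings = []
    for name, body in buckets.items():
        log_block = body.get("logging")
        # JSON syntax may express a nested block as a list of objects.
        if isinstance(log_block, list):
            log_block = log_block[0] if log_block else None
        if not log_block:
            findings.append((name, "no logging block"))
            continue
        target = str(log_block.get("target_bucket", "")).strip()
        if not target:
            findings.append((name, "logging block has empty target_bucket"))
    return findings


if __name__ == "__main__":
    for resource_name, reason in find_unlogged_oss_buckets(SAMPLE_TF_JSON):
        print(f"alicloud_oss_bucket.{resource_name}: {reason}")
```

Running it against the sample reports `logs`, `data_missing` and `data_empty`; the log bucket showing up is expected and is the case to either route elsewhere or suppress, as noted above.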
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0012 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_ALI_12 |