- Ensure the OSS bucket used to store ActionTrail logs is not publicly accessible
Identify any publicly accessible ActionTrail trail log buckets in order to determine if your Alibaba Cloud account could be at risk. A publicly accessible trail bucket is a bucket where all users, including anonymous users, can read the objects within the bucket and, with a public-read-write ACL, also write to it.
Using an overly permissive or insecure set of permissions for your ActionTrail trail buckets exposes your audit logs to anyone on the Internet. Readable trail logs reveal which identities, services and API calls are in use in your account, which helps an attacker plan further unauthorized access; a writable trail bucket additionally lets an attacker delete or tamper with the evidence of their own activity.
Audit
To determine if your ActionTrail trail buckets are publicly accessible, perform the following operations:
Using Alibaba Cloud Console
01 Sign in to your Alibaba Cloud account.
02 Navigate to ActionTrail console at https://actiontrail.console.aliyun.com.
03 In the left navigation panel, under ActionTrail, choose Trails.
04 Click on the name (link) of the ActionTrail trail that you want to examine, listed in the Trail Name column.
05 Select the Event Delivery tab and check the OSS attribute value to determine if your trail is configured to deliver events to an OSS bucket. If the OSS attribute is not available, there is no OSS bucket associated with the selected trail. If the OSS attribute value is set to Configured, you can continue the Audit process with the next step.
06 Click on the name (link) of the associated bucket, listed as the value of the OSS Bucket attribute.
07 On the selected OSS bucket page, choose Permission Control from the resource navigation panel, and perform the following actions:
- To verify the Access Control List (ACL) configured for your bucket, select the ACL tab, and check the Bucket ACL configuration setting to determine the level of access configured for the OSS bucket. If Bucket ACL is not set to Private (i.e. it is set to Public Read or Public Read/Write), the OSS bucket associated with the selected ActionTrail trail is considered publicly accessible.
- To verify the authorization policy defined for your OSS bucket, select the Bucket Policy tab, choose Add by Syntax, and check the policy document to determine who is authorized to access the OSS bucket. If the "Effect" element value is set to "Allow" and the "Principal" element value is set to ["*"] without any "Condition" elements, the bucket associated with the selected ActionTrail trail is publicly accessible.
08 Repeat steps no. 4 – 7 for each ActionTrail trail available in your Alibaba Cloud account.
Using Alibaba Cloud CLI and ossutil
01 Run DescribeTrails command (macOS/Linux/Windows) to describe the configuration details of each ActionTrail trail available in your Alibaba Cloud account:
aliyun actiontrail DescribeTrails
02 The command output should return the configuration information available for each deployed trail (including the name of the associated OSS bucket, i.e. "OssBucketName" attribute value). If the "OssBucketName" value is an empty string, i.e. "", there is no OSS bucket associated with the selected trail. If the "OssBucketName" value is not an empty string, as shown in the output example below, you can continue the Audit process with the next step:
{
  "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
  "TrailList": [
    {
      "CreateTime": "2024-02-02T10:02:11Z",
      "EventRW": "All",
      "HomeRegion": "us-west-1",
      "IsOrganizationTrail": false,
      "IsShadowTrail": 0,
      "MaxComputeProjectArn": "",
      "MaxComputeWriteRoleArn": "",
      "Name": "tm-project-main-trail",
      "OssBucketLocation": "oss-us-west-1",
      "OssBucketName": "tm-project-trail-bucket",
      "OssKeyPrefix": "",
      "OssWriteRoleArn": "",
      "Region": "us-west-1",
      "StartLoggingTime": "2024-02-02T10:02:12Z",
      "Status": "Enable",
      "TrailRegion": "us-west-1",
      "UpdateTime": "2024-02-02T10:02:24Z"
    },
    {
      "CreateTime": "2024-02-02T09:45:44Z",
      "EventRW": "All",
      "HomeRegion": "eu-west-1",
      "IsOrganizationTrail": false,
      "IsShadowTrail": 0,
      "MaxComputeProjectArn": "",
      "MaxComputeWriteRoleArn": "",
      "Name": "tm-project-cloud-trail",
      "OssBucketLocation": "oss-eu-west-1",
      "OssBucketName": "tm-project-trail-bucket",
      "OssKeyPrefix": "",
      "OssWriteRoleArn": "",
      "Region": "eu-west-1",
      "StartLoggingTime": "2024-02-02T09:45:45Z",
      "Status": "Enable",
      "TrailRegion": "eu-west-1",
      "UpdateTime": "2024-02-02T09:45:45Z"
    }
  ]
}
03 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).
04 Run stat command (macOS/Linux/Windows) to describe the configuration metadata available for the specified OSS bucket:
ossutil stat oss://tm-project-trail-bucket
05 The command output should return the requested configuration information (including the Access Control List (ACL) configured for the bucket):
Name                  : tm-project-trail-bucket
Location              : oss-eu-west-1
CreationDate          : 2024-02-02 11:45:38 +0200 EET
ExtranetEndpoint      : oss-eu-west-1.aliyuncs.com
IntranetEndpoint      : oss-eu-west-1-internal.aliyuncs.com
ACL                   : public-read-write
Owner                 : 1234567890123456
StorageClass          : Standard
RedundancyType        : LRS
TransferAcceleration  : Disabled
CrossRegionReplication: Disabled
AccessMonitor         : Disabled
Check the ACL attribute value to determine the level of access configured for the trail bucket. If ACL is not set to private, the OSS bucket associated with the selected ActionTrail trail is considered publicly accessible.
06 Run bucket-policy command (macOS/Linux/Windows) with --method set to get to describe the bucket policy configured for the specified OSS bucket:
ossutil bucket-policy --method get oss://tm-project-trail-bucket
07 The command output should return the bucket policy document (in JSON format):
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:*"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:1234567890123456:tm-project-trail-bucket",
        "acs:oss:*:1234567890123456:tm-project-trail-bucket/*"
      ]
    }
  ]
}
Check the policy document to determine who is authorized to access the specified OSS bucket. If the "Effect" element value is set to "Allow" and the "Principal" element value is set to ["*"] without any "Condition" elements, the bucket associated with the selected ActionTrail trail is publicly accessible.
08 Repeat steps no. 1 - 7 for each ActionTrail trail available in your Alibaba Cloud account.
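The CLI procedure above can be scripted so the same decision is applied to every trail. The following Python script is an added example, not code from the original page or from Alibaba Cloud: it parses the output of the DescribeTrails, stat and bucket-policy commands used in steps 1, 4 and 6 and applies the two rules from steps 5 and 7 (ACL not private, or an Allow statement for Principal "*" without a Condition). The audit_live() function assumes aliyun and ossutil are installed and configured on PATH; the sample output embedded at the bottom is constructed to mirror the example output shown above, with one extra constructed trail that has no OSS delivery, so the evaluation logic runs offline.

```python
"""Evaluate ActionTrail trail buckets for public access (added example)."""
from __future__ import annotations

import json
import re
import subprocess
from typing import Any, Callable, Optional


def trail_buckets(describe_trails_json: str) -> dict[str, str]:
    """Map trail name -> OSS bucket from `aliyun actiontrail DescribeTrails` output,
    skipping trails whose "OssBucketName" is empty (no OSS delivery configured)."""
    trails = json.loads(describe_trails_json).get("TrailList", [])
    return {t["Name"]: t["OssBucketName"] for t in trails if t.get("OssBucketName")}


def bucket_acl(stat_output: str) -> str:
    """Pull the ACL value out of the text printed by `ossutil stat oss://<bucket>`."""
    match = re.search(r"^\s*ACL\s*:\s*(\S+)", stat_output, re.MULTILINE)
    if match is None:
        raise ValueError("ossutil stat output has no ACL line")
    return match.group(1)


def principals_of(stmt: dict[str, Any]) -> list[str]:
    """Principal is a list in OSS policies; tolerate a bare string as well."""
    p = stmt.get("Principal", [])
    return [p] if isinstance(p, str) else list(p)


def public_statements(policy: Optional[dict[str, Any]]) -> list[dict[str, Any]]:
    """Statements granting anyone access: Effect Allow, Principal "*", no Condition.
    A wildcard under a Condition is not flagged (the rule from step 7), but the
    Condition itself still deserves review, e.g. a source IP range of 0.0.0.0/0."""
    if not policy:
        return []
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "*" in principals_of(s) and not s.get("Condition")]


def public_access_reasons(acl: str, policy: Optional[dict[str, Any]]) -> list[str]:
    """Why a bucket counts as publicly accessible; an empty list means it passes."""
    reasons = []
    if acl != "private":
        reasons.append(f"bucket ACL is '{acl}', not 'private'")
    for s in public_statements(policy):
        reasons.append(f"bucket policy allows Principal '*' on {s.get('Action')} without a Condition")
    return reasons


def audit(describe_trails_json: str,
          stat_for: Callable[[str], str],
          policy_for: Callable[[str], Optional[dict[str, Any]]]) -> dict[str, list[str]]:
    """Evaluate every trail that delivers to OSS. The fetchers are injected so the
    same logic runs on captured output (audit_sample) or live commands (audit_live)."""
    return {trail: public_access_reasons(bucket_acl(stat_for(bucket)), policy_for(bucket))
            for trail, bucket in trail_buckets(describe_trails_json).items()}


def _run(cmd: list[str]) -> subprocess.CompletedProcess[str]:
    return subprocess.run(cmd, capture_output=True, text=True)


def audit_live() -> dict[str, list[str]]:
    """Run the real commands from steps 1, 4 and 6 and evaluate the results."""
    def stat_for(bucket: str) -> str:
        return _run(["ossutil", "stat", f"oss://{bucket}"]).stdout

    def policy_for(bucket: str) -> Optional[dict[str, Any]]:
        proc = _run(["ossutil", "bucket-policy", "--method", "get", f"oss://{bucket}"])
        # Assumption: a non-zero exit means no policy is attached. stderr is printed
        # so a credentials or network error is not silently treated as "no policy".
        if proc.returncode != 0:
            print(f"{bucket}: no bucket policy ({proc.stderr.strip()})")
            return None
        return json.loads(proc.stdout)

    trails = _run(["aliyun", "actiontrail", "DescribeTrails"])
    trails.check_returncode()
    return audit(trails.stdout, stat_for, policy_for)


# Constructed sample output, trimmed to the fields the checks use. The first two trails,
# the bucket and the policy mirror the output shown above; the third trail is constructed
# with no OSS delivery to show that it is skipped.
SAMPLE_TRAILS = json.dumps({"TrailList": [
    {"Name": "tm-project-main-trail", "OssBucketName": "tm-project-trail-bucket"},
    {"Name": "tm-project-cloud-trail", "OssBucketName": "tm-project-trail-bucket"},
    {"Name": "tm-project-mc-trail", "OssBucketName": ""},
]})
SAMPLE_STAT = "Name    : tm-project-trail-bucket\nLocation: oss-eu-west-1\nACL     : public-read-write\n"
SAMPLE_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["oss:*"], "Principal": ["*"],
    "Resource": ["acs:oss:*:1234567890123456:tm-project-trail-bucket",
                 "acs:oss:*:1234567890123456:tm-project-trail-bucket/*"]}]}


def audit_sample() -> dict[str, list[str]]:
    return audit(SAMPLE_TRAILS, lambda _bucket: SAMPLE_STAT, lambda _bucket: SAMPLE_POLICY)


if __name__ == "__main__":
    for trail, reasons in audit_sample().items():
        print(trail, "PUBLIC" if reasons else "private", reasons)
```

Run it as-is to see the verdict for the sample data, or call audit_live() to evaluate the trails in the configured account. Both sample trails point at the same bucket, so both are reported with the same two findings; a bucket with a private ACL and no wildcard Allow statement yields an empty list.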
Remediation / Resolution
To disable public access to the OSS buckets associated with your ActionTrail trails, perform the following operations:
Using Alibaba Cloud Console
01 Sign in to your Alibaba Cloud account.
02 Navigate to Object Storage Service (OSS) console at https://oss.console.aliyun.com/overview.
03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.
04 Click on the name (link) of the OSS bucket associated with your ActionTrail trail, listed in the Bucket Name column.
05 On the selected OSS bucket page, choose Permission Control from the resource navigation panel, and perform the following actions:
- To deny public/anonymous access to your bucket using Access Control Lists (ACLs), select the ACL tab, choose Settings, set the Bucket ACL to Private, and choose Save to apply the changes. Once the ACL settings are applied, only the bucket owner or authorized users can perform read and write operations on the objects stored within the selected bucket.
- To restrict public/anonymous access to your bucket using authorization policies, select the Bucket Policy tab, choose Add by Syntax, select Edit, and replace the "Principal" element value "*" with the UID (e.g. "123412341234123412") of the trusted RAM identity or the ID (e.g. "1234567890123456") of the trusted account that can access the selected bucket, such as the bucket owner account. Leave any other statements that the bucket relies on unchanged. Choose Save to apply the permission changes. Select OK for confirmation. After the change, confirm that new log objects still appear in the bucket, so that the tightened policy has not interrupted trail delivery.
06 Repeat steps no. 4 and 5 for each ActionTrail trail available in your Alibaba Cloud account.
Using ossutil
01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).
02 Run set-acl command (macOS/Linux/Windows) to set the Access Control List (ACL) to private for the specified OSS bucket. Once the ACL settings are saved, only the bucket owner or authorized users can perform read and write operations on the objects stored within the bucket:
ossutil set-acl oss://tm-project-trail-bucket private -b
03 Modify the existing bucket policy or create a new policy document to restrict public/anonymous access to your bucket. Replace the "Principal" element value "*" with the UID (e.g. "123412341234123412") of the trusted RAM identity or the ID (e.g. "1234567890123456") of the trusted account that can access the selected OSS bucket, such as the bucket owner account. Save the policy document to a JSON file named bucket-policy.json. Because existing bucket policies are overwritten by the ossutil commands, make sure that you include all the existing policy statements in the bucket-policy.json file:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:*"
      ],
      "Principal": [
        "1234567890123456"
      ],
      "Resource": [
        "acs:oss:*:1234567890123456:tm-project-trail-bucket",
        "acs:oss:*:1234567890123456:tm-project-trail-bucket/*"
      ]
    }
  ]
}
04 Run bucket-policy command (macOS/Linux/Windows) with --method set to put to set the bucket policy. When you add or modify bucket policies, ossutil reads bucket policies from the local JSON file (e.g. bucket-policy.json) and adds the policies to your bucket:
ossutil bucket-policy --method put oss://tm-project-trail-bucket bucket-policy.json
05 Repeat steps no. 2 – 4 for each ActionTrail trail available in your Alibaba Cloud account.
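Because the put command in step 4 replaces the whole bucket policy, the safest way to carry out step 3 is to start from the policy the bucket currently has and change only the wildcard principals. The following Python script is an added example, not code from the original page or from Alibaba Cloud: restrict_wildcard_principals() rewrites every Allow statement that names Principal "*" to the trusted IDs and copies everything else (including Deny statements) unchanged, and remediate() wires that into the get and put commands from steps 3 and 4. It assumes ossutil is installed and configured on PATH; the trusted ID is the placeholder account ID used on this page, and the embedded sample policy is constructed (the public policy from the Audit section plus a Deny statement that must survive the rewrite).

```python
"""Scope wildcard principals in an OSS bucket policy to trusted IDs (added example)."""
from __future__ import annotations

import json
import subprocess
from typing import Any

TRUSTED_PRINCIPALS = ["1234567890123456"]  # placeholder: bucket owner account ID


def _principals(stmt: dict[str, Any]) -> list[str]:
    """Principal is a list in OSS policies; tolerate a bare string as well."""
    p = stmt.get("Principal", [])
    return [p] if isinstance(p, str) else list(p)


def restrict_wildcard_principals(policy: dict[str, Any], trusted: list[str]) -> dict[str, Any]:
    """Return a new policy in which every Allow statement naming Principal "*" is
    limited to the trusted IDs. Deny statements and statements that already name
    specific principals are copied unchanged, so nothing the bucket relies on is
    dropped when the file is pushed with --method put (which replaces the policy)."""
    fixed = json.loads(json.dumps(policy))  # deep copy; the caller's object is untouched
    for stmt in fixed.get("Statement", []):
        principals = _principals(stmt)
        if stmt.get("Effect") == "Allow" and "*" in principals:
            kept = [p for p in principals if p != "*"]
            stmt["Principal"] = kept + [t for t in trusted if t not in kept]
    return fixed


def wildcard_allow_count(policy: dict[str, Any]) -> int:
    """Number of Allow statements that still grant access to everyone."""
    return sum(1 for s in policy.get("Statement", [])
               if s.get("Effect") == "Allow" and "*" in _principals(s))


def remediate(bucket: str, trusted: list[str], policy_file: str = "bucket-policy.json") -> dict[str, Any]:
    """Fetch the live policy, rewrite it, write bucket-policy.json and push it back
    with the put command from step 4. The re-check before the put is defensive."""
    out = subprocess.run(["ossutil", "bucket-policy", "--method", "get", f"oss://{bucket}"],
                         check=True, capture_output=True, text=True).stdout
    fixed = restrict_wildcard_principals(json.loads(out), trusted)
    if wildcard_allow_count(fixed):
        raise RuntimeError("policy still contains an Allow for Principal '*'")
    with open(policy_file, "w", encoding="utf-8") as fh:
        json.dump(fixed, fh, indent=2)
    subprocess.run(["ossutil", "bucket-policy", "--method", "put", f"oss://{bucket}", policy_file],
                   check=True)
    return fixed


# Constructed sample: the public policy shown in the Audit section plus a Deny that
# must survive the rewrite untouched.
SAMPLE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:*"], "Principal": ["*"],
     "Resource": ["acs:oss:*:1234567890123456:tm-project-trail-bucket",
                  "acs:oss:*:1234567890123456:tm-project-trail-bucket/*"]},
    {"Effect": "Deny", "Action": ["oss:DeleteObject"], "Principal": ["*"],
     "Resource": ["acs:oss:*:1234567890123456:tm-project-trail-bucket/*"]},
]}


if __name__ == "__main__":
    print(json.dumps(restrict_wildcard_principals(SAMPLE_POLICY, TRUSTED_PRINCIPALS), indent=2))
```

Running the script prints the rewritten sample policy; calling remediate("tm-project-trail-bucket", TRUSTED_PRINCIPALS) performs the change on the live bucket. Note that the rewrite only narrows Allow statements: a Deny for Principal "*" is a restriction, not an exposure, and is intentionally kept.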
References
- Alibaba Cloud Documentation
- Single-account trail overview
- Overview
- Authentication
- Bucket ACLs
- Authorize other users to access OSS by using bucket policies
- Alibaba Cloud CLI Documentation
- DescribeTrails
- ossutil Documentation
- stat
- set-acl
- bucket-policy