Enable Access Logging for OSS Buckets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-OSS-002

Ensure that the OSS Bucket Access Logging feature is enabled for your Object Storage Service (OSS) buckets in order to track access requests useful for security and access audits. By default, access logging for OSS buckets is disabled.

Security

OSS Bucket Access Logging provides detailed records for the requests that are made to your OSS buckets. The log data includes the request type, the resources that are specified in the request, and the time and date that the request was processed. Once enabled, the feature can provide useful data for security and compliance audits, and can help you learn about your user base and understand your Alibaba Cloud bill for OSS.


Audit

To determine if access logging is enabled for your OSS buckets, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to examine, listed in the Bucket Name column.

05 On the selected OSS bucket page, choose Logging from the resource navigation panel, to access the logging configuration settings available for the OSS bucket.

06 Select the Logging tab and check the Logging configuration setting to determine the OSS Bucket Access Logging feature status. If Logging is set to Disabled, the OSS Bucket Access Logging feature is not enabled for the selected OSS bucket.

07 Repeat steps no. 4 - 6 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

02 Run the logging command (macOS/Linux/Windows) with --method set to get to describe the access logging configuration of the specified OSS bucket:

ossutil logging --method get oss://tm-project-trail-bucket

03 The command output should return the requested configuration information (in XML format):

<?xml version="1.0" encoding="UTF-8"?>
<BucketLoggingStatus>
  <LoggingEnabled>
    <TargetBucket></TargetBucket>
    <TargetPrefix></TargetPrefix>
  </LoggingEnabled>
</BucketLoggingStatus>

Check the value of the <TargetBucket></TargetBucket> element to identify the name of the bucket that will store the access logs (i.e. the log target bucket). If the <TargetBucket></TargetBucket> element has no value, as shown in the example above, the Access Logging feature is not enabled for the selected OSS bucket.

04 Repeat steps no. 2 and 3 for each OSS bucket available within your Alibaba Cloud account.

Remediation / Resolution

To enable access logging for your Object Storage Service (OSS) buckets, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to configure, listed in the Bucket Name column.

05 On the selected OSS bucket page, choose Logging from the resource navigation panel, to access the logging configuration settings available for the OSS bucket.

06 Select the Logging tab and perform the following actions:

  1. Turn on the Logging setting to enable access logging for the selected OSS bucket.
  2. Select the name of the destination bucket from the Log Storage Bucket dropdown list. You can only select a log destination bucket that is located in the same region as your OSS bucket.
  3. For Log Prefix, specify the path to the directory that stores the access logs. If you omit this parameter, the log files are stored in the root directory of the destination bucket.
  4. Choose Save to apply the changes. Access logging immediately takes effect after you choose Save. The Object Storage Service (OSS) service starts to generate access logs within 24 hours after you enable logging.

07 Repeat steps no. 4 - 6 for each OSS bucket available in your Alibaba Cloud account.

Using ossutil

01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

02 Run the logging command (macOS/Linux/Windows) with --method set to put to enable access logging for the specified OSS bucket. Replace [target_bucket] and [prefix] with the name of the log target bucket (which must be in the same region) and the log prefix you want to use:

ossutil logging --method put oss://tm-project-data-bucket oss://[target_bucket]/[prefix]

03 Repeat step no. 2 for each OSS bucket available in your Alibaba Cloud account.
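The two ossutil procedures above (the per-bucket audit of the returned XML, and the put command used to remediate) can be combined into one script. The following is an added example, not part of the Conformity rule page or of ossutil; it assumes ossutil 1.x is installed and configured, and assumes that "ossutil ls" prints each bucket as an "oss://name" token.

```shell
# Added example (not from the Conformity page or Alibaba Cloud): audit every
# OSS bucket in the configured account for access logging by parsing the
# BucketLoggingStatus XML returned by "ossutil logging --method get", and
# optionally enable logging on the buckets that fail the check.
# Assumption: ossutil 1.x is installed/configured and "ossutil ls" lists
# buckets as "oss://name" tokens.

# Read BucketLoggingStatus XML from stdin and print the <TargetBucket> value
# (empty when logging is disabled, as in the sample output in the audit steps).
target_bucket() {
  tr -d '\n\t ' | sed -n 's/.*<TargetBucket>\([^<]*\)<\/TargetBucket>.*/\1/p'
}

# Exit 0 when the XML on stdin shows a log target bucket, 1 otherwise.
logging_enabled() {
  [ -n "$(target_bucket)" ]
}

# Enable logging on bucket $1, storing logs in bucket $2 under prefix $3.
# The target bucket must be in the same region as $1 (see the console steps).
enable_logging() {
  ossutil logging --method put "oss://$1" "oss://$2/$3"
}

# Walk all buckets and print PASS/FAIL per bucket. When a target bucket is
# given as $1 (optional prefix as $2), enable logging on every FAIL bucket
# except the target bucket itself.
audit_buckets() {
  fix_target=${1:-}; fix_prefix=${2:-logs/}
  ossutil ls | grep -o 'oss://[^ ]*' | sed 's#^oss://##' | while read -r b; do
    if ossutil logging --method get "oss://$b" | logging_enabled; then
      echo "PASS $b"
    elif [ -n "$fix_target" ] && [ "$b" != "$fix_target" ]; then
      enable_logging "$b" "$fix_target" "$fix_prefix" \
        && echo "FIXED $b -> $fix_target/$fix_prefix"
    else
      echo "FAIL $b (access logging disabled)"
    fi
  done
}

# Usage: sh audit_oss_logging.sh run [target_bucket] [prefix]
# The "run" guard lets the functions be sourced without starting the audit.
case "${1:-}" in
  run) shift; audit_buckets "$@" ;;
esac
```

Run it without a target bucket first to get a PASS/FAIL list; pass a log target bucket only once you have confirmed it is in the same region as the buckets being fixed.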

Publication date Feb 22, 2024