Enable Secure Transfer for OSS Buckets

Risk Level: Medium (should be achieved)

Rule ID: AlibabaCloud-OSS-001

Ensure that your Object Storage Service (OSS) buckets enforce encryption of data over the network, as it travels to and from OSS, using Secure Sockets Layer (SSL).

Security

When OSS buckets are not configured to strictly require SSL connections, the communication between the buckets and their clients (users and applications) is vulnerable to eavesdropping and Man-in-the-Middle (MITM) attacks. Trend Vision One™ strongly recommends enforcing SSL-only access by denying all regular, unencrypted HTTP requests to your OSS buckets when dealing with business-critical, sensitive, or private data.

Audit

To determine if your OSS buckets are protecting data in transit using SSL, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to examine, listed in the Bucket Name column.

05 On the selected OSS bucket page, choose Permission Control from the resource navigation panel, to access the permission control settings available for the OSS bucket.

06 Select the Bucket Policy tab, choose Add by Syntax, and check the policy document for the SecureTransport condition, i.e. "Condition": {"Bool": {"acs:SecureTransport": ["true/false"]}}. If the policy document does not contain one of the following combination of elements: "Condition": {"Bool": {"acs:SecureTransport": ["true"]}} with the "Effect" element value set to "Allow", or "Condition": {"Bool": {"acs:SecureTransport": ["false"]}} with the "Effect" set to "Deny", the selected OSS bucket is not configured to enforce encryption in transit.

07 Repeat steps no. 4 - 6 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

02 Run bucket-policy command (macOS/Linux/Windows) with --method set to get to describe the bucket policy configured for the specified OSS bucket:

ossutil bucket-policy --method get oss://tm-project-data-bucket

03 The command output should return the bucket policy document (in JSON format):

{
	"Version": "1",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"oss:*"
			],
			"Principal": [
				"1234567890123456"
			],
			"Resource": [
				"acs:oss:*:1234567890123456:tm-project-logs-bucket",
				"acs:oss:*:1234567890123456:tm-project-logs-bucket/*"
			]
		}
	]
}

Check the policy document for the SecureTransport condition, i.e. "Condition": {"Bool": {"acs:SecureTransport": ["true/false"]}}. If the policy document does not contain one of the following combination of elements: "Condition": {"Bool": {"acs:SecureTransport": ["true"]}} with the "Effect" element value set to "Allow", or "Condition": {"Bool": {"acs:SecureTransport": ["false"]}} with the "Effect" set to "Deny", the selected OSS bucket is not configured to enforce encryption in transit.

04 Repeat steps no. 2 and 3 for each OSS bucket available within your Alibaba Cloud account.

Remediation / Resolution

To enable in-transit encryption for your Object Storage Service (OSS) buckets using bucket policies, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to configure, listed in the Bucket Name column.

05 On the selected OSS bucket page, choose Permission Control from the resource navigation panel, to access the permission control settings available for the selected bucket.

06 Select the Bucket Policy tab, choose Add by Syntax, select Edit, and modify the existing policy document or create a new policy statement to implement the SecureTransport condition, i.e.

{
	"Version": "1",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"oss:*"
		],
		"Principal": [
			"123412341234123412"
		],
		"Resource": [
			"acs:oss:*:1234567890123456:tm-project-logs-bucket",
			"acs:oss:*:1234567890123456:tm-project-logs-bucket/*"
		],
		"Condition": {
			"Bool": {
				"acs:SecureTransport": [
					"true"
				]
			}
		}
	}]
}

07 Repeat steps no. 4 - 6 for each OSS bucket available in your Alibaba Cloud account.

Using ossutil

01 Modify the existing bucket policy or create a new policy document to implement the SecureTransport condition, i.e. "Condition": {"Bool": {"acs:SecureTransport": ["true"]}}, as shown in the example below. Save the policy document to a JSON file named bucket-policy.json. Because existing bucket policies are overwritten by the ossutil commands, make sure that you include all the existing policy statements in the bucket-policy.json file:

{
	"Version": "1",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"oss:*"
		],
		"Principal": [
			"123412341234123412"
		],
		"Resource": [
			"acs:oss:*:1234567890123456:tm-project-logs-bucket",
			"acs:oss:*:1234567890123456:tm-project-logs-bucket/*"
		],
		"Condition": {
			"Bool": {
				"acs:SecureTransport": [
					"true"
				]
			}
		}
	}]
}

02 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

03 Run bucket-policy command (macOS/Linux/Windows) with --method set to put to set the bucket policy. When you add or modify bucket policies, ossutil reads bucket policies from the local JSON file (e.g. bucket-policy.json) and adds the policies to your bucket:

ossutil bucket-policy --method put oss://tm-project-data-bucket bucket-policy.json

04 Repeat steps no. 1 - 3 for each OSS bucket available in your Alibaba Cloud account.

References

Alibaba Cloud Documentation
Buckets Overview
Access and Control Overview
Authorize other users to access OSS by using bucket policies

ossutil Documentation
bucket-policy

Publication date Feb 22, 2024

Audit

Using Alibaba Cloud Console

Using ossutil

Remediation / Resolution

Using Alibaba Cloud Console

Using ossutil

References

Related AlibabaCloud-OSS rules