Limit Network Access to Selected Networks

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-OSS-003

Ensure that your Object Storage Service (OSS) buckets are configured to allow access only to selected, trusted networks (i.e. authorized IP addresses/IP address ranges) in order to protect against unapproved access. Before running this Trend Vision One™ - Cloud Posture rule, you must define the list of public IPv4 addresses and/or IPv4 address ranges that are permitted to access your OSS buckets in the rule settings on your Trend Vision One™ account.

Security

Allowing public and unauthorized access to your Object Storage Service (OSS) buckets can lead to unapproved actions such as viewing, uploading, modifying, or deleting OSS objects. Whether your goal is to prevent OSS data exposure, data loss, or unexpected charges on your Alibaba Cloud bill, or simply to have a central place to manage bucket access using bucket policies, make sure that your OSS buckets are accessible to selected networks only.

Audit

To determine if the access to your OSS buckets is limited to selected networks via bucket policies, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Trend Vision One™ account, open the Limit Network Access to Selected Networks Trend Vision One™ - Cloud Posture rule settings, and identify the list of trusted public IPv4 addresses/ranges authorized to access your OSS buckets.

02 Sign in to your Alibaba Cloud account.

03 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

04 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

05 Click on the name (link) of the OSS bucket that you want to examine, listed in the Bucket Name column.

06 Because OSS ignores existing ACLs and bucket policies that grant public access while Block Public Access is enabled, verify the status of the Block Public Access feature first. To determine if Block Public Access is enabled, perform the following actions:

  1. In the resource navigation panel, under Permission Control, choose Block Public Access.
  2. Select the Block Public Access tab and check the Block Public Access setting status. If Block Public Access is set to Enabled, the feature is active: existing public access permissions are ignored and the Trend Vision One™ - Cloud Posture rule will return a No Check.

07 In the resource navigation panel, under Permission Control, choose Bucket Policy to access the bucket access policy.

08 Select the Bucket Policy tab, choose Add by Syntax, and check the policy document for the SourceIp condition, i.e. "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}}, where "xxx.xxx.xxx.xxx/xx" is the IP address/IP address range authorized for access. If the policy document does not contain this condition in a statement whose "Effect" element is set to "Allow", access to the selected OSS bucket is not limited to selected networks only. If the policy document does contain the condition, compare its IP address/IP range with the IP list identified at step no. 1. If the bucket's IP address/IP range is not authorized in the Trend Vision One™ - Cloud Posture rule settings, access to the selected OSS bucket is not limited to specific (trusted) networks only.

09 Repeat steps no. 5 - 8 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

Note: Getting the Block Public Access feature status using ossutil is not currently supported.

01 Sign in to your Trend Vision One™ account, open the Limit Network Access to Selected Networks Trend Vision One™ - Cloud Posture rule settings, and identify the list of trusted public IPv4 addresses/ranges authorized to access your OSS buckets.

02 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

03 Run the bucket-policy command (macOS/Linux/Windows) with --method set to get to describe the bucket policy configured for the specified OSS bucket:

ossutil bucket-policy --method get oss://tm-project-data-bucket

04 The command output should return the bucket policy document (in JSON format):

{
	"Version": "1",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"oss:*"
			],
			"Principal": [
				"1234567890123456"
			],
			"Resource": [
				"acs:oss:*:1234567890123456:tm-project-logs-bucket",
				"acs:oss:*:1234567890123456:tm-project-logs-bucket/*"
			]
		}
	]
}

Check the policy document for the SourceIp condition, i.e. "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}}, where "xxx.xxx.xxx.xxx/xx" is the IP address/IP address range authorized for access. If the policy document does not contain this condition in a statement whose "Effect" element is set to "Allow", access to the selected OSS bucket is not limited to trusted networks only. If the policy document does contain the condition, compare its IP address/IP range with the IP list identified at step no. 1. If the bucket's IP address/IP range is not authorized in the Trend Vision One™ - Cloud Posture rule settings, access to the selected OSS bucket is not limited to specific (trusted) networks only.

05 Repeat steps no. 3 and 4 for each OSS bucket available within your Alibaba Cloud account.
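The check described in console step 08 and ossutil step 04 above can be automated against the JSON that "ossutil bucket-policy --method get" returns. The following script is an added example and is not part of the Cloud Posture rule or of ossutil; the trusted networks, account ID, bucket name and sample policies are constructed placeholders. It goes slightly beyond the text in one respect: any "Allow" statement without an acs:SourceIp condition is reported as unrestricted, because such a statement grants access regardless of the caller's source address even if another statement in the same document is IP-restricted.

```python
import ipaddress
import json

# Trusted public networks, as they would be configured in the Cloud Posture rule
# settings. Constructed placeholder ranges (RFC 5737 documentation space).
TRUSTED_NETWORKS = ["203.0.113.0/24", "198.51.100.10/32"]

# Constructed sample policies shaped like the ossutil output shown above.
# The account ID and bucket name are placeholders, not real values.
POLICY_NO_CONDITION = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:*"],
        "Principal": ["1234567890123456"],
        "Resource": ["acs:oss:*:1234567890123456:example-bucket",
                     "acs:oss:*:1234567890123456:example-bucket/*"],
    }],
})

POLICY_TRUSTED = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:*"],
        "Principal": ["1234567890123456"],
        "Resource": ["acs:oss:*:1234567890123456:example-bucket/*"],
        # A bare address is accepted too; it is treated as a /32.
        "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/25", "198.51.100.10"]}},
    }],
})

POLICY_UNTRUSTED = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject"],
        "Principal": ["1234567890123456"],
        "Resource": ["acs:oss:*:1234567890123456:example-bucket/*"],
        "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24", "192.0.2.0/24"]}},
    }],
})


def _as_list(value):
    """acs:SourceIp may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _covered(cidr, trusted_nets):
    """True if the whole of `cidr` lies inside one of the trusted networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted_nets)


def evaluate_policy(policy_json, trusted):
    """Classify a bucket policy document against the trusted network list.

    Returns (verdict, findings) where verdict is one of:
      'unrestricted' - some Allow statement has no acs:SourceIp condition
      'untrusted'    - every Allow statement is IP-restricted, but at least one
                       range is not contained in a trusted network
      'restricted'   - every Allow statement restricts access to trusted ranges
    """
    policy = json.loads(policy_json)
    trusted_nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    findings = []
    unrestricted = False
    for idx, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        ranges = _as_list(st.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp"))
        if not ranges:
            unrestricted = True
            findings.append(f"statement {idx}: Allow without acs:SourceIp condition")
            continue
        for cidr in ranges:
            if not _covered(cidr, trusted_nets):
                findings.append(f"statement {idx}: {cidr} is not within a trusted network")
    if unrestricted:
        return "unrestricted", findings
    if findings:
        return "untrusted", findings
    return "restricted", findings


if __name__ == "__main__":
    samples = [("no-condition", POLICY_NO_CONDITION),
               ("trusted", POLICY_TRUSTED),
               ("untrusted", POLICY_UNTRUSTED)]
    for name, doc in samples:
        verdict, findings = evaluate_policy(doc, TRUSTED_NETWORKS)
        print(f"{name}: {verdict} {findings}")
```

To run it against a live bucket, save the output of "ossutil bucket-policy --method get oss://<bucket>" to a file and pass its contents to evaluate_policy together with the IP list from the rule settings. Containment is checked with subnet_of, so a policy range that is wider than any trusted network (for example a /16 when only a /24 is authorized) is reported as untrusted rather than silently accepted.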

Remediation / Resolution

To ensure that OSS bucket access is limited to selected, trusted networks only via bucket policies, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to configure, listed in the Bucket Name column.

05 In the resource navigation panel, under Permission Control, choose Bucket Policy to access the bucket access policy.

06 Select the Bucket Policy tab, choose Add by Syntax, select Edit, and modify the existing policy document or create a new policy statement to implement the SourceIp condition, i.e. "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}}, as shown in the policy example below. To secure access, use only the IP addresses/IP ranges that are authorized in the Trend Vision One™ - Cloud Posture rule settings, in your Trend Vision One™ account:

{
	"Version": "1",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"oss:*"
		],
		"Principal": [
			"123412341234123412"
		],
		"Resource": [
			"acs:oss:*:1234567890123456:tm-project-logs-bucket",
			"acs:oss:*:1234567890123456:tm-project-logs-bucket/*"
		],
		"Condition": {
			"IpAddress": {
				"acs:SourceIp": [
					"10.15.1.0/24"
				]
			}
		}
	}]
}

07 Repeat steps no. 4 - 6 for each OSS bucket available in your Alibaba Cloud account.

Using ossutil

01 Modify the existing bucket policy or create a new policy document to implement the SourceIp condition, i.e. "Condition": {"IpAddress": {"acs:SourceIp": ["xxx.xxx.xxx.xxx/xx"]}}, as shown in the policy example below. Ensure access security by using only the IP addresses/IP ranges authorized in the Trend Vision One™ - Cloud Posture rule settings, in your Trend Vision One™ account. Save the policy document to a JSON file named bucket-policy.json. Because existing bucket policies are overwritten by the ossutil commands, ensure that you include all the existing policy statements in the bucket-policy.json file:

{
	"Version": "1",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"oss:*"
		],
		"Principal": [
			"123412341234123412"
		],
		"Resource": [
			"acs:oss:*:1234567890123456:tm-project-logs-bucket",
			"acs:oss:*:1234567890123456:tm-project-logs-bucket/*"
		],
		"Condition": {
			"IpAddress": {
				"acs:SourceIp": [
					"10.15.1.0/24"
				]
			}
		}
	}]
}

02 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

03 Run the bucket-policy command (macOS/Linux/Windows) with --method set to put to set the bucket policy. When you add or modify bucket policies, ossutil reads the policy from the local JSON file (e.g. bucket-policy.json) and applies it to your bucket, replacing the existing bucket policy:

ossutil bucket-policy --method put oss://tm-project-data-bucket bucket-policy.json

04 Repeat steps no. 1 - 3 for each OSS bucket available in your Alibaba Cloud account.
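Because the ossutil put command replaces the whole bucket policy (remediation step 01 above), a safe way to produce bucket-policy.json is to start from the current policy and add the SourceIp condition to each Allow statement, leaving every other statement and field untouched. The script below is an added example, not part of ossutil or of the Cloud Posture rule; the existing policy, account ID and bucket name are constructed placeholders, and the authorized ranges stand in for the list from the rule settings.

```python
import copy
import ipaddress
import json

# Constructed current bucket policy, as "ossutil bucket-policy --method get"
# might return it: one Allow statement without a SourceIp condition and one
# Deny statement that must survive the rewrite. Placeholder account ID/bucket.
EXISTING_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:PutObject"],
            "Principal": ["1234567890123456"],
            "Resource": ["acs:oss:*:1234567890123456:example-bucket/*"],
        },
        {
            "Effect": "Deny",
            "Action": ["oss:DeleteBucket"],
            "Principal": ["*"],
            "Resource": ["acs:oss:*:1234567890123456:example-bucket"],
        },
    ],
})


def restrict_to_networks(policy_json, authorized):
    """Return a new policy (as a dict) in which every Allow statement carries
    "Condition": {"IpAddress": {"acs:SourceIp": [...]}} set to exactly the
    authorized ranges. Deny statements, other condition keys and all other
    fields are preserved, so nothing is lost when the result is uploaded.
    """
    if not authorized:
        # An empty list would not express "trusted networks only"; refuse it.
        raise ValueError("authorized network list must not be empty")
    # Validate each entry and normalise bare addresses to /32 (or /128).
    ranges = [str(ipaddress.ip_network(r, strict=False)) for r in authorized]
    policy = copy.deepcopy(json.loads(policy_json))
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        ip_cond = st.setdefault("Condition", {}).setdefault("IpAddress", {})
        ip_cond["acs:SourceIp"] = ranges
    return policy


def render_policy(policy):
    """Serialise the policy in the indented form used for bucket-policy.json."""
    return json.dumps(policy, indent=2)


def count_allow_without_source_ip(policy):
    """Number of Allow statements still lacking an acs:SourceIp condition
    (0 after restrict_to_networks has run)."""
    return sum(
        1 for st in policy.get("Statement", [])
        if st.get("Effect") == "Allow"
        and not st.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp")
    )


if __name__ == "__main__":
    # Placeholder ranges (RFC 5737); use the list from the rule settings instead.
    hardened = restrict_to_networks(EXISTING_POLICY, ["203.0.113.0/24", "198.51.100.10"])
    with open("bucket-policy.json", "w") as fh:
        fh.write(render_policy(hardened))
    print(render_policy(hardened))
```

Running the script writes bucket-policy.json next to it; the file is then uploaded with "ossutil bucket-policy --method put oss://<bucket> bucket-policy.json" exactly as in step 03. Each ossutil get/restrict/put cycle is per bucket, matching step 04.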

Publication date Feb 23, 2024