Logo of Trend Micro

Object URL Signature Validity Period

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Very High (act immediately)

URL signatures are secure mechanisms for granting temporary access to OSS objects. By adding a unique digital signature to a URL, you control who can access the object and for how long, even if you share the link with a third party. To follow security best practices, ensure that the shared URL signatures configured for your OSS objects expires within an hour.

Security

To enhance security by limiting the window of potential misuse, shared URL signatures configured for OSS objects should expire within an hour. Shorter expiration times mitigate the risk of unauthorized access and reduce the exposure of sensitive data, ensuring tighter control over object access.

Audit

To determine if the object's shared URL signature is set to expire within 3600 seconds (1 hour), perform the following operations:

Getting the shared URL signature validity period via Alibaba Cloud ossutil is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to examine.

05 In the bucket navigation panel, under Object Management, choose Objects.

06 Choose the OSS object that you want to examine and select View Details.

07 Check the Validity Period (Seconds) configuration attribute value to determine the validity period configured for the object URL. If Validity Period (Seconds) is set to a value less than 3600 (seconds), the validity period configured for the object's shared URL signature is not compliant, as the URL does not expire within an hour.

08 Repeat steps no. 6 and 7 for each OSS object that you want to examine, stored within the selected OSS bucket.

09 Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Remediation / Resolution

To ensure that the shared URL signature configured for your OSS objects is set to expire within 3600 seconds (1 hour), perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to access.

05 In the bucket navigation panel, under Object Management, choose Objects.

06 Choose the OSS object that you want to configure and select View Details.

07 On the View Details panel, set the Validity Period (Seconds) configuration attribute to a value less than 3600 (seconds). Choose x to apply the changes and close the configuration panel.

08 Repeat steps no. 6 and 7 for each OSS object that you want to configure, stored within the selected OSS bucket.

09 Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

02 Run ls command (macOS/Linux/Windows) to list the OSS buckets available in your Alibaba Cloud account: 

ossutil ls -s

03 The command output should return the name of each object available in the selected bucket: 

oss://tm-project-data-bucket
oss://tm-trail-logs-bucket
oss://tm-web-app-utils
oss://tm-audit-logs-repo
Bucket Number is: 4

0.235205(s) elapsed

04 Run ls command (macOS/Linux/Windows) to list all the objects stored within the specified OSS bucket: 

ossutil ls oss://tm-project-data-bucket

05 The command output should return the name of each object available in the selected bucket: 

oss://tm-project-data-bucket/tm-project-files.zip
oss://tm-project-data-bucket/tm-project-config.yaml
oss://tm-project-data-bucket/tm-project-access-logs.zip

06 Run sign command (macOS/Linux/Windows) to generate a new signed URL for the specified OSS object. Use the --timeout parameter to set the validity period, in seconds, for the object URL: 

ossutil sign oss://tm-project-data-bucket/tm-project-files.zip --timeout 600

07 If the operation is successful, the command output should return the signed URL, e.g.: 

http://tm-project-data-bucket.oss-eu-west-1.aliyuncs.com/tm-project-files.zip?Expires=1708527994&OSSAccessKeyId=ABCDABCDABCDABCDABCD&Signature=ABCD1234ABCD1234ABCD1234ABCD1234ABCD

0.000471(s) elapsed

08 Repeat steps no. 6 and 7 for each OSS object that you want to configure, available in the selected OSS bucket.

09 Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

References

Publication date Apr 25, 2024

Related AlibabaCloud-OSS rules