Use HTTPS for Object URL Signature

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Very High (act immediately)

URL signatures are secure mechanisms for granting temporary access to OSS objects. By adding a unique digital signature to a URL, you can control who can access your object and for how long. In Object Storage Service (OSS), a URL signature can be provided to a third party for authorized access. To follow security best practices, ensure that the URL signatures configured for your OSS objects are allowed only over the HTTPS protocol.

Security

Requiring object URL signatures to be used over HTTPS only ensures that the access key ID, expiry time and signature in the URL are transmitted encrypted, preventing interception and tampering by malicious entities. Restricting the URL signature to HTTPS helps prevent unauthorized access and data breaches, and maintains the integrity of the data being transferred, enhancing overall security measures.


Audit

To determine if your object URL signatures are configured to use HTTPS, perform the following operations:

Getting the URL signature protocol via Alibaba Cloud ossutil is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to examine.

05 In the bucket navigation panel, under Object Management, choose Objects.

06 Choose the OSS object that you want to examine and select View Details.

07 Check the status of the Use HTTPS setting to determine if the HTTPS protocol is enforced for the object URL signature. If the Use HTTPS setting is disabled, the object URL signature is not configured to use the HTTPS protocol only.

08 Repeat steps no. 6 and 7 for each OSS object that you want to examine, stored within the selected OSS bucket.

09 Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Remediation / Resolution

To ensure that the URL signatures configured for your OSS objects are allowed only over HTTPS, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to access.

05 In the bucket navigation panel, under Object Management, choose Objects.

06 Choose the OSS object that you want to configure and select View Details.

07 On the View Details panel, enable the Use HTTPS configuration setting to enforce HTTPS for the object URL signature. Choose x to close the View Details panel.

08 Repeat steps no. 6 and 7 for each OSS object that you want to configure, stored within the selected OSS bucket.

09 Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

02 Run the ls command (macOS/Linux/Windows) to list the OSS buckets available in your Alibaba Cloud account:

ossutil ls -s

03 The command output should return the name of each OSS bucket available in your account:

oss://tm-project-data-bucket
oss://tm-trail-logs-bucket
oss://tm-web-app-utils
oss://tm-audit-logs-repo
Bucket Number is: 4

0.235205(s) elapsed

04 Run the ls command (macOS/Linux/Windows) to list all the objects stored within the specified OSS bucket:

ossutil ls oss://tm-project-data-bucket

05 The command output should return the name of each object available in the selected bucket:

oss://tm-project-data-bucket/tm-project-files.zip
oss://tm-project-data-bucket/tm-project-config.yaml
oss://tm-project-data-bucket/tm-project-access-logs.zip

06 Run the sign command (macOS/Linux/Windows) to generate a new signed URL for the specified OSS object:

ossutil sign oss://tm-project-data-bucket/tm-project-files.zip

07 If the operation is successful, the command output should return the signed URL with HTTPS, e.g.:

https://tm-project-data-bucket.oss-eu-west-1.aliyuncs.com/tm-project-files.zip?Expires=1708527994&OSSAccessKeyId=ABCDABCDABCDABCDABCD&Signature=ABCD1234ABCD1234ABCD1234ABCD1234ABCD

0.000471(s) elapsed

08 Repeat steps no. 6 and 7 for each OSS object that you want to configure, available in the selected OSS bucket.

09 Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Publication date Apr 25, 2024