Control: 2.2 Ensure the OSS used to store ActionTrail logs is not publicly accessible
ActionTrail logs a record of every API call made in your Alibaba Cloud account. These log files are stored in an OSS bucket. It is recommended that the access control list (ACL) of the OSS bucket that ActionTrail logs to prevent public access to the ActionTrail logs.
Perform the following to remove any public access that has been granted to the bucket via an ACL:
- Log on to the OSS Console.
- Right on the bucket and click
- In the Access Control List pane, click the
- Bucket ACL tab shows three kinds of grants. Like
- Private be set to the bucket.
- Save to save the ACL.
Run the control in your terminal:
steampipe check alicloud_compliance.control.cis_v100_2_2
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share alicloud_compliance.control.cis_v100_2_2
This control uses a named query: action_trail_oss_bucket_not_public
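The logic behind this control, as an added Python example (not the Steampipe query and not code from this page): each trail is joined to the ACL of the bucket it delivers to, and anything other than a confirmed private ACL is flagged. The field names `TrailList`, `Name` and `OssBucketName` are assumed to follow the ActionTrail DescribeTrails response, the function name is hypothetical, and all trail and bucket names are constructed sample data.

```python
import json

# OSS canned bucket ACLs; anything other than "private" grants anonymous access.
PUBLIC_ACLS = {"public-read", "public-read-write"}

# Constructed sample input. Field names are assumed to follow the ActionTrail
# DescribeTrails response; trail and bucket names are made up.
SAMPLE_TRAILS = json.loads("""
{"TrailList": [
  {"Name": "prod-trail",  "OssBucketName": "audit-logs-prod"},
  {"Name": "dev-trail",   "OssBucketName": "audit-logs-dev"},
  {"Name": "sls-only",    "OssBucketName": ""},
  {"Name": "xacct-trail", "OssBucketName": "audit-logs-other-account"}
]}
""")

# Constructed sample: bucket name -> ACL for every bucket whose ACL we could read.
SAMPLE_BUCKET_ACLS = {
    "audit-logs-prod": "private",
    "audit-logs-dev": "public-read",
    "website-assets": "public-read",  # public, but not an ActionTrail target
}

def evaluate_trail_buckets(trails, bucket_acls):
    """Return one finding per trail: (trail, bucket, status, reason)."""
    findings = []
    for trail in trails.get("TrailList", []):
        name, bucket = trail.get("Name"), trail.get("OssBucketName")
        if not bucket:
            findings.append((name, None, "skip", "trail does not deliver to OSS"))
            continue
        acl = bucket_acls.get(bucket)
        if acl is None:
            # ACL not readable (e.g. bucket owned by another account): fail closed.
            findings.append((name, bucket, "alarm", "bucket ACL could not be determined"))
        elif acl.lower() in PUBLIC_ACLS:
            findings.append((name, bucket, "alarm", f"bucket ACL is {acl}"))
        elif acl.lower() == "private":
            findings.append((name, bucket, "ok", "bucket ACL is private"))
        else:
            findings.append((name, bucket, "alarm", f"unrecognised ACL {acl!r}"))
    return findings

if __name__ == "__main__":
    for finding in evaluate_trail_buckets(SAMPLE_TRAILS, SAMPLE_BUCKET_ACLS):
        print(*finding, sep=" | ")
```

Only buckets referenced by a trail are evaluated, so a public bucket that holds no ActionTrail logs does not affect this control.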