turbot/alicloud
steampipe plugin install alicloud

Table: alicloud_oss_bucket - Query Alibaba Cloud Object Storage Service Buckets using SQL

Alibaba Cloud Object Storage Service (OSS) is a cost-effective, highly secure, and easy-to-use object storage service that enables you to store, back up, and archive large amounts of data in the cloud. OSS is designed to store and retrieve any type of data, at any time, from anywhere on the web. It provides massive, secure, durable, and highly available storage capacity.

Table Usage Guide

The alicloud_oss_bucket table provides insights into OSS buckets within Alibaba Cloud Object Storage Service. As a cloud architect or developer, explore bucket-specific details through this table, including the bucket's name, location, storage class, and creation time. Utilize it to manage and analyze your OSS buckets, such as identifying buckets that are using outdated storage classes or located in regions with higher costs.

Examples

List of buckets where versioning is not enabled

Identify buckets that do not have versioning enabled. This is useful for spotting areas of risk, since versioning provides a means of recovery after accidental deletion or alteration of data.

PostgreSQL:

select
  name,
  arn,
  region,
  account_id,
  versioning
from
  alicloud_oss_bucket
where
  versioning <> 'Enabled';

SQLite:

select
  name,
  arn,
  region,
  account_id,
  versioning
from
  alicloud_oss_bucket
where
  versioning <> 'Enabled';

List of buckets which do not have default encryption enabled

Identify buckets that lack default server-side encryption, a quick way to find potential weaknesses in how stored data is protected. This helps prioritize security enhancements and supports data protection compliance.

PostgreSQL:

select
  name,
  server_side_encryption
from
  alicloud_oss_bucket
where
  server_side_encryption ->> 'SSEAlgorithm' = '';

SQLite:

select
  name,
  server_side_encryption
from
  alicloud_oss_bucket
where
  json_extract(server_side_encryption, '$.SSEAlgorithm') = '';

List of buckets where public access to bucket is not blocked

Identify buckets whose ACL is not private (public-read or public-read-write), which could expose sensitive data. This is useful for finding and mitigating the risk of unauthorized data access.

PostgreSQL:

select
  name,
  acl
from
  alicloud_oss_bucket
where
  acl <> 'private';

SQLite:

select
  name,
  acl
from
  alicloud_oss_bucket
where
  acl <> 'private';

List of buckets where server access logging destination is same as the source bucket

Identify buckets whose server access logging destination is the bucket itself. This is worth flagging as a security risk, since it means log data is not segregated from the data it records.

PostgreSQL:

select
  name,
  logging ->> 'TargetBucket' as target_bucket
from
  alicloud_oss_bucket
where
  logging ->> 'TargetBucket' = name;

SQLite:

select
  name,
  json_extract(logging, '$.TargetBucket') as target_bucket
from
  alicloud_oss_bucket
where
  json_extract(logging, '$.TargetBucket') = name;

List of buckets without owner tag key

Identify Alibaba Cloud OSS buckets that have no owner tag. This is important for managing resources and ensuring accountability within your cloud storage environment.

PostgreSQL:

select
  name,
  tags
from
  alicloud_oss_bucket
where
  tags ->> 'owner' is null;

SQLite:

select
  name,
  tags
from
  alicloud_oss_bucket
where
  json_extract(tags, '$.owner') is null;

List of Bucket policy statements that grant external access

Identify bucket policy statements that allow access to a principal other than the bucket's own account, or to any principal ('*'). This is useful for assessing potential exposure and confirming that your data is protected.

PostgreSQL:

select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  alicloud_oss_bucket,
  jsonb_array_elements(policy -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal') as p,
  jsonb_array_elements_text(s -> 'Action') as a
where
  s ->> 'Effect' = 'Allow'
  and (
    p != account_id
    or p = '*'
  );

SQLite:

select
  title,
  p.value as principal,
  a.value as action,
  json_extract(s.value, '$.Effect') as effect,
  json_extract(s.value, '$.Condition') as conditions
from
  alicloud_oss_bucket,
  json_each(policy, '$.Statement') as s,
  json_each(s.value, '$.Principal') as p,
  json_each(s.value, '$.Action') as a
where
  json_extract(s.value, '$.Effect') = 'Allow'
  and (
    p.value != account_id
    or p.value = '*'
  );

List of buckets with no lifecycle policy

Explore which storage buckets are missing a lifecycle policy, allowing you to identify potential areas of risk and implement necessary changes to enhance data management. This is particularly useful in maintaining compliance and optimizing storage costs.

PostgreSQL:

select
  name,
  arn,
  region,
  account_id,
  lifecycle_rules
from
  alicloud_oss_bucket
where
  lifecycle_rules is null;

SQLite:

select
  name,
  arn,
  region,
  account_id,
  lifecycle_rules
from
  alicloud_oss_bucket
where
  lifecycle_rules is null;
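The checks on this page can be combined into a single per-bucket posture report. The query below is an added example, not part of the plugin's documentation; it assumes the JSON shapes the page's own queries already rely on (Statement and Principal arrays, SSEAlgorithm, TargetBucket) and uses NULL-safe comparisons so a bucket where a key is missing is not silently dropped.

```sql
-- Added example (not from the plugin docs): per-bucket posture summary of
-- the checks on this page, in PostgreSQL syntax. Assumes the JSON shapes the
-- page's own queries rely on (Statement/Principal arrays, SSEAlgorithm, TargetBucket).
with posture as (
  select
    name,
    region,
    account_id,
    -- NULL-safe forms of the page's checks: ->> yields NULL for a missing key,
    -- and a plain <> or = '' comparison would silently skip that bucket.
    -- An unknown (NULL) ACL or versioning status is counted as failing.
    acl is distinct from 'private'                               as public_acl,
    versioning is distinct from 'Enabled'                        as versioning_off,
    coalesce(server_side_encryption ->> 'SSEAlgorithm', '') = '' as no_default_sse,
    coalesce(logging ->> 'TargetBucket', '') = ''                as logging_off,
    coalesce(logging ->> 'TargetBucket', '') = name              as logs_to_self,
    lifecycle_rules is null                                      as no_lifecycle,
    tags ->> 'owner' is null                                     as no_owner_tag,
    exists (
      select 1
      from jsonb_array_elements(policy -> 'Statement') as s,
           -- wrap a scalar Principal so string and array forms both work
           jsonb_array_elements_text(
             case when jsonb_typeof(s -> 'Principal') = 'array'
                  then s -> 'Principal'
                  else jsonb_build_array(s -> 'Principal') end
           ) as p
      where s ->> 'Effect' = 'Allow'
        and (p = '*' or p <> account_id)
    )                                                            as external_policy
  from
    alicloud_oss_bucket
)
select
  *,
  -- count of failed checks; every flag above is non-null, so the sum is too
  public_acl::int + versioning_off::int + no_default_sse::int + logging_off::int
    + logs_to_self::int + no_lifecycle::int + no_owner_tag::int
    + external_policy::int as failed_checks
from
  posture
order by
  failed_checks desc,
  name;
```

A bucket with no policy at all yields no Statement rows, so external_policy is false for it rather than NULL.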

Schema for alicloud_oss_bucket

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
account_id | text | | The Alicloud Account ID in which the resource is located.
acl | text | | The access control list setting for the bucket. Valid values: public-read-write, public-read, and private. public-read-write: any user, including anonymous users, can read and write objects in the bucket; exercise caution when you set the ACL of a bucket to public-read-write. public-read: only the owner or authorized users of this bucket can write objects in the bucket; other users, including anonymous users, can only read objects in the bucket; exercise caution when you set the ACL of a bucket to public-read. private: only the owner or authorized users of this bucket can read and write objects in the bucket; other users, including anonymous users, cannot access the objects in the bucket without authorization.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
arn | text | | The Alibaba Cloud Resource Name (ARN) of the OSS bucket.
creation_date | timestamp with time zone | | Date when the bucket was created.
lifecycle_rules | jsonb | | A list of lifecycle rules for the bucket.
location | text | | Location of the bucket.
logging | jsonb | | The container used to store the access logging configuration of the bucket.
name | text | | Name of the bucket.
policy | jsonb | | Allows you to grant permissions on OSS resources to RAM users from your Alibaba Cloud account and other Alibaba Cloud accounts. You can also control access based on the request source.
redundancy_type | text | | The type of disaster recovery for the bucket. Valid values: LRS and ZRS.
region | text | | The Alicloud region in which the resource is located.
server_side_encryption | jsonb | | The server-side encryption configuration for the bucket.
storage_class | text | | The storage class of objects in the bucket.
tags | jsonb | | A map of tags for the resource.
tags_src | jsonb | | A list of tags assigned to the bucket.
title | text | | Title of the resource.
versioning | text | | The status of versioning for the bucket. Valid values: Enabled and Suspended.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- alicloud

You can pass the configuration to the command with the --config argument:

steampipe_export_alicloud --config '<your_config>' alicloud_oss_bucket