Table: alicloud_oss_bucket - Query Alibaba Cloud Object Storage Service Buckets using SQL
Alibaba Cloud Object Storage Service (OSS) is a cost-effective, highly secure, and easy-to-use object storage service that enables you to store, back up, and archive large amounts of data in the cloud. OSS is designed to store and retrieve any type of data, at any time, from anywhere on the web. It provides massive, secure, durable, and highly available storage capacity.
Table Usage Guide
The alicloud_oss_bucket table provides insights into OSS buckets within Alibaba Cloud Object Storage Service. As a cloud architect or developer, explore bucket-specific details through this table, including the bucket's name, location, storage class, and creation time. Utilize it to manage and analyze your OSS buckets, such as identifying buckets that are using outdated storage classes or located in regions with higher costs.
Examples
List of buckets where versioning is not enabled
Find buckets that do not have versioning enabled. This is useful for identifying areas of risk, because versioning provides a means of recovery after accidental deletion or alteration of objects. The `is null` check also catches buckets on which versioning has never been configured, which a plain `<>` comparison would skip.

Postgres and SQLite:

```sql
select
  name,
  arn,
  region,
  account_id,
  versioning
from
  alicloud_oss_bucket
where
  versioning is null
  or versioning <> 'Enabled';
```
List of buckets which do not have default encryption enabled
Explore which storage buckets lack default encryption, providing a useful way to identify potential security weaknesses in your data storage. This can help prioritize security enhancements and ensure data protection compliance.
Postgres (`coalesce` also catches buckets with no server-side encryption configuration at all, where the JSON lookup returns null):

```sql
select
  name,
  server_side_encryption
from
  alicloud_oss_bucket
where
  coalesce(server_side_encryption ->> 'SSEAlgorithm', '') = '';
```

SQLite:

```sql
select
  name,
  server_side_encryption
from
  alicloud_oss_bucket
where
  coalesce(json_extract(server_side_encryption, '$.SSEAlgorithm'), '') = '';
```
List of buckets where public access to bucket is not blocked
List buckets whose ACL is not `private`, i.e. `public-read` or `public-read-write`, which could expose sensitive data to anonymous users. This is useful for identifying and mitigating security risks associated with unauthorized data access.

Postgres and SQLite:

```sql
select
  name,
  acl
from
  alicloud_oss_bucket
where
  acl <> 'private';
```
List of buckets where server access logging destination is same as the source bucket
Find buckets whose server access logs are written back into the same bucket. This is a security risk because it removes the segregation between log data and the data being logged: anyone who can modify or delete objects in the bucket can also tamper with the record of their own access.

Postgres:

```sql
select
  name,
  logging ->> 'TargetBucket' as target_bucket
from
  alicloud_oss_bucket
where
  logging ->> 'TargetBucket' = name;
```

SQLite:

```sql
select
  name,
  json_extract(logging, '$.TargetBucket') as target_bucket
from
  alicloud_oss_bucket
where
  json_extract(logging, '$.TargetBucket') = name;
```
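The query above only catches logs written to the source bucket itself; the destination bucket can be a separate weak point. The following added example (not from the original page) self-joins the table to check the logging target bucket's own ACL and versioning, which is the concern behind CIS 2.2 for ActionTrail log buckets. It assumes the target bucket lives in the same Alibaba Cloud account as the source bucket.

```sql
-- Postgres: flag source buckets whose log destination is public or unversioned
select
  src.name as source_bucket,
  tgt.name as log_bucket,
  tgt.acl as log_bucket_acl,
  tgt.versioning as log_bucket_versioning
from
  alicloud_oss_bucket as src
  join alicloud_oss_bucket as tgt
    on tgt.name = src.logging ->> 'TargetBucket'
    and tgt.account_id = src.account_id  -- assumption: same-account destination
where
  tgt.acl <> 'private'
  or tgt.versioning is null
  or tgt.versioning <> 'Enabled';

-- SQLite: same check using json_extract
select
  src.name as source_bucket,
  tgt.name as log_bucket,
  tgt.acl as log_bucket_acl,
  tgt.versioning as log_bucket_versioning
from
  alicloud_oss_bucket as src
  join alicloud_oss_bucket as tgt
    on tgt.name = json_extract(src.logging, '$.TargetBucket')
    and tgt.account_id = src.account_id
where
  tgt.acl <> 'private'
  or tgt.versioning is null
  or tgt.versioning <> 'Enabled';
```

A bucket that does not appear in the result either has a well-configured log destination or has no logging configured at all; combine with the logging example above to separate those two cases.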
List of buckets without owner tag key
Explore which AliCloud OSS buckets lack an `owner` tag. This can be crucial for managing resources and ensuring accountability within your cloud storage environment.

Postgres:

```sql
select
  name,
  tags
from
  alicloud_oss_bucket
where
  tags ->> 'owner' is null;
```

SQLite:

```sql
select
  name,
  tags
from
  alicloud_oss_bucket
where
  json_extract(tags, '$.owner') is null;
```
List of Bucket policy statements that grant external access
Identify bucket policy statements that grant access to principals outside the bucket's own account, or to the wildcard principal `*`. This is useful for assessing exposure and confirming that your data is only shared where intended.

Postgres:

```sql
select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  alicloud_oss_bucket,
  jsonb_array_elements(policy -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal') as p,
  jsonb_array_elements_text(s -> 'Action') as a
where
  s ->> 'Effect' = 'Allow'
  and (
    p != account_id
    or p = '*'
  );
```

SQLite:

```sql
select
  title,
  p.value as principal,
  a.value as action,
  json_extract(s.value, '$.Effect') as effect,
  json_extract(s.value, '$.Condition') as conditions
from
  alicloud_oss_bucket,
  json_each(policy, '$.Statement') as s,
  json_each(s.value, '$.Principal') as p,
  json_each(s.value, '$.Action') as a
where
  json_extract(s.value, '$.Effect') = 'Allow'
  and (
    p.value != account_id
    or p.value = '*'
  );
```
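The external-access query above lists every such statement, including read-only grants that are scoped by a `Condition`. The following added example (not from the original page) narrows the result to the highest-risk shape: an `Allow` statement to the wildcard principal, with no `Condition` at all, that permits write or delete actions. It assumes OSS action names follow the `oss:Put*` / `oss:Delete*` pattern and treats `oss:*` as a full grant.

```sql
-- Postgres: unconditional wildcard-principal statements with write/delete rights
select
  b.name,
  s -> 'Principal' as principals,
  s -> 'Action' as actions
from
  alicloud_oss_bucket as b,
  jsonb_array_elements(b.policy -> 'Statement') as s
where
  s ->> 'Effect' = 'Allow'
  and s -> 'Principal' ? '*'        -- jsonb ? matches an array element
  and s -> 'Condition' is null      -- no scoping condition on the grant
  and exists (
    select 1
    from jsonb_array_elements_text(s -> 'Action') as a
    where a = 'oss:*' or a like 'oss:Put%' or a like 'oss:Delete%'
  );

-- SQLite: same check with json_each instead of the jsonb operators
select
  b.name,
  json_extract(s.value, '$.Principal') as principals,
  json_extract(s.value, '$.Action') as actions
from
  alicloud_oss_bucket as b,
  json_each(b.policy, '$.Statement') as s
where
  json_extract(s.value, '$.Effect') = 'Allow'
  and json_extract(s.value, '$.Condition') is null
  and exists (
    select 1 from json_each(s.value, '$.Principal') as p where p.value = '*'
  )
  and exists (
    select 1 from json_each(s.value, '$.Action') as a
    where a.value = 'oss:*' or a.value like 'oss:Put%' or a.value like 'oss:Delete%'
  );
```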
List of buckets with no lifecycle policy
Explore which storage buckets are missing a lifecycle policy, allowing you to identify potential areas of risk and implement necessary changes to enhance data management. This is particularly useful in maintaining compliance and optimizing storage costs.
Postgres and SQLite:

```sql
select
  name,
  arn,
  region,
  account_id,
  lifecycle_rules
from
  alicloud_oss_bucket
where
  lifecycle_rules is null;
```
Query examples
- action_trails_for_oss_bucket
- bucket_policy_stds_for_oss_bucket
- kms_keys_for_oss_bucket
- oss_bucket_1_year_count
- oss_bucket_24_hours_count
- oss_bucket_30_90_days_count
- oss_bucket_30_days_count
- oss_bucket_90_365_days_count
- oss_bucket_access_type
- oss_bucket_age_table
- oss_bucket_by_account
- oss_bucket_by_creation_month
- oss_bucket_by_region
- oss_bucket_by_storage_class
- oss_bucket_count
- oss_bucket_encrypted_with_byok_count
- oss_bucket_encrypted_with_servcie_key_count
- oss_bucket_encryption
- oss_bucket_https_enforce
- oss_bucket_input
- oss_bucket_lifecycle_policy
- oss_bucket_lifecycle_table
- oss_bucket_logging
- oss_bucket_logging_disabled_count
- oss_bucket_logging_table
- oss_bucket_overview
- oss_bucket_policy
- oss_bucket_public_access_not_blocked_count
- oss_bucket_public_access_table
- oss_bucket_server_side_encryption
- oss_bucket_ssl_not_enforced_count
- oss_bucket_tags_detail
- oss_bucket_unencrypted_count
- oss_bucket_versioning
- oss_bucket_versioning_disabled_count
- oss_buckets_for_kms_key
- source_logging_oss_buckets_for_oss_bucket
- target_logging_oss_buckets_for_oss_bucket
Control examples
- CIS v1.0.0 > 2 Logging and Monitoring > 2.2 Ensure the OSS used to store ActionTrail logs is not publicly accessible
- CIS v1.0.0 > 5 Storage > 5.1 Ensure that OSS bucket is not anonymously or publicly accessible
- CIS v1.0.0 > 5 Storage > 5.3 Ensure that logging is enabled for OSS buckets
- CIS v1.0.0 > 5 Storage > 5.4 Ensure that 'Secure transfer required' is set to 'Enabled'
- CIS v1.0.0 > 5 Storage > 5.8 Ensure server-side encryption is set to 'Encrypt with Service Key'
- CIS v1.0.0 > 5 Storage > 5.9 Ensure server-side encryption is set to 'Encrypt with BYOK'
Schema for alicloud_oss_bucket
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Alicloud Account ID in which the resource is located. |
| acl | text | | The access control list setting for the bucket. Valid values: public-read-write, public-read, and private. public-read-write: any user, including anonymous users, can read and write objects in the bucket; exercise caution when you set the ACL of a bucket to public-read-write. public-read: only the owner or authorized users of this bucket can write objects in the bucket; other users, including anonymous users, can only read objects in the bucket; exercise caution when you set the ACL of a bucket to public-read. private: only the owner or authorized users of this bucket can read and write objects in the bucket; other users, including anonymous users, cannot access the objects in the bucket without authorization. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| arn | text | | The Alibaba Cloud Resource Name (ARN) of the OSS bucket. |
| creation_date | timestamp with time zone | | Date when the bucket was created. |
| lifecycle_rules | jsonb | | A list of lifecycle rules for the bucket. |
| location | text | | Location of the bucket. |
| logging | jsonb | | The container used to store the access logging configuration of the bucket. |
| name | text | | Name of the bucket. |
| policy | jsonb | | The bucket policy. Allows you to grant permissions on OSS resources to RAM users from your Alibaba Cloud account and from other Alibaba Cloud accounts. You can also control access based on the request source. |
| redundancy_type | text | | The type of disaster recovery for the bucket. Valid values: LRS and ZRS. |
| region | text | | The Alicloud region in which the resource is located. |
| server_side_encryption | jsonb | | The server-side encryption configuration for the bucket. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| storage_class | text | | The storage class of objects in the bucket. |
| tags | jsonb | | A map of tags for the resource. |
| tags_src | jsonb | | A list of tags assigned to the bucket. |
| title | text | | Title of the resource. |
| versioning | text | | The status of versioning for the bucket. Valid values: Enabled and Suspended. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- alicloud
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_alicloud --config '<your_config>' alicloud_oss_bucket
```