The OSS bucket used to store ActionTrail logs is not publicly accessible
actiontrail_oss_bucket_not_publicly_accessible
Alibaba Cloud ActionTrail records every API call made in your account and delivers the log files to an OSS bucket. It is recommended that the Access Control List (ACL) of the OSS bucket used by ActionTrail be set to private to prevent unauthorized public access to sensitive audit log data.
Risk
Allowing public access to the OSS bucket containing ActionTrail logs may expose sensitive information about your infrastructure, API usage patterns, and security configurations. An adversary could use this information to identify weaknesses in the affected account, leading to potential data breaches, privilege escalation, and compliance violations.
prowler alibabacloud --checks actiontrail_oss_bucket_not_publicly_accessible
Recommendation
Set the ACL of the OSS bucket used to store ActionTrail logs to private to prevent unauthorized public access to sensitive audit log data.
Remediation
ossutil set-acl oss://<bucketName> private -b
- Log on to the OSS Console
- Right-click on the bucket and select Basic Settings
- In the Access Control List pane, click Configure
- The Bucket ACL tab shows three types of grants: Private, Public Read, Public Read/Write
- Ensure Private is set for the bucket
- Click Save to save the ACL
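The check logic described above (find the OSS bucket each trail delivers to and fail when its bucket ACL is anything other than private), written out as an added example. This is not Prowler's own check implementation; it assumes an inventory shape in which each trail is a dict with a `name` and an `oss_bucket_name`, and bucket ACLs are the OSS canned ACL strings `private`, `public-read` and `public-read-write`. The sample trails and ACLs are constructed for the example.

```python
"""Evaluate whether ActionTrail log buckets are publicly accessible.

Added example (not Prowler's or Alibaba Cloud's code). Assumptions:
- trails are dicts with keys 'name' and 'oss_bucket_name' (empty string or
  missing when the trail does not deliver to OSS);
- bucket_acls maps bucket name -> OSS canned ACL ('private', 'public-read',
  'public-read-write').
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Canned ACLs that grant anonymous read (and, for the second, write) access.
PUBLIC_ACLS = {"public-read", "public-read-write"}


@dataclass(frozen=True)
class Finding:
    trail: str
    bucket: str
    status: str  # "PASS", "FAIL" or "MANUAL"
    detail: str


def evaluate_trail(trail: Dict[str, str], bucket_acls: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for one trail, or None if the trail does not use OSS.

    Trails that deliver only to SLS (Log Service) have no bucket to inspect,
    so this example skips them rather than reporting on them (assumption).
    """
    bucket = trail.get("oss_bucket_name") or ""
    if not bucket:
        return None
    acl = bucket_acls.get(bucket)
    if acl is None:
        # Bucket not in the inventory: it may live in another account or have
        # been deleted. Neither case can be judged from the ACL alone.
        return Finding(trail["name"], bucket, "MANUAL",
                       f"Bucket {bucket} not found in ACL inventory; verify manually.")
    if acl in PUBLIC_ACLS:
        return Finding(trail["name"], bucket, "FAIL",
                       f"Bucket {bucket} has ACL '{acl}'; ActionTrail logs are publicly readable.")
    if acl != "private":
        # Unknown ACL string: do not silently pass it.
        return Finding(trail["name"], bucket, "MANUAL",
                       f"Bucket {bucket} has unrecognized ACL '{acl}'.")
    return Finding(trail["name"], bucket, "PASS",
                   f"Bucket {bucket} ACL is private.")


def evaluate_trails(trails: List[Dict[str, str]], bucket_acls: Dict[str, str]) -> List[Finding]:
    """Evaluate every trail and drop the ones that do not deliver to OSS."""
    findings = [evaluate_trail(t, bucket_acls) for t in trails]
    return [f for f in findings if f is not None]


def failing_buckets(findings: List[Finding]) -> List[str]:
    """Bucket names that need `ossutil set-acl oss://<bucket> private -b`."""
    return sorted({f.bucket for f in findings if f.status == "FAIL"})


# Constructed sample inventory (not real account data).
SAMPLE_TRAILS = [
    {"name": "audit-all-regions", "oss_bucket_name": "acme-actiontrail-logs"},
    {"name": "legacy-trail", "oss_bucket_name": "acme-old-audit"},
    {"name": "sls-only-trail", "oss_bucket_name": ""},
    {"name": "shared-trail", "oss_bucket_name": "partner-audit-bucket"},
]
SAMPLE_BUCKET_ACLS = {
    "acme-actiontrail-logs": "private",
    "acme-old-audit": "public-read",
    # "partner-audit-bucket" deliberately absent: lives in another account.
}

if __name__ == "__main__":
    for f in evaluate_trails(SAMPLE_TRAILS, SAMPLE_BUCKET_ACLS):
        print(f"{f.status:6} {f.trail:20} {f.detail}")
    print("remediate:", failing_buckets(evaluate_trails(SAMPLE_TRAILS, SAMPLE_BUCKET_ACLS)))
```

The example inspects only the canned bucket ACL, which is what this check and the remediation above act on. A bucket policy or per-object ACL can still widen access on a bucket whose ACL is private, so those are worth reviewing separately (they are covered by the `oss_bucket_not_publicly_accessible` dependency, not by this ACL comparison).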
Resource Type
ALIYUN::ACTIONTRAIL::Trail
Depends On
- oss_bucket_not_publicly_accessible