Alibaba Cloud OSS buckets should enforce secure transfer by requiring all requests to use HTTPS. A bucket policy that denies requests with acs:SecureTransport set to false ensures that data in transit is encrypted, rejecting any unencrypted HTTP connections to the storage endpoint.
Risk
Without secure transfer enforcement, OSS buckets accept HTTP requests that transmit data in plaintext. This exposes stored data to potential interception, man-in-the-middle attacks, and eavesdropping, compromising data confidentiality and integrity during transit.
prowler alibabacloud --checks oss_bucket_secure_transport_enabled
Recommendation
Enforce secure transfer on OSS buckets by applying a bucket policy that denies all requests not using HTTPS, ensuring data in transit is always encrypted. Before applying the policy, confirm that every client of the bucket (SDKs, ossutil, custom tooling) already addresses the bucket over an HTTPS endpoint, because the Deny statement will reject any request that still arrives over plain HTTP.
Remediation
aliyun oss PutBucketPolicy --bucket <bucket-name> --policy '{"Version":"1","Statement":[{"Effect":"Deny","Principal":["*"],"Action":["oss:*"],"Resource":["acs:oss:*:*:<bucket-name>","acs:oss:*:*:<bucket-name>/*"],"Condition":{"Bool":{"acs:SecureTransport":"false"}}}]}'
- Log on to the OSS Console
- In the bucket-list pane, click on a target OSS bucket
- Click on Files in the top middle of the console
- Click on Authorize
- Configure the rule with Whole Bucket as the scope, * as the account, None as the Authorized Operation, and http as the Access Method condition, so that HTTP access is denied
- Click Save
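As an added worked example (not part of the Prowler check or its documentation), the following Python builds the deny policy from the remediation above for a given bucket and evaluates whether an arbitrary bucket policy actually enforces HTTPS. It does not call the OSS API; the bucket name example-bucket and the sample policies are constructed for the demonstration. The evaluator deliberately rejects the two mistakes a practitioner most often makes: a Deny whose condition is acs:SecureTransport "true" (which blocks HTTPS and leaves HTTP open) and a Deny whose Resource covers only the objects and not the bucket itself (bucket-level calls such as ListObjects still succeed over HTTP).

```python
import json
from fnmatch import fnmatchcase

SECURE_TRANSPORT_KEY = "acs:SecureTransport"
# Representative operations: a Deny that does not reach all of these still
# leaves some plaintext HTTP path open.
_PROBE_ACTIONS = ("oss:GetObject", "oss:PutObject", "oss:ListObjects")


def build_secure_transport_policy(bucket: str) -> dict:
    """Policy from the remediation above: deny every OSS action for every
    principal when the request was not made over HTTPS."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Deny",
            "Principal": ["*"],
            "Action": ["oss:*"],
            "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
            "Condition": {"Bool": {SECURE_TRANSPORT_KEY: "false"}},
        }],
    }


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _covers(patterns, targets):
    """True when every target is matched by at least one wildcard pattern."""
    return all(any(fnmatchcase(t, p) for p in patterns) for t in targets)


def _denies_plaintext(stmt: dict, bucket: str) -> bool:
    """Does this single statement deny all non-HTTPS access to the bucket?"""
    if stmt.get("Effect") != "Deny":
        return False
    if "*" not in _as_list(stmt.get("Principal")):
        return False
    if not _covers(_as_list(stmt.get("Action")), _PROBE_ACTIONS):
        return False
    # Both the bucket itself and the objects in it must be covered.
    targets = (f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*")
    if not _covers(_as_list(stmt.get("Resource")), targets):
        return False
    cond = stmt.get("Condition", {}).get("Bool", {}).get(SECURE_TRANSPORT_KEY)
    values = [str(v).lower() for v in _as_list(cond)]
    # "false" means "the request was not over HTTPS". A Deny on "true" would
    # block HTTPS instead of HTTP, so it does not count as enforcement.
    return values == ["false"]


def enforces_secure_transport(policy, bucket: str) -> bool:
    """Return True if the bucket policy (dict, JSON string, or None when the
    bucket has no policy at all) denies all non-HTTPS access to `bucket`."""
    if policy is None:
        return False
    if isinstance(policy, str):
        policy = json.loads(policy)
    return any(_denies_plaintext(s, bucket)
               for s in _as_list(policy.get("Statement")))


# Constructed sample policies for the demonstration (not from a real bucket).
SAMPLE_BUCKET = "example-bucket"
POLICY_COMPLIANT_JSON = json.dumps(build_secure_transport_policy(SAMPLE_BUCKET))
# Grants anonymous reads but never denies HTTP: no enforcement at all.
POLICY_ALLOW_ONLY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Principal": ["*"], "Action": ["oss:GetObject"],
    "Resource": [f"acs:oss:*:*:{SAMPLE_BUCKET}/*"]}]}
# Wrong condition value: denies HTTPS, so TLS clients break and HTTP still works.
POLICY_DENIES_HTTPS = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Principal": ["*"], "Action": ["oss:*"],
    "Resource": [f"acs:oss:*:*:{SAMPLE_BUCKET}", f"acs:oss:*:*:{SAMPLE_BUCKET}/*"],
    "Condition": {"Bool": {SECURE_TRANSPORT_KEY: "true"}}}]}
# Only object operations are covered; bucket-level requests over HTTP still pass.
POLICY_OBJECTS_ONLY = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Principal": ["*"], "Action": ["oss:*"],
    "Resource": [f"acs:oss:*:*:{SAMPLE_BUCKET}/*"],
    "Condition": {"Bool": {SECURE_TRANSPORT_KEY: "false"}}}]}

if __name__ == "__main__":
    samples = [("no policy", None), ("compliant", POLICY_COMPLIANT_JSON),
               ("allow only", POLICY_ALLOW_ONLY), ("denies https", POLICY_DENIES_HTTPS),
               ("objects only", POLICY_OBJECTS_ONLY)]
    for name, pol in samples:
        print(f"{name:>13}: enforces HTTPS = {enforces_secure_transport(pol, SAMPLE_BUCKET)}")
```

The policy returned by build_secure_transport_policy is the same JSON the aliyun command above sends, so the function can be used to generate the --policy argument as well as to verify what a bucket already has. The wildcard matching with fnmatchcase is intentionally permissive (a Resource of "*" or an Action of "*" also counts as covering the bucket), which matches how a blanket Deny behaves, while anything narrower than the whole bucket is reported as not enforcing.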
Source Code
Resource Type
ALIYUN::OSS::Bucket