
πŸ›‘οΈ Oracle Storage Bucket allows public access🟒

  • Contextual name: 🛡️ Storage Bucket allows public access 🟢
  • ID: /ce/ca/oracle/bucket/bucket-public-access
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Similar Policies

  • Internal: dec-x-87b8e6c7

Similar Internal Rules

| Rule | Policies | Flags |
|---|---|---|
| ✉️ dec-x-87b8e6c7 | 1 | |

Description

This policy identifies Oracle Cloud Infrastructure (OCI) Object Storage buckets whose Public Access Type permits anonymous reads (ObjectRead or ObjectReadWithoutList), meaning objects can be downloaded without any Oracle Cloud authentication.

Rationale

A public Object Storage bucket exposes its objects to anonymous users without Oracle Cloud authentication, so IAM policies and compartment boundaries no longer constrain who can read the data. Once public access is enabled, data can be discovered, downloaded, or indexed by search engines outside the intended trust boundary, which increases the risk of data leakage and unauthorized disclosure. Even ObjectReadWithoutList, which blocks anonymous listing, still allows anyone who knows or can guess an object name to fetch it.

Object Storage buckets should remain private unless there is a documented business requirement for public distribution and the bucket contains only data approved for public release.

Impact

Disabling public access breaks workloads that intentionally serve objects straight from the bucket over anonymous HTTP (static websites, download links, CDN origins). Review application dependencies before changing the setting, and where public delivery is genuinely required use a controlled distribution pattern instead: pre-authenticated requests (OCI's equivalent of signed URLs, scoped to specific objects and time-limited), a CDN fronting a private bucket, or a dedicated bucket that holds only approved public content.

Audit

This policy flags an Oracle Object Storage bucket as INCOMPLIANT when its Public Access Type is ObjectRead or ObjectReadWithoutList; a bucket set to NoPublicAccess is COMPLIANT. The setting is bucket-level: it appears as the Visibility field on the bucket details page in the console and as public-access-type in the bucket details returned by the CLI. Note that ObjectReadWithoutList is not a safe middle ground for this check, since it only hides the object listing and still permits anonymous downloads of any object whose name is known.

Remediation

Disable Public Access for the Object Storage Bucket

Set the affected bucket to private by changing its Public Access Type to NoPublicAccess. Before remediation, confirm that no approved workload depends on anonymous object reads. If public delivery is required, switch to a controlled access pattern such as pre-authenticated requests, a CDN fronting a private bucket, or a separate bucket that exposes only approved content.

From Oracle Cloud Console
  1. Open the OCI Console.
  2. Go to Storage > Object Storage & Archive Storage > Buckets.
  3. Select the compartment that contains the affected bucket.
  4. Open the affected bucket.
  5. Click Edit Visibility on the bucket details page.
  6. Select Private (this sets Public Access Type to NoPublicAccess).
  7. Save the change.
From Command Line

For each affected bucket, run:

```shell
oci os bucket update \
  --namespace-name "{{namespace-name}}" \
  --bucket-name "{{bucket-name}}" \
  --public-access-type "NoPublicAccess"
```



Linked Framework Sections

| Framework | Section | Internal Rules / Policies / Flags | Compliance |
|---|---|---|---|
| APRA CPG 234 | 36d access management controls - only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance); | 1717 | no data |
| APRA CPG 234 | 36e hardware and software asset controls - appropriate authorisation to prevent security compromises from unauthorised hardware and software assets; | 1919 | no data |
| APRA CPG 234 | 36f network design - to ensure authorised network traffic flows and to reduce the impact of security compromises; | 3435 | no data |
| APRA CPG 234 | 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions. | 4042 | no data |
| APRA CPG 234 | 52d appropriate segmentation of data, based on sensitivity and access needs; | 1111 | no data |
| APRA CPG 234 | 53 Wholesale access to sensitive data (e.g. contents of customer databases or intellectual property that can be exploited for personal gain) would be highly restricted to reduce the risk exposure to significant data leakage events. Industry experience of actual data leakage incidents include the unauthorised extraction of debit/credit card details, theft of personally identifiable information, loss of unencrypted backup media and the sale/trade or exploitation of customer identity data. | 1111 | no data |
| CIS Oracle v3.1.0 | 5.1.1 Ensure no Object Storage buckets are publicly visible. - Level 1 (Automated) | 11 | no data |
| Cloudaware Framework | Public Data Access | 13 | no data |
| FedRAMP High Security Controls | AC-3 Access Enforcement (L)(M)(H) | 3790 | no data |
| FedRAMP Low Security Controls | AC-3 Access Enforcement (L)(M)(H) | 90 | no data |
| FedRAMP Moderate Security Controls | AC-3 Access Enforcement (L)(M)(H) | 90 | no data |
| ISO/IEC 27001:2013 | A.9.4.1 Information access restriction | 2425 | no data |
| ISO/IEC 27001:2022 | 5.10 Acceptable use of information and other associated assets | 1228 | no data |
| ISO/IEC 27001:2022 | 5.15 Access control | 1532 | no data |
| ISO/IEC 27001:2022 | 8.3 Information access restriction | 1125 | no data |
| ISO/IEC 27001:2022 | 8.4 Access to source code | 923 | no data |
| NIST CSF v1.1 | PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 2362 | no data |
| NIST CSF v1.1 | PR.DS-5: Protections against data leaks are implemented | 5498 | no data |
| NIST CSF v2.0 | PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 144 | no data |
| NIST CSF v2.0 | PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 196 | no data |
| NIST CSF v2.0 | PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 167 | no data |
| NIST CSF v2.0 | PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 197 | no data |
| NIST CSF v2.0 | PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 129 | no data |
| NIST SP 800-53 Revision 5 | AC-3 Access Enforcement | 15666 | no data |
| PCI DSS v3.2.1 | 1.1 Establish and implement firewall and router configuration standards | 7145 | no data |
| PCI DSS v4.0.1 | 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained. | 40 | no data |
| PCI DSS v4.0 | 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained. | 3040 | no data |
| UK Cyber Essentials | 1.2 Prevent access to the administrative interface from the internet | 4244 | no data |