Page Comparison

Severity : High

Description: Adding deletion protection to Oracle object store policies mitigates unintended deletion of object store services by unauthorized users or groups. Remediation Steps : When writing policies, avoid blanket statements, and add a where statement with the line This control ensures that OCI Object Storage buckets are protected against unintended and malicious deletion by unauthorized groups and users . Regular users/groups for the buckets and its objects must be configured with least privilege to only specific objects or buckets. Also access policies for non-privilege users and groups should remove add statements for permission for OBJECT-DELETE or BUCKET_DELETE with statement request.permission != {OBJECT_DELETE, BUCKET_DELETE}.

Remediation Steps:

Perform following to update bucket access policies :

1. Login to the OCI console at https://www.oracle.com/cloud/sign-in.html .

2. In the navigation, Click Identity & Security.

3. Under Identity, click Policies.

4. Select the compartment and then reported policy .  The policy's details and statements are displayed.

5. Click Edit Policy Statements.

6. In Policy Builder Select Basic or Advance editor to update the policy statements with request.permission != {OBJECT_DELETE, BUCKET_DELETE}.

7. Click Save Changes.

Important:

Reference:

• https://docs.oracle.com/en-us/iaas/Content/Security/Reference/objectstorage_security.htm

• https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingpolicies.htm

• https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm