OCI-ObjectStore-Pre-Authenticated-Requests-Access
Severity: High
Description: This control identifies OCI Object Storage buckets that are accessible to users without OCI credentials through pre-authenticated requests (PARs). A PAR generates a unique URL that lets users outside the tenancy read or write a bucket or an object without signing in, so enforcing least access on PARs prevents malicious entities from leveraging this type of access to edit or delete objects in a bucket.
Remediation Steps:
Perform the following to create a pre-authenticated request:
Log in to the OCI Console.
Open the navigation menu and click Storage.
Under Object Storage, click Buckets.
Click the name of the bucket.
Under Resources, click Pre-Authenticated Requests.
Click Create Pre-Authenticated Request.
Provide a Name, the Pre-Authenticated Request Target (Bucket or Object), the Access Type, the Expiration and, for a bucket target, whether Object Listing is permitted. Choose the narrowest target and access type that satisfies the use case and the shortest workable expiration.
Click Create Pre-Authenticated Request to confirm.
On the details dialog shown after creation, copy the URL and store it in durable, access-controlled storage; the URL is the only thing needed to use the request, so treat it as a credential. It cannot be retrieved from the Console later.
Click Close.
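As an added example, not part of this control page or of Blue Hexagon's tooling, the script below audits the PARs on one bucket against the points a reviewer checks for this control (write access, bucket-wide scope, object listing, expiry) and builds the narrowest `oci os preauth-request create` command for the common case of sharing a single object read-only. It assumes the input is the JSON printed by `oci os preauth-request list --bucket-name <bucket> --all`, with the field names used here (`access-type`, `object-name`, `bucket-listing-action`, `time-expires`) matching that output; the sample JSON is constructed, and `max_lifetime` is a review threshold chosen for the example, not an OCI limit.

```python
"""Audit the pre-authenticated requests (PARs) on one OCI Object Storage bucket.

Assumed input: the JSON printed by
    oci os preauth-request list --bucket-name <bucket> --all
Field names (access-type, object-name, bucket-listing-action, time-expires)
are assumed to match that CLI output. The sample below is constructed, not
captured from a real tenancy.
"""
import json
import shlex
from datetime import datetime, timedelta, timezone

SAMPLE_PAR_LIST = json.dumps({"data": [
    {"access-type": "ObjectRead", "bucket-listing-action": None, "id": "par-1",
     "name": "share-report", "object-name": "reports/q1.pdf",
     "time-created": "2024-01-10T12:00:00+00:00",
     "time-expires": "2024-01-17T12:00:00+00:00"},
    {"access-type": "AnyObjectReadWrite", "bucket-listing-action": "ListObjects",
     "id": "par-2", "name": "vendor-upload", "object-name": None,
     "time-created": "2024-01-10T12:00:00+00:00",
     "time-expires": "2034-01-10T12:00:00+00:00"},
    {"access-type": "AnyObjectRead", "bucket-listing-action": None, "id": "par-3",
     "name": "stale-bucket-read", "object-name": None,
     "time-created": "2023-11-01T12:00:00+00:00",
     "time-expires": "2023-12-01T12:00:00+00:00"},
]})

# Fixed "now" so the result is reproducible; use datetime.now(timezone.utc) in practice.
SAMPLE_NOW = datetime(2024, 1, 12, tzinfo=timezone.utc)

# PAR access types that permit uploading or overwriting objects.
WRITE_TYPES = {"ObjectWrite", "ObjectReadWrite", "AnyObjectWrite", "AnyObjectReadWrite"}
# PAR access types that apply to every object in the bucket rather than one object.
BUCKET_TYPES = {"AnyObjectRead", "AnyObjectWrite", "AnyObjectReadWrite"}


def audit_pars(cli_json, now, max_lifetime=timedelta(days=7)):
    """Return [(par_name, [issue, ...])] for every PAR that deserves review.

    max_lifetime is a review threshold chosen for this example, not an OCI limit.
    """
    findings = []
    for par in json.loads(cli_json)["data"]:
        issues = []
        expires = datetime.fromisoformat(par["time-expires"])
        if expires <= now:
            issues.append("expired")          # dead entry: delete it
        elif expires - now > max_lifetime:
            issues.append("long-lived")       # anonymous access outliving its purpose
        if par["access-type"] in WRITE_TYPES:
            issues.append("write-access")     # URL holder can add or overwrite objects
        if par["access-type"] in BUCKET_TYPES or par.get("object-name") is None:
            issues.append("bucket-scoped")    # covers every object, not a single one
        if par.get("bucket-listing-action") == "ListObjects":
            issues.append("object-listing")   # URL holder can enumerate object names
        if issues:
            findings.append((par["name"], issues))
    return findings


def least_privilege_create_cmd(bucket, name, object_name, now, lifetime=timedelta(days=1)):
    """Build the CLI command for the narrowest PAR: one object, read-only, short expiry."""
    expires = (now + lifetime).replace(microsecond=0).isoformat()  # RFC 3339 timestamp
    return " ".join(shlex.quote(a) for a in [
        "oci", "os", "preauth-request", "create",
        "--bucket-name", bucket, "--name", name,
        "--object-name", object_name,
        "--access-type", "ObjectRead",
        "--time-expires", expires,
    ])


if __name__ == "__main__":
    for par_name, par_issues in audit_pars(SAMPLE_PAR_LIST, SAMPLE_NOW):
        print(f"{par_name}: {', '.join(par_issues)}")
    print(least_privilege_create_cmd("audit-logs", "share-q1", "reports/q1.pdf", SAMPLE_NOW))
```

Run against the sample, `share-report` (single object, read-only, expiring within a week) produces no finding, while the bucket-wide read/write PAR and the expired bucket-wide read PAR are each flagged. To audit a tenancy, feed the script the CLI output for each bucket in each compartment and delete the flagged PARs with `oci os preauth-request delete`.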
Important:
Permissions of the pre-authenticated request creator are checked each time a pre-authenticated request is used. If the creator of a pre-authenticated request is deleted or loses the required permissions after they created the request, the request will no longer work.
Reference:
Blue Hexagon Proprietary