OCI-ObjectStore-Pre-Authenticated-Requests-Expiry

Severity: High

Description: This control ensures that OCI Object Storage pre-authenticated requests have a short expiration time frame, so that access does not last longer than intended. Pre-authenticated requests allow users who are not in the tenancy to access buckets; keeping that access to the minimum prevents malicious entities from leveraging it to edit or delete objects in a bucket. A unique URL is generated for each pre-authenticated request. When creating pre-authenticated requests, ensure the expiration date-time is limited to the minimum time possible.

Remediation Steps:

Perform the following to create a pre-authenticated request with a short expiration:

  1. Log in to the OCI console at Cloud Sign In.

  2. Open the navigation menu and click Storage.

  3. Under Object Storage, click Buckets.

  4. Click the bucket name.

  5. Click Pre-Authenticated Requests under Resources.

  6. Click Create Pre-Authenticated Request.

  7. Provide Name, Pre-Authenticated Request Target (Bucket or object), Access Type, Expiration, Object Listing permission.

  8. Under Resources, click Metrics.

  9. Click Create Pre-Authenticated Request.

  10. On the details dialog box after creation, copy the URI shown and store it in durable storage for future reference.

  11. Click Close.

Important:

  •  A pre-authenticated request can't be edited. To change expiry options in response to changing requirements, a new pre-authenticated request must be created.
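
An added example (not part of the original control text): an audit over the JSON printed by `oci os preauth-request list` that flags still-active pre-authenticated requests whose lifetime exceeds a limit, listing write-capable ones first. The 24-hour limit, the function names and the sample records are assumptions constructed for illustration; the page itself sets no numeric limit.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: illustrative policy value, not taken from the control text.
MAX_LIFETIME = timedelta(hours=24)

# Constructed sample, shaped like the output of `oci os preauth-request list`.
SAMPLE = """{"data": [
 {"id": "par-1", "name": "vendor-upload", "access-type": "AnyObjectWrite",
  "time-created": "2024-03-01T09:00:00.000000+00:00",
  "time-expires": "2025-03-01T09:00:00.000000+00:00"},
 {"id": "par-2", "name": "report-download", "access-type": "ObjectRead",
  "time-created": "2024-03-10T08:00:00.000000+00:00",
  "time-expires": "2024-03-10T20:00:00.000000+00:00"},
 {"id": "par-3", "name": "old-share", "access-type": "ObjectRead",
  "time-created": "2023-01-01T00:00:00.000000+00:00",
  "time-expires": "2024-01-01T00:00:00.000000+00:00"},
 {"id": "par-4", "name": "partner-read", "access-type": "ObjectRead",
  "time-created": "2024-03-01T00:00:00.000000+00:00",
  "time-expires": "2024-03-31T00:00:00.000000+00:00"}
]}"""


def _ts(value):
    """Parse an RFC 3339 timestamp; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _days(delta):
    return round(delta.total_seconds() / 86400, 1)


def audit_pars(cli_json, now, max_lifetime=MAX_LIFETIME):
    """Return active requests whose created-to-expiry window exceeds max_lifetime."""
    findings = []
    for par in json.loads(cli_json)["data"]:
        created, expires = _ts(par["time-created"]), _ts(par["time-expires"])
        if expires <= now:
            continue  # already expired: the URL no longer grants access
        if expires - created > max_lifetime:
            findings.append({"id": par["id"], "name": par["name"],
                             "writable": "Write" in par["access-type"],
                             "lifetime_days": _days(expires - created),
                             "remaining_days": _days(expires - now)})
    # Write-capable requests first, then the longest remaining exposure.
    findings.sort(key=lambda f: (not f["writable"], -f["remaining_days"]))
    return findings


if __name__ == "__main__":
    for f in audit_pars(SAMPLE, datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)):
        print(f)
```

Because a pre-authenticated request can't be edited, each finding is remediated by deleting the request and creating a replacement with a shorter expiration.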

Blue Hexagon Proprietary