

2 Commits

Rubén De la Torre Vico
20639d483e chore: add oraclecloud/objectstorage metadata update to changelog 2025-12-01 18:28:31 +01:00
Rubén De la Torre Vico
ff967b19fe chore(oraclecloud/objectstorage): adapt metadata to new standarized format 2025-12-01 18:28:25 +01:00
5 changed files with 67 additions and 63 deletions


@@ -83,6 +83,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS ECS service metadata to new format [(#8888)](https://github.com/prowler-cloud/prowler/pull/8888)
- Update AWS Kinesis service metadata to new format [(#9262)](https://github.com/prowler-cloud/prowler/pull/9262)
- Update AWS DocumentDB service metadata to new format [(#8862)](https://github.com/prowler-cloud/prowler/pull/8862)
- Update oraclecloud objectstorage service metadata to new format [(#9379)](https://github.com/prowler-cloud/prowler/pull/9379)
### Fixed
- Check `check_name` has no `resource_name` error for GCP provider [(#9169)](https://github.com/prowler-cloud/prowler/pull/9169)


@@ -1,34 +1,33 @@
{
"Provider": "oraclecloud",
"CheckID": "objectstorage_bucket_encrypted_with_cmk",
"CheckTitle": "Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK)",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Object Storage bucket is encrypted with a Customer Managed Key (CMK)",
"CheckType": [],
"ServiceName": "objectstorage",
"SubServiceName": "",
"ResourceIdTemplate": "oci:objectstorage:bucket",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "OciBucket",
"Description": "Object Storage buckets should be encrypted with Customer Managed Keys.",
"Risk": "Not meeting this storage security requirement increases data security risk.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Object/home.htm",
"ResourceType": "Bucket",
"Description": "**Object Storage buckets** use **customer-managed encryption keys** (`CMEK`) for server-side encryption, with an associated KMS key configured on the bucket.",
"Risk": "Without `CMEK`, encryption relies on provider-managed keys, reducing control over **confidentiality** and key lifecycle. You cannot strictly limit key usage, enforce custom rotation, or revoke keys for crypto-erasure, increasing exposure to unauthorized decryption, data exfiltration, and auditability gaps.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/buckets-encrypted-with-cmks.html",
"https://docs.oracle.com/en-us/iaas/Content/Object/home.htm"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "oci os bucket update --namespace-name <NAMESPACE> --bucket-name <BUCKET_NAME> --kms-key-id <KEY_OCID>",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/buckets-encrypted-with-cmks.html",
"Terraform": ""
"Other": "1. Sign in to the OCI Console\n2. Go to Storage > Object Storage & Archive Storage > Buckets\n3. Open the target bucket\n4. Click Edit bucket\n5. Under Encryption, select Customer-managed key and choose the desired Vault key\n6. Click Save",
"Terraform": "```hcl\nresource \"oci_objectstorage_bucket\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n name = \"<example_resource_name>\"\n namespace = \"<example_resource_name>\"\n\n kms_key_id = \"<example_resource_id>\" # Critical: sets the Customer Managed Key to encrypt the bucket\n}\n```"
},
"Recommendation": {
"Text": "Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK)",
"Url": "https://hub.prowler.com/check/oci/objectstorage_bucket_encrypted_with_cmk"
"Text": "Encrypt buckets with `CMEK`. Apply **least privilege** to key usage, enforce **separation of duties** between key and storage admins, mandate regular rotation, and monitor key access. Use **defense in depth** so encryption complements strict IAM and network controls rather than replacing them.",
"Url": "https://hub.prowler.com/check/objectstorage_bucket_encrypted_with_cmk"
}
},
"Categories": [
"storage",
"encryption"
],
"DependsOn": [],
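Review bot: The remediation in `Remediation.Code` (CLI, Console steps and Terraform) assigns a KMS key to the bucket and the new `Recommendation.Text` reads as if that alone places the bucket's data under the CMK, but as far as I recall OCI applies a newly assigned key only to objects written afterwards, and existing objects stay under the Oracle-managed key until they are re-encrypted (OCI exposes a bucket re-encrypt operation for this — confirm against the Oracle docs before naming it). I'd add a sentence to `Recommendation.Text` such as `Assigning a key affects only objects written afterwards; re-encrypt existing objects so the whole bucket is covered.` The bucket update also fails unless an IAM policy lets the Object Storage service use the key, which the Console steps in `Other` do not mention. Minor: `CheckTitle` says CMK while Description, Risk and Recommendation say `CMEK`; one term throughout would be clearer.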


@@ -1,26 +1,31 @@
{
"Provider": "oraclecloud",
"CheckID": "objectstorage_bucket_logging_enabled",
"CheckTitle": "Ensure write level Object Storage logging is enabled for all buckets",
"CheckTitle": "Object Storage bucket has write-level logging enabled",
"CheckType": [],
"ServiceName": "objectstorage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "OciObjectStorageBucket",
"Description": "Write-level logging for Object Storage buckets provides an audit trail of all write operations (PUT, POST, DELETE) performed on buckets, enabling security monitoring and compliance requirements.",
"Risk": "Without write-level logging, unauthorized or malicious modifications to Object Storage data cannot be detected or investigated.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Logging/Concepts/loggingoverview.htm",
"ResourceType": "Bucket",
"Description": "**Object Storage buckets** have service logs for **write access events** enabled.\n\nThe evaluation identifies buckets with an active `write` logging category scoped to the bucket and region; only `read` logging does not satisfy this condition.",
"Risk": "Without **write logging**, unauthorized or accidental overwrites and deletions can go **undetected**, degrading **data integrity** and **availability**.\n\nMissing audit evidence weakens **non-repudiation**, impedes incident response, and allows covert tampering without reliable forensic reconstruction.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/enable-write-level-logging.html",
"https://docs.prowler.com/checks/oci/oci-logging/objectstorage_bucket_logging_enabled",
"https://docs.oracle.com/en-us/iaas/Content/Logging/Concepts/loggingoverview.htm"
],
"Remediation": {
"Code": {
"CLI": "oci logging log create --log-group-id <log-group-ocid> --display-name 'ObjectStorage-Write-Logs' --log-type SERVICE --configuration '{\"compartmentId\":\"<compartment-ocid>\",\"source\":{\"service\":\"objectstorage\",\"resource\":\"<bucket-name>\",\"category\":\"write\",\"sourceType\":\"OCISERVICE\"}}'",
"CLI": "oci logging log create --log-group-id <log-group-ocid> --display-name ObjectStorage-Write-Logs --log-type SERVICE --configuration '{\"compartmentId\":\"<compartment-ocid>\",\"source\":{\"service\":\"objectstorage\",\"resource\":\"<bucket-name>\",\"category\":\"write\",\"sourceType\":\"OCISERVICE\"}}'",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/enable-write-level-logging.html",
"Terraform": "resource \"oci_logging_log\" \"objectstorage_write_log\" {\n display_name = \"ObjectStorage-Write-Logs\"\n log_group_id = oci_logging_log_group.log_group.id\n log_type = \"SERVICE\"\n configuration {\n source {\n category = \"write\"\n resource = oci_objectstorage_bucket.bucket.name\n service = \"objectstorage\"\n source_type = \"OCISERVICE\"\n }\n compartment_id = var.compartment_id\n }\n is_enabled = true\n}"
"Other": "1. In the OCI Console, select the target region and go to Observability & Management > Logging > Log groups\n2. Open an existing log group or click Create log group\n3. Click Create log\n4. Type: Service\n5. Service: Object Storage\n6. Category: write\n7. Resource: select the target bucket (bucket name must match)\n8. Ensure Enabled is checked\n9. Click Create",
"Terraform": "```hcl\nresource \"oci_logging_log\" \"<example_resource_name>\" {\n display_name = \"ObjectStorage-Write-Logs\"\n log_group_id = \"<example_resource_id>\"\n log_type = \"SERVICE\"\n\n configuration {\n compartment_id = \"<example_resource_id>\"\n source {\n service = \"objectstorage\" # Critical: Service must be Object Storage\n category = \"write\" # Critical: Enable write-level logging\n resource = \"<example_resource_name>\" # Critical: Bucket name must match the target bucket\n source_type = \"OCISERVICE\"\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable write-level logging for all Object Storage buckets to maintain audit trails of data modifications.",
"Url": "https://docs.prowler.com/checks/oci/oci-logging/objectstorage_bucket_logging_enabled"
"Text": "Enable `write` service logs on all buckets and route them to a centralized log group for monitoring.\n\nApply **least privilege** to log data, enforce retention and immutability, and alert on anomalous write activity. Use **defense in depth** so bucket changes are accountable and swiftly detected.",
"Url": "https://hub.prowler.com/check/objectstorage_bucket_logging_enabled"
}
},
"Categories": [
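Review bot: The new `Terraform` snippet dropped the `is_enabled = true` attribute the previous version set, while the new Description says the check looks for an *active* `write` log and step 8 of the Console instructions in `Other` tells the user to ensure Enabled is checked; a log created disabled would not satisfy the check as described. I'd restore it inside the `oci_logging_log` resource: `is_enabled = true # Critical: the log must be enabled, not just created`. It would also help to state in the Description whether a log that exists but is disabled counts as a failure, since the metadata alone does not say.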


@@ -1,35 +1,34 @@
{
"Provider": "oraclecloud",
"CheckID": "objectstorage_bucket_not_publicly_accessible",
"CheckTitle": "Ensure no Object Storage buckets are publicly visible",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Object Storage bucket is not publicly accessible",
"CheckType": [],
"ServiceName": "objectstorage",
"SubServiceName": "",
"ResourceIdTemplate": "oci:objectstorage:bucket",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "OciObjectStorageBucket",
"Description": "Ensure no Object Storage buckets are publicly visible. Public access to Object Storage buckets can lead to unauthorized data access or data leakage.",
"Risk": "Publicly accessible Object Storage buckets can expose sensitive data to unauthorized users on the internet.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm",
"ResourceType": "Bucket",
"Description": "**OCI Object Storage buckets** are assessed for **public accessibility**. Buckets configured as `NoPublicAccess` deny anonymous reads; any other public access setting indicates bucket contents may be reachable without authentication.",
"Risk": "**Public buckets** enable unauthenticated downloads and content listing, compromising **confidentiality** and exposing metadata. Hotlinking can drive unexpected **egress costs** and degrade **availability** through bandwidth exhaustion and service abuse.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/publicly-accessible-buckets.html"
],
"Remediation": {
"Code": {
"CLI": "oci os bucket update --namespace <namespace> --bucket-name <bucket-name> --public-access-type NoPublicAccess",
"CLI": "oci os bucket update --namespace-name <namespace> --bucket-name <bucket-name> --public-access-type NoPublicAccess",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/publicly-accessible-buckets.html",
"Terraform": ""
"Other": "1. Sign in to the OCI Console\n2. Go to Object Storage > Buckets and open <bucket-name>\n3. Click Edit (Bucket details)\n4. Set Public access type to \"No public access\"\n5. Click Save",
"Terraform": "```hcl\nresource \"oci_objectstorage_bucket\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n name = \"<example_resource_name>\"\n namespace = \"<example_namespace_name>\"\n public_access_type = \"NoPublicAccess\" # Critical: makes the bucket private\n}\n```"
},
"Recommendation": {
"Text": "Update the bucket's public access type to 'NoPublicAccess' to prevent unauthorized access.",
"Url": "https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm"
"Text": "Keep buckets **private** (`NoPublicAccess`) under the **least privilege** principle. For external sharing, use **pre-authenticated requests** or signed URLs with scoped permissions and expiry. Restrict access via IAM policies, enforce guardrails (*e.g.*, Security Zones), and regularly review bucket visibility.",
"Url": "https://hub.prowler.com/check/objectstorage_bucket_not_publicly_accessible"
}
},
"Categories": [
"internet-exposed",
"encryption"
"internet-exposed"
],
"DependsOn": [],
"RelatedTo": [],
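Review bot: The new `Risk` text says public buckets enable unauthenticated downloads *and content listing*, but the Description only contrasts `NoPublicAccess` with "any other public access setting"; to my knowledge OCI's other values are `ObjectRead` and `ObjectReadWithoutList`, and the latter permits anonymous download without listing, so the Risk overstates that variant. I'd either name the two public values in the Description (`ObjectRead` allows anonymous download and listing; `ObjectReadWithoutList` allows anonymous download only) or soften the Risk to `unauthenticated downloads and, for ObjectRead, content listing`. Worth adding to `Recommendation.Text`: setting `NoPublicAccess` does not invalidate pre-authenticated requests that already exist, so those should be reviewed separately when a bucket is locked down. Style: the CLI placeholders here (`<namespace>`, `<bucket-name>`) differ from the `<NAMESPACE>`/`<BUCKET_NAME>` used in the sibling objectstorage check files in this commit; one convention makes the commands easier to copy between checks.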


@@ -1,35 +1,34 @@
{
"Provider": "oraclecloud",
"CheckID": "objectstorage_bucket_versioning_enabled",
"CheckTitle": "Ensure Versioning is Enabled for Object Storage Buckets",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Object Storage bucket has versioning enabled",
"CheckType": [],
"ServiceName": "objectstorage",
"SubServiceName": "",
"ResourceIdTemplate": "oci:objectstorage:bucket",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "OciBucket",
"Description": "Object Storage buckets should have versioning enabled.",
"Risk": "Not meeting this storage security requirement increases data security risk.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Object/home.htm",
"ResourceType": "Bucket",
"Description": "**OCI Object Storage buckets** are assessed for **versioning** being set to `Enabled`, indicating prior object versions are retained when updates or deletions occur.",
"Risk": "**No versioning** lets overwrites or deletions permanently remove data, harming **availability** and **integrity**. Malicious or accidental actions, automated jobs, or malware can wipe or corrupt objects without rollback, enabling **ransomware-style** encryption and large-scale data loss.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.oracle.com/en-us/iaas/Content/Object/home.htm",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/enable-versioning.html"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "oci os bucket update --namespace-name <NAMESPACE> --bucket-name <BUCKET_NAME> --versioning Enabled",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/enable-versioning.html",
"Terraform": ""
"Other": "1. Sign in to the OCI Console\n2. Go to Storage > Buckets and open the target bucket\n3. In Bucket details, find Versioning and click Edit\n4. Select Enabled and click Save",
"Terraform": "```hcl\nresource \"oci_objectstorage_bucket\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n name = \"<example_resource_name>\"\n namespace = \"<example_resource_id>\"\n versioning = \"Enabled\" # Critical: enables bucket versioning to pass the check\n}\n```"
},
"Recommendation": {
"Text": "Ensure Versioning is Enabled for Object Storage Buckets",
"Url": "https://hub.prowler.com/check/oci/objectstorage_bucket_versioning_enabled"
"Text": "Enable **bucket versioning** (`Enabled`) for data that needs recovery. Apply **least privilege** to delete and overwrite actions, use **retention rules** or legal holds for critical data, and add **lifecycle policies** to manage older versions-providing **defense in depth** against destructive changes.",
"Url": "https://hub.prowler.com/check/objectstorage_bucket_versioning_enabled"
}
},
"Categories": [
"storage",
"encryption"
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
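Review bot: In the new `Terraform` snippet the `namespace` argument is filled with `<example_resource_id>`, but an Object Storage namespace is the tenancy's namespace string rather than a resource OCID, and the sibling `objectstorage_bucket_not_publicly_accessible` file in this same commit uses `<example_namespace_name>` for the same argument; I'd align on `namespace = "<example_namespace_name>"` here (the CMK file has the same mismatch with `<example_resource_name>`). The trailing comment `# Critical: enables bucket versioning to pass the check` explains the setting in terms of the scanner rather than the control; `# Critical: retains prior object versions on overwrite or delete` reads better. One caveat the `Recommendation.Text` could make explicit: versioning alone does not stop a principal with delete permission from removing the old versions as well, so the retention-rule advice is the part that actually blocks destructive changes. Minor: `older versions-providing` in that text is missing a dash or comma between the two clauses.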