April 19, 2019 | Written by: Viju Hullur
Categorized: How-tos | Storage | What's New
IBM Cloud Object Storage Firewall
IBM Cloud Object Storage (COS) is giving you more control over who can access your data. We have introduced a new capability that lets you configure a bucket with a list of trusted IP addresses; your users will only be able to access the data in COS if the request originates from one of those trusted addresses.
This new feature adds a layer of security because it protects your data even if credentials are leaked: a malicious user holding the credentials is still prevented from accessing the data from a non-configured IP address (e.g., a home office). Also, if your goal is public isolation and disabling public endpoints, you can achieve it by configuring the trusted IP addresses. Users will still need the proper IBM Cloud Identity and Access Management (IAM) permissions in order to access the data; the IP list is enforced in addition to IAM, not instead of it.
Steps to configure firewall on your bucket
You can configure a list of authorized IPs on your bucket using either the IBM Cloud console or the COS resource configuration API. Before you begin, ensure you have Manager service role access to the bucket you are about to configure.
- From the IBM Cloud console, select Resource List from the navigation menu in the left corner and then select Storage in your resource list.
- Select the COS service instance that contains your buckets. This opens the Cloud Object Storage console.
- Pick the bucket whose access you want to restrict to authorized IP addresses.
- Choose Access policies from the navigation menu.
- Select the Authorized IPs tab.
- Click Add IP addresses, then choose Add.
- Add a list of IP addresses in CIDR notation. For example, 192.168.0.0/16, fe80:021b::0/64. Addresses can follow either IPv4 or IPv6 standards. Click Add.
- Save the list.
Once configured, your users will be allowed to access all the data in this bucket from these configured IP addresses. If your users want to upload new objects in this bucket, they will be allowed to do so from these configured IP addresses only.
Note: As a Manager on the bucket, you will be able to view and edit the list of authorized IP addresses from any IP address to prevent accidental lockouts.
Great! You have successfully restricted access to your data based on the user’s IP address. Any requests on this bucket outside of the configured IPs will be denied access.
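The same list can be set through the COS resource configuration API mentioned above. The following is an added example, not IBM's own code: it validates the CIDR entries before they are applied, builds the request body (the `firewall.allowed_ip` field and the `config.cloud-object-storage.cloud.ibm.com` endpoint follow the resource configuration API; the bucket name and IAM token are placeholders), and predicts which source addresses the firewall will admit or deny, so you can check the list before locking anyone out.

```python
import ipaddress
import json
import urllib.request

# Bucket configuration endpoint of the COS resource configuration API.
CONFIG_API = "https://config.cloud-object-storage.cloud.ibm.com/v1/b/"


def validate_cidrs(cidrs):
    """Parse each entry as an IPv4 or IPv6 network in CIDR notation.

    strict=True raises ValueError for malformed entries and for entries
    with host bits set (e.g. 192.168.1.5/16), so a typo surfaces before
    the firewall is applied instead of silently widening or breaking access.
    """
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def build_firewall_patch(cidrs):
    """Return the JSON body of the PATCH that sets the bucket's authorized IPs."""
    nets = validate_cidrs(cidrs)
    return {"firewall": {"allowed_ip": [str(n) for n in nets]}}


def is_allowed(source_ip, cidrs):
    """Predict the firewall decision for a request originating at source_ip."""
    addr = ipaddress.ip_address(source_ip)
    # An IPv4 address is never contained in an IPv6 network, and vice versa.
    return any(addr in net for net in validate_cidrs(cidrs))


def apply_firewall(bucket, iam_token, cidrs):
    """Send the PATCH to the configuration API (network call; not run below)."""
    req = urllib.request.Request(
        CONFIG_API + bucket,
        data=json.dumps(build_firewall_patch(cidrs)).encode(),
        method="PATCH",
        headers={"Authorization": "Bearer " + iam_token,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample list using the two entries from the steps above.
    trusted = ["192.168.0.0/16", "fe80:021b::0/64"]
    print(json.dumps(build_firewall_patch(trusted), indent=2))
    for ip in ["192.168.5.7", "10.0.0.1", "fe80:21b::1"]:
        print(ip, "allowed" if is_allowed(ip, trusted) else "denied")
```

Run `is_allowed` against the public address of every host that must keep access before calling `apply_firewall`; as the note above says, a Manager can still edit the list from anywhere, but other users on an unlisted address will be denied.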