---
copyright:
lastupdated: "2022-05-02"
keywords: tutorials, cbr, firewall, allowlist
subcollection: cloud-object-storage
content-type: tutorial
account-plan: lite
completion-time: 10m
---
{{site.data.keyword.attribute-definition-list}}
{: #cos-tutorial-cbr} {: toc-content-type="tutorial"} {: toc-completion-time="10m"}
In this tutorial, you will establish context-based restrictions that prevent any access to object storage data unless the request originates from a trusted network zone.
{: shortdesc}
{: #cos-tutorial-cbr-prereqs}
Before you plan on using context-based restrictions with Cloud Object Storage buckets, you need:

- An IBM Cloud™ Platform account
- An instance of IBM Cloud Object Storage
- A role of Administrator for context-based restrictions
- A bucket
{: #cos-tutorial-cbr-console} {: step}
From the Manage menu, select Context-based restrictions.
{: #cos-tutorial-cbr-new-rule} {: step}
- Click on Rules.
- Choose a name for the rule. This will help keep things organized if you end up with a lot of different rules across all of your cloud services.
- Click Continue.
{: #cos-tutorial-cbr-scope} {: step}
Now you can choose the specific object storage resources to which you would like to apply the context-based restrictions. The scope can be as specific or as broad as you wish: you can apply the rule to all object storage instances and buckets, to a specific service instance, or to a single bucket. Additionally, you can choose which networks (public, private, or direct) the rule should cover.
In this example, we will choose a service instance.
- Select IAM services.
- Choose Cloud Object Storage from the drop-down menu.
- Select the Resources based on specific attributes radio button.
- Check the Service instance box.
- Select the service instance you want the rule to affect.
If you instead want to limit access to a specific bucket only, select the Resource ID checkbox and provide the name of the bucket in the field; nothing else is necessary.
{: tip}
{: #cos-tutorial-cbr-network} {: step}
Now that we know what the rule will affect, we need to decide what the rule will allow. To do this, we'll create a new network zone and apply it to the new rule.
- Click on Create +.
- Give the network zone a helpful name and description.
- Add some IP ranges to the Allowed IP addresses text box.
- Click Next.
{: #cos-tutorial-cbr-network} {: step}
Finally, all you need to do is click Create and your new rule will be active.
An easy way to check that the rule works is to send a simple CLI command from outside of the allowed network zone, such as a bucket listing (`ic cos buckets`). It will fail with a 403 error code.
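The zone and rule built in the console steps above, expressed as IBM Cloud Terraform provider resources so the allowlist is reviewable and repeatable. This is an added example, not part of the original tutorial; the account ID, service instance GUID, and IP ranges are placeholders you replace with your own.

```hcl
# Network zone: the trusted source addresses that are allowed to reach the
# object storage instance. Values below are placeholders, not real addresses.
resource "ibm_cbr_zone" "cos_trusted_zone" {
  name        = "cos-trusted-zone"
  description = "Corporate egress ranges permitted to access COS"
  account_id  = "ACCOUNT_ID_PLACEHOLDER"

  # One block per entry; ipRange covers a from-to span, ipAddress a single host.
  addresses {
    type  = "ipRange"
    value = "203.0.113.10-203.0.113.20"
  }
  addresses {
    type  = "ipAddress"
    value = "198.51.100.7"
  }
}

# Rule: scope to a single Cloud Object Storage service instance (the
# "Service instance" checkbox in the console) and allow only the zone above.
resource "ibm_cbr_rule" "cos_instance_rule" {
  description = "Allow access to the COS instance only from cos-trusted-zone"

  contexts {
    attributes {
      name  = "networkZoneId"
      value = ibm_cbr_zone.cos_trusted_zone.id
    }
    # Optional: restrict which endpoint type the zone applies to
    # (public, private, or direct), matching the network choice in the console.
    attributes {
      name  = "endpointType"
      value = "public"
    }
  }

  resources {
    attributes {
      name  = "accountId"
      value = "ACCOUNT_ID_PLACEHOLDER"
    }
    attributes {
      name  = "serviceName"
      value = "cloud-object-storage"
    }
    # To scope to one bucket instead (the "Resource ID" checkbox), replace
    # serviceInstance with: name = "resource", value = "<bucket-name>".
    attributes {
      name  = "serviceInstance"
      value = "COS_INSTANCE_GUID_PLACEHOLDER"
    }
  }

  # "report" logs would-be denials without blocking; switch to "enabled"
  # once the 403 check from outside the zone behaves as expected.
  enforcement_mode = "enabled"
}
```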
{: #cos-tutorial-cbr-next}
Learn more about context-based restrictions and how they relate to legacy bucket firewalls.