Securing data using context-based restrictions
In this tutorial, you will establish context-based restrictions that prevent any access to object storage data unless the request originates from a trusted network zone.
Before you begin
Before you plan on using context-based restrictions with Cloud Object Storage buckets, you need:
- An IBM Cloud™ Platform account
- An instance of IBM Cloud Object Storage
- A role of Administrator for context-based restrictions
- A bucket
Navigate to the context-based restrictions console
From the Manage menu, select Context-based restrictions.
Create a new rule
- Click on Rules.
- Choose a name for the rule. This will help keep things organized if you end up with a lot of different rules across all of your cloud services.
- Click Continue.
Scope the rule
Now you can choose the specific object storage resources to which you would like to apply the context-based restrictions. The scope can be as specific or as generic as you wish: you could apply the rule to all object storage instances and buckets, to a single service instance, or to a single bucket. Additionally, you can choose which endpoint types (public, private, or direct) the rule covers; a request that reaches the service over an endpoint type the rule does not cover is not evaluated against it, so include every endpoint type your clients actually use.
In this example, we will choose a service instance.
- Select IAM services.
- Choose Cloud Object Storage from the drop down menu.
- Select the Resources based on specific attributes radio button.
- Check the Service instance box.
- Select the service instance you want the rule to affect.
If you want to instead limit access to a specific bucket only, select the Resource ID checkbox instead. Provide the name of the bucket in the field; nothing else is necessary. Scoping to the narrowest resource you can is the least-privilege choice, since a rule that is too broad can block workloads you did not intend to touch.
Create a network zone
Now that we know what the rule will affect, we need to decide what the rule will allow. To do this, we'll create a new network zone and apply it to the new rule.
- Click on Create +.
- Give the network zone a helpful name and description.
- Add the addresses that should be allowed to the Allowed IP addresses text box. Entries can be single addresses, ranges, or subnets. Make sure the ranges you administer from (your workstation egress, CI runners, bastion hosts) are included; a zone that omits them will lock out your own tooling as soon as the rule is created.
- Click Next.
Finish the rule and verify that it works
Finally, all you need to do is click Create and your new rule will be active.
An easy way to check that it works is to send a simple CLI command from outside of the allowed network zone, such as a bucket listing (`ic cos buckets`, where `ic` is the `ibmcloud` CLI alias). It will fail with a 403 error code. Run the same command from an address inside the zone as well: it should succeed, which confirms that the trusted path is still open and that the rule, not some unrelated IAM problem, is what produced the 403.
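Before you click Create it is worth confirming, offline, that the zone you typed in really contains the addresses you will administer from and really excludes everything else. The following script is an added example and is not IBM's code: it models a network zone as the three entry forms the zone editor accepts (single address, `low-high` range, CIDR subnet), matches a request's source address against them, reports the status the page says a blocked request receives (403), and lists any administrative addresses the zone would lock out. The zone entries and addresses are constructed from RFC 5737 documentation prefixes, and the match semantics (source address must fall inside at least one entry) are an assumption drawn from the tutorial's description, not from IBM's implementation.

```python
"""Offline lockout check for a context-based-restriction network zone.

Added example, not IBM's code. Assumes a request is allowed exactly when its
source address falls inside at least one entry of the zone.
"""
import ipaddress


def parse_zone_entry(entry):
    """Expand one "Allowed IP addresses" entry into a list of networks.

    Accepts the three forms the zone editor takes:
      "192.0.2.7"                     a single host
      "203.0.113.10-203.0.113.20"     an inclusive range
      "198.51.100.0/24"               a subnet in CIDR form
    strict=True means "198.51.100.5/24" is rejected instead of being silently
    widened to the whole /24, which is the safer failure for an allow-list.
    """
    entry = entry.strip()
    if "-" in entry:
        low_s, high_s = entry.split("-", 1)
        low = ipaddress.ip_address(low_s.strip())
        high = ipaddress.ip_address(high_s.strip())
        if low.version != high.version or low > high:
            raise ValueError(f"invalid range: {entry}")
        return list(ipaddress.summarize_address_range(low, high))
    return [ipaddress.ip_network(entry, strict=True)]


def entry_is_valid(entry):
    """True if the zone editor form of this entry parses cleanly."""
    try:
        parse_zone_entry(entry)
        return True
    except ValueError:
        return False


class NetworkZone:
    """A named allow-list of networks, built from zone editor entries."""

    def __init__(self, name, entries):
        self.name = name
        self.networks = [net for e in entries for net in parse_zone_entry(e)]

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.networks)


def evaluate_request(zone, source_ip):
    """HTTP status a bucket listing from source_ip would get under the rule:
    200 when the address is inside the zone, 403 otherwise (per the page)."""
    return 200 if zone.contains(source_ip) else 403


def lockout_check(zone, admin_addresses):
    """Administrative addresses the zone would refuse. Non-empty means the
    rule, once created, locks those operators out of the bucket."""
    return [a for a in admin_addresses if not zone.contains(a)]


# Constructed sample zone using RFC 5737 documentation prefixes (not real).
OFFICE_ZONE = NetworkZone("office-egress", [
    "198.51.100.0/24",            # corporate NAT range
    "203.0.113.10-203.0.113.20",  # VPN concentrator pool
    "192.0.2.7",                  # a single bastion host
])

if __name__ == "__main__":
    # Constructed list of operator egress addresses; 10.0.0.5 is deliberately
    # missing from the zone to show the lockout warning.
    admins = ["198.51.100.9", "10.0.0.5", "203.0.113.20"]
    for ip in ["198.51.100.42", "203.0.113.21", "192.0.2.8"]:
        print(f"{ip:>16} -> {evaluate_request(OFFICE_ZONE, ip)}")
    blocked = lockout_check(OFFICE_ZONE, admins)
    if blocked:
        print("WARNING: zone would lock out:", ", ".join(blocked))
```

Run the script with the entries you intend to paste into the zone editor and the egress addresses of every operator and pipeline that needs the bucket; fix the zone until the lockout warning is empty, then create the rule and repeat the live CLI test from both sides of the zone.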
Next steps
Learn more about context-based restrictions and how they relate to legacy bucket firewalls.