Object Storage - Denial of access from source IP

From Cloud Avenue

Overview

This page shows how to use a bucket policy condition on the source IP address of the request to deny access to the data (the bucket and its objects) from anywhere except a chosen address.


The condition is placed in a bucket policy and applies to the bucket itself and to all of its objects.


How the source IP of a request is identified:

  • from the Internet: it is the public IP address originating the request (or, for an organization behind NAT, the public address that forwards it)
  • from inside the Cloud Director tenant: it is the external IP address configured in the SNAT rule that gives direct access to object storage.


Typical use case: deny access from the Internet and allow access only from inside the Cloud Director tenant.


Use case with AWS CLI

AWS CLI (Command Line Interface) is an open source tool that lets you configure and use object storage with commands typed in a text interface (Linux shell or Windows command line).

A user guide is available at https://docs.aws.amazon.com/cli/latest/userguide/.


Prerequisite: identify the IP address to be used

In the network configuration, display the NAT service of your default gateway.

Look at the SNAT rule that authorizes access to object storage and note the external IP address it shows: this is the address the policy must allow.

(Screenshot: Stockage Objet VCD EDGE SNAT S3 external ip.png, the SNAT rule with its external IP)


Add a bucket policy to deny access from the Internet

Create a file DenyAccessOutsideTenant.json with the content below, replacing the bucket name (bucket, in both Resource ARNs) and the IP address (10.94.6.1) with your own. The aws:SourceIp condition key also accepts CIDR notation (10.94.6.1/32) or a list of ranges; a bare address is treated as a single host. Because the statement is an explicit Deny with Principal "*", it applies to every caller, including the bucket owner, whenever the request does not come from the listed address:

{
  "Id": "Policy1729261020318",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1729261013302",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "10.94.6.1"
        }
      },
      "Principal": "*"
    }
  ]
}

Apply the policy to the bucket. The name passed to --bucket must be the same bucket as the one written in the policy's Resource ARNs (here the page's example bucket is named compartiment; use your own name in both places):

[root@mytest ]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api put-bucket-policy --bucket compartiment --policy file://DenyAccessOutsideTenant.json


Check that access to the bucket from the Internet is denied

On a host connected to the Internet, configure AWS CLI with a valid AK/SK (access key / secret key) pair and verify that:

  • listing the buckets still works from the Internet: the list-buckets operation (s3:ListAllMyBuckets) is evaluated against the account, not against this bucket's ARNs, so a bucket policy cannot deny it
  • any operation on the bucket or its objects (listing the bucket, reading, writing or deleting objects) is refused with an access denied error
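The policy above can be generated and checked locally before it is pushed with put-bucket-policy. The following added example (not Cloud Avenue code; the bucket name, the 203.0.113.x test addresses and the tenant address are placeholders) builds the DenyAccessOutsideTenant document for a bucket and a CIDR, then runs a simplified model of the S3 Deny evaluation over sample requests: it only evaluates the explicit Deny statement it built (IAM policies and Allow statements are ignored) and only the trailing "/*" wildcard used in this policy. It reproduces the two observations of the check above: list-buckets is not matched by the bucket ARNs, while every request on the bucket from outside the allowed range is denied.

```python
"""Build the DenyAccessOutsideTenant bucket policy and evaluate sample requests.

Added example, not Cloud Avenue code. Bucket name, test IPs and the tenant
address are assumptions; the statement mirrors the JSON shown on this page.
"""
import ipaddress
import json


def build_policy(bucket: str, allowed_cidr: str) -> dict:
    """Return the Deny-outside-tenant policy for `bucket`.

    `allowed_cidr` is validated and normalised to CIDR notation, so that a
    bare address such as "10.94.6.1" becomes "10.94.6.1/32".
    """
    net = ipaddress.ip_network(allowed_cidr, strict=False)
    return {
        "Id": "DenyAccessOutsideTenant",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideTenant",
                "Action": "s3:*",
                "Effect": "Deny",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",      # the bucket itself
                    f"arn:aws:s3:::{bucket}/*",    # every object in it
                ],
                "Condition": {"NotIpAddress": {"aws:SourceIp": str(net)}},
                "Principal": "*",
            }
        ],
    }


def _resource_matches(pattern: str, resource: str) -> bool:
    # Only the trailing "/*" wildcard used by this policy is modelled.
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _action_matches(pattern: str, action: str) -> bool:
    return pattern == "s3:*" or pattern == action


def _condition_holds(condition: dict, source_ip: str) -> bool:
    """Evaluate the IpAddress / NotIpAddress operators on aws:SourceIp."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        cidrs = keys.get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        in_range = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if operator == "NotIpAddress" and in_range:
            return False
        if operator == "IpAddress" and not in_range:
            return False
    return True


def is_denied(policy: dict, action: str, resource: str, source_ip: str) -> bool:
    """True when an explicit Deny statement of `policy` matches the request."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        actions = statement["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        resources = statement["Resource"]
        resources = resources if isinstance(resources, list) else [resources]
        if not any(_action_matches(a, action) for a in actions):
            continue
        if not any(_resource_matches(r, resource) for r in resources):
            continue
        if _condition_holds(statement.get("Condition", {}), source_ip):
            return True
    return False


if __name__ == "__main__":
    # "10.94.6.1" stands for the SNAT external IP noted in the prerequisite step.
    policy = build_policy("compartiment", "10.94.6.1")
    print(json.dumps(policy, indent=2))  # content for DenyAccessOutsideTenant.json
    # Constructed sample requests: from the tenant, and from the Internet.
    for ip in ("10.94.6.1", "203.0.113.7"):
        for action, res in (("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
                            ("s3:ListBucket", "arn:aws:s3:::compartiment"),
                            ("s3:GetObject", "arn:aws:s3:::compartiment/report.pdf")):
            print(f"{ip:13} {action:20} denied={is_denied(policy, action, res, ip)}")
```

Write the printed JSON to DenyAccessOutsideTenant.json and it can be passed to put-bucket-policy as on this page; the evaluation part is only a local sanity check of the condition and is not a substitute for the real test from an Internet-connected host.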


Please note

  • the bucket policy can also be applied from the Cloud Director interface
  • the policy is very restrictive and greatly disrupts access to the bucket and its objects from the Cloud Director interface, since those requests are denied like any other request that does not come from the SNAT address
  • once the policy is applied, it is effectively impossible to undo it from the Cloud Director interface: it must be removed with the S3 API (the s3api delete-bucket-policy operation) from a host inside the tenant, so make sure such a host is available before applying it