Identity and Access

Management: Create a
Network Source to Restrict
Access to Object Storage
Service

Lab 5 Practices

Estimated time: 20 mins

Setup Instructions for the Lab
This lab needs to be performed in your own tenancy. The required IAM policies are listed
below.

Note: If you're logged in as the administrator of your tenancy, you don't need to add the
following IAM policies since you already have the highest privilege over all resources in your
tenancy. However, if you're not logged in as the administrator, you'll need to add the following
IAM policies to perform this lab.

IAM Policies at Tenancy (Root Compartment):

Allow group <Group_Name> to manage network-sources in tenancy

IAM Policies at Compartment Level:

Allow group <Group_Name> to manage object-family in compartment
<Compartment_Name> where request.networkSource.name='IAD-SP-LAB05-1-
NS-01'

Allow group <Group_Name> to manage policies in compartment

<Compartment_Name>

Copyright © 2023, Oracle and/or its affiliates.

54 Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service
Get Started

Overview

A network source allows you to specify the IP addresses that are allowed. So, in your policy, you
can include a condition that only allows access from IP addresses specified in your network
source. When a policy specifies it, IAM verifies that a request to access a resource comes from
an allowed IP address.

For example, you can restrict access to Object Storage buckets in your compartment to only
users who are signed in to Oracle Cloud Infrastructure through your corporate network.
Similarly, you can restrict access requests from specific VCN subnets.

Prerequisites
• You must have access to the OCI Console.
• The Oracle University lab team has set up all the IAM policies required for you to
complete this lab.
• You have the pre-created network source in your tenancy.

Assumptions
• Select the region that is available in the tenancy allotted to you. In this lab, we are
considering US East (Ashburn) (IAD) as your region.
• The compartment you have selected to place resources for this lab is referred to as
the "working compartment" in this document.
• You must be familiar with navigating the OCI Console.

Copyright © 2023, Oracle and/or its affiliates.

Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service 55
Create a Network Source
You will learn how to create a network source that can restrict access to requests made from a
specific VCN’s IP address, Public IP addresses, or both.

Tasks

1. From the navigation menu, select Identity & Security and under Identity, click Network
Sources.

2. In the Create Network Source dialog box, enter the following details:
• Name: IAD-SP-LAB05-1-NS-01
• Description: Add a meaningful description.
• In the Networks section:
o Network type: Select Public Network.
o IP Address/CIDR Block: Enter 1.1.1.1

Note: Use any random IP address for now; later we will add the IP address that needs
to have the permission to create resources.

3. Click Create.

The network source has been successfully created.

Copyright © 2023, Oracle and/or its affiliates.

56 Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service
Specify the Network Source in an IAM Policy
You will learn how to create a policy that makes use of the network source variable
request.networkSource.name in a condition to restrict resource access.

For Example: You create a network source named “OfficeNet.” You can restrict users of the
group “OfficeUsers” to access your Object Storage resources only when their requests
originate from the IP addresses you had specified in OfficeNet.

Tasks

1. From the navigation menu, select Identity & Security. Under Identity, click Policies.

a. Click Create Policy.

2. In the Create Policy dialog box, enter the following:

• Name: <Enter the Policy Name>
• Description: Add a meaningful description
• Compartment: <Select compartment where policies to be applied>
• Under Policy Builder, enable Show manual editor.
• Add the following policy:

ALLOW GROUP <Group_Name> TO MANAGE object-family IN COMPARTMENT

<compartment_name> where request.networkSource.name='IAD-SP-
LAB05-1-NS-01'

Note: The IAM service includes a variable request.networkSource.name to be

used in the policy that allows you to scope your policy using a condition.

3. Click Create.

This policy allows users in a group to manage Object Storage resources only when their
requests originate from an allowed IP address specified in the network source “IAD-SP-
LAB05-1-NS-01”. Requests from IP addresses outside the specified ranges are denied.

Copyright © 2023, Oracle and/or its affiliates.

Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service 57
Add Network to Access Object Storage Service
You will learn how to add the allowed IP addresses to the network source. This restricts access
to Object Storage buckets in your compartment to users who are signed in to Oracle Cloud
Infrastructure through the IP addresses listed in network sources.

Note: When you try to create an object storage in the working compartment, you will now
encounter the authorization failed error because in the previous steps a random IP address,
1.1.1.1, was added to the network source.

Task 1

1. From the navigation menu, select Storage. Under Object Storage, click Buckets.

2. In the left navigation pane, under List Scope, select the working compartment from the
drop-down menu.

3. Click Create Bucket.

4. In the Create Bucket dialog box, specify the attributes of the bucket:
• Bucket Name: IAD-SP-LAB05-1-BKT-01
• Default Storage Tier: Select Standard.

Note: Leave all the other options in their default setting.

5. Click Create.

On the bucket creation page, you get the authorization failed or Bucket Already Exists
error.

Task 2

You will now update your Public IP address in the network source and attempt to create a
bucket again.

1. To obtain your Public IP address, open a web browser and perform a Google search for
“what is my public IP?”

Note down the Public IP address.

2. From the navigation menu, select Identity & Security and then click Network Sources.

Copyright © 2023, Oracle and/or its affiliates.

58 Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service
3. Locate and click the IAD-SP-LAB05-1-NS-01 network source in the list to view its
details.

In your environment, an IAD-SP-LAB05-1-NS-01 network source was pre-created.

4. Click Add Networks.

5. In the Add Networks dialog box, enter the following:

• Network type: Select Public Network.
• IP Address/CIDR Block: <YOUR_PUBLIC_IP_ADDRESS>

6. Click Update.

7. Your Public IP address or CIDR block has successfully been added as a network to the
IA4` From the navigation menu, select Identity & Security. Under Identity, click Policies.

D-SP-LAB05-1-NS-01 network source.

Copyright © 2023, Oracle and/or its affiliates.

Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service 59
Verify Your Access to Create a Bucket
After adding your Public IP address to the network source, verify the access to create a bucket.

Tasks

1. From the navigation menu, select Storage and then click Buckets.

2. In the left navigation pane, under List Scope, select the working compartment from the
drop-down menu.

3. Click Create Bucket.

4. In the Create Bucket dialog box, specify the attributes of the bucket:
• Bucket Name: IAD-SP-LAB-05-1-BKT-01
• Default Storage Tier: Select Standard.

Note: Leave all the other options in their default setting.

5. Click Create.

You can see the bucket created and listed in your compartment.

Congratulations! You have created a network source in this lab to restrict resource access from
a specific VCN's IP address, a list of Public IP addresses, or both.

Copyright © 2023, Oracle and/or its affiliates.

60 Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service
Purge Instructions
Perform the purge operation, as instructed below, before proceeding to the next practice.

Delete Network Source

1. From the navigation menu, click Identity & Security. Under Identity, click Network
Sources. The list of network sources in your tenancy is displayed.

2. Locate the network source IAD-SP-LAB05-1-NS-01 in the list and click the Actions
menu for the item.

3. Click Delete.

4. Confirm when prompted.

Delete Bucket

5. From the navigation menu, select Storage and then click Buckets.

6. Select your working compartment from the drop-down menu on the left part of the
screen under List Scope.

7. Click the bucket: IAD-SP-LAB05-1-BKT-01.

8. Click Delete and then click Delete in the Confirmation window. Click Close after the
bucket is deleted.

Copyright © 2023, Oracle and/or its affiliates.

Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service 61
 Copyright © 2023, Oracle and/or its affiliates.

62 Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service