Professional Documents
Culture Documents
Management: Create a
Network Source to Restrict
Access to Object Storage
Service
Lab 5 Practices
Note: If you're logged in as the administrator of your tenancy, you don't need to add the
following IAM policies since you already have the highest privilege over all resources in your
tenancy. However, if you're not logged in as the administrator, you'll need to add the following
IAM policies to perform this lab.
54 Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service
Get Started
Overview
A network source allows you to specify the IP addresses that are allowed. So, in your policy, you
can include a condition that only allows access from IP addresses specified in your network
source. When a policy specifies it, IAM verifies that a request to access a resource comes from
an allowed IP address.
For example, you can restrict access to Object Storage buckets in your compartment to only
users who are signed in to Oracle Cloud Infrastructure through your corporate network.
Similarly, you can restrict access requests from specific VCN subnets.
Prerequisites
• You must have access to the OCI Console.
• The Oracle University lab team has set up all the IAM policies required for you to
complete this lab.
• You have the pre-created network source in your tenancy.
Assumptions
• Select the region that is available in the tenancy allotted to you. In this lab, we are
considering US East (Ashburn) (IAD) as your region.
• The compartment you have selected to place resources for this lab is referred to as
the "working compartment" in this document.
• You must be familiar with navigating the OCI Console.
Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service 55
Create a Network Source
You will learn how to create a network source that can restrict access to requests made from a
specific VCN’s IP address, Public IP addresses, or both.
Tasks
1. From the navigation menu, select Identity & Security and under Identity, click Network
Sources.
2. In the Create Network Source dialog box, enter the following details:
• Name: IAD-SP-LAB05-1-NS-01
• Description: Add a meaningful description.
• In the Networks section:
o Network type: Select Public Network.
o IP Address/CIDR Block: Enter 1.1.1.1
Note: Use any random IP address for now; later we will add the IP address that needs
to have the permission to create resources.
3. Click Create.
56 Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service
Specify the Network Source in an IAM Policy
You will learn how to create a policy that makes use of the network source variable
request.networkSource.name in a condition to restrict resource access.
For Example: You create a network source named “OfficeNet.” You can restrict users of the
group “OfficeUsers” to access your Object Storage resources only when their requests
originate from the IP addresses you had specified in OfficeNet.
Tasks
1. From the navigation menu, select Identity & Security. Under Identity, click Policies.
3. Click Create.
This policy allows users in a group to manage Object Storage resources only when their
requests originate from an allowed IP address specified in the network source “IAD-SP-
LAB05-1-NS-01”. Requests from IP addresses outside the specified ranges are denied.
Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service 57
Add Network to Access Object Storage Service
You will learn how to add the allowed IP addresses to the network source. This restricts access
to Object Storage buckets in your compartment to users who are signed in to Oracle Cloud
Infrastructure through the IP addresses listed in network sources.
Note: When you try to create an object storage in the working compartment, you will now
encounter the authorization failed error because in the previous steps a random IP address,
1.1.1.1, was added to the network source.
Task 1
1. From the navigation menu, select Storage. Under Object Storage, click Buckets.
2. In the left navigation pane, under List Scope, select the working compartment from the
drop-down menu.
4. In the Create Bucket dialog box, specify the attributes of the bucket:
• Bucket Name: IAD-SP-LAB05-1-BKT-01
• Default Storage Tier: Select Standard.
5. Click Create.
On the bucket creation page, you get the authorization failed or Bucket Already Exists
error.
Task 2
You will now update your Public IP address in the network source and attempt to create a
bucket again.
1. To obtain your Public IP address, open a web browser and perform a Google search for
“what is my public IP?”
2. From the navigation menu, select Identity & Security and then click Network Sources.
58 Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service
3. Locate and click the IAD-SP-LAB05-1-NS-01 network source in the list to view its
details.
6. Click Update.
7. Your Public IP address or CIDR block has successfully been added as a network to the
IA4` From the navigation menu, select Identity & Security. Under Identity, click Policies.
Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service 59
Verify Your Access to Create a Bucket
After adding your Public IP address to the network source, verify the access to create a bucket.
Tasks
1. From the navigation menu, select Storage and then click Buckets.
2. In the left navigation pane, under List Scope, select the working compartment from the
drop-down menu.
4. In the Create Bucket dialog box, specify the attributes of the bucket:
• Bucket Name: IAD-SP-LAB-05-1-BKT-01
• Default Storage Tier: Select Standard.
5. Click Create.
You can see the bucket created and listed in your compartment.
Congratulations! You have created a network source in this lab to restrict resource access from
a specific VCN's IP address, a list of Public IP addresses, or both.
60 Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service
Purge Instructions
Perform the purge operation, as instructed below, before proceeding to the next practice.
1. From the navigation menu, click Identity & Security. Under Identity, click Network
Sources. The list of network sources in your tenancy is displayed.
2. Locate the network source IAD-SP-LAB05-1-NS-01 in the list and click the Actions
menu for the item.
3. Click Delete.
Delete Bucket
5. From the navigation menu, select Storage and then click Buckets.
6. Select your working compartment from the drop-down menu on the left part of the
screen under List Scope.
8. Click Delete and then click Delete in the Confirmation window. Click Close after the
bucket is deleted.
Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service 61
Copyright © 2023, Oracle and/or its affiliates.
62 Infrastructure Security - Network: Create a Network Source to restrict access to Object Storage service