Restrict access to a Google Cloud bucket to a certain IP range - google-cloud-platform

I wanted to check if it's possible to restrict access to a Google Cloud bucket to a certain IP range and, if yes, how we can restrict the access. We are exposing our cloud bucket to a vendor and we want to restrict the bucket access only to the vendor's IP range.

The best solution for this is VPC Service Controls. This allows you to define a service perimeter that includes your project's GCS service and add an access level to allow access from the IPs you want.

Related

Restrict access to GCP organisation and project resources by location

Is it possible with Workspace and GCP to restrict geographically where a user can access projects and resources from?
For example, all users in the Workspace should only be able to access GCP resources from Australia. User A decides to go on holiday to the USA but will do some remote work. Their access should be blocked to select Workspace and GCP resources unless overruled (i.e. User A enabled access from the USA).
This is something I've seen possible in Azure AD, does GCP/Workspace have a similar functionality?
Use Context-Aware Access to create granular access control policies for Google Workspace. Not all versions of Google Workspace enable this feature. This does not affect access to Google Cloud Platform.
If you are using Identity-Aware Proxy to control access to your resources in Google Cloud, then you can extend Identity-Aware Proxy with Context-Aware Access. However, this does not limit access to the Google Cloud GUI or other Google-owned resources, only the ones for which you configure IAP authorization.
Setting up context-aware access with Identity-Aware Proxy
Context-Aware Access can also be integrated with VPC Service Control perimeter ingress rules to allow access based on network origin (IP and VPC).
Context-aware access with ingress rules
Summary:
Integrate Context-Aware Access with resources you create that support Identity-Aware Proxy.
Use VPC Service Controls to control access to Google Cloud resources that support VPCs (Cloud Storage, BigQuery, etc).
If your goal is to limit access to the Google Cloud Console GUI, I am not aware of one. Use Two-Step Verification to control user access from new locations.

How do I host a static website on a gcs bucket inside a vpc?

AWS makes this possible with private link: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html
I want to do this with gcs
I have a static html site I want to host on a gcs bucket
BUT I want this to be hosted inside a vpc and use GCP VPC firewall rules to control access
Cloud Storage is hosted outside your VPC. You can't set firewall rules to access it.
However, to serve static files on the internet, you can put your files on Cloud Storage, create a Global HTTPS load balancer and define your bucket as the backend.
You can also serve your static files through App Engine and use the App Engine firewall feature to achieve something similar to your requirements.
I'm afraid that this is not currently a possibility. There is an ongoing Feature Request that you might find useful, as there are other customers trying to achieve your exact setup.
Access control in Google Cloud Storage is based on IAM permissions and ACLs, and they are not IP based in a way where you could make use of VPC Firewall Rules.
Nonetheless, I believe that the approach that currently will be most suitable to achieve the desired behavior will be to use VPC Service Controls, where you could define a service perimeter around storage.googleapis.com (notice that you won't be able to define the perimeter for an individual bucket, but for the whole service, meaning all the buckets within that project) and take advantage of this feature. Note, though, that it has certain limitations.
Strict VPC Firewall rules won't apply within this setup, but you could define access levels to allow access to your buckets from outside the perimeter. Such levels are based on different conditions, such as IP address or user and service accounts. However, you cannot block the access to certain ports as you could with VPC Firewall rules.
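As an added illustration of the VPC Service Controls approach described in this answer (editor-supplied example code, not from the answer's author or from Google): it builds the two spec documents an IP-based access level and a Cloud Storage perimeter are created from, lists the gcloud invocations that would load them, and simulates the perimeter decision. The policy id, project number and vendor ranges are constructed placeholders; the spec shapes, flag names and the decision model reflect my understanding of gcloud and of perimeter semantics and should be checked against current documentation.

```python
"""Added example: an IP-based access level plus a Cloud Storage perimeter
for VPC Service Controls, with a simplified decision model.
Not Google's code; placeholders and assumptions are marked below."""
import ipaddress
import json

POLICY_ID = "POLICY_ID_PLACEHOLDER"                    # constructed placeholder
PROJECT_NUMBER = "123456789012"                        # constructed placeholder
VENDOR_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]  # constructed (RFC 5737 ranges)


def access_level_spec(cidrs):
    """Basic access level spec: a list of conditions, here one ipSubnetworks
    condition (shape as I understand --basic-level-spec).  strict=True rejects
    a host address such as 203.0.113.5/24 rather than silently widening it."""
    for cidr in cidrs:
        ipaddress.ip_network(cidr, strict=True)
    return [{"ipSubnetworks": list(cidrs)}]


def perimeter_spec(project_number, level_name):
    """Perimeter covering Cloud Storage for the whole project.  There is no
    per-bucket option: every bucket in the project is inside the perimeter."""
    return {
        "resources": [f"projects/{project_number}"],
        "restrictedServices": ["storage.googleapis.com"],
        "accessLevels": [level_name],
    }


def gcloud_commands(policy_id, project_number, level_id="vendor_ips", perimeter_id="vendor_storage"):
    """The gcloud calls that would load the specs (flag names are an assumption
    about current gcloud; verify before use)."""
    level_name = f"accessPolicies/{policy_id}/accessLevels/{level_id}"
    return [
        f"gcloud access-context-manager levels create {level_id} --policy={policy_id} "
        f"--title='Vendor IP ranges' --basic-level-spec=level.yaml",
        f"gcloud access-context-manager perimeters create {perimeter_id} --policy={policy_id} "
        f"--title='Vendor storage' --resources=projects/{project_number} "
        f"--restricted-services=storage.googleapis.com --access-levels={level_name}",
    ]


def request_allowed(perimeter, level_cidrs, project_number, service, source_ip):
    """Simplified perimeter decision (my reading, not Google's evaluator):
    requests to a service/project outside the perimeter are not affected by
    VPC-SC (IAM and ACLs still apply, not modelled); requests to a restricted
    service inside it from outside the perimeter pass only if the source IP
    matches the access level.  No bucket or port parameter exists because the
    perimeter cannot distinguish buckets or ports."""
    in_scope = (service in perimeter["restrictedServices"]
                and f"projects/{project_number}" in perimeter["resources"])
    if not in_scope:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in level_cidrs)


if __name__ == "__main__":
    level = access_level_spec(VENDOR_RANGES)
    perimeter = perimeter_spec(PROJECT_NUMBER, f"accessPolicies/{POLICY_ID}/accessLevels/vendor_ips")
    print(json.dumps(level, indent=2))       # JSON is valid YAML, so this can be saved as level.yaml
    print(json.dumps(perimeter, indent=2))
    print("\n".join(gcloud_commands(POLICY_ID, PROJECT_NUMBER)))
    for ip in ("203.0.113.77", "198.51.100.200", "192.0.2.1"):
        print(ip, request_allowed(perimeter, VENDOR_RANGES, PROJECT_NUMBER, "storage.googleapis.com", ip))
```

The vendor ranges must be the public addresses the vendor actually egresses from, and the simulation makes the answer's caveat concrete: the decision takes a project and a service but no bucket name or port, because the perimeter admits the vendor's ranges to every bucket in the project.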

Restrict a Load-Balanced Google backend bucket to a specific IP range

I have a Google Storage bucket that I want to make accessible (anonymous, read-only) to a specific set of internet IPs (whitelist).
I can expose the bucket with a load balancer, but I have not been able to find a way to apply any firewall/IP rules to it.
A Cloud Armor policy can only be applied to backend services not backend buckets.
And the GCP firewall rules only apply to virtual instances.
There isn't any option to do this specific ask as of yet. GCS buckets are mainly controlled through ACLs. However, with Cloud Armor in Beta, this would be a perfect time for a feature request to include backend buckets as targets.

Restrict access to objects in S3

I would like to restrict access to objects stored in an Amazon S3 bucket.
I would like to allow all the users on our LAN (they may or may not have Amazon credentials since the entire infrastructure is not on AWS). I have seen some discussion around IP address filtering and VPC endpoints. Can someone please help me here? I am not sure if I can use a VPC endpoint since all users on our LAN are not in an Amazon VPC.
Is this possible?
Thanks
Most likely your corporate LAN uses static IP addresses. You can create S3 policies to allow access (or deny) based upon IP addresses. Here is a good AWS article on this:
Restricting Access to Specific IP Addresses
VPC Endpoints are for VPC to AWS Services connectivity (basically using Amazon's private Internet instead of the public Internet). VPC Endpoints won't help you with corporate connectivity (except if you are using Direct Connect).
Here is how I would solve it:
Configure Users from a corporate directory who use identity federation with SAML.
Create Groups
Apply Policies to Group
This will give fine-grained control and less maintenance overhead.
This will help you not only to control S3 but any future workloads you migrate to AWS and permissions to those resources as well.
IP-based filtering is prone to security risk, has high maintenance in the long run, and is not scalable.
EDIT:
Adding more documentation on how to do the above:
Integrating ADFS with AWS IAM:
https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/
IAM Groups:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html
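As an added illustration of the bucket-policy route the first answer points to (editor-supplied example code, not from either answer's author or from AWS): it generates a bucket policy that allows anonymous reads only from the LAN's public ranges and denies everything else, and evaluates sample requests against it with a small local model of IAM policy evaluation. The bucket name, CIDRs and the break-glass role ARN are constructed placeholders, and `evaluate` is my own simplified reading of IAM semantics (explicit Deny beats Allow, no match is an implicit deny), not the AWS evaluator.

```python
"""Added example: S3 bucket policy restricted to corporate IP ranges, with a
simplified local evaluator.  Not AWS's code; placeholders are marked."""
import fnmatch
import ipaddress
import json

BUCKET = "example-corp-shared-bucket"                        # constructed placeholder
LAN_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]          # constructed (RFC 5737 ranges)
BREAK_GLASS_ROLE = "arn:aws:iam::123456789012:role/S3Admin"  # constructed placeholder


def ip_restricted_policy(bucket, cidrs, admin_arn):
    """Allow GetObject from the listed ranges; deny everything from anywhere
    else, except for one administrative role so that operators outside the LAN
    are not locked out (the classic failure mode of a NotIpAddress deny)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadFromLAN",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
            },
            {
                "Sid": "DenyOutsideLAN",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {
                    # Both operators must hold for the deny to fire (logical AND).
                    "NotIpAddress": {"aws:SourceIp": list(cidrs)},
                    "StringNotEquals": {"aws:PrincipalArn": admin_arn},
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(cond, ip, principal_arn):
    """Return True when every condition operator in the statement is satisfied."""
    for op, keys in cond.items():
        for key, values in keys.items():
            values = _as_list(values)
            if key == "aws:SourceIp":
                hit = any(ip in ipaddress.ip_network(c) for c in values)
                if op == "IpAddress" and not hit:
                    return False
                if op == "NotIpAddress" and hit:
                    return False
            elif key == "aws:PrincipalArn" and op == "StringNotEquals":
                if principal_arn in values:
                    return False
            else:
                raise ValueError(f"unsupported condition {op}/{key}")
    return True


def evaluate(policy, action, resource, source_ip, principal_arn=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    Only this bucket policy is considered; identity policies are out of scope."""
    ip = ipaddress.ip_address(source_ip)
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), ip, principal_arn):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = ip_restricted_policy(BUCKET, LAN_RANGES, BREAK_GLASS_ROLE)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/report.pdf"
    for ip, who in [("203.0.113.9", None), ("192.0.2.10", None), ("192.0.2.10", BREAK_GLASS_ROLE)]:
        print(ip, who, evaluate(policy, "s3:GetObject", obj, ip, who))
```

The break-glass principal is deliberately exempted from the Deny only; it gets no Allow from this bucket policy and still needs its own identity policy, which is what the evaluator's "ImplicitDeny" result for that case shows. Keep in mind that aws:SourceIp is the public address S3 sees, so the LAN's NAT or proxy egress ranges are what belong in the list.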

Restricting access to CloudFront by IP

I want to restrict bucket access to certain IPs. I know how to create a bucket policy from Restricting Access to Specific IP Addresses.
My question: Can this work with CloudFront? How? Can I allow only certain IPs to access CloudFront?
Web Application Firewall is your friend.
http://docs.aws.amazon.com/waf/latest/developerguide/web-acl-ip-conditions.html
Create your rule with your IP addresses and WAF will take care of the rest.
You need to apply this to the required CloudFront Distribution.
You can restrict your bucket policies to CloudFront and restrict to your required IPs through CloudFront.
I have created a custom rule to whitelist IPs and restrict the application behind a CloudFront distribution with the following steps.
Steps:
Go to AWS WAF.
Create the following IP match conditions under IP Addresses.
staging-appname-whitelist-ips
Create the following rules under Rules.
staging-appname-ui-stack-whitelisted-ips
with the condition above (similar for the production one).
Finally, create the following Web ACLs:
staging-appname-acl
Please select the correct CloudFront Distribution and the Rule and IP Address group created above.
AWS Resource here.
Hope it helps!
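As an added illustration of the IP set / rule / web ACL layering described in the steps above (editor-supplied example code, not from the answer's author or from AWS): it builds the three objects as JSON in the shape of the WAFv2 API as I understand it (the steps above use the older WAF Classic console terms), models how WAF walks the rules by priority and falls through to the default action, and includes a check for the common misconfiguration of an Allow rule sitting on an Allow default. The IP set ARN, account number and addresses are constructed placeholders; the names are the ones used in the steps above.

```python
"""Added example: WAFv2 IP allow-list for a CloudFront distribution with a
simplified rule-evaluation model.  Not AWS's code; placeholders are marked."""
import ipaddress

ALLOWED_IPS = ["203.0.113.0/24", "198.51.100.7/32"]  # constructed (RFC 5737 ranges)
# Constructed placeholder ARN; CloudFront-scoped WAF resources are global and live in us-east-1.
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/staging-appname-whitelist-ips/PLACEHOLDER-ID"


def ip_set(name, cidrs):
    """IP set for the CLOUDFRONT scope; single hosts must be written as /32."""
    for cidr in cidrs:
        ipaddress.ip_network(cidr, strict=True)  # reject host bits set on a prefix
    return {"Name": name, "Scope": "CLOUDFRONT", "IPAddressVersion": "IPV4", "Addresses": list(cidrs)}


def web_acl(name, ip_set_arn, default_block=True):
    """One Allow rule referencing the IP set; everything else hits DefaultAction.
    default_block=False reproduces the misconfiguration checked by is_allowlist."""
    visibility = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Block": {}} if default_block else {"Allow": {}},
        "Rules": [{
            "Name": "staging-appname-ui-stack-whitelisted-ips",
            "Priority": 0,
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {"Allow": {}},
            "VisibilityConfig": visibility,
        }],
        "VisibilityConfig": visibility,
    }


def evaluate_acl(acl, ip_sets, source_ip):
    """Return 'Allow' or 'Block'.  Rules run in ascending Priority; the first
    matching rule with a terminating action decides; otherwise DefaultAction
    applies.  This is my simplified model of WAF evaluation, IP set rules only."""
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        statement = rule["Statement"]
        if "IPSetReferenceStatement" not in statement:
            raise ValueError("only IPSetReferenceStatement rules are modelled")
        cidrs = ip_sets[statement["IPSetReferenceStatement"]["ARN"]]["Addresses"]
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return next(iter(rule["Action"]))
    return next(iter(acl["DefaultAction"]))


def is_allowlist(acl):
    """True only when the ACL actually restricts: a Block default with Allow
    rules.  An Allow rule over an Allow default admits every client."""
    return "Block" in acl["DefaultAction"] and all("Allow" in r["Action"] for r in acl["Rules"])


if __name__ == "__main__":
    sets = {IP_SET_ARN: ip_set("staging-appname-whitelist-ips", ALLOWED_IPS)}
    acl = web_acl("staging-appname-acl", IP_SET_ARN)
    print("allowlist ok:", is_allowlist(acl))
    for ip in ("203.0.113.200", "198.51.100.7", "198.51.100.8", "192.0.2.1"):
        print(ip, evaluate_acl(acl, sets, ip))
```

The web ACL is what gets associated with the distribution; the model makes the point that the restriction lives in the Block default, not in the rule, which is why `is_allowlist` is worth running against any ACL meant to act as an allow-list.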