turbot/ibm_compliance

Control: 2.1.2 Ensure network access for Cloud Object Storage is restricted to specific IP range

Description

IBM Cloud Object Storage bucket firewall restricts all access to data unless the request originates from a list of allowed IP addresses.

Remediation

From Console

Follow the steps outlined to add an IP to the list of Authorized IPs in bucket firewall policies

  1. Start by selecting Storage to view your resource list.
  2. Next, select the service instance with your bucket from within the Storage menu. This takes you to the Object Storage Console.
  3. Select the bucket that you want to limit access to authorized IP addresses.
  4. Select Access policies from the navigation menu.
  5. Select the Authorized IPs tab.
  6. Click on Add and specify a list of IP addresses in CIDR notation, for example 192.168.0.0/16, fe80:021b::0/64. Addresses can follow either IPv4 or IPv6 standards.
  7. Click Add.
  8. The firewall will not be enforced until the address is saved in the console. Click Save all to enforce the firewall.

Note that all objects in this bucket are only accessible from those IP addresses

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_2_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_2_1_2 --share

SQL

This control uses a named query:

manual_control

Tags