Control: 2.1.3 Ensure network access for Cloud Object Storage is set to be exposed only on Private end-points
Description
IBM Cloud Object Storage bucket firewall restricts all access to data unless the request originates from a list of allowed IP addresses.
Remediation
From Console
Follow the steps below to add an IP address to the list of Authorized IPs in the bucket firewall policies:
- Start by selecting Storage to view your resource list.
- Next, select the service instance with your bucket from within the Storage menu. This takes you to the Object Storage Console.
- Select the bucket whose access you want to limit to authorized IP addresses.
- Select Access policies from the navigation menu.
- Select the Authorized IPs tab.
- Click on Add and specify a list of IP addresses in CIDR notation, for example 192.168.0.0/16, fe80:021b::0/64. Addresses can follow either IPv4 or IPv6 standards.
- Click Add.
- The firewall will not be enforced until the address is saved in the console. Click Save all to enforce the firewall.
Note that once the firewall is saved, all objects in this bucket are accessible only from those IP addresses.
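Because the firewall is only as strong as the list that gets saved, it is worth reviewing the proposed Authorized IPs before clicking Save all. The following is an added example (not part of the ibm_compliance mod and not IBM Cloud code) that validates a proposed allow list with Python's standard ipaddress module: it rejects entries that are not valid IPv4/IPv6 CIDRs, rejects a /0 entry that would admit every address and so defeat the firewall, and warns on entries whose host bits do not match their prefix length or whose range is unusually broad. The sample list and the "broad range" thresholds are constructed for illustration.

```python
import ipaddress

# Constructed sample of what an operator might paste into the "Authorized IPs" dialog.
# The first two entries are the ones given in the console steps above.
PROPOSED_ALLOW_LIST = [
    "192.168.0.0/16",
    "fe80:021b::0/64",
    "203.0.113.7",       # single host without a prefix: valid, treated as /32
    "0.0.0.0/0",         # matches every IPv4 address: the firewall would allow everyone
    "10.0.0.1/8",        # host bits set: prefix length does not match the address, likely a typo
    "not-an-address",    # not parseable at all
]


def classify_entry(entry, max_ipv4_prefix=8, max_ipv6_prefix=32):
    """Classify one allow-list entry.

    Returns (status, network, reason) where status is one of
    "ok", "warn", "reject" or "invalid". The prefix-length limits that trigger
    a "warn" are illustrative thresholds, not IBM Cloud defaults.
    """
    try:
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        # Either the text is not an address at all, or it is an address with
        # host bits set (e.g. 10.0.0.1/8). Distinguish the two cases.
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return ("invalid", None, "not a valid IPv4/IPv6 address or CIDR range")
        return ("warn", None, "host bits set; prefix length does not match the address")

    if net.prefixlen == 0:
        return ("reject", net, "matches every address; this would disable the bucket firewall")

    limit = max_ipv4_prefix if net.version == 4 else max_ipv6_prefix
    if net.prefixlen < limit:
        return ("warn", net, f"very broad /{net.prefixlen} range; confirm this is intended")

    return ("ok", net, f"IPv{net.version} range covering {net.num_addresses} address(es)")


def review_allow_list(entries, **limits):
    """Group every entry of a proposed allow list by its classification."""
    report = {status: [] for status in ("ok", "warn", "reject", "invalid")}
    for entry in entries:
        status, _net, reason = classify_entry(entry, **limits)
        report[status].append((entry, reason))
    return report


def is_safe_to_save(report):
    """True only when nothing in the list is rejected or unparseable."""
    return not report["reject"] and not report["invalid"]


if __name__ == "__main__":
    result = review_allow_list(PROPOSED_ALLOW_LIST)
    for status in ("reject", "invalid", "warn", "ok"):
        for entry, reason in result[status]:
            print(f"{status:8} {entry:20} {reason}")
    print("safe to save:", is_safe_to_save(result))
```

Warnings are left to human judgement, since a broad corporate range may be legitimate; a rejected or invalid entry should be corrected before the list is saved, because the firewall is not enforced until Save all is clicked and a /0 entry would make the enforced policy meaningless.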
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_2_1_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_2_1_3 --share
SQL
This control uses a named query:
manual_control