gautham

Reputation: 87

gcp firewall settings for individual storage browser

I want to create firewall rules particular to a storage browser in Google Cloud Platform. I see that we have an option to create firewall rules, but how can we apply those rules to a specific storage browser bucket and not to all other storage browser buckets?

Upvotes: 0

Views: 766

Answers (2)

Artemis Georgakopoulou

Reputation: 1221

Your inquiry is a known Feature Request that has not been implemented yet on Cloud Storage. It has been requested and is ongoing, in order to allow IP whitelisting in bucket policies, just like AWS does with S3 buckets. You can "star" the FR so that it gets more visibility, and also add your email to the "CC" list so that you get the updates.

As a workaround, you may request access to use VPC Service Controls. According to official documentation, with VPC Service Controls, administrators can define a security perimeter around resources of Google-managed services to control communication to and between those services.

Cloud Storage is included in the Supported products of these Google-managed services and here you can find its limitations.

You can use access levels to grant controlled access to protected Google Cloud Platform (GCP) resources in service perimeters from outside a perimeter.

Access levels define various attributes that are used to filter requests made to certain resources. Access levels can consider various criteria, such as IP address and user identity. Additionally, they are created and managed using Access Context Manager.

This example describes how to create an access level condition that allows access only from a specified range of IP addresses.

However, it needs to be considered that VPC Service Controls create "borders" around the project, specifying a "virtual area" where Access Context Manager rules can be applied. An ACM rule specifying an IP address will allow that IP address to access all Cloud Storage objects and all other protected resources owned by that project, which is not the expected result. As stated here, you cannot apply an IP address rule to an object, only to all objects in a project.

Furthermore, here you can find a useful link for the Best Practices concerning Security and Access Control on Cloud Storage buckets. Here, you can find tips on “sharing your files” while hosting a static website.

In conclusion, another option is Firebase Hosting instead of Cloud Storage, as stated here. Firebase Hosting is a Google hosting service which provides static web content to the user in a secure, fast, free and easy way.

Upvotes: 1

marian.vladoi

Reputation: 8074

You do not have to create firewall rules for buckets. What you need is to set the permissions on the buckets, using Cloud IAM with buckets.

Open the Cloud Storage browser in the Google Cloud Platform Console.

Click the drop-down menu associated with the bucket to which you want to grant a member a role.

The drop-down menu appears as three vertical dots to the far right of the bucket's row.

Choose Edit bucket permissions.

In the Add members field, enter one or more identities that need access to your bucket.


Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

Click Add.

You can add as members individual users, groups, domains, or even the public as a whole. Members are assigned roles, which grant members the ability to perform actions in Cloud Storage as well as GCP more generally.

You can make a Cloud Storage bucket accessible only by a certain service account.

A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.

You can not apply firewall rules to single buckets.

Firewall rules are defined at the network level, and only apply to the network where they are created.

Upvotes: 1
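The answer above walks through the console; the same bucket-level IAM change can be done from a script, which is the form you want when you have to lock down many buckets or review them in a pipeline. The block below is an added example, not code from either answer. It takes the JSON that `gsutil iam get gs://BUCKET` prints, reports any binding that grants a role to the public principals `allUsers` or `allAuthenticatedUsers`, and rewrites the policy so that `roles/storage.objectViewer` is held only by one service account; the result is what you would feed to `gsutil iam set`. The bucket name, the service account address and the sample policy are constructed placeholders.

```python
"""Audit and rewrite a Cloud Storage bucket IAM policy offline.

Added example (not from the answers above). Intended workflow:
    gsutil iam get gs://my-bucket > policy.json
    python3 bucket_iam.py policy.json > new-policy.json   # this script
    gsutil iam set new-policy.json gs://my-bucket
All names below are placeholders.
"""
import json
import sys

# The two principals that make a bucket reachable without a specific identity.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of a `gsutil iam get` result for a bucket that was made
# world-readable at some point. The etag value is a placeholder.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:my-project"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "user:alice@example.com"]},
    ],
    "etag": "CAE=",
}


def public_roles(policy):
    """Return {role: [public members]} for every binding that grants a role
    to allUsers or allAuthenticatedUsers. Empty dict means nothing public."""
    found = {}
    for binding in policy.get("bindings", []):
        public = [m for m in binding.get("members", []) if m in PUBLIC_MEMBERS]
        if public:
            found[binding["role"]] = public
    return found


def restrict_to_service_account(policy, service_account,
                                role="roles/storage.objectViewer"):
    """Return a new policy in which `role` is held only by `service_account`
    and no binding grants anything to the public principals.

    Other bindings (e.g. legacy owner roles) are kept, minus public members;
    bindings that end up with no members are dropped. The input is not
    mutated, and the etag is carried over so `gsutil iam set` can detect a
    concurrent edit of the same policy.
    """
    sa_member = f"serviceAccount:{service_account}"
    new_bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if binding["role"] == role:
            members = [sa_member]
        if members:
            new_binding = dict(binding)   # keeps a "condition" key if one exists
            new_binding["members"] = members
            new_bindings.append(new_binding)
    if not any(b["role"] == role for b in new_bindings):
        new_bindings.append({"role": role, "members": [sa_member]})
    new_policy = {"bindings": new_bindings}
    if "etag" in policy:
        new_policy["etag"] = policy["etag"]
    return new_policy


def main(argv):
    # Read a real `gsutil iam get` dump if a path is given, else use the sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    exposed = public_roles(policy)
    for role, members in exposed.items():
        print(f"# WARNING: {role} granted to {', '.join(members)}", file=sys.stderr)
    fixed = restrict_to_service_account(
        policy, "reader@my-project.iam.gserviceaccount.com")
    print(json.dumps(fixed, indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Two caveats when using this. First, it only edits bucket-level IAM; if the bucket does not have uniform bucket-level access enabled, per-object ACLs still apply and an object can stay public even after the bucket policy is clean, so check the object ACLs (or turn on uniform bucket-level access) as well. Second, a service account that is the only principal with `objectViewer` on the bucket can still be impersonated by anyone who holds its key or `roles/iam.serviceAccountTokenCreator` on it, so the key handling of that account becomes the real access boundary.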
