Your company uses the Oracle Cloud Infrastructure (OCI) Object Storage service to share large data sets with its data science team.
The data science team consists of 20 people who work from offices in Washington, D.C., and Tokyo.
While working in these offices, employees are assigned an IP address from the public IP range 129.146.31.0/27. Which two steps should you take to ensure that the Object Storage bucket used in this scenario is only accessible from these office locations? (Choose two.)
A. Write an IAM policy that includes the conditional statement where request.networkSource.name = CorpNet
B. Set the bucket visibility to public and only share the URL with the data science team via email
C. Create a pre-authenticated request for each data set and only share with the data science team via email
D. Create a Network Source named CorpNetwork with a CIDR block of 129.146.31.0/27
E. Create a Network Source named CorpNetwork with a CIDR block of 129.146.0.0/16
F. Write an IAM policy that includes the conditional statement where
The correct answers are A and D.
A. Write an IAM policy that includes the conditional statement where request.networkSource.name = CorpNet
To restrict access to the Object Storage bucket only from specific IP addresses, you can create an IAM policy that includes a conditional statement. The conditional statement will restrict access to requests that originate from a network source with a specific name.
In this case, you can create a network source named CorpNet, and assign the CIDR block 129.146.31.0/27 to it. This CIDR block includes all the IP addresses that the data science team is using while working from offices in Washington, D.C., and Tokyo.
The IAM policy can include a statement like this:
```
allow any-user to read objects in compartment <compartment-name> where all {target.bucket.name = 'my-bucket', request.networkSource.name = 'CorpNet'}
```

(OCI policy statements are scoped to a tenancy or compartment rather than to a bucket, condition values are single-quoted, and the bucket is selected with the target.bucket.name variable; <compartment-name> is a placeholder for the compartment that holds the bucket.)
This policy will allow any user to read objects from the bucket named my-bucket, but only if the request originates from a network source with the name CorpNet. Any requests that originate from other network sources will be denied access.
D. Create a Network Source named CorpNetwork with a CIDR block of 129.146.31.0/27
Another way to restrict access to the Object Storage bucket only from specific IP addresses is to create a Network Source in the OCI console.
To create a Network Source named CorpNet with a CIDR block of 129.146.31.0/27:
After creating the Network Source, you can attach it to an IAM policy that allows access to the Object Storage bucket.
For example, you can create an IAM policy like this:
```
allow any-user to read objects in compartment <compartment-name> where all {target.bucket.name = 'my-bucket', request.networkSource.id = 'ocid1.networksource.oc1.iad.aaaaaaa...'}
```
This policy will allow any user to read objects from the bucket named my-bucket, but only if the request originates from the Network Source with the ID ocid1.networksource.oc1.iad.aaaaaaa.... Any requests that originate from other network sources will be denied access.
Note: Options B, C, E, and F are incorrect.
B. Set the bucket visibility to public and only share the URL with the data science team via email
Setting the bucket visibility to public will allow anyone with the URL to access the contents of the bucket. This is not a secure way to restrict access to the data, and it also violates the principle of least privilege.
C. Create a pre-authenticated request for each data set and only share with the data science team via email
Creating a pre-authenticated request for each data set would be cumbersome and time-consuming, especially if the data sets are large and need to be shared frequently. It would also violate the principle of least privilege because the pre-authenticated request would give access to the entire bucket, rather than just the specific objects that the data science team needs.
E. Create a Network Source named CorpNetwork with a CIDR block of 129.146.0.0/16
Creating a Network Source with a CIDR block of 129.146.0.0/16 would allow access from any IP address within that range, not just the specific IP addresses used by the data science team. This would violate the principle of least privilege.
F. Write an IAM policy that includes the conditional statement where
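To make the difference between options A/D and option E concrete, here is a small model of how a network-source condition gates an object read. This is an added example written for this page, not Oracle's code and not the real OCI policy engine: the class and function names (NetworkSource, PolicyStatement, evaluate, decide) are hypothetical, the grammar is reduced to the two conditions the scenario cares about, and the addresses in the sample run are constructed. It shows that the /27 admits only 129.146.31.0 through 129.146.31.31, while the /16 from option E admits every address in 129.146.0.0/16.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkSource:
    """A named set of public CIDR blocks, like the console's Network Source."""
    name: str
    public_source_list: tuple

    def contains(self, ip: str) -> bool:
        # Membership test against every CIDR block registered on this source.
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(cidr, strict=False)
                   for cidr in self.public_source_list)


@dataclass(frozen=True)
class PolicyStatement:
    """One 'allow ... read objects ... where ...' statement, reduced to the
    bucket name and the network source it requires (hypothetical model)."""
    bucket_name: str
    network_source_name: str


def resolve_network_source(network_sources, source_ip):
    """Return the name of the first network source whose CIDRs contain
    source_ip, or None when the address is outside every registered block."""
    for ns in network_sources:
        if ns.contains(source_ip):
            return ns.name
    return None


def evaluate(statement, network_sources, bucket_name, source_ip):
    """Decide an object-read request; returns (allowed, reason).
    Deny by default: the request passes only when every condition holds."""
    if bucket_name != statement.bucket_name:
        return False, f"target.bucket.name={bucket_name!r} is not covered"
    matched = resolve_network_source(network_sources, source_ip)
    if matched is None:
        return False, f"{source_ip} matches no network source"
    if matched != statement.network_source_name:
        return False, f"{source_ip} is in {matched!r}, not {statement.network_source_name!r}"
    return True, f"{source_ip} is in {matched!r}"


# Constructed scenario: the offices' /27 (options A and D) and the
# over-broad /16 from option E, each attached to its own policy statement.
CORPNET = NetworkSource("CorpNet", ("129.146.31.0/27",))
WIDE_NET = NetworkSource("WideNet", ("129.146.0.0/16",))
POLICY = PolicyStatement(bucket_name="my-bucket", network_source_name="CorpNet")
WIDE_POLICY = PolicyStatement(bucket_name="my-bucket", network_source_name="WideNet")


def decide(source_ip, bucket="my-bucket", wide=False):
    """Evaluate one request against the /27 policy, or the /16 policy when wide=True."""
    if wide:
        return evaluate(WIDE_POLICY, [WIDE_NET], bucket, source_ip)
    return evaluate(POLICY, [CORPNET], bucket, source_ip)


if __name__ == "__main__":
    # Constructed sample addresses: two inside the /27, one just past its
    # last address (.31), and one elsewhere in the /16.
    for ip in ("129.146.31.5", "129.146.31.31", "129.146.31.32", "129.146.200.9"):
        print(f"{ip:16} /27 -> {decide(ip)[0]!s:5}  /16 -> {decide(ip, wide=True)[0]}")
```

Running the block prints one line per sample address; the third and fourth addresses are denied under the /27 policy but the fourth is admitted under the /16 policy, which is exactly why option E over-grants.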