Enhance your Google Cloud Storage security with Bucket IP filtering

In today’s cloud-native world, strong network security is essential. While Identity and Access Management (IAM) offers robust control over who can access what, adding network-level restrictions can significantly enhance your security posture. Google Cloud Storage (GCS) recently launched Bucket IP filtering, which helps you manage access to your data with network-level protections.

What is GCS Bucket IP filtering?

Bucket IP filtering is a network security control that can restrict access to buckets based on the source IP address of the incoming request. It enables administrators to allow access to buckets based on the client’s IP address, enforcing policies at the network layer as an extra shield beyond permissions. This feature offers fine-grained access control based on IPv4 or IPv6 address ranges or the Google Cloud Virtual Private Cloud (VPC) networks. You can configure a list of allowed IP ranges at the bucket level, and all incoming requests are restricted to these configured IP ranges and VPCs.
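The following is an added example (not Google's code and not from the original post) that shows the shape of a bucket IP filter and lets you check it before it is applied. It assumes the JSON file layout `mode` / `publicNetworkSource.allowedIpCidrRanges` / `vpcNetworkSources[].network` plus `allowedIpCidrRanges`, and that the file is applied with `gcloud storage buckets update gs://BUCKET --ip-filter-file=FILE`; both are my recollection of the documented format and should be verified against the current Cloud Storage documentation. All addresses and the VPC name are constructed sample values. The `is_allowed` function is a simplified model of the evaluation described above (source IP must fall in an allowed public range, or arrive from a listed VPC within that VPC's ranges); IAM is still evaluated separately and is not modelled here.

```python
import ipaddress
import json

# Constructed sample inputs (documentation prefixes, not real infrastructure).
CORP_PUBLIC_RANGES = ["203.0.113.0/24", "2001:db8:1::/48"]
BUILD_VPC = "projects/example-project/global/networks/build-vpc"  # hypothetical network
BUILD_VPC_RANGES = ["10.10.0.0/16"]


def build_ip_filter(public_ranges, vpc_sources, mode="Enabled"):
    """Return the ip-filter configuration as a dict ready to be written to JSON.

    Assumed layout (verify against current docs): mode,
    publicNetworkSource.allowedIpCidrRanges, vpcNetworkSources[].network and
    .allowedIpCidrRanges. Every CIDR is validated with strict=True so a typo or
    a host address with a prefix length fails here, not after the bucket is locked.
    """
    for cidr in public_ranges:
        ipaddress.ip_network(cidr, strict=True)
    cfg = {
        "mode": mode,
        "publicNetworkSource": {"allowedIpCidrRanges": list(public_ranges)},
        "vpcNetworkSources": [],
    }
    for network, ranges in vpc_sources.items():
        for cidr in ranges:
            ipaddress.ip_network(cidr, strict=True)
        cfg["vpcNetworkSources"].append(
            {"network": network, "allowedIpCidrRanges": list(ranges)}
        )
    return cfg


def _in_ranges(source_ip, ranges):
    # ip_address in ip_network is False when the IP versions differ, so IPv4
    # clients are never matched by IPv6 ranges and vice versa.
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in ranges)


def is_allowed(cfg, source_ip, vpc_network=None):
    """Simplified model of the filter decision (IAM is checked separately).

    - mode other than "Enabled": the filter imposes no restriction.
    - request arriving from a VPC network: allowed only if that network is
      listed and the source IP is within the ranges allowed for it.
    - any other request: the source IP must be within the public ranges.
    """
    if cfg.get("mode") != "Enabled":
        return True
    if vpc_network is not None:
        for src in cfg.get("vpcNetworkSources", []):
            if src["network"] == vpc_network:
                return _in_ranges(source_ip, src["allowedIpCidrRanges"])
        return False  # VPC not listed at all
    public = cfg.get("publicNetworkSource", {}).get("allowedIpCidrRanges", [])
    return _in_ranges(source_ip, public)


def lockout_check(cfg, operator_ips):
    """Return the operator addresses the filter would reject.

    Run this before applying a filter so the machines that must keep
    administering or syncing the bucket are not cut off by the new rule.
    """
    return [ip for ip in operator_ips if not is_allowed(cfg, ip)]


if __name__ == "__main__":
    cfg = build_ip_filter(CORP_PUBLIC_RANGES, {BUILD_VPC: BUILD_VPC_RANGES})
    with open("ip_filter.json", "w") as fh:
        json.dump(cfg, fh, indent=2)
    # Constructed operator addresses: one inside the corporate range, one outside.
    print("would be locked out:", lockout_check(cfg, ["203.0.113.7", "198.51.100.9"]))
```

Note that a private address such as `10.10.3.4` is accepted only when the request is attributed to the listed VPC network; the same address arriving over the public path is rejected, which is the distinction between the `publicNetworkSource` and `vpcNetworkSources` entries.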

Use cases

1. Enhanced security for sensitive data
Scenario: A financial services company stores highly sensitive customer transaction data and internal audit logs in a Google Cloud Storage bucket. This data must only be accessible from the company’s internal network to prevent unauthorized access and comply with industry regulations like PCI DSS.
Solution: The company can implement a bucket IP filter that whitelists only the static private IP addresses of their known machines. This ensures that even if an employee’s credentials are compromised, an attacker outside the allowed IP range cannot access the bucket.

2. Restricting access to internal applications
Scenario: A software development company uses a Cloud Storage bucket to host artifacts, build files, and private APIs for their internal applications. They want to ensure that only their specific servers and CI/CD pipelines can download these files.
Solution: By configuring an IP filter on the bucket, the company can limit access to the known IP addresses of their build servers and production environments. This prevents external systems or users from directly accessing the application’s components, securing their development and deployment pipeline.

3. Secure content delivery for partners
Scenario: A large enterprise shares confidential marketing materials and proprietary research with a select group of external partners. Instead of creating individual access controls for each user, they want a simpler, more robust way to manage access.
Solution: The enterprise can grant each partner a static IP address and use the IP filtering feature to allow access to the shared bucket exclusively from those addresses. This creates a secure, network-level perimeter for data sharing, reducing the risk of unauthorized distribution.

4. Preventing data exfiltration
Scenario: An enterprise stores classified documents in a Cloud Storage bucket. Their primary security concern is data exfiltration, where an insider might try to move data to an external, unapproved location.
Solution: The enterprise can configure an IP filter to allow access to the bucket only from specific, hardened endpoints within their secure network. This makes it impossible for the bucket’s contents to be accessed or downloaded from an unapproved personal device, public network, or any other external location.

5. Managing hybrid cloud environments
Scenario: A company is migrating its data from an on-premises data center to Google Cloud. During this transition, they need to ensure that data transfer tools and services running in their on-premises environment can communicate securely with their Cloud Storage buckets.
Solution: IP filtering can be used to explicitly allow the public IP addresses of the company’s on-premises servers to access the buckets. This provides a clear and secure channel for data migration and synchronization, ensuring data integrity and confidentiality throughout the hybrid cloud journey.

Complementing other security measures
While powerful, Bucket IP filtering should be used as part of a comprehensive security strategy. It complements other features like IAM and VPC Service Controls (VPC SC).
VPC Service Controls can establish a perimeter for your trusted network, and GCS IP Filtering can then further narrow access, allowing only specific IP addresses within that perimeter to access your data. This creates a multi-layered defence.
Bucket IP filtering does not replace identity-based authentication and permission checks provided by IAM.

Authors:

Nimish Aggarwal, Engineering Manager

Karthik Gangidi, Product Manager
