IPv6 addresses now supported in SAM User Permissions and Switch User Trust Policies
Soracom Access Management (SAM) permissions can be configured to allow or deny access based on IP addresses, both in SAM User permission statements and Switch User trust policy statements. IP addresses are specified using the sourceIp variable and the ipAddress function.
With this update, the sourceIp variable and the ipAddress function now support IPv6 addresses. This means that, in addition to IPv4 addresses, you can now also manage access using IPv6 addresses when configuring SAM User permissions and Switch User trust policies.
Important Considerations When Denying Access by IPv4 Address
Please note that if you have configured a rule to deny access based on an IPv4 address, as in the permission statement example below, the deny rule is enforced only for IPv4 addresses, and a user can bypass the rule by connecting from an IPv6 address.
{
  "statements": [
    {
      "effect": "allow",
      "api": [ "Sim:*", "Group:*" ]
    },
    {
      "effect": "deny",
      "api": [ "Sim:*", "Group:*" ],
      "condition": "ipAddress('xxx.xxx.xxx.xxx/24')"
    }
  ]
}
In general, we do not recommend denying access based on IPv4 or IPv6 addresses, since a user can easily change their IP address and bypass the restriction.
Instead, we recommend configuring access to explicitly allow specific IP addresses or IP address ranges that you own or control, as shown in the following example:
{
  "statements": [
    {
      "effect": "allow",
      "api": [ "Sim:*", "Group:*" ],
      "condition": "ipAddress('yyy.yyy.yyy.yyy/24')"
    }
  ]
}
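The following added example (not Soracom code) models the two policies above locally to show why the deny rule misses IPv6 callers while the allow-list does not, and flags IPv4-only deny statements when auditing existing policies. The evaluation model (a matching deny wins, otherwise a matching allow is required), the documentation-range CIDRs, and the API name Sim:listSims are assumptions made for the illustration.

```python
import fnmatch
import ipaddress
import json
import re

# Only the condition form shown on the page is modelled: ipAddress('<CIDR>').
COND_RE = re.compile(r"^\s*ipAddress\('([^']+)'\)\s*$")

# Constructed policies using documentation address ranges.
DENY_BY_IPV4 = json.loads("""{"statements": [
  {"effect": "allow", "api": ["Sim:*", "Group:*"]},
  {"effect": "deny", "api": ["Sim:*", "Group:*"],
   "condition": "ipAddress('203.0.113.0/24')"}]}""")
ALLOW_LIST = json.loads("""{"statements": [
  {"effect": "allow", "api": ["Sim:*", "Group:*"],
   "condition": "ipAddress('198.51.100.0/24')"}]}""")

def network_of(condition):
    m = COND_RE.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    return ipaddress.ip_network(m.group(1), strict=False)

def applies(statement, api, source_ip):
    """True if the statement covers this API call from this source address."""
    if not any(fnmatch.fnmatchcase(api, p) for p in statement["api"]):
        return False
    if "condition" not in statement:
        return True
    net, addr = network_of(statement["condition"]), ipaddress.ip_address(source_ip)
    # An IPv4 range never contains an IPv6 address, so the condition is false.
    return addr.version == net.version and addr in net

def is_allowed(policy, api, source_ip):
    """Assumed model: a matching deny wins; otherwise a matching allow is needed."""
    hits = {s["effect"] for s in policy["statements"] if applies(s, api, source_ip)}
    return "deny" not in hits and "allow" in hits

def ipv4_only_denies(policy):
    """Conditions of deny statements that an IPv6 source address would not match."""
    return [s["condition"] for s in policy["statements"]
            if s["effect"] == "deny" and "condition" in s
            and network_of(s["condition"]).version == 4]

if __name__ == "__main__":
    # "Sim:listSims" is a constructed API name used only for this demo.
    for ip in ("203.0.113.7", "2001:db8::10"):
        print(ip, is_allowed(DENY_BY_IPV4, "Sim:listSims", ip),
              is_allowed(ALLOW_LIST, "Sim:listSims", ip))
    print(ipv4_only_denies(DENY_BY_IPV4))
```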
If you have any questions, please feel free to contact Soracom Support.