January 30, 2023 By Henrik Loeser 4 min read

Check out our new tutorial to learn how to enhance security for your IBM Cloud environment by utilizing context-based restrictions.

Context-based restrictions (CBRs) give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud resources based on the context of the access request (e.g., network attributes). In an IBM Cloud account, both Identity and Access Management (IAM) policies and CBRs enforce access, so context-based restrictions can offer protection even in the face of compromised or mismanaged credentials or privileges.

To get you started with CBRs, we just published a new tutorial, “Enhance cloud security by applying context-based restrictions.” It helps you learn about CBRs to protect your cloud resources. The tutorial leverages our existing tutorial “Apply end-to-end security to a cloud application” and its sample code, and it also adds an extra layer of security. The diagram below shows the solution architecture of the existing security tutorial. The additional boxes with dashed, blue lines around some components denote CBRs implemented as context rules.

In this blog post, I’ll briefly introduce context-based restrictions. Then I’ll show you how to learn more and be able to implement, test and monitor CBRs with the help of our new tutorial:

Context rules governing access to services of the sample solution.

Overview: Context-based restrictions

IBM Cloud introduced context-based restrictions (CBRs) in late 2021. These restrictions work with traditional IAM policies to provide an extra layer of protection. This is because IAM policies are based on identity (e.g., user, service ID or trusted profile) while CBRs are based on the context of request (e.g., network addresses, originating services or accessed endpoint types).

A CBR rule governs access to a resource identified by its service name and type as well as by additional attributes. They can include the region, resource group and other service-specific properties. The attributes in a rule are mostly optional so that you could govern, for example, all IBM Key Protect for IBM Cloud instances together or target just a specific key ring in an identified Key Protect instance.

The context for a restriction is made up of network zones and service endpoints. You might want to define zones based on specific IP addresses or ranges or by configuring traffic originating from one or more VPCs or cloud services. With that, access to the sample Key Protect instance might only be allowed from, for example, a specific IBM Cloud Object Storage instance, a well-known range of IP addresses and only via the private endpoint.

Network zones can be used for the definition of multiple rules. Rules have an enforcement mode that is one of disabled, report-only or enabled.

New tutorial and sample code

You can use our recently published tutorial, “Enhance cloud security by applying context-based restrictions,” to meet the following objectives:

  • Learn about context-based restrictions to protect your cloud resources.
  • Define network zones to identify traffic sources for allowed and denied access.
  • Create rules that define context for access to your cloud resources.
  • Learn how to test and monitor context rules.

The tutorial walks you through the creation of CBR network zones and context rules with both the IBM Cloud console and Terraform code. The latter helps to establish security rules in an automated way. Once the rules are in place, next are testing and monitoring that they will work (reporting mode) or actually work (enforced mode).

To test, access resources covered by CBR rules via different origins and paths. Using the IBM Cloud Activity Tracker, you can see log entries for matching rules that are in report mode. Each log record has details on the context and the rule-based decision. That is, the log shows the request origin, involved network zones, the targeted service and if the rule would have rendered a “Deny” or “Permit.”

Once rules are enforced, after testing for at least a month, only denied access is reported. An Activitity Tracker log record for such an event is shown in the following screenshot. The tutorial provides guidance on how to find the relevant log records:

Log entry in IBM Cloud Activity Tracker showing denied access.


Context-based restrictions help to enhance cloud security. They add an extra layer of protection to your cloud resources and complement the existing Identity and Access Management policies. With our new IBM Cloud solution tutorial, you learn how to create network zones and context rules, how test and monitor them. Here are the resources to get you started:

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik), Mastodon (@data_henrik@mastodon.social) or LinkedIn.

Was this article helpful?

More from Cloud

The history of the central processing unit (CPU)

10 min read - The central processing unit (CPU) is the computer’s brain. It handles the assignment and processing of tasks, in addition to functions that make a computer run. There’s no way to overstate the importance of the CPU to computing. Virtually all computer systems contain, at the least, some type of basic CPU. Regardless of whether they’re used in personal computers (PCs), laptops, tablets, smartphones or even in supercomputers whose output is so strong it must be measured in floating-point operations per…

A clear path to value: Overcome challenges on your FinOps journey 

3 min read - In recent years, cloud adoption services have accelerated, with companies increasingly moving from traditional on-premises hosting to public cloud solutions. However, the rise of hybrid and multi-cloud patterns has led to challenges in optimizing value and controlling cloud expenditure, resulting in a shift from capital to operational expenses.   According to a Gartner report, cloud operational expenses are expected to surpass traditional IT spending, reflecting the ongoing transformation in expenditure patterns by 2025. FinOps is an evolving cloud financial management discipline…

IBM Power8 end of service: What are my options?

3 min read - IBM Power8® generation of IBM Power Systems was introduced ten years ago and it is now time to retire that generation. The end-of-service (EoS) support for the entire IBM Power8 server line is scheduled for this year, commencing in March 2024 and concluding in October 2024. EoS dates vary by model: 31 March 2024: maintenance expires for Power Systems S812LC, S822, S822L, 822LC, 824 and 824L. 31 May 2024: maintenance expires for Power Systems S812L, S814 and 822LC. 31 October…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters