July 27, 2022 By Henrik Loeser 3 min read

Use context-based restrictions in IBM Cloud to define and enforce access restrictions based on properties from where the access request originated.

Last year, IBM Cloud introduced context-based restrictions (CBRs). Context-based restrictions provide the ability to define and enforce access restrictions based on the network location (“context”) of access requests. Contexts are defined by the type of endpoint or a network zone (or a combination of those). A rule links a context to a resource. When the rule is enabled, only requests that match the context are allowed to proceed to other authorization checks. Because CBRs complement Identity and Access Management (IAM) policies, they are an important building block towards a zero trust architecture. Even if your credentials are leaked or IAM policies misconfigured, CBRs still enforce access and may scope allowed requests to your compute resources or corporate networks.

In this blog post, I am going to discuss such a scenario. I wanted only my code deployed to IBM Cloud Code Engine to access the files in my IBM Cloud Object Storage (COS) bucket and to block traffic from on-prem and other environments. I deployed the CBR network zone (context) and the rule using Terraform. In the following, I am providing more details on the test scenario and showing how I deployed the CBR access control. You can find the details and related code on GitHub in my repository context-based-restrictions:

Access to your cloud storage buckets

For my test of enforcing access control with context-based restrictions, I set up a new storage bucket cbrbucket in my S3-compatible instance of Cloud Object Storage (COS). After uploading a few files, I locally ran the Python script from the mentioned GitHub repository to first list all available buckets on that COS instance, then the items in the bucket cbrbucket. It succeeded and showed 10 buckets and 2 files. 

Then, I containerized the Python script and turned it into a Code Engine job. Once ready and configured, I submitted a Code Engine jobrun. The following screenshot shows the entries from Log Analysis. The output is similar to that from running it locally:

Output from the Python script as a log in Log Analysis.

Network zones and rules for access restrictions

With the test scripting in place, the next step is to define the context-based restriction (CBR) network zone and rule for my scenario. Because I love automation, I created a Terraform script. It reads in the metadata for my COS instance and some account information, then sets up the CBR network zone followed by the rule. The network zone specifies all traffic originating from the Code Engine service, regardless of the endpoint type. The rule is defined as enabled and ties the previously created network zone to my COS instance and the bucket cbrbucket. Thus, only traffic coming from Code Engine is allowed to access the bucket.

When creating CBR network zones and rules, it is important to know that the changes are eventually consistent. So if you run tests immediately after deploying CBR changes, they might not be in place worldwide.

After I created the network zone and rule for Code Engine and the COS bucket and they became active, I submitted a new Code Engine jobrun. The result was similar to the screenshot above — access was still possible. However, running the Python script locally resulted in an access error like the one shown below:

With context-based restrictions in place, my on-prem access is denied.

Later, I added my own IP address to the network zone and re-ran my local test. This time, it succeeded as expected. Similarly, you could add your corporate network (gateway) or other trusted networks to network zones.

Conclusion

Context-based restrictions help to create an extra layer of security checks for your cloud-based solution. By defining the right network zones and implementing access rules for your deployed services, context-based restrictions enable you on your journey towards a zero trust architecture. To get started, I recommend the following resources:

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn

Was this article helpful?
YesNo

More from Cloud

Fortressing the digital frontier: A comprehensive look at IBM Cloud network security services

6 min read - The cloud revolution has fundamentally transformed how businesses operate. Its superior scalability, agility and cost-effectiveness have made it the go-to platform for organizations of all sizes. However, this shift to the cloud has introduced a new landscape of ever-evolving security threats. Data breaches and cyberattacks continue to hit organizations, making robust cloud network security an absolute necessity. IBM®, a titan in the tech industry, recognizes this critical need, provides a comprehensive suite of tools and offers unmatched expertise to fortify…

How well do you know your hypervisor and firmware?

6 min read - IBM Cloud® Virtual Private Cloud (VPC) is designed for secured cloud computing, and several features of our platform planning, development and operations help ensure that design. However, because security in the cloud is typically a shared responsibility between the cloud service provider and the customer, it’s essential for you to fully understand the layers of security that your workloads run on here with us. That’s why here, we detail a few key security components of IBM Cloud VPC that aim…

New IBM study: How business leaders can harness the power of gen AI to drive sustainable IT transformation

3 min read - As organizations strive to balance productivity, innovation and environmental responsibility, the need for sustainable IT practices is even more pressing. A new global study from the IBM Institute for Business Value reveals that emerging technologies, particularly generative AI, can play a pivotal role in advancing sustainable IT initiatives. However, successful transformation of IT systems demands a strategic and enterprise-wide approach to sustainability. The power of generative AI in sustainable IT Generative AI is creating new opportunities to transform IT operations…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters