Today, we are announcing a new cloud security capability called context-based restrictions.
Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of the access request, such as network attributes.
These restrictions work with traditional IAM policies (which are based on identity) to provide an extra layer of protection. Since both IAM access and context-based restrictions define access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials.
How do context-based restrictions work?
An account administrator manages context-based restrictions via rules. A context-based restrictions rule associates an IBM Cloud resource with one or more contexts, where each context describes a set of conditions that an access request must satisfy in order for that access to be permitted.
Today, a context can describe conditions based on any combination of the following:
- The client IP from which the request originated.
- The service endpoint type on which the request was received (e.g., public vs private).
Note that the concept of contexts is defined to be extensible and allows for future support of additional conditions.
Start using context-based restrictions
Strengthen your security strategy by applying context-based restrictions to your resources. To learn how to restrict account management service requests to the contexts you define, complete this tutorial.
Today, you can create context-based restrictions for the following services:
- IAM Users
- IAM Groups
- IAM Access Policy Management
- IAM Custom roles
Support for additional services will be added in the future.
You can create context-based restrictions with your method of choice:
- In the IBM Cloud console.
- By using REST API calls. For more information, see the Context-based restrictions API.