Context-based restrictions (CBRs) give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud resources based on the context of the access request (e.g., network attributes). In an IBM Cloud account, both Identity and Access Management (IAM) policies and CBRs enforce access, so context-based restrictions can offer protection even in the face of compromised or mismanaged credentials or privileges.
To get you started with CBRs, we just published a new tutorial, “Enhance cloud security by applying context-based restrictions.” It helps you learn about CBRs to protect your cloud resources. The tutorial leverages our existing tutorial “Apply end-to-end security to a cloud application” and its sample code, and it also adds an extra layer of security. The diagram below shows the solution architecture of the existing security tutorial. The additional boxes with dashed, blue lines around some components denote CBRs implemented as context rules.
In this blog post, I’ll briefly introduce context-based restrictions. Then I’ll show you where to learn more and how to implement, test and monitor CBRs with the help of our new tutorial:
Context rules governing access to services of the sample solution.
IBM Cloud introduced context-based restrictions (CBRs) in late 2021. These restrictions work with traditional IAM policies to provide an extra layer of protection. This is because IAM policies are based on identity (e.g., user, service ID or trusted profile) while CBRs are based on the context of request (e.g., network addresses, originating services or accessed endpoint types).
A CBR rule governs access to a resource identified by its service name and type as well as by additional attributes. They can include the region, resource group and other service-specific properties. The attributes in a rule are mostly optional so that you could govern, for example, all IBM Key Protect for IBM Cloud instances together or target just a specific key ring in an identified Key Protect instance.
The context for a restriction is made up of network zones and service endpoints. Zones can be defined by specific IP addresses or ranges, or by traffic originating from one or more VPCs or cloud services. With that, access to the sample Key Protect instance might only be allowed from, for example, a specific IBM Cloud Object Storage instance and a well-known range of IP addresses, and only via the private endpoint.
Network zones can be used for the definition of multiple rules. Rules have an enforcement mode that is one of disabled, report-only or enabled.
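As an added illustration (not the tutorial’s own Terraform code), the following declares one network zone and one rule in the shape just described, using the IBM Cloud Terraform provider’s `ibm_cbr_zone` and `ibm_cbr_rule` resources. It assumes the provider is already configured; the account ID, instance GUIDs and IP range are constructed placeholders, and the attribute names follow the provider’s schema as I know it.

```hcl
# Network zone: a known IP range plus traffic that originates from one
# specific Cloud Object Storage instance (a service reference).
resource "ibm_cbr_zone" "kp_zone" {
  name       = "kp-allowed-origins"
  account_id = "ACCOUNT_ID_PLACEHOLDER"       # placeholder, use your account ID
  addresses {
    type  = "ipRange"
    value = "192.0.2.10-192.0.2.20"           # constructed RFC 5737 range
  }
  addresses {
    type = "serviceRef"
    ref {
      account_id       = "ACCOUNT_ID_PLACEHOLDER"
      service_name     = "cloud-object-storage"
      service_instance = "COS_INSTANCE_GUID_PLACEHOLDER"
    }
  }
}

# Rule: the sample Key Protect instance (service name "kms") may only be
# reached from the zone above and only via the private endpoint. Start in
# report mode; switch to "enabled" once Activity Tracker shows no surprises.
resource "ibm_cbr_rule" "kp_rule" {
  description      = "Restrict Key Protect access to known origins"
  enforcement_mode = "report"
  contexts {
    attributes {
      name  = "networkZoneId"
      value = ibm_cbr_zone.kp_zone.id
    }
    attributes {
      name  = "endpointType"
      value = "private"
    }
  }
  resources {
    attributes {
      name  = "accountId"
      value = "ACCOUNT_ID_PLACEHOLDER"
    }
    attributes {
      name  = "serviceName"
      value = "kms"
    }
    attributes {
      name  = "serviceInstance"
      value = "KEY_PROTECT_INSTANCE_GUID_PLACEHOLDER"
    }
  }
}
```

Because the zone is a separate resource, the same `ibm_cbr_zone.kp_zone.id` can be referenced from additional rules that protect other services.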
You can use our recently published tutorial, “Enhance cloud security by applying context-based restrictions,” to meet the following objectives:
The tutorial walks you through the creation of CBR network zones and context rules with both the IBM Cloud console and Terraform code. The latter helps to establish security rules in an automated way. Once the rules are in place, the next steps are testing and monitoring them: first to confirm that they would work as intended (report-only mode), then to confirm that they actually do (enforced mode).
To test, access resources covered by CBR rules via different origins and paths. Using the IBM Cloud Activity Tracker, you can see log entries for matching rules that are in report mode. Each log record has details on the context and the rule-based decision. That is, the log shows the request origin, involved network zones, the targeted service and if the rule would have rendered a “Deny” or “Permit.”
Once rules are enforced, after testing for at least a month, only denied access is reported. An Activity Tracker log record for such an event is shown in the following screenshot. The tutorial provides guidance on how to find the relevant log records:
Log entry in IBM Cloud Activity Tracker showing denied access.
Context-based restrictions help to enhance cloud security. They add an extra layer of protection to your cloud resources and complement the existing Identity and Access Management policies. With our new IBM Cloud solution tutorial, you learn how to create network zones and context rules, and how to test and monitor them. Here are the resources to get you started:
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik), Mastodon (@data_henrik@mastodon.social) or LinkedIn.