Restrict access to your IBM Cloud resources using context-based restrictions

By using these features, organizations can ensure that only authorized users can access their cloud resources and that they comply with various security and regulatory requirements.

IBM Cloud context-based restrictions (CBRs) help to ensure that only authorized users can access sensitive resources. They grant access based on the user’s role, location or other contextual factors. This helps to protect customer data and minimize the risk of unauthorized access or breaches. See the IBM Cloud documentation to learn more about how context-based restrictions work. 

Here are some specific scenarios where IBM Cloud context-based restrictions can be used:

• Role-based access control (RBAC): With RBAC in IBM Cloud, the organization can grant different levels of access and permissions to users based on their roles and responsibilities. For example, developers might have access to development resources, while operations personnel might have access to production resources. RBAC can help ensure that only authorized personnel have access to the resources they need to do their jobs.
• IP address allowlisting: An organization wants to restrict access to its cloud resources to specific IP addresses. With IP address allowlisting in IBM Cloud, the organization can specify which IP addresses are allowed to access its resources. For example, the organization might allowlist the IP addresses of its headquarters and branch offices, while blocking access from other locations.
• Geolocation restrictions: An organization needs to comply with local data privacy regulations that require data to be stored within a specific region. With geolocation restrictions, the organization can restrict access to resources in a specific region to users located within that region. This can help ensure that sensitive data is protected and only accessible to authorized personnel within the specified region.
• Resource-based access control (ReBAC): An organization wants to restrict access to its most sensitive data and resources. With ReBAC, access can be granted to specific resources based on the user’s role and permissions. For example, the organization might restrict access to its financial data to only authorized personnel with specific roles and permissions. Also, IBM Cloud can audit access to these resources to ensure that only authorized users are accessing them.

Here are a few use cases for context-based restrictions:

• Regulatory compliance: Many industries—including finance, healthcare and government—have strict regulatory requirements around data protection and access control. IBM Cloud’s context-based restrictions can help organizations comply with these regulations by ensuring that only authorized personnel have access to sensitive data. For example, an organization in the healthcare industry might use geolocation restrictions to ensure that patient data is only accessible to healthcare professionals within a specific region.
• Application development and testing: In application development and testing environments, context-based restrictions can help ensure that developers and testers have access to the resources they need without exposing sensitive data or resources to unauthorized users.
• Disaster recovery and business continuity: In disaster recovery and business continuity scenarios, IBM Cloud’s context-based restrictions can help ensure that critical resources and data are protected and available to authorized personnel. IBM Cloud can use geolocation restrictions to ensure that backup and recovery resources are only accessible from authorized locations.

1. Enforce a rule

Context-based restriction rules can be enforced upon creation and updated at any time. Rule enforcement can be of 3 types:

• Enabled: Enforces the rule and restricts access to services based on the rule definition.
• Disabled: No restrictions are applied to the resources. 
• Report-only: Allows you to monitor how the rule affects you without enforcing it. All access attempts are logged in the activity tracker. It is recommended to enable a rule in Report-only mode for 30 days before enforcing the rule. Some of the services do not support this mode (example, IBM Cloud Databases resources).

Rules created in report-only mode can be listed using the CLI with the following command:

ic cbr rules --enforcement-mode report

2. Scope a rule

You can narrow the scope of the rule to specific APIs as part of the restrictions to achieve fine-grained security in your system. Only some services support the ability to scope a rule by API. To know the API scopes for specific services, first, get to know the list of services supported by using the CLI:

For example, you can use the CLI to view the possible scopes of the IBM Cloud Kubernetes Service:

To create rules with a restricted scope, use the API-types attribute:

Also, you can allow different IP addresses for public and private endpoints of a service. 

5. Create specific geolocation-based restrictions

Access to a service can be restricted in specific locations to impose data residency requirements: 

6. Monitor the rules

To monitor the rules behavior in enabled or report-only mode, refer to Monitoring context-based restrictions.

IBM Cloud’s context-based restrictions can help organizations ensure that their cloud resources are protected, compliant and accessible only to authorized personnel. By using these features, organizations can mitigate security risks, enhance compliance and improve operational efficiency.

• IBM Cloud documentation on context-based restrictions
• Context-based restrictions APIs
• Monitoring context-based restrictions
• Solution tutorial: Enhance cloud security by applying context-based restrictions