IBM Cloud Docs
Leveraging context-based restrictions to secure your resources

This tutorial walks you through how to use context-based restrictions as another layer of protection for your resources. By completing this tutorial, you learn how to create network zones and rules that restrict access to specific resources based on the context of a request (such as its source network location) in addition to the IAM identity that makes it. For more information, see What are context-based restrictions?

The tutorial uses a fictitious account owner named Xander. Xander previously set up access for managers who need the administrator role on account management services by using IAM policies.

Xander trusts his team to manage their personal and service credentials properly, but he wants the account to stay protected even if a credential is mismanaged or leaked. Because Xander knows the IP addresses that the team uses, he can restrict access to the IAM access management service based on the network location of each request. This way, access policy creation is allowed only from the IP addresses that he defines. Because a request must be permitted by both IAM access and context-based restrictions, a context-based restriction still blocks a request that presents a valid but stolen credential from a network location outside the zone.

Before you begin

Set up Activity Tracker so that you can monitor the requests that your enabled and report-only rules evaluate. For more information, see Monitoring context-based restrictions.

Create a network zone

First, create a new network zone for the team.

  1. In the IBM Cloud console, click Manage > Context-based restrictions.
  2. Go to Network zones and then click Create.
  3. Name the network zone management-team-zone.
  4. Enter the IP addresses that the team must use. A zone can combine single addresses, address ranges, and subnets:
    1. Team members in Austin use the following IP address range: 4.4.4.1-4.4.4.99
    2. An Austin team member in another building uses the following subnet: 204.17.5.0/24
    3. A remote team member uses the following single IP address: 3.3.3.56
  5. Click Next.
  6. Review the details of the network zone. Check that each entry is exactly what you intend; an overly broad subnet or range widens the set of locations from which a stolen credential can be used.
  7. Click Create.

Create a rule

Now, Xander can use the network zone that he created in a rule.

  1. Go to Rules and click Create.

  2. To restrict access to the creation of IAM policies, select the IAM Access Management Service.

  3. Click Continue.

  4. Xander's network zone contains only public IP addresses, so he keeps the endpoint type toggle switch set to No. With this setting the rule does not restrict the endpoint type, so requests that originate from the zone are allowed over any endpoint type.

  5. Select the network zone management-team-zone.

  6. Click Add to include your context configuration in the rule.

  7. Click Continue.

  8. Name the rule Management team.

  9. Set the enforcement to Report only so that you can monitor the impact of the rule before you enable it. You can update the enforcement at any time after you create the rule. For more information, see Updating context-based restrictions.

  10. Click Continue.

  11. Then, click Create.
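The same zone and rule can be created programmatically. The following Python example is added here and is not IBM Cloud's own code: it builds the request bodies for the zone and the rule (the payload shapes are assumed to match the Context-based Restrictions API's zone and rule objects; the account ID and zone ID are placeholders, because the real zone ID is returned when the zone is created), validates each address entry so that a typo cannot silently widen the zone, and models the decision the tutorial describes: a policy-management request must pass both IAM and the rule, and a report-only rule records what it would deny without actually denying. No call to IBM Cloud is made; the sample IP addresses are the tutorial's and are constructed data.

```python
import ipaddress
import json

# Constructed sample data that mirrors the tutorial; nothing here calls IBM Cloud.
ZONE_NAME = "management-team-zone"
ZONE_ENTRIES = ["4.4.4.1-4.4.4.99", "204.17.5.0/24", "3.3.3.56"]
ACCOUNT_ID = "0123456789abcdef0123456789abcdef"   # placeholder account ID
ZONE_ID = "zone-id-returned-by-create-zone"        # placeholder; the zones API returns the real one
SERVICE_NAME = "iam-access-management"             # the IAM Access Management Service
ENFORCEMENT_MODES = ("enabled", "disabled", "report")


def classify_address(entry: str) -> dict:
    """Turn one zone entry into a CBR address object of type ipAddress, ipRange or subnet.
    Malformed input raises ValueError so a typo cannot silently widen the zone."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid IP range: {entry}")
        return {"type": "ipRange", "value": f"{lo}-{hi}"}
    if "/" in entry:
        # strict=True rejects e.g. 204.17.5.7/24: host bits set usually mean a typo
        return {"type": "subnet", "value": str(ipaddress.ip_network(entry, strict=True))}
    return {"type": "ipAddress", "value": str(ipaddress.ip_address(entry))}


def zone_payload(name: str, entries: list, account_id: str) -> dict:
    """Body for creating a network zone (assumed shape of the CBR zones API)."""
    return {"name": name, "account_id": account_id,
            "addresses": [classify_address(e) for e in entries]}


def rule_payload(zone_id: str, account_id: str, service_name: str,
                 enforcement_mode: str, description: str) -> dict:
    """Body for a rule that scopes one service to one zone (assumed shape of the CBR rules API)."""
    if enforcement_mode not in ENFORCEMENT_MODES:
        raise ValueError(f"enforcement_mode must be one of {ENFORCEMENT_MODES}")
    return {
        "description": description,
        "contexts": [{"attributes": [{"name": "networkZoneId", "value": zone_id}]}],
        "resources": [{"attributes": [{"name": "accountId", "value": account_id},
                                      {"name": "serviceName", "value": service_name}]}],
        "enforcement_mode": enforcement_mode,
    }


def address_in_zone(addresses: list, source_ip: str) -> bool:
    """True if source_ip falls inside any address object of the zone."""
    ip = ipaddress.ip_address(source_ip)
    for addr in addresses:
        kind, value = addr["type"], addr["value"]
        if kind == "ipAddress" and ip == ipaddress.ip_address(value):
            return True
        if kind == "ipRange":
            lo, hi = (ipaddress.ip_address(p) for p in value.split("-", 1))
            if lo.version == ip.version and lo <= ip <= hi:
                return True
        if kind == "subnet" and ip in ipaddress.ip_network(value, strict=False):
            return True
    return False


def decide(rule: dict, zone_addresses: list, source_ip: str, iam_allows: bool) -> str:
    """Outcome of a policy-management request: IAM and the rule must both allow.
    Report mode records what an enabled rule would do but never denies."""
    if not iam_allows:
        return "deny:iam"
    if rule["enforcement_mode"] == "disabled" or address_in_zone(zone_addresses, source_ip):
        return "allow"
    if rule["enforcement_mode"] == "report":
        return "allow:would-deny"   # visible in Activity Tracker, request still succeeds
    return "deny:cbr"


if __name__ == "__main__":
    zone = zone_payload(ZONE_NAME, ZONE_ENTRIES, ACCOUNT_ID)
    rule = rule_payload(ZONE_ID, ACCOUNT_ID, SERVICE_NAME, "report", "Management team")
    print(json.dumps(zone, indent=2))
    print(json.dumps(rule, indent=2))
    # A leaked credential used from outside the zone: allowed but flagged in report mode ...
    print(decide(rule, zone["addresses"], "198.51.100.7", iam_allows=True))
    # ... and denied once the rule is enabled.
    rule["enforcement_mode"] = "enabled"
    print(decide(rule, zone["addresses"], "198.51.100.7", iam_allows=True))
```

The two printed JSON bodies are what you would send to the zones and rules endpoints (with a real account ID, and the zone ID taken from the zone-create response); `decide()` is a local model of the tutorial's semantics for reasoning about a rule before you flip it from Report only to Enabled, not the service's evaluation engine.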

While the rule is in report-only mode, Xander can see in Activity Tracker which policy management requests would have been denied, without blocking anyone. Because the management team has the correct access policies and uses the allowed IP addresses, their policy management operations are authorized. After the rule is set to Enabled, policy management requests that come from IP addresses that don't match the context that Xander defined are denied, even when the caller's IAM policies would otherwise allow them.

Next steps

After 30 days of monitoring, and once the report-only events show that only unexpected requests would be denied, update the rule to Enabled to begin enforcing your restrictions.

You can also use network zones to restrict access at the account level and user level. For more information, see Allowing specific IP addresses.

To create context-based restrictions programmatically, see the Context-based Restrictions API and the Context-based restrictions CLI plug-in.

For more information about implementing context-based restrictions in your security strategy, see the solution tutorial Enhance cloud security by applying context-based restrictions.