Restricting access by context-based restrictions
Context-based restrictions (CBR) provide a way for administrators to limit access to IBM Cloud® Activity Tracker Event Routing destination resources or to the IBM Cloud Activity Tracker Event Routing public API. For general context-based restrictions instructions, see Creating context-based restrictions.
Any audit events generated come from the context-based restrictions service, and not IBM Cloud Activity Tracker Event Routing. For more information, see Monitoring context-based restrictions.
Using context-based restrictions to protect destination resources
As an administrator, you can limit access to IBM Cloud Object Storage, IBM Cloud Logs, and IBM® Event Streams for IBM Cloud® destination resources. A properly configured CBR rule restricts all access to resources unless the request originates from IBM Cloud Activity Tracker Event Routing or approved locations.
Make sure that you also have a service-to-service policy defined between IBM Cloud Activity Tracker Event Routing and your destination resources.
To configure context-based restrictions, do the following:

- Define a network zone that references IBM Cloud Activity Tracker Event Routing from the service drop-down list. The Locations option is optional. If you do not specify a location, all IBM Cloud Activity Tracker Event Routing service locations are included. Here is an example that creates such a zone by using the CLI CBR plug-in:

  ```text
  ibmcloud cbr zone-create --name "Atracker-Zone-All-Regions" --description "Activity Tracker Event Routing For All regions" --service-ref service_name=atracker
  ...
  OK
  id              1111b52afc14facafe797e34292b1001
  crn             crn:v1:bluemix:public:context-based-restrictions:global:a/<account-id>::zone:1111b52afc14facafe797e34292b1001
  address_count   1
  excluded_count  0
  name            Atracker-Zone-All-Regions
  account_id      <account-id>
  description     Activity Tracker Event Routing For All regions
  addresses       1 Service Reference
  excluded        No addresses
  href            https://cbr.cloud.ibm.com/v1/zones/1111b52afc14facafe797e34292b1001
  ```

- Define one or more network zones for the locations from which you access the destination resources through the UI, the CLI, or any other client. The rule examples in the next step reference such a zone, named Client-GreenZone.

- Create a CBR rule that is scoped to the resource instance, or the resource, that you want the rule to protect, and select the network zones that you defined in the previous steps. Here are two examples that define rules to protect one IBM Cloud Logs instance and one IBM Cloud Object Storage bucket:

  ```text
  ibmcloud cbr rule-create --description "Allow Atracker-Zone-All-Regions and Client-GreenZone to access the Log instance" --service-name logs --service-instance 44445555-a4f1-4f8a-a954-75f083c7e001 --zone-id "222220d595a54f650157aa5e2b26d002,1111b52afc14facafe797e34292b1001" --enforcement-mode "enabled"
  ...
  OK
  id                666673cf9f5ec11f591bd62987358001
  crn               crn:v1:bluemix:public:context-based-restrictions:global:a/<account-id>::rule:666673cf9f5ec11f591bd62987358001
  description       Allow Atracker-Zone-All-Regions and Client-GreenZone to access the Log instance
  enforcement_mode  enabled
  operations        1 API Type
  contexts          1 Context
  resources         serviceInstance 44445555-a4f1-4f8a-a954-75f083c7e001
                    serviceName logs
  href              https://cbr.cloud.ibm.com/v1/rules/666673cf9f5ec11f591bd62987358001
  ```

  ```text
  ibmcloud cbr rule-create --description "Allow Atracker-Zone-All-Regions and Client-GreenZone to access the COS bucket" --resource-attributes "serviceName=cloud-object-storage,serviceInstance=66667777-dae3-4300-afde-7d5a70e88a83,resource=my-cos-bucket" --zone-id "222220d595a54f650157aa5e2b26d002,1111b52afc14facafe797e34292b1001" --enforcement-mode "enabled"
  ...
  OK
  id                777773cf9f5ec11f591bd62987357001
  crn               crn:v1:bluemix:public:context-based-restrictions:global:a/<account-id>::rule:777773cf9f5ec11f591bd62987357001
  description       Allow Atracker-Zone-All-Regions and Client-GreenZone to access the COS bucket
  enforcement_mode  enabled
  operations        1 API Type
  contexts          1 Context
  resources         resource my-cos-bucket
                    serviceInstance 66667777-dae3-4300-afde-7d5a70e88a83
                    serviceName cloud-object-storage
  href              https://cbr.cloud.ibm.com/v1/rules/777773cf9f5ec11f591bd62987357001
  ```

- Create or validate the target that points to the destination resources. If your CBR rule is configured properly, a test event can be written to the destination and the target is created or validated. If not, you receive an access forbidden error instead. For example:

  ```text
  ibmcloud at target validate --target <target-uuid>
  OK
  Target Name:            <target-name>
  ID:                     <target-uuid>
  CRN:                    crn:v1:bluemix:public:atracker:<region>:a/<account-id>::target:<target-uuid>
  Region:                 <region>
  Type:                   cloud_logs
  Cloud Logs Target CRN:  crn:v1:bluemix:public:logs:<region>:a/<account-id>:44445555-a4f1-4f8a-a954-75f083c7e001::
  Write Status:           success
  ```
Using context-based restrictions to protect the public API
As an account owner, you can limit access to the IBM Cloud Activity Tracker Event Routing API from your account. A properly configured CBR rule restricts all access to the IBM Cloud Activity Tracker Event Routing API from your account unless the request originates from the approved network locations.
To configure context-based restrictions to protect the API, do the following:

- Define one or more network zones for the clients that call the IBM Cloud Activity Tracker Event Routing API from the UI, the CLI, or any other client. You can define network zones from the IBM Cloud UI or CLI. The following is an example of how to create a zone by using the CLI CBR plug-in:

  ```text
  % ibmcloud cbr zone-create --name "Atracker-Api-client-zone" --description "Network zone for ATracker CLI, UI or any other clients" --addresses 169.70.115.5,169.60.137.153
  ...
  OK
  id              86e1776051c9b23a0b3c038b412eb08e
  crn             crn:v1:bluemix:public:context-based-restrictions:global:a/<account-id>::zone:86e1776051c9b23a0b3c038b412eb08e
  address_count   2
  excluded_count  0
  name            Atracker-Api-client-zone
  account_id      <account-id>
  description     Network zone for ATracker CLI, UI or any other clients
  addresses       2 IP Addresses
  excluded        No addresses
  href            https://cbr.cloud.ibm.com/v1/zones/86e1776051c9b23a0b3c038b412eb08e
  ...
  ```

- Create a CBR rule that protects the IBM Cloud Activity Tracker Event Routing API for your account by using the network zones that you created in the previous step. You can create CBR rules from the IBM Cloud UI or CLI. The following is an example of how to create such a rule by using the CLI CBR plug-in:

  ```text
  % ibmcloud cbr rule-create --description "Allow Atracker-Api-client-zone to call ATracker API" --service-name atracker --zone-id 86e1776051c9b23a0b3c038b412eb08e --enforcement-mode enabled
  ...
  OK
  id                5ee673cf9f5ec11f591bd6298741dbf1
  crn               crn:v1:bluemix:public:context-based-restrictions:global:a/<account-id>::rule:5ee673cf9f5ec11f591bd6298741dbf1
  description       Allow Atracker-Api-client-zone to call ATracker API
  enforcement_mode  enabled
  operations        1 API Type
  contexts          1 Context
  resources         serviceName atracker
  href              https://cbr.cloud.ibm.com/v1/rules/5ee673cf9f5ec11f591bd6298741dbf1
  ...
  ```

- Verify that you have access to the IBM Cloud Activity Tracker Event Routing API. If your CBR rule is configured properly, your IBM Cloud Activity Tracker Event Routing API call succeeds. If not, you receive an access forbidden error instead. For example:

  ```text
  % ibmcloud at target get --target 04c6e42c-9c61-4c5e-83ec-73a00f1655b7
  OK
  Target Name:  my_target_name
  ID:           04c6e42c-9c61-4c5e-83ec-73a00f1655b7
  CRN:          crn:v1:bluemix:public:atracker:us-south:a/<account_id>::target:04c6e42c-9c61-4c5e-83ec-73a00f1655b7
  ...
  ```
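The two procedures above (protecting the destination resources, then the API itself) chained into one fail-fast script, as an added example that is not part of the IBM Cloud documentation. It assumes the `ibmcloud cbr` and `ibmcloud at` plug-ins are installed and logged in; every bucket, instance, target id and client IP passed in is a placeholder, and the zone and rule names are constructed here.

```sh
#!/bin/sh
# Added example (not IBM Cloud's own code). Creates the ATracker service-reference
# zone and a client zone, creates the Logs and COS rules with both zones, then
# proves the rules work by requiring a successful test write on `target validate`.
# Finally the same client zone is used to lock down the ATracker public API.
set -eu

# Extract the 32-hex-char `id` field from `ibmcloud cbr zone-create`/`rule-create`
# output (works on the tabular output and on a flattened one-line copy of it).
cbr_id_from_output() {
  awk '{ for (i = 1; i < NF; i++)
           if ($i == "id" && length($(i+1)) == 32 && $(i+1) ~ /^[0-9a-f]+$/) {
             print $(i+1); found = 1; exit } }
       END { exit !found }'
}

# `ibmcloud at target validate` only proves the CBR rule if the test event was written.
target_write_ok() { grep -q 'Write Status: *success'; }

# $1 COS bucket, $2 COS instance id, $3 Cloud Logs instance id, $4 ATracker target id,
# $5 comma-separated client IPs. Prints the two rule ids; exits non-zero on any failure.
protect_destinations() {
  atracker_zone=$(ibmcloud cbr zone-create --name "Atracker-Zone-All-Regions" \
    --description "Activity Tracker Event Routing for all regions" \
    --service-ref service_name=atracker | cbr_id_from_output)
  client_zone=$(ibmcloud cbr zone-create --name "Client-GreenZone" \
    --description "Operator UI/CLI clients" --addresses "$5" | cbr_id_from_output)
  zones="$atracker_zone,$client_zone"
  ibmcloud cbr rule-create --description "Allow ATracker and clients to access the Logs instance" \
    --service-name logs --service-instance "$3" --zone-id "$zones" \
    --enforcement-mode enabled | cbr_id_from_output
  ibmcloud cbr rule-create --description "Allow ATracker and clients to access the COS bucket" \
    --resource-attributes "serviceName=cloud-object-storage,serviceInstance=$2,resource=$1" \
    --zone-id "$zones" --enforcement-mode enabled | cbr_id_from_output
  # The rule is only correct if ATracker itself can still write to the destination.
  ibmcloud at target validate --target "$4" | target_write_ok
}

# Restrict the ATracker public API to one client zone ($1 = client zone id).
protect_api() {
  ibmcloud cbr rule-create --description "Allow Client-GreenZone to call ATracker API" \
    --service-name atracker --zone-id "$1" --enforcement-mode enabled | cbr_id_from_output
}
```

Run `protect_destinations` first and `protect_api` last, because once the API rule is enforced only clients inside the zone can run the `ibmcloud at` commands.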
Invoking public and private endpoints
IBM Cloud Activity Tracker Event Routing API supports both public endpoints and private endpoints. Depending on where the API requests come from and the endpoint type, the addresses used in CBR zone definition could be different. The following table provides some example request origins and corresponding addresses used in the CBR zone definition.
| Request Origin | Endpoint Type | Addresses in zone definition |
|---|---|---|
| Delivery Pipeline | public and private | Toolchain service reference |
| cluster on classic | public | cluster public primary subnet |
| cluster on classic | private | cluster private primary subnet |
| cluster on VPC | public | VPC public gateways |
| cluster on VPC | private | VPC Cloud Service Endpoint source addresses or VPC CRN |