IBM Cloud Docs
Context-based restrictions

This document outlines the process for using context-based restrictions to protect your Cloud Databases resources. Use this document to prepare your resources for context-based restrictions. Cloud Databases doesn't offer scoping rules to the control plane in this current phase of implementation.

Context-based restrictions

Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to Cloud Databases resources can be controlled with context-based restrictions and Identity and Access Management (IAM) policies.

These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see What are context-based restrictions.

A user must have the Administrator role on the Cloud Databases service to create, update, or delete rules. A user must also have either the Editor or Administrator role on the context-based restrictions service to create, update, or delete network zones. A user with the Viewer role on the context-based restrictions service can add network zones to a rule.

Any IBM Cloud Activity Tracker or audit log events generated come from the context-based restrictions service, not Cloud Databases. Cloud Databases supports audit events only for customer interactions with context-based restrictions-protected platform endpoint calls. Cloud Databases does not support audit events when you enable context-based restrictions rules on the control plane API for your instances. For more information, see Monitoring context-based restrictions.

To start protecting your Cloud Databases resources with context-based restrictions, see the tutorial for Leveraging context-based restrictions to secure your resources.

How Cloud Databases integrates with context-based restrictions

You can create context-based restrictions for the Cloud Databases service, specific resources, and specific APIs.

Protecting Cloud Databases resources

You can create context-based restrictions rules to protect specific regions, resource groups, and instances.

Region
Protects Cloud Databases resources in a specific region. If you include a region in your context-based restrictions rule, resources in the network zones that you associate with the rule can interact with resources only in that region. If you use the CLI, you can specify the --region option to protect resources in a specific region. If you use the UI, you can specify Region in the resource attributes.
Resource groups
Protects a specific resource group. If you include a resource group in your context-based restrictions rule, resources in the network zones that you associate with the rule can interact only with resources in that resource group. Scoping a rule to a specific resource group is available only for rules that protect the cluster API type. If you use the CLI, you can specify the --resource-group-id option to protect resources in a specific resource group. If you use the UI, you can specify the Resource group in the resource attributes.
Instance
Protects a specific instance. If you include an instance in your context-based restrictions rule, resources in the network zones that you associate with the rule can interact only with resources in that instance. Scoping a rule to a specific instance is available only for rules that protect the cluster API type. If you use the CLI, you can specify the --service-instance option to protect instances in a specific resource group. If you use the UI, you can specify the Service instance in the resource attributes.

Using the Command Line Interface (CLI)

You can create and manage context-based restrictions with the IBM Cloud CLI by installing the context-based restrictions CLI plug-in.

Creating network zones

A network zone represents an allowlist of IP addresses where an access request is created. It defines a set of one or more network locations that are specified by the following attributes:

  • IP addresses, which include individual addresses, ranges, or subnets.
  • VPCs.

Creating network zones in the UI

  1. Go to Manage > Context-based restrictions in the IBM Cloud® console.

  2. Select Network zones.

  3. Click Create.

  4. Name your network zone and provide a description.

  5. Enter your Allowed IP addresses. You can enter a single IP address, a range of IP addresses, or a single CIDR.

    The Denied IP addresses field is optional and should include only exceptions that are contained within the IP ranges you provide in the allowed IP addresses field.

  6. Choose your Allowed VPCs, selecting as many as you like.

  7. Reference a service: You can select Cloud Databases as a source service for context-based restrictions, but not as a target service. For example, you can provision a Cloud Databases instance using BYOK from IBM® Key Protect for IBM Cloud®. In this example, Cloud Databases is the source formation and IBM® Key Protect for IBM Cloud® is the target formation. Then, you would create a network zone with a Cloud Databases service reference and create a rule associated with the network zone that targets IBM® Key Protect for IBM Cloud®. To add a Cloud Databases service reference, for Service Type, IAM services is autoselected. In the Service dropdown, select a specific Cloud Databases service. If the zone you create is associated with a rule targeting Cloud Databases, then a service reference is not allowed.

Service references function only from Key Protect service to Cloud Databases.

Create network zones in the CLI

To create network zones in the CLI, use the cbr-zone-create command to add resources to network zones. For more information, see the context-based restrictions CLI reference.

Create a zone by using a command like:

ibmcloud cbr zone-create --addresses=1.1.1.1,5.5.5.5 --name=<NAME>

Creating network zones in Terraform

To create zones in Terraform, follow the instructions in the IBM Cloud Terraform provider documentation.

Example Terraform script to create a CBR zone:

resource "ibm_cbr_zone" "cbr_zone" {
  account_id = "12ab34cd56ef78ab90cd12ef34ab56cd"
  addresses {
    type = "ipAddress"
    value = "169.23.56.234"
  }
  addresses {
    type = "ipRange"
    value = "169.23.22.0-169.23.22.255"
  }
  excluded {
    type  = "ipAddress"
    value = "169.23.22.10"
  }
  excluded {
    type  = "ipAddress"
    value = "169.23.22.11"
  }
  description = "this is an example of zone"
  excluded {
        type = "ipAddress"
        value = "value"
  }
  name = "an example of zone"
}

Update network zones in the CLI

Update a zone by using a command like:

ibmcloud cbr zone-update <ZONE-ID> --addresses=1.2.3.4 --name=<NAME>

Updating requires the ZONE-ID, not the zone name. Use the following command to list your zones and retrieve the relevant ZONE-ID:

ibmcloud cbr zones

The zone-update command is an overwrite. Include all of the fields that are required as if you are creating the rule from scratch. If you omit any required fields, the rule overwrites those missing fields as empty, and the rule might fail because some of those fields are required, regardless of whether they are changing the rule.

Delete network zones in the CLI

Delete a zone by using a command like:

ibmcloud cbr zone-delete <ZONE-ID>

Creating rules

Rules restrict access to specific cloud resources based on resource attributes and contexts. A created rule can accept up to 2,000 IP/CIDR values for private endpoints and up to 2,000 IP/CIDR values for public endpoints. This limit is specfic to Cloud Databases. Other IBM Cloud® service limits may vary.

Cloud Databases does not support IPv6 addresses. If an IPv6 address is included, it will be ignored.

Full closure of access to non-allowlisted endpoints: To provide a more robust security framework, we have implemented a significant change in access control for public and private endpoints. Going forward, access to both public and private endpoints that are not explicitly allowlisted will be fully closed. This restriction ensures only authorized access to your endpoints, minimizing the risk of unauthorized access.

Creating rules in the UI

  1. Go to Manage > Context-based restrictions in the IBM Cloud® console.

  2. Select Rules.

  3. Click Create.

  4. Under Service, select the service you want to target with your rule.

  5. Under APIs, select Data plane. Currently any other selection results in an error.

    Cloud Databases does not currently support Control plane as an option.

  6. Under Resources, scope the rule to All resources or Specific resources. For more information, see Protecting Cloud Databases resources.

  7. Click Continue.

  8. Define the allowed endpoint types.

    • Keep the toggle set to No to allow all endpoint types.
    • Set the toggle to Yes to allow only specific endpoint types, then choose from the list.
  9. Select a network zone or zones that you have already created, or create a new network zone by clicking Create.

    Contexts define from where your resources can be accessed, effectively linking your network zone to your rule.

  10. Click Add to add your configuration to the summary.

  11. Click Next.

  12. Name your rule.

  13. Select how you want to enforce the rule.

    Report-only is not available for Cloud Databases.

Create rules in the CLI

To create a rule in the CLI, you need the appropriate Cloud Databases service_name:

  • databases-for-postgresql
  • databases-for-mongodb
  • databases-for-redis
  • databases-for-elasticsearch
  • database-for-mysql
  • messages-for-rabbitmq
  • databases-for-enterprisedb
  • databases-for-etcd

All the other parameters that follow are explained in the CBR plugin reference guide.

Example command for creating a CBR Rule:

ibmcloud cbr rule-create --enforcement-mode enabled --context-attributes "networkZoneId=<ZONE-ID>" --resource-group-id <RESOURCE_GROUP_ID> --service-name <SERVICE-NAME> --service-instance <SERVICE-INSTANCE> --api-types crn:v1:bluemix:public:context-based-restrictions::::api-type:data-plane --description <DESCRIPTION>

The only api-type option currently supported by Cloud Databases is Data plane.

Report-only is not available for Cloud Databases.

Update rules in the CLI

Example command for updating a CBR rule:

ibmcloud cbr rule-update <RULE-ID> --enforcement-mode disabled --context-attributes="networkZoneId=<ZONE-ID>" --resource-group-id   <RESOURCE_GROUP_ID> --service-name <SERVICE_NAME> --api-types crn:v1:bluemix:public:context-based-restrictions::::api-type:data-plane --description    <DESCRIPTION>

The rule-update command is an overwrite. Include all of the fields that are required as if you are creating the rule from scratch. If you omit any required fields, the rule overwrites those missing fields as empty, and the rule might fail because some of those fields are required, regardless of whether they are changing the rule.

Updating requires the RULE-ID, not the rule name. Use the following command to list your rules and retrieve the relevant RULE-ID:

ibmcloud cbr rules

Delete rules in the CLI

Delete a rule by using a command like:

ibmcloud cbr rule-delete <RULE-ID>

Use ibmcloud cbr <command> — help for a full list of options and parameters. For example, ibmcloud cbr rule-create — help outputs parameters for rule creation.

Creating rules in Terraform

To create rules in Terraform, follow the instructions in the IBM Cloud Terraform provider documentation.

To create a rule, you need the appropriate Cloud Databases service_name:

  • databases-for-postgresql
  • databases-for-mongodb
  • databases-for-redis
  • databases-for-elasticsearch
  • database-for-mysql
  • messages-for-rabbitmq
  • databases-for-enterprisedb
  • databases-for-etcd

Create a rule by using a command like:

resource "ibm_cbr_rule" "cbr_rule" {
  contexts {
        attributes {
            name = "networkZoneId"
            value = "559052eb8f43302824e7ae490c0281eb"
        }
        attributes {
               name = "endpointType"
               value = "private"
    }
  }
  description = "this is an example of a rule with one context one zone"
  enforcement_mode = "enabled"
  operations {
        api_types {
            api_type_id = "api_type_id"
        }
  }
  resources {
        attributes {
            name = "accountId"
            value = "12ab34cd56ef78ab90cd12ef34ab56cd"
        }
        attributes {
              name = "serviceName"
              value = "network-policy-enabled"
        }
        tags {
              name     = "tag_name"
              value    = "tag_value"
        }
  }
}

Verifying your rule

To verify that your rule is applied, go to the IBM Cloud® Dashboard and select the relevant instance from your Resource List. Within Recent Tasks, you see your rule's status.

The task of creating or modifying a rule goes into your instance's task queue. Depending on workload, it might take some time for your rule enforcement to complete.