Protecting Workload Protection resources with context-based restrictions
Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to IBM Cloud® Security and Compliance Center Workload Protection resources can be controlled with context-based restrictions and identity and access management (IAM) policies.
These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see What are context-based restrictions.
A user must have the Administrator role on the Workload Protection service to create, update, or delete rules. A user must also have either the Editor or Administrator role on the Context-based restrictions service to create, update, or delete network zones. A user with the Viewer role on the Context-based restrictions service can only add network zones to a rule.
Any audit log events that context-based restrictions generate for Workload Protection come from the context-based restrictions service, not from Workload Protection itself. For more information, see Monitoring context-based restrictions.
To get started protecting your Workload Protection resources with context-based restrictions, see the tutorial for Leveraging context-based restrictions to secure your resources.
To automate the creation and management of context-based restrictions for IBM Cloud® Security and Compliance Center Workload Protection, you can use the CBR module from Terraform IBM Modules. Context-based restrictions allow you to define network zones and rules that control access to your Workload Protection instance based on network location.
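The following Terraform configuration is an added example and is not code from this page or from the Terraform IBM Modules CBR module; it uses the IBM provider's ibm_cbr_zone and ibm_cbr_rule resources directly to express the zone-and-rule model described above. The account ID and the IP range are constructed placeholders, the serviceName value "sysdig-secure" is assumed to be the IAM service name that Workload Protection uses, and the rule is applied in "report" mode first so that denied requests are only logged until the zone is confirmed to cover all legitimate callers.

```terraform
# Added example: restrict access to Workload Protection (assumed IAM service
# name "sysdig-secure") to requests that originate from one network zone.
# Requires the IBM provider; the user running this needs Editor or
# Administrator on the Context-based restrictions service to create the zone
# and Administrator on Workload Protection to create the rule.

variable "account_id" {
  description = "Target account ID (placeholder value, replace with your own)"
  type        = string
  default     = "ACCOUNT_ID_PLACEHOLDER"
}

# Network zone: the set of source contexts that are allowed to reach the
# service. The CIDR below is a constructed example range.
resource "ibm_cbr_zone" "workload_protection_zone" {
  name        = "workload-protection-allowed-sources"
  account_id  = var.account_id
  description = "Corporate egress range allowed to call Workload Protection"

  addresses {
    type  = "ipRange"
    value = "203.0.113.0-203.0.113.255"
  }
}

# Rule: only requests whose context matches the zone may reach the
# Workload Protection service in this account. The rule does not grant
# access; IAM policies still decide what an allowed caller may do.
resource "ibm_cbr_rule" "workload_protection_rule" {
  description = "Limit Workload Protection API access to the allowed zone"

  contexts {
    attributes {
      name  = "networkZoneId"
      value = ibm_cbr_zone.workload_protection_zone.id
    }
  }

  resources {
    attributes {
      name  = "accountId"
      value = var.account_id
    }
    attributes {
      name  = "serviceName"
      value = "sysdig-secure" # assumed service name for Workload Protection
    }
  }

  # "report" logs requests that would be denied without blocking them;
  # switch to "enabled" once the audit events show no legitimate denials.
  enforcement_mode = "report"
}

output "rule_id" {
  value = ibm_cbr_rule.workload_protection_rule.id
}
```

Because the rule's resources block names the service rather than a single instance, it covers every Workload Protection instance in the account; add an attribute such as serviceInstance if the restriction should apply to one instance only. Agent traffic is unaffected either way, since agents do not authenticate through IAM.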
Restrictions
Consider the following when configuring context-based restrictions:
- Context-based restrictions do not affect connectivity of Workload Protection agents since they do not use IBM Cloud® Identity and Access Management.
- Private connections between agents and Workload Protection can be configured using private service endpoints.