Cloud
Security
July 27, 2022 By Henrik Loeser 3 min read

Use context-based restrictions in IBM Cloud to define and enforce access restrictions based on properties from where the access request originated.

Last year, IBM Cloud introduced context-based restrictions (CBRs). Context-based restrictions provide the ability to define and enforce access restrictions based on the network location (“context”) of access requests. Contexts are defined by the type of endpoint or a network zone (or a combination of those). A rule links a context to a resource. When the rule is enabled, only requests that match the context are allowed to proceed to other authorization checks. Because CBRs complement Identity and Access Management (IAM) policies, they are an important building block towards a zero trust architecture. Even if your credentials are leaked or IAM policies misconfigured, CBRs still enforce access and may scope allowed requests to your compute resources or corporate networks.

In this blog post, I am going to discuss such a scenario. I wanted only my code deployed to IBM Cloud Code Engine to access the files in my IBM Cloud Object Storage (COS) bucket and to block traffic from on-prem and other environments. I deployed the CBR network zone (context) and the rule using Terraform. In the following, I am providing more details on the test scenario and showing how I deployed the CBR access control. You can find the details and related code on GitHub in my repository context-based-restrictions:

Access to your cloud storage buckets

For my test of enforcing access control with context-based restrictions, I set up a new storage bucket cbrbucket in my S3-compatible instance of Cloud Object Storage (COS). After uploading a few files, I locally ran the Python script from the mentioned GitHub repository to first list all available buckets on that COS instance, then the items in the bucket cbrbucket. It succeeded and showed 10 buckets and 2 files. 

Then, I containerized the Python script and turned it into a Code Engine job. Once ready and configured, I submitted a Code Engine jobrun. The following screenshot shows the entries from Log Analysis. The output is similar to that from running it locally:

Output from the Python script as a log in Log Analysis.

Network zones and rules for access restrictions

With the test scripting in place, the next step is to define the context-based restriction (CBR) network zone and rule for my scenario. Because I love automation, I created a Terraform script. It reads in the metadata for my COS instance and some account information, then sets up the CBR network zone followed by the rule. The network zone specifies all traffic originating from the Code Engine service, regardless of the endpoint type. The rule is defined as enabled and ties the previously created network zone to my COS instance and the bucket cbrbucket. Thus, only traffic coming from Code Engine is allowed to access the bucket.

When creating CBR network zones and rules, it is important to know that the changes are eventually consistent. So if you run tests immediately after deploying CBR changes, they might not be in place worldwide.

After I created the network zone and rule for Code Engine and the COS bucket and they became active, I submitted a new Code Engine jobrun. The result was similar to the screenshot above — access was still possible. However, running the Python script locally resulted in an access error like the one shown below:

With context-based restrictions in place, my on-prem access is denied.

Later, I added my own IP address to the network zone and re-ran my local test. This time, it succeeded as expected. Similarly, you could add your corporate network (gateway) or other trusted networks to network zones.

Conclusion

Context-based restrictions help to create an extra layer of security checks for your cloud-based solution. By defining the right network zones and implementing access rules for your deployed services, context-based restrictions enable you on your journey towards a zero trust architecture. To get started, I recommend the following resources:

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn

Was this article helpful?
YesNo
Henrik Loeser
Technical Offering Manager / Developer Advocate

More from Cloud
July 16, 2024

How a US bank modernized its mainframe applications with IBM Consulting and Microsoft Azure

9 min read - As organizations strive to stay ahead of the curve in today's fast-paced digital landscape, mainframe application modernization has emerged as a critical component of any digital transformation strategy. In this blog, we'll discuss the example of a US bank which embarked on a journey to modernize its mainframe applications. This strategic project has helped it to transform into a more modern, flexible and agile business. In looking at the ways in which it approached the problem, you’ll gain insights into…

July 16, 2024

The power of the mainframe and cloud-native applications 

4 min read - Mainframe modernization refers to the process of transforming legacy mainframe systems, applications and infrastructure to align with modern technology and business standards. This process unlocks the power of mainframe systems, enabling organizations to use their existing investments in mainframe technology and capitalize on the benefits of modernization. By modernizing mainframe systems, organizations can improve agility, increase efficiency, reduce costs, and enhance customer experience.  Mainframe modernization empowers organizations to harness the latest technologies and tools, such as cloud computing, artificial intelligence,…

July 16, 2024

Modernize your mainframe applications with Azure

4 min read - Mainframes continue to play a vital role in many businesses' core operations. According to new research from IBM's Institute for Business Value, a significant 7 out of 10 IT executives believe that mainframe-based applications are crucial to their business and technology strategies. However, the rapid pace of digital transformation is forcing companies to modernize across their IT landscape, and as the pace of innovation continuously accelerates, organizations must react and adapt to these changes or risk being left behind. Mainframe…

IBM Newsletters

 Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters