| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2024-10-10 |
context-based restrictions for VPC Infrastructure Services |
vpc |
{{site.data.keyword.attribute-definition-list}}
{: #cbr}
Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for {{site.data.keyword.cloud}} resources based on the context of access requests. Access to VPC Infrastructure Services can be controlled with context-based restrictions and identity and access management (IAM) policies. {: shortdesc}
These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see What are context-based restrictions.
A user must have the Administrator role on the VPC Infrastructure Services to create, update, or delete rules that target VPC Infrastructure Services. A user must have either the Editor or Administrator role on the context-based restrictions service to create, update, or delete network zones. A user with the Viewer role on the context-based restrictions service can add network zones to a rule only. {: note}
The context-based restriction service generates audit logs every time a context-based policy is enforced. For more information, see Monitoring context-based restrictions.
To get started protecting your VPC Infrastructure Services with context-based restrictions, see the tutorial for Leveraging context-based restrictions to secure your resources.
{: #cbr-overview}
VPC Infrastructure Services is a composite service made up of a number of child services. Context-based restrictions can be created for {{site.data.keyword.vpc_short}} or any of its child services; for example, subnets, virtual server instances, and Block Storage volumes.
See the rule creation section for details on how you can create rules with the required attributes for each service.
{: #network-zone}
A network zone represents an allowlist of IP addresses where an access request is created. It defines a set of one or more network locations that are specified by the following attributes:
- IP addresses, which include individual addresses, ranges, or subnets
- VPCs
- Service references, which allow access from other IBM Cloud® services
{: #service-references}
A service reference, defined as part of a network zone, allows the given service to talk to the restricted resources or APIs that are targeted by a particular context-based restriction policy. The following table includes service references that need to be included when using context-based restrictions in the context of VPC Infrastructure Services. You can also look at the service-to-service IAM authorizations in your account when deciding which service references to add in your network zone. You can find service-to-service authorization in your account by navigating to Manage -> Access (IAM) and selecting the Authorizations tab.
| Service with context-based restrictions | Impacted service | Service reference(s) required in the network zone |
|---|---|---|
| Cloud Object storage | * Image service \n * Flow logs | VPC Infrastructure Services (is) |
| Key Protect | * Snapshot \n * Block Storage volume \n * File Storage \n * Image service | Cloud Block Storage (server-protect) |
| Hyper Protect Crypto service | * Snapshot \n * Block Storage volume \n * File Storage \n * Image service | Cloud Block Storage (server-protect) |
| Virtual Server Instances | * Auto scale | VPC Infrastructure Services (is) |
| Various VPC Infrastructure Services - Block Storage Volume, Security Groups, Subnets | * IBM Kubernetes Service | IBM Kubernetes Service (containers-kubernetes) |
| Secrets Manager | * Client-to-site VPN \n * Load balancers | VPC Infrastructure Services (is) |
| {: caption="Service references needed for context-based restrictions" caption-side="bottom"} |
{: #network-zone-api} {: api}
You can create network zones by using the create-zone command. For more information, see the
API docs.
The serviceRef attribute for VPC Infrastructure Services is is and Cloud Block Storage is
server-protect.
{: tip}
{
"name": "Example zone 1",
"description": "",
"addresses": [
{
"type": "serviceRef",
"ref": {
"service_name": "is"
}
}
]
}{: codeblock}
{
"name": "Example zone 1",
"description": "",
"addresses": [
{
"type": "serviceRef",
"ref": {
"service_name": "server-protect"
}
}
]
}{: codeblock}
{: #network-zone-cli} {: cli}
-
To create network zones from the CLI, install the CBR CLI plug-in.
-
Use the
cbr-zone-createcommand to add network locations, VPCs, and service references to network zones. For more information, see the CBR CLI reference.To find a list of available service reference targets, run the
ibmcloud cbr service-ref-targetscommand. Theservice_namefor VPC Infrastructure Services isisand Cloud Block Storage isserver-protect. {: tip}The following example command adds the
isservice, referred to as VPC Infrastructure Services in {{site.data.keyword.cloud}} console, to a network zone.ibmcloud cbr zone-create --name example-zone-1 --description "Example zone 1" --service-ref service_name=is{: pre}
The following example command adds the
server-protectservice, referred to as Cloud Block Storage in {{site.data.keyword.cloud}} console, to a network zone.ibmcloud cbr zone-create --name example-zone-1 --description "Example zone 1" --service-ref service_name=server-protect{: pre}
{: #create-network-zone-console} {: ui}
- Determine which resources you want to add to your allowlist.
- Check the service references section to see if you need to add any service reference to your network zone.
- Follow these steps to create context-based restrictions in the console.
{: #cbr-rules}
Within VPC Infrastructure Services each child service needs certain attributes in a context-based rule.
When you use the API, Terraform or the {{site.data.keyword.cloud_notm}} Command Line Interface (CLI) to create, update, or delete {{site.data.keyword.cloud_notm}} context-based restrictions, you can specify the target VPC Infrastructure resource by using resource attributes.
See VPC resource attributes for the resource attributes that correspond with individual VPC resources. {: tip}
You can select a resource by entering the ID of the object. Alternatively, you can use the * wildcard
to select all applicable resources. For example, the attribute vpcId:* sets the
context-based restrictions to apply to all VPCs in the account. You can also specify which resource
group the policy is applied to in the command.
{: #rules-api} {: api}
Review the following example requests to create rules. For more information about the v1/rules
API, see the API docs.
After you create a rule, it might take up to 10 minutes before you can update that rule. {: note}
The following example payload creates a rule that protects the Virtual Server Instances and allows access only from the specified network zone via a private endpoint.
{
"contexts": [
{
"attributes": [
{
"name": "endpointType",
"value": "private"
},
{
"name": "networkZoneId",
"value": "45ec64065b7c2bf84b3edec803335111"
}
]
}
],
"resources": [
{
"attributes": [
{
"name": "resourceGroupId",
"value": "1171749e3a8545069d04e6fca1ded18f"
},
{
"name": "serviceName",
"value": "is"
},
{
"name": "instanceId",
"value": "*"
}
]
}
]
}{: codeblock}
{: #rules-cli} {: cli}
- To create rules from the CLI, install the CBR CLI plug-in.
- Use the
ibmcloud cbr rule-createcommand to create CBR rules. For more information, see the CBR CLI reference.
The examples in this section are enforcement rules. You can make them report-only by adding --enforcement-mode report.
The following example CLI command creates a context-based restriction rule for all of the virtual server instances in the current account:
ibmcloud cbr rule-create --zone-id a7eeb5dd8e6bdce670eba1afce18e37f --description "Test CBR for VSIs" --service-name is --resource-attributes "instanceId=*"{: pre}
The following example CLI command creates a context-based restriction rule for a specific block storage volume in the current account:
ibmcloud cbr rule-create --zone-id a7eeb5dd8e6bdce670eba1afce18e37f --description "Test CBR for volume" --service-name is --resource-attributes "volumeId=UUID_OF_THE_VOLUME"{: pre}
The following example CLI command creates a context-based restriction rule for all of the virtual server instances in the current account and restricts access to private endpoints:
ibmcloud cbr rule-create --context-attributes 'endpointType=private' --zone-id a7eeb5dd8e6bdce670eba1afce18e37f --description "Test CBR for VSIs" --service-name is --resource-attributes "instanceId=*"{: pre}
The following example CLI command creates a context-based restriction rule for all the virtual server instances in the resource group and restricts access to private endpoints:
ibmcloud cbr rule-create --context-attributes 'endpointType=private' --zone-id a7eeb5dd8e6bdce670eba1afce18e37f --description "Test CBR for VSIs" --service-name is --resource-attributes "instanceId=*" --resource-group-id 1171749e3a8545069d04e6fca1ded18f{: pre}
{: #rules-ui} {: ui}
-
Go to Manage > Context-based restrictions in the {{site.data.keyword.cloud}} console.
-
Select Rules and click Create.
-
Select VPC Infrastructure Services and click Next.
-
Scope the rule to All resources or Specific resources. For more information, see Protecting VPC Infrasturcture Services resources. Click Continue.
-
Define the allowed endpoint types.
- Keep the toggle set to No to allow all endpoint types.
- Set the toggle to Yes to allow only specific endpoint types, then choose from the list.
-
Select a network zone or zones that you have already created, or create a new network zone by clicking Create.
Contexts define the location from which your resources can be accessed, effectively linking your network zone to your rule. {: tip}
-
Click Add to add your configuration to the summary. Click Next.
-
Name your rule and select how you want to enforce it. Then click Create.
{: #cbr-vpc-monitoring}
The context-based restriction service generates audit logs every time a context-based policy is enforced. For more information, see Monitoring context-based restrictions.
{: #cbr-vpc-troubleshooting}
{: #cbr-vpc-tbs-403-unauth}
When a request is denied because of improper access permissions or the request originates outside of the network zone that is defined in context-based restrictions rule, the error response has a format that is similar to the following examples.
{: #cbr-vpc-tbs-403-unauth-cli} {: cli}
Error code: not_authorized and
Error message: the provided token is not authorized
Trace ID: b266a31c-b359-4ecb-8b81-a27c1b2cdb7b
{: screen}
{: #cbr-vpc-tbs-403-unauth-ui}
reference_id b266a31c-b359-4ecb-8b81-a27c1b2cdb7b
code not_authorized
message the provided token is not authorized
{: screen}
{: #cbr-vpc-tbs-403-unauth-api} {: api}
"code":"not_authorized",
"message":"the provided token is not authorized to list floating-ips in this account"
"trace":"b266a31c-b359-4ecb-8b81-a27c1b2cdb7b"
{: screen}
{: #cbr-vpc-locate-events-AT}
You can use the value of of Trace ID or Reference ID to search in your Activity Tracker instance
for the events that are generated by the context-based restrictions service. The requestData.environment section shows the source IP address
of the call and other information that you can use to verify why the authorization was denied. The requestData.action and requestData.resource fields can be used determine which underlying resource was denied access.
The following is an example context-based restriction event. Some fields have been removed to improve readability.
{
"level": "critical",
"action": "context-based-restrictions.policy.eval",
"message": "Context based restriction rendered a deny",
"severity": "critical",
"correlationId": "TXID-b266a31c-b359-4ecb-8b81-a27c1b2cdb7b-df2f912c-80a1-422c-8b17-6092651fea00",
"requestData": {
"action": "is.vpc.vpc.create",
"reqOrder": 0,
"environment": {
"attributes": {
"ipAddress": "192.168.0.1",
"networkType": "public"
}
},
"resource": {
"attributes": {
"accountId": "67db3d7ff3f34220b40e2d81480754c9",
"resource": "NEWRESOURCE",
"vpcId": "NEWRESOURCE",
"resourceGroupId": "d272ce832535498e9142b557ff8638ed",
"region": "au-syd",
"serviceName": "is",
"resourceType": "vpc"
}
},
"subject": {
"attributes": {
"scope": "ibm openid",
"token.account.bss": "67db3d7ff3f34220b40e2d81480754c9",
"id": "IBMid-550009FB7N"
}
}
},
"responseData": {
"decision": "Deny",
"isEnforced": true
}
}{: codeblock}
You can then use the same Trace ID or Reference ID to look at the specific VPC Infrastructure service event in your Activity Tracker instance.
{
"action": "is.vpc.vpc.create",
"outcome": "failure",
"message": "Virtual Private Cloud: create vpc -failure",
"severity": "critical",
"dataEvent": false,
"logSourceCRN": "crn:v1:bluemix:public:is:au-syd:a/67db3d7ff3f34220b40e2d81480754c9::vpc:",
"saveServiceCopy": true,
"initiator": {
"id": "IBMid-ABCDEFGH",
"typeURI": "service/security/account/user",
"name": "[email protected]",
"authnName": "test",
"authnId": "IBMid-ABCDEFGH",
"host": {
"address": "192.168.0.1",
"addressType": "IPv4"
},
"credential": {
"type": "token"
}
},
"target": {
"id": "crn:v1:bluemix:public:is:au-syd:a/67db3d7ff3f34220b40e2d81480754c9::vpc:",
"typeURI": "is.vpc/vpc",
"name": "",
"resourceGroupId": "crn:v1:bluemix:public:resource-controller::a/67db3d7ff3f34220b40e2d81480754c9::resource-group:d272ce832535498e9142b557ff8638ed"
},
"reason": {
"reasonCode": 403,
"reasonType": "Forbidden",
"reasonForFailure": "Your access token is invalid or does not have the necessary permissions to perform this task"
},
"requestData": {
"generation": "2",
"requestId": "b266a31c-b359-4ecb-8b81-a27c1b2cdb7b"
},
"responseData": {
"responseURI": "/v1/vpcs/"
}
}{: codeblock}
You can also search events by using a resource identifier. A resource ID is a UUID and is the last identifier in a CRN. For example:
crn:v1:bluemix:public:is:au-syd:a/67db3d7ff3f34220b40e2d81480754c9::vpc:<resourceID>
{: screen}
Requests for provisioning resources do not contain a resource ID.
If you do not find a context-based restriction event in Activity Tracker, it's possible access was denied due to IAM access policies. For more information, see VPC IAM getting started guide.
{: #cbr-c2s-vpn-data-plane}
If a user enables a User ID and passcode when configuring client authentication for a client-to-site VPN, and creates context-based rules on VPC resources, the client connection to the VPN is impacted by context-based restrictions. If the VPN client remote IP is not in the Network Zone, the connection to the VPN server returns an Auth Failed error.
After the VPN client connects to the VPN server, the requests to the VPE endpoint or Cloud Service Endpoint (CSE) are controlled with context-based restrictions. Also, the requests' source IP is the VPC Cloud service endpoint source addresses. Make sure that the VPC CSE source addresses are in the CBR Network Zone; otherwise, the request is denied.
{: #cbr-limitations}
- Context-based restrictions protect only the actions associated with the VPC Infrastructure Services APIs or the
isplugin, through the IBM CLI. The SDK and Terraform options are also supported. Actions associated with the following platform APIs are not protected by context-based restrictions:- Resource Instance List APIs
- Resource Instance Delete resource API
- Global Search APIs
- Global Tagging Attach and Detach APIs
- When you create a rule, it might take up to 10 minutes to become enforced.
- Due to a limitation that is currently being addressed, context-based restrictions must not be in place for Secrets Manager APIs if you are using the Load balancer for VPC service, as it results in failing to attach the certificates to the listener associated with the load balancer.