Managing access for CIS
Access to IBM Cloud® Internet Services service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). Every user who accesses the IBM Cloud Internet Services (CIS) service in your account must be assigned an access policy with an IAM role defined. The policy determines which actions a user can perform within the context of the service or instance that you select. The allowable actions are customized and defined by the IBM Cloud service as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.
Policies enable access to be granted at different levels, including the following options:
- Access across all instances of the service in your account
- Access to an individual service instance in your account
After you define the scope of the access policy, you assign a role, which determines the user's level of access.
If you are configuring a VPC with CIS, you can prevent DDoS attacks by allowlisting CIS so that traffic reaches your VPC only through CIS. Set your network ACL and security groups to allowlist CIS traffic.
Review the following table that outlines what actions each role allows within the CIS service. The platform and service roles for CIS are listed under "Internet Services". If you're using the CLI or API to assign access, use `internet-svcs` for the service name.
Platform management roles enable users to perform tasks on service resources at the platform level, for example, assign user access for the service and create or delete instances.
For more information about IAM roles, see IBM Cloud IAM roles.
Platform management role | Description of actions |
---|---|
Manager | Create and delete instances, domains, and configurations. |
Reader | View information about instances and domains. |
Service Configuration Reader | Read services configuration for Governance management. |
Writer | Change existing configurations. |
For information about assigning user roles in the console, see Managing access to resources.
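The scope and role choices described above can be audited from exported policy data. The following is an added example, not IBM's code: it assumes the policies are dicts shaped like IAM Policy Management API v1 access policies (`subjects`, `roles` with a `role_id` CRN, `resources` with `serviceName` and optional `serviceInstance` attributes), and the helper names and sample values are constructed for illustration.

```python
CIS_SERVICE_NAME = "internet-svcs"  # service name stated on this page

def _attrs(items):
    """Flatten [{"name": n, "value": v}, ...] into {n: v}."""
    return {a["name"]: a["value"] for a in items}

def summarize_cis_policies(policies):
    """One finding per CIS policy: subject, roles, scope, review flag."""
    findings = []
    for policy in policies:
        for resource in policy.get("resources", []):
            res = _attrs(resource.get("attributes", []))
            if res.get("serviceName") != CIS_SERVICE_NAME:
                continue  # not a CIS policy
            instance = res.get("serviceInstance")
            scope = f"instance:{instance}" if instance else "all-instances"
            # Role name is the last segment of the role CRN (assumed format).
            roles = sorted(r["role_id"].rsplit(":", 1)[-1]
                           for r in policy.get("roles", []))
            subjects = policy.get("subjects") or [{}]
            subject = _attrs(subjects[0].get("attributes", []))
            findings.append({
                "subject": subject.get("iam_id") or subject.get("access_group_id"),
                "roles": roles,
                "scope": scope,
                # Manager across every instance is the widest grant in the table.
                "review": scope == "all-instances" and "Manager" in roles,
            })
    return findings

def _policy(subject, role_crn, **resource):
    """Build a constructed sample policy (hypothetical helper)."""
    return {"type": "access",
            "subjects": [{"attributes": [{"name": "iam_id", "value": subject}]}],
            "roles": [{"role_id": role_crn}],
            "resources": [{"attributes": [{"name": k, "value": v}
                                          for k, v in resource.items()]}]}

SERVICE_ROLE = "crn:v1:bluemix:public:iam::::serviceRole:"
SAMPLE_POLICIES = [  # constructed data, not from a real account
    _policy("IBMid-EXAMPLE1", SERVICE_ROLE + "Manager", serviceName="internet-svcs"),
    _policy("IBMid-EXAMPLE2", SERVICE_ROLE + "Reader", serviceName="internet-svcs",
            serviceInstance="00000000-0000-0000-0000-000000000000"),
    _policy("IBMid-EXAMPLE3", SERVICE_ROLE + "Writer", serviceName="cloud-object-storage"),
]

if __name__ == "__main__":
    for finding in summarize_cis_policies(SAMPLE_POLICIES):
        print(finding)
```

Policies flagged with `review` are candidates for narrowing to an individual service instance or a lower role.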