Protecting DNS Services resources with context-based restrictions
You can protect DNS Services resources with context-based restrictions by using the UI, CLI, or API. Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to IBM Cloud DNS Services resources can be controlled with context-based restrictions and identity and access management (IAM) policies.
These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see What are context-based restrictions.
A user must have the Administrator role on the DNS Services service to create, update, or delete rules. And a user must have either the Editor or Administrator role on the Context-based restrictions service
to create, update, or delete network zones. A user with the Viewer role on the Context-based restrictions service can only add network zones to a rule.
Any IBM Cloud Activity Tracker or audit log events generated come from the context-based restrictions service, not DNS Services. For more information, see Monitoring context-based restrictions.
To get started protecting your DNS Services resources with context-based restrictions, see the tutorial for Leveraging context-based restrictions to secure your resources.
Creating network zones
Create network zones by using the CLI or API.
A network zone represents an allowlist of IP addresses where an access request is created. It defines a set of one or more network locations that are specified by the following attributes:
- IP addresses, which include individual addresses, ranges, or subnets
- VPCs
Creating network zones from the CLI
-
To create network zones from the CLI, install the CBR CLI plug-in.
-
Use the
cbr-zone-createcommand to add network locations and VPCs to network zones. For more information, see the CBR CLI reference.The following example command adds an individual IP, range, subnet, and a VPC to a network zone.
ibmcloud cbr zone-create --name example-zone --description "this is an example of zone" --addresses 169.23.56.234,169.23.22.0-169.23.22.255,192.0.2.0/24 --vpc crn:v1:bluemix:public:is:us-south:a/12ab34cd56ef78ab90cd12ef34ab56cd::vpc:r134-d98a1702-b39a-449a-86d4-ef8dbacf281e
Creating network zones with the API
You can create network zones by using the create-zone command. For more information, see the API docs.
The addresses attribute specifies individual IP addresses, ranges, subnets, and VPCs where requests originating from are permitted.
{
"name": "example-zone",
"description": "this is an example of zone",
"account_id": "12ab34cd56ef78ab90cd12ef34ab56cd",
"addresses": [
{
"type": "ipAddress",
"value": "169.23.56.234"
},
{
"type": "ipRange",
"value": "169.23.22.0-169.23.22.255"
},
{
"type": "subnet",
"value": "192.0.2.0/24"
},
{
"type": "vpc",
"value": "crn:v1:bluemix:public:is:us-south:a/12ab34cd56ef78ab90cd12ef34ab56cd::vpc:r134-d98a1702-b39a-449a-86d4-ef8dbacf281e"
}
]
}
{
"id": "65810ac762004f22ac19f8f8edf70a34",
"crn": "crn:v1:bluemix:public:context-based-restrictions:global:a/12ab34cd56ef78ab90cd12ef34ab56cd::zone:65810ac762004f22ac19f8f8edf70a34",
"name": "example-zone",
"description": "this is an example of zone",
"account_id": "12ab34cd56ef78ab90cd12ef34ab56cd",
"addresses": [
{
"type": "ipAddress",
"value": "169.23.56.234"
},
{
"type": "ipRange",
"value": "169.23.22.0-169.23.22.255"
},
{
"type": "subnet",
"value": "192.0.2.0/24"
},
{
"type": "vpc",
"value": "crn:v1:bluemix:public:is:us-south:a/12ab34cd56ef78ab90cd12ef34ab56cd::vpc:r134-d98a1702-b39a-449a-86d4-ef8dbacf281e"
}
],
"address_count": 4,
"excluded_count": 0,
"href": "https://cbr.cloud.ibm.com/v1/zones/65810ac762004f22ac19f8f8edf70a34",
"created_at": "2020-11-23T02:01:59Z",
"created_by_id": "IBMid-120000P1JM",
"last_modified_at": "2022-09-26T02:01:59Z",
"last_modified_by_id": "IBMid-120000P1JM"
}
Limitations
Context-based restrictions protect only the actions associated with the DNS Services API. Actions associated with the following platform APIs are not protected by context-based restrictions. Reference the API docs for the specific action IDs.
- Resource Instance APIs
- Resource Keys APIs
- Resource Bindings APIs
- Resource Aliases APIs
- IAM Policy APIs
- Global Search APIs
- Global Tagging Attach and Detach APIs
- Context-based Restriction Rule APIs
DNS Services CBR Limitations
- The CBR rules created on DNS Services don't apply to platform actions such as Global Search and Tagging, resource instance creation and deletion on DNS Services instances. You can still view DNS Services instances on IBM Cloud Resource Explorer.
- When you create a rule, it might take up to 10 minutes to become enforced.
Creating rules
Context-based restrictions for DNS Services can be scoped to a service instance or resource group by using resource attributes. Create rules by using the CLI or API.
You can select a service instance by entering the ID. Alternatively, you can use the * wildcard to select all applicable service instances. You can also specify which resource group the rule is applied to in the command.
Creating rules from the CLI
- To create rules from the CLI, install the CBR CLI plug-in.
- Use the
ibmcloud cbr rule-createcommand to create CBR rules. For more information, see the CBR CLI reference.
The examples in this section are enforcement rules. You can make them report-only by adding --enforcement-mode report.
The following example CLI command creates a context-based restriction rule for a DNS Services instance in the current account:
ibmcloud cbr rule-create --zone-id 65810ac762004f22ac19f8f8edf70a34 --description "example CBR rule" --service-name dns-svcs --service-instance 3bd0bc3c-232c-4886-a0c4-72aa26ec0d38
Creating rules with the API
Review the following example requests to create rules. For more information about the v1/rules API, see the API docs.
When you create a rule with context attribute to restrict requests to private endpoint, it is not possible to restrict access to an overlay IP for an individual VPC virtual server instance or bare-metal server. You must specify the VPC zone's underlay IP addresses, which are also known as Cloud Service Endpoint IPs.
The following example payload creates a rule that protects the DNS Services instance and allows access only from the specified network zone via a private endpoint.
{
"contexts": [
{
"attributes": [
{
"name": "endpointType",
"value": "private"
},
{
"name": "networkZoneId",
"value": "65810ac762004f22ac19f8f8edf70a34"
}
]
}
],
"resources": [
{
"attributes": [
{
"name": "serviceName",
"value": "dns-svcs"
},
{
"name": "serviceInstance",
"operator": "stringEquals",
"value": "3bd0bc3c-232c-4886-a0c4-72aa26ec0d38"
}
]
}
]
}
Monitoring context-based restrictions in DNS Services
The context-based restriction service generates audit logs every time a context-based rule is enforced. For more information, see Monitoring context-based restrictions.
Activity tracker events that are generated by the context-based restriction service contain a CorrelationId field. You can search the value of this field to find the audit events that are generated by DNS Services.