IBM Cloud Docs
Protecting Security and Compliance Center resources with context-based restrictions

Protecting Security and Compliance Center resources with context-based restrictions

Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud resources based on the context of access requests. Access to Security and Compliance Center resources can be controlled with both context-based restrictions and identity and access management (IAM) policies.

These restrictions work with traditional IAM policies, which are based on identity, to provide an additional layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see What are context-based restrictions.

A user must have the Administrator role on the Security and Compliance Center service to create, update, or delete rules. A user must also have either the Editor or Administrator role on the Context-based restrictions service to create, update, or delete network zones. A user with the Viewer role on the Context-based restrictions service can add only network zones to a rule.

Any IBM Cloud Activity Tracker or audit log events generated come from the context-based restrictions service, not Security and Compliance Center. For more information, see Monitoring context-based restrictions.

To begin protecting your Security and Compliance Center resources with context-based restrictions, see the tutorial for Leveraging context-based restrictions to secure your resources.

How Security and Compliance Center integrates with context-based restrictions

Context-based restrictions that are set to Security and Compliance Center apply holistically to all components of Security and Compliance Center. By enabling context-based restrictions, you can restrict access to Security and Compliance Center’s user interface features and Security and Compliance Center’s public APIs.

To restrict access, you must create zones and rules. First, create a zone with the appropriate details for network or resource definitions. Then, create a rule, and attach that zone to the rule to restrict access. After you create or update a zone or a rule, it might take a few minutes for the change to take effect.

Limitations

After you create a rule, it might take up to 10 minutes for the rule to take effect.

Security and Compliance Center does not support granular adoption of context-based restrictions to specific resources. When you're creating a new rule, you must ensure that the restrictions are scoped to “All resources,” instead of “Specific resources.”

Security and Compliance Center makes service-to-service calls to Cloud Object Storage. To ensure your Security and Compliance Center features are functioning correctly, you must add Security and Compliance Center as a service reference in network zones for rules that target Cloud Object Storage. You must use the same process for rules that target Event Notifications.

Context-based restrictions are available only for the updated architecture.

Context-based restrictions protect only the actions associated with the Security and Compliance Center API. Actions that are associated with the following platform APIs are not protected by context-based restrictions. Reference the API docs for the specific action IDs.

Creating network zones

A network zone represents an allowlist of IP addresses where an access request is created. It defines a set of one or more network locations with the following attributes:

  • IP addresses, which include individual addresses, ranges, or subnets.
  • VPCs
  • Service references, which allow access from other IBM Cloud services.

Make sure to add Security and Compliance Center to network zones for rules that target other IBM Cloud resources, or some operations in your workflow might fail.

Creating network zones in the console

To create network zones in the UI, complete the following steps.

  1. Determine the resources that you want add to your allowlist.
  2. Follow the steps to create network zones in the console. Add the Security and Compliance Center service to your network zones to allow Security and Compliance Center to access services and resources that are in your account.

Creating network zones by using the API

You can create network zones by using the create-zone command. For more information, see the API docs. You can add Security and Compliance Center to network zones as a service reference to allow Security and Compliance Center to access resources and services in your account that are the subject of a rule.

The serviceRef attribute for Security and Compliance Center is compliance.

Example payload to add Security and Compliance Center to a network zone.

{
  "name": "Example zone 1",
  "description": "",
  "addresses": [
    {
      "type": "serviceRef",
      "ref": {
        "service_name": "compliance",
        "account_id": "ACCOUNT-ID"
      }
  ]
}

Example payload to add multiple services, IP addresses, and VPCs to a network zone.

{
  {
  "name": "zone",
  "description": "",
  "addresses": [
    {
      "type": "ipAddress",
      "value": "192.168.0.0"
    },
    {
      "type": "vpc",
      "value": "crn:v1:bluemix:public:is:us-east:a/CRN"
    },
    {
      "type": "vpc",
      "value": "crn:v1:bluemix:public:is:us-south:a/CRN"
    },
    {
      "type": "serviceRef",
      "ref": {
        "service_name": "cloud-object-storage",
        "account_id": "ACCOUNT-ID"
    },
    {
      "type": "serviceRef",
      "ref": {
        "service_name": "codeengine",
        "account_id": "ACCOUNT-ID"
    },
    {
      "type": "serviceRef",
      "ref": {
        "service_name": "containers-kubernetes",
        "account_id": "ACCOUNT-ID"
    },
    {
      "type": "serviceRef",
      "ref": {
        "service_type": "platform_service",
        "account_id": "ACCOUNT-ID"
    },
    {
      "type": "serviceRef",
      "ref": {
        "service_name": "iam-groups",
        "account_id": "ACCOUNT-ID"
      }
    ],
    "excluded": []
  }
}

Creating network zones by using the CLI

You can use the cbr-zone-create command to add network locations, VPCs, and service references to network zones. For more information, see the CBR CLI reference. Add Security and Compliance Center to network zones as a service reference to allow Security and Compliance Center to access resources and services in your account that are the subject of a rule.

To find a list of available service refs, run the ibmcloud cbr service-ref-targets command. The service_name for SCC is compliance.

Example command to add the compliance service to a network zone.

ibmcloud cbr zone-create --name example-zone-1 --description "Example zone 1" --service-ref service_name=compliance

Example command to add a single IP address to a network zone.

ibmcloud cbr zone-create --addresses 129.41.86.7 --description "Allow only client IP" --name allow-client-ip

Creating rules

Define rules to protect access to resources in your account. The contexts that you define in your rules determine how the resources in your network zones (allowlists) can interact with the resources that are defined in the rule.

Review the limitations before you create rules.

Creating rules in the console

Complete the following steps to create rules for Security and Compliance Center.

  1. Review the network zones that you created for your account.
  2. Follow the steps to create rules in the console.

Creating rules by using the API

Review the following example to learn how to create rules for Security and Compliance Center by using the API. For more information, see the API docs.

This payload creates a rule that targets the Security and Compliance Center service and allows only private endpoints from the specified network zone to access the service.

{
  "description": "Example rule 1",
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT-ID"
        },
        {
          "name": "serviceName",
          "value": "compliance"
        }
      ]
    }
  ],
  "contexts": [
    {
      "attributes": [
        {
          "name": "networkZoneId",
          "value": "NETWORK-ZONE-ID"
        },
        {
          "name": "endpointType",
          "value": "private"
        }
      ]
    }
  ]
}

Creating rules by using the CLI

Review the following example to learn how to create rules for Security and Compliance Center by using the CLI. For more information, see the CBR CLI reference.

This command creates a rule that targets the Security and Compliance Center service and allows only private endpoints from the specified network zone to access the service.

ibmcloud cbr rule-create --description 'Example Rule Description' --service-name compliance --context-attributes endpointType=private --zone-id ZONE_ID --enforcement-mode report

For the enforcement-mode option, the CLI accepts the values enabled, disabled, and report. If no enforcement is specified, the rule is enabled by default.

Next steps

Follow the creation or modification of zones or rules with adequate testing to ensure access and availability.

Users who attempt to access your resources outside of the defined zones receive HTTP error 403 when the appropriate rules are not established.