Protecting Virtual Private Cloud (VPC) Infrastructure Services with context-based restrictions
Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to VPC Infrastructure Services can be controlled with context-based restrictions and identity and access management (IAM) policies.
These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see What are context-based restrictions.
A user must have the Administrator role on the VPC Infrastructure Services to create, update, or delete rules that target VPC Infrastructure Services. A user must have either the Editor or Administrator role on the context-based restrictions service to create, update, or delete network zones. A user with the Viewer role on the context-based restrictions service can add network zones to a rule only.
The context-based restriction service generates audit logs every time a context-based policy is enforced. For more information, see Monitoring context-based restrictions.
To get started protecting your VPC Infrastructure Services with context-based restrictions, see the tutorial for Leveraging context-based restrictions to secure your resources.
How VPC Infrastructure Services integrates with context-based restrictions
VPC Infrastructure Services is a composite service made up of a number of child services. Context-based restrictions can be created for IBM Cloud VPC or any of its child services; for example, subnets, virtual server instances, and Block Storage volumes.
See the rule creation section for details on how you can create rules with the required attributes for each service.
Creating network zones
A network zone represents an allowlist of IP addresses where an access request is created. It defines a set of one or more network locations that are specified by the following attributes:
- IP addresses, which include individual addresses, ranges, or subnets
- VPCs
- Service references, which allow access from other IBM Cloud® services
Service references
A service reference, defined as part of a network zone, allows the given service to talk to the restricted resources or APIs that are targeted by a particular context-based restriction policy. The following table includes service references that need to be included when using context-based restrictions in the context of VPC Infrastructure Services. You can also look at the service-to-service IAM authorizations in your account when deciding which service references to add in your network zone. You can find service-to-service authorization in your account by navigating to Manage -> Access (IAM) and selecting the Authorizations tab.
Service with context-based restrictions | Impacted service | Service reference(s) required in the network zone |
---|---|---|
Cloud Object storage | VPC Infrastructure Services (is ) |
|
Key Protect | Cloud Block Storage (server-protect ) |
|
Hyper Protect Crypto service | Cloud Block Storage (server-protect ) |
|
Virtual Server Instances | VPC Infrastructure Services (is ) |
|
Various VPC Infrastructure Services - Block Storage Volume, Security Groups, Subnets | IBM Kubernetes Service (containers-kubernetes ) |
|
Secrets Manager | VPC Infrastructure Services (is ) |
Creating network zones by using the API
You can create network zones by using the create-zone
command. For more information, see the
API docs.
The serviceRef
attribute for VPC Infrastructure Services is is
and Cloud Block Storage is
server-protect
.
{
"name": "Example zone 1",
"description": "",
"addresses": [
{
"type": "serviceRef",
"ref": {
"service_name": "is"
}
}
]
}
{
"name": "Example zone 1",
"description": "",
"addresses": [
{
"type": "serviceRef",
"ref": {
"service_name": "server-protect"
}
}
]
}
Creating network zones by using the CLI
-
To create network zones from the CLI, install the CBR CLI plug-in.
-
Use the
cbr-zone-create
command to add network locations, VPCs, and service references to network zones. For more information, see the CBR CLI reference.To find a list of available service reference targets, run the
ibmcloud cbr service-ref-targets
command. Theservice_name
for VPC Infrastructure Services isis
and Cloud Block Storage isserver-protect
.The following example command adds the
is
service, referred to as VPC Infrastructure Services in IBM Cloud® console, to a network zone.ibmcloud cbr zone-create --name example-zone-1 --description "Example zone 1" --service-ref service_name=is
The following example command adds the
server-protect
service, referred to as Cloud Block Storage in IBM Cloud® console, to a network zone.ibmcloud cbr zone-create --name example-zone-1 --description "Example zone 1" --service-ref service_name=server-protect
Creating network zones from the console
- Determine which resources you want to add to your allowlist.
- Check the service references section to see if you need to add any service reference to your network zone.
- Follow these steps to create context-based restrictions in the console.
Creating rules
Within VPC Infrastructure Services each child service needs certain attributes in a context-based rule.
When you use the API, Terraform or the IBM Cloud Command Line Interface (CLI) to create, update, or delete IBM Cloud context-based restrictions, you can specify the target VPC Infrastructure resource by using resource attributes.
See VPC resource attributes for the resource attributes that correspond with individual VPC resources.
You can select a resource by entering the ID of the object. Alternatively, you can use the *
wildcard to select all applicable resources. For example, the attribute vpcId:*
sets the context-based restrictions to apply
to all VPCs in the account. You can also specify which resource group the policy is applied to in the command.
Creating rules by using the API
Review the following example requests to create rules. For more information about the v1/rules
API, see the API docs.
After you create a rule, it might take up to 10 minutes before you can update that rule.
The following example payload creates a rule that protects the Virtual Server Instances and allows access only from the specified network zone via a private endpoint.
{
"contexts": [
{
"attributes": [
{
"name": "endpointType",
"value": "private"
},
{
"name": "networkZoneId",
"value": "45ec64065b7c2bf84b3edec803335111"
}
]
}
],
"resources": [
{
"attributes": [
{
"name": "resourceGroupId",
"value": "1171749e3a8545069d04e6fca1ded18f"
},
{
"name": "serviceName",
"value": "is"
},
{
"name": "instanceId",
"value": "*"
}
]
}
]
}
Creating rules by using the CLI
- To create rules from the CLI, install the CBR CLI plug-in.
- Use the
ibmcloud cbr rule-create
command to create CBR rules. For more information, see the CBR CLI reference.
The examples in this section are enforcement rules. You can make them report-only by adding --enforcement-mode report
.
The following example CLI command creates a context-based restriction rule for all of the virtual server instances in the current account:
ibmcloud cbr rule-create --zone-id a7eeb5dd8e6bdce670eba1afce18e37f --description "Test CBR for VSIs" --service-name is --resource-attributes "instanceId=*"
The following example CLI command creates a context-based restriction rule for a specific block storage volume in the current account:
ibmcloud cbr rule-create --zone-id a7eeb5dd8e6bdce670eba1afce18e37f --description "Test CBR for volume" --service-name is --resource-attributes "volumeId=UUID_OF_THE_VOLUME"
The following example CLI command creates a context-based restriction rule for all of the virtual server instances in the current account and restricts access to private endpoints:
ibmcloud cbr rule-create --context-attributes 'endpointType=private' --zone-id a7eeb5dd8e6bdce670eba1afce18e37f --description "Test CBR for VSIs" --service-name is --resource-attributes "instanceId=*"
The following example CLI command creates a context-based restriction rule for all the virtual server instances in the resource group and restricts access to private endpoints:
ibmcloud cbr rule-create --context-attributes 'endpointType=private' --zone-id a7eeb5dd8e6bdce670eba1afce18e37f --description "Test CBR for VSIs" --service-name is --resource-attributes "instanceId=*" --resource-group-id 1171749e3a8545069d04e6fca1ded18f
Creating rules in the UI
-
Go to Manage > Context-based restrictions in the IBM Cloud® console.
-
Select Rules and click Create.
-
Select VPC Infrastructure Services and click Next.
-
Scope the rule to All resources or Specific resources. For more information, see Protecting VPC Infrasturcture Services resources. Click Continue.
-
Define the allowed endpoint types.
- Keep the toggle set to No to allow all endpoint types.
- Set the toggle to Yes to allow only specific endpoint types, then choose from the list.
-
Select a network zone or zones that you have already created, or create a new network zone by clicking Create.
Contexts define the location from which your resources can be accessed, effectively linking your network zone to your rule.
-
Click Add to add your configuration to the summary. Click Next.
-
Name your rule and select how you want to enforce it. Then click Create.
Monitoring context-based restrictions in VPC Infrastructure Services
The context-based restriction service generates audit logs every time a context-based policy is enforced. For more information, see Monitoring context-based restrictions.
Troubleshooting failures due to context-based restrictions
User getting 403 Unauthorized
When a request is denied because of improper access permissions or the request originates outside of the network zone that is defined in context-based restrictions rule, the error response has a format that is similar to the following examples.
403 unauthorized error when using the CLI
Error code: not_authorized and
Error message: the provided token is not authorized
Trace ID: b266a31c-b359-4ecb-8b81-a27c1b2cdb7b
403 unauthorized error when using IBM Cloud console
reference_id b266a31c-b359-4ecb-8b81-a27c1b2cdb7b
code not_authorized
message the provided token is not authorized
403 unauthorized error when using the API
"code":"not_authorized",
"message":"the provided token is not authorized to list floating-ips in this account"
"trace":"b266a31c-b359-4ecb-8b81-a27c1b2cdb7b"
Locating context-based restriction events in Activity Tracker
You can use the value of of Trace ID
or Reference ID
to search in your Activity Tracker instance for the events that are generated by the context-based restrictions service. The requestData.environment
section shows the source IP address of the call and other information that you can use to verify why the authorization was denied. The requestData.action
and requestData.resource
fields can be used determine which
underlying resource was denied access.
The following is an example context-based restriction event. Some fields have been removed to improve readability.
{
"level": "critical",
"action": "context-based-restrictions.policy.eval",
"message": "Context based restriction rendered a deny",
"severity": "critical",
"correlationId": "TXID-b266a31c-b359-4ecb-8b81-a27c1b2cdb7b-df2f912c-80a1-422c-8b17-6092651fea00",
"requestData": {
"action": "is.vpc.vpc.create",
"reqOrder": 0,
"environment": {
"attributes": {
"ipAddress": "192.168.0.1",
"networkType": "public"
}
},
"resource": {
"attributes": {
"accountId": "67db3d7ff3f34220b40e2d81480754c9",
"resource": "NEWRESOURCE",
"vpcId": "NEWRESOURCE",
"resourceGroupId": "d272ce832535498e9142b557ff8638ed",
"region": "au-syd",
"serviceName": "is",
"resourceType": "vpc"
}
},
"subject": {
"attributes": {
"scope": "ibm openid",
"token.account.bss": "67db3d7ff3f34220b40e2d81480754c9",
"id": "IBMid-550009FB7N"
}
}
},
"responseData": {
"decision": "Deny",
"isEnforced": true
}
}
You can then use the same Trace ID or Reference ID to look at the specific VPC Infrastructure service event in your Activity Tracker instance.
{
"action": "is.vpc.vpc.create",
"outcome": "failure",
"message": "Virtual Private Cloud: create vpc -failure",
"severity": "critical",
"dataEvent": false,
"logSourceCRN": "crn:v1:bluemix:public:is:au-syd:a/67db3d7ff3f34220b40e2d81480754c9::vpc:",
"saveServiceCopy": true,
"initiator": {
"id": "IBMid-ABCDEFGH",
"typeURI": "service/security/account/user",
"name": "test@ibm.com",
"authnName": "test",
"authnId": "IBMid-ABCDEFGH",
"host": {
"address": "192.168.0.1",
"addressType": "IPv4"
},
"credential": {
"type": "token"
}
},
"target": {
"id": "crn:v1:bluemix:public:is:au-syd:a/67db3d7ff3f34220b40e2d81480754c9::vpc:",
"typeURI": "is.vpc/vpc",
"name": "",
"resourceGroupId": "crn:v1:bluemix:public:resource-controller::a/67db3d7ff3f34220b40e2d81480754c9::resource-group:d272ce832535498e9142b557ff8638ed"
},
"reason": {
"reasonCode": 403,
"reasonType": "Forbidden",
"reasonForFailure": "Your access token is invalid or does not have the necessary permissions to perform this task"
},
"requestData": {
"generation": "2",
"requestId": "b266a31c-b359-4ecb-8b81-a27c1b2cdb7b"
},
"responseData": {
"responseURI": "/v1/vpcs/"
}
}
You can also search events by using a resource identifier. A resource ID is a UUID and is the last identifier in a CRN. For example:
crn:v1:bluemix:public:is:au-syd:a/67db3d7ff3f34220b40e2d81480754c9::vpc:<resourceID>
Requests for provisioning resources do not contain a resource ID.
If you do not find a context-based restriction event in Activity Tracker, it's possible access was denied due to IAM access policies. For more information, see VPC IAM getting started guide.
Client-to-site VPN data plane impact with context-based restrictions
If a user enables a User ID and passcode when configuring client authentication for a client-to-site VPN, and creates context-based rules
on VPC resources, the client connection to the VPN is impacted by context-based restrictions. If the VPN client remote IP is not in the Network Zone, the connection to the VPN server returns an Auth Failed
error.
After the VPN client connects to the VPN server, the requests to the VPE endpoint or Cloud Service Endpoint (CSE) are controlled with context-based restrictions. Also, the requests' source IP is the VPC Cloud service endpoint source addresses. Make sure that the VPC CSE source addresses are in the CBR Network Zone; otherwise, the request is denied.
Limitations
- Context-based restrictions protect only the actions associated with the VPC Infrastructure Services APIs or the
is
plugin, through the IBM CLI. The SDK and Terraform options are also supported. Actions associated with the following platform APIs are not protected by context-based restrictions:- Resource Instance List APIs
- Resource Instance Delete resource API
- Global Search APIs
- Global Tagging Attach and Detach APIs
- When you create a rule, it might take up to 10 minutes to become enforced.
- Due to a limitation that is currently being addressed, context-based restrictions must not be in place for Secrets Manager APIs if you are using the Load balancer for VPC service, as it results in failing to attach the certificates to the listener associated with the load balancer.