This document outlines the process for using context-based restrictions to protect your Hyper Protect Crypto Services resources. Use this document to prepare your resources for context-based restrictions. Hyper Protect Crypto Services doesn't offer scoping rules to the control plane in this current phase of implementation.
Protecting Hyper Protect Crypto Services resources with context-based restrictions
Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to Hyper Protect Crypto Services resources can be controlled with context-based restrictions and Identity and Access Management (IAM) policies.
These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see What are context-based restrictions.
A user must have the Administrator role on the Hyper Protect Crypto Services instances to create, update, or delete rules. A user must also have either the Editor or Administrator role on the context-based restrictions service to create, update, or delete network zones. A user with the Viewer role on the context-based restrictions service can add network zones to a rule.
Any IBM Cloud Activity Tracker or audit log events generated come from the context-based restrictions service, not Hyper Protect Crypto Services. Hyper Protect Crypto Services supports audit events only for customer interactions with context-based restrictions-protected platform endpoint calls. Hyper Protect Crypto Services does not support audit events when you enable context-based restrictions rules on the control plane API for your instances. For more information, see Monitoring context-based restrictions.
To start protecting your Hyper Protect Crypto Services resources with context-based restrictions, see the tutorial for Leveraging context-based restrictions to secure your resources.
How Hyper Protect Crypto Services integrates with context-based restrictions
You can create context-based restrictions for the Hyper Protect Crypto Services instances and specific resources.
Protecting Hyper Protect Crypto Services resources
You can create context-based restrictions rules to protect specific instances.
- Instance: Protects a specific instance. If you include an instance in your context-based restrictions rule, resources in the network zones that you associate with the rule can interact only with resources in that instance. If you use the CLI, you can specify the --service-instance option to protect instances in a specific resource group. If you use the UI, you can specify the Service instance in the resource attributes.
Creating network zones
A network zone represents an allowlist of IP addresses where an access request is created. It defines a set of one or more network locations that are specified by the following attributes:
- IP addresses, which include individual addresses, ranges, or subnets.
- VPCs
Creating network zones in the UI
- Go to Manage > Context-based restrictions in the IBM Cloud® console.
- Select Network zones.
- Click Create.
- Name your network zone and provide a description.
- Enter your Allowed IP addresses. You can enter a single IP address, a range of IP addresses, or a single CIDR. The Denied IP addresses field is optional and should include only exceptions that are contained within the IP ranges you provide in the allowed IP addresses field.
- Choose your Allowed VPCs, selecting as many as you like.
- Reference a service: You can select Hyper Protect Crypto Services as a source service for context-based restrictions, but not as a target service. For example, you can provision a Hyper Protect Crypto Services deployment using BYOK from IBM® Key Protect for IBM Cloud®. In this example, Hyper Protect Crypto Services is the source formation and IBM® Key Protect for IBM Cloud® is the target formation. You would then create a network zone with a Hyper Protect Crypto Services service reference and create a rule associated with that network zone that targets IBM® Key Protect for IBM Cloud®. To add a Hyper Protect Crypto Services service reference, for Service Type, IAM services is autoselected. In the Service dropdown, select a specific Hyper Protect Crypto Services service. If the zone you create is associated with a rule targeting Hyper Protect Crypto Services, then a service reference is not allowed.
Creating network zones in the CLI
To create network zones in the CLI, install the context-based restrictions CLI plug-in. Use the cbr-zone-create command to add resources to network zones. For more information, see the context-based restrictions CLI reference.
Create a zone by using a command like:
ibmcloud cbr zone-create --addresses=1.1.1.1,5.5.5.5 --name=<NAME>
Update a zone by using a command like:
ibmcloud cbr zone-update <ZONE-ID> --addresses=1.2.3.4 --name=<NAME>
Updating requires the ZONE-ID, not the zone name. Use the following command to list your zones and retrieve the relevant ZONE-ID:
ibmcloud cbr zones
The zone-update command is an overwrite. Include all of the fields that are required as if you are creating the zone from scratch. If you omit any required fields, the update overwrites those missing fields as empty, and the update might fail because some of those fields are required, regardless of whether you are changing them.
Delete a zone by using a command like:
ibmcloud cbr zone-delete <ZONE-ID>
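The address entries above deserve a check before you submit them: the denied field is meant only for exceptions inside the allowed ranges, and Hyper Protect Crypto Services ignores IPv6 entries (the page states this in the rules section below). The following script is an added example, not IBM's code or part of the CBR plug-in; it parses the same entry forms the UI accepts (single IP, range, CIDR), reports denied entries that fall outside every allowed block, lists the IPv6 entries that will be ignored, and builds the comma-separated value for --addresses. The sample zone at the bottom is constructed for illustration.

```python
"""Pre-flight check for a context-based restrictions network zone definition.

Added example (not IBM's code). Validates the entries you plan to pass to the
UI's Allowed/Denied IP address fields or to `ibmcloud cbr zone-create --addresses`
before you submit them.
"""
import ipaddress
from typing import Dict, List


def parse_entry(entry: str) -> list:
    """Turn one entry (single IP, CIDR, or 'start-end' range) into ip_network objects.

    A range is summarized into the minimal set of CIDR blocks that covers it.
    """
    entry = entry.strip()
    if "-" in entry:
        start_s, end_s = entry.split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {entry!r}")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False so '10.0.0.1/24' is accepted and normalized to 10.0.0.0/24
    return [ipaddress.ip_network(entry, strict=False)]


def check_zone(allowed: List[str], denied: List[str]) -> Dict[str, List[str]]:
    """Report what will actually be enforced for this zone.

    ignored_ipv6:           entries Hyper Protect Crypto Services ignores (IPv6 unsupported)
    denied_outside_allowed: denied entries that are not exceptions inside an allowed block
    effective_allowed:      the IPv4 CIDR blocks that remain allowed
    """
    findings: Dict[str, List[str]] = {
        "ignored_ipv6": [],
        "denied_outside_allowed": [],
        "effective_allowed": [],
    }
    allowed_nets = []
    for entry in allowed:
        nets = parse_entry(entry)
        if nets[0].version == 6:
            findings["ignored_ipv6"].append(entry)
            continue
        allowed_nets.extend(nets)

    for entry in denied:
        nets = parse_entry(entry)
        if nets[0].version == 6:
            findings["ignored_ipv6"].append(entry)
            continue
        # every block of a denied entry must sit inside some allowed block
        if not all(any(n.subnet_of(a) for a in allowed_nets) for n in nets):
            findings["denied_outside_allowed"].append(entry)

    findings["effective_allowed"] = [str(n) for n in allowed_nets]
    return findings


def addresses_flag(allowed: List[str]) -> str:
    """Value for `--addresses=`, built from the IPv4 entries only (as in `--addresses=1.1.1.1,5.5.5.5`)."""
    return ",".join(e.strip() for e in allowed if parse_entry(e)[0].version == 4)


if __name__ == "__main__":
    # Constructed sample zone: an office /24, a small bastion range, one IPv6 host (ignored),
    # one valid exception inside the /24, and one "denied" host the zone never allowed anyway.
    sample_allowed = ["10.0.0.0/24", "192.168.1.10-192.168.1.20", "2001:db8::1"]
    sample_denied = ["10.0.0.5", "172.16.0.1", "2001:db8::2"]
    result = check_zone(sample_allowed, sample_denied)
    for key, values in result.items():
        print(f"{key}: {values}")
    print("--addresses=" + addresses_flag(sample_allowed))
```

A denied entry that is not inside any allowed block is not an error for the service, but it is a sign that the zone does not express what the operator intended, so the script reports it rather than silently passing it through.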
Creating rules
Rules restrict access to specific cloud resources based on resource attributes and contexts.
Hyper Protect Crypto Services does not support IPv6 addresses. If an IPv6 address is included, it is ignored.
Creating rules in the UI
- Go to Manage > Context-based restrictions in the IBM Cloud® console.
- Select Rules.
- Click Create.
- Select Hyper Protect Crypto Services.
- Click Next.
- Scope the rule to Specific resources. For more information, see Protecting Hyper Protect Crypto Services resources.
- Click Continue.
- Define the allowed endpoint types.
  - Keep the toggle set to No to allow all endpoint types.
  - Set the toggle to Yes to allow only specific endpoint types, then choose from the list.
- Select a network zone or zones that you have already created, or create a new network zone by clicking Create. Contexts define from where your resources can be accessed, effectively linking your network zone to your rule.
- Click Add to add your configuration to the summary.
- Click Next.
- Name your rule.
- Select how you want to enforce the rule. Report-only is not available for Hyper Protect Crypto Services.
Creating rules in the CLI
To create rules in the CLI, install the context-based restrictions CLI plug-in.
To create a rule in the CLI, you need the appropriate Hyper Protect Crypto Services service_name: Hyper Protect Crypto Services
Create a rule by using a command like:
ibmcloud cbr rule-create --enforcement-mode enabled --context-attributes "networkZoneId=<ZONE-ID>" --resource-group-id <RESOURCE_GROUP_ID> --service-name <SERVICE-NAME> --service-instance <SERVICE-INSTANCE> --description <DESCRIPTION>
Hyper Protect Crypto Services does not currently support Control plane as an option.
Report-only is not available for Hyper Protect Crypto Services.
Update a rule by using a command like:
ibmcloud cbr rule-update <RULE-ID> --enforcement-mode disabled --context-attributes="networkZoneId=<ZONE-ID>" --resource-group-id <RESOURCE_GROUP_ID> --service-name <SERVICE_NAME> --description <DESCRIPTION>
The rule-update command is an overwrite. Include all of the fields that are required as if you are creating the rule from scratch. If you omit any required fields, the update overwrites those missing fields as empty, and the update might fail because some of those fields are required, regardless of whether you are changing them.
Updating requires the RULE-ID, not the rule name. Use the following command to list your rules and retrieve the relevant RULE-ID:
ibmcloud cbr rules
Delete a rule by using a command like:
ibmcloud cbr rule-delete <RULE-ID>
Use ibmcloud cbr <command> --help for a full list of options and parameters. For example, ibmcloud cbr rule-create --help outputs parameters for rule creation.
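Both zone-update and rule-update overwrite the whole object, so the safe way to change one field is to read the current definition back, merge the change into it, and pass every field again. The helper below is an added example, not IBM's code or part of the CBR plug-in: it shows which fields a naive single-flag update would blank, refuses to emit a command that would leave a required field empty, and builds the complete argument list for either command. The required-field sets are an assumption taken from the flags shown in the zone-update and rule-update commands on this page; the zone and rule definitions at the bottom are constructed, with placeholder IDs in the page's <ZONE-ID>/<RULE-ID> style.

```python
"""Build complete `ibmcloud cbr zone-update` / `rule-update` argument lists.

Added example (not IBM's code). Both update commands overwrite the whole object,
so an update that passes only the flag you want to change blanks every other field.
This helper merges the change into the current definition and refuses to emit a
command that would leave a required field empty.
"""
import shlex
from typing import Dict, List, Sequence

# Assumption: required fields are the flags shown in this page's update commands.
ZONE_FIELDS: Sequence[str] = ("name", "addresses")
RULE_FIELDS: Sequence[str] = (
    "enforcement-mode",
    "context-attributes",
    "resource-group-id",
    "service-name",
    "description",
)


def fields_dropped(existing: Dict[str, str], changes: Dict[str, str]) -> List[str]:
    """Fields the overwrite would silently blank if you passed only `changes`."""
    return [f for f in existing if f not in changes]


def would_blank(existing: Dict[str, str], changes: Dict[str, str],
                required: Sequence[str]) -> List[str]:
    """Required fields that would be empty after merging `changes` into `existing`."""
    merged = dict(existing)
    merged.update(changes)
    return [f for f in required if not merged.get(f)]


def merge_for_update(existing: Dict[str, str], changes: Dict[str, str],
                     required: Sequence[str]) -> Dict[str, str]:
    """Full field set for the update; raises if any required field would be empty."""
    missing = would_blank(existing, changes, required)
    if missing:
        raise ValueError("update would blank required field(s): " + ", ".join(missing))
    merged = dict(existing)
    merged.update(changes)
    return merged


def _command(subcommand: str, resource_id: str, fields: Dict[str, str]) -> List[str]:
    # argv form: values containing spaces (such as a service name) need no shell quoting
    argv = ["ibmcloud", "cbr", subcommand, resource_id]
    argv += [f"--{name}={value}" for name, value in fields.items()]
    return argv


def zone_update_command(zone_id: str, existing: Dict[str, str],
                        changes: Dict[str, str]) -> List[str]:
    return _command("zone-update", zone_id, merge_for_update(existing, changes, ZONE_FIELDS))


def rule_update_command(rule_id: str, existing: Dict[str, str],
                        changes: Dict[str, str]) -> List[str]:
    return _command("rule-update", rule_id, merge_for_update(existing, changes, RULE_FIELDS))


if __name__ == "__main__":
    # Constructed current zone definition, as you would read it back from `ibmcloud cbr zones`
    zone = {"name": "office-egress", "addresses": "1.1.1.1,5.5.5.5"}
    print("blanked by a naive --addresses-only update:", fields_dropped(zone, {"addresses": "1.2.3.4"}))
    print(shlex.join(zone_update_command("<ZONE-ID>", zone, {"addresses": "1.2.3.4"})))

    # Constructed current rule definition, as you would read it back from `ibmcloud cbr rules`
    rule = {
        "enforcement-mode": "enabled",
        "context-attributes": "networkZoneId=<ZONE-ID>",
        "resource-group-id": "<RESOURCE_GROUP_ID>",
        "service-name": "Hyper Protect Crypto Services",
        "description": "HPCS instance reachable from the office zone only",
    }
    print(shlex.join(rule_update_command("<RULE-ID>", rule, {"enforcement-mode": "disabled"})))
    print("an empty description would blank:", would_blank(rule, {"description": ""}, RULE_FIELDS))
```

The functions return argv lists rather than a shell string so the result can be handed to subprocess.run as-is; shlex.join is used only to print a copy-and-paste form for review.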
Creating rules in Terraform
To create rules using Terraform, see IBM Cloud Provider in the Terraform Registry.
To create a rule, you need the appropriate Hyper Protect Crypto Services service_name: Hyper Protect Crypto Services
The ibm_cbr_rule provides a resource for cbr_rule and allows a cbr_rule to be created, updated, and deleted.
Create a rule by using a resource definition like:
resource "ibm_cbr_rule" "cbr_rule" {
  # context: the network zone the request must come from, and the endpoint type
  contexts {
    attributes {
      name  = "networkZoneId"
      value = "559052eb8f43302824e7ae490c0281eb"
    }
    attributes {
      name  = "endpointType"
      value = "private"
    }
  }
  description      = "this is an example of a rule with one context one zone"
  enforcement_mode = "enabled"
  # resources: the account and service the rule protects
  resources {
    attributes {
      name  = "accountId"
      value = "12ab34cd56ef78ab90cd12ef34ab56cd"
    }
    attributes {
      name  = "serviceName"
      # replace with the service name to protect (see service_name above)
      value = "network-policy-enabled"
    }
    tags {
      name  = "tag_name"
      value = "tag_value"
    }
  }
}
You can import the ibm_cbr_rule resource by using id, the globally unique ID of the rule:
terraform import ibm_cbr_rule.cbr_rule <RULE-ID>
Verifying your rule
To verify that your rule is applied, go to the IBM Cloud® Dashboard and select the relevant instance from your Resource List. Within Recent Tasks, you see your rule's status.
The task of creating or modifying a rule goes into your instance's task queue. Depending on workload, it might take some time for your rule enforcement to complete.