---
copyright:
lastupdated: "2021-11-05"
keywords: network-level access, network security strategy
subcollection: account
content-type: tutorial
account-plan: lite
completion-time: 20m
---
{:shortdesc: .shortdesc}
{:screen: .screen}
{:codeblock: .codeblock}
{:pre: .pre}
{:tip: .tip}
{:note: .note}
{:external: target="_blank" .external}
{:step: data-tutorial-type='step'}
{:video: .video}
{: #context-restrictions-tutorial}
{: toc-content-type="tutorial"}
{: toc-completion-time="20m"}

This tutorial walks you through how to use context-based restrictions as an extra layer of protection for your resources. By completing this tutorial, you learn how to create network zones and rules that restrict access to specific resources based on the context of a request, in addition to the IAM identity that makes it.
{: shortdesc}
The tutorial uses a fictitious account owner named Xander. Xander has already set up access for managers who need the administrator role on account management services by using IAM policies.

Xander trusts his team to manage their personal and service credentials properly, but he wants to make sure that his resources stay protected even if credentials are mismanaged. Because Xander knows the IP addresses that the team uses, he can restrict access to the policy management service based on the network location of the access requests. This way, policy creation is limited to the IP addresses he defines. Because both the IAM access policy and the context-based restriction must allow a request, context-based restrictions offer protection even when credentials are compromised or mismanaged.
{: #tutorial-networkzone-new}
{: step}

First, create a new network zone for the team.

1. In the {{site.data.keyword.cloud_notm}} console, click Manage > Context-based restrictions.
2. Go to Network zones and then click Create.
3. Name the network zone `management-team-zone`.
4. Enter the IP addresses the team must use:
   - Team members in Austin use the following IP address range: 4.4.4.1-4.4.4.99
   - An Austin team member in another building uses the following subnet: 204.17.5.0/24
   - A remote team member uses the following IP address: 3.3.3.56
5. Click Next.
6. Review the details of the network zone.
7. Click Create.
{: #tutorial-context-rules}
{: step}

Now, Xander can use the network zone that he created in a rule.

1. Go to Rules and click Create.
2. Name the rule `Management team context` and click Continue.
3. To restrict access to the creation of IAM access management policies, select Account management and then select IAM AM Policy.
4. Click Continue.
5. Xander specified public endpoints in his network zone, so he keeps the endpoint type toggle switch set to Yes, which allows requests from any endpoint type.
6. Select the network zone `management-team-zone`.
7. Click Add to include your context configuration in the rule.
8. Then, click Create.
Xander is now restricting policy management requests to the IP addresses and endpoint type that his management team uses. Because the management team has the right access policies and uses allowed IP addresses, they are authorized to perform policy management operations. All policy management requests that come from IP addresses or endpoint types that do not match the context Xander defined are denied.
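The following model, added here as an example and not code from IBM Cloud or this tutorial, rebuilds the zone and rule from the two steps above as a small policy decision function so the "both IAM and the restriction must allow" behaviour can be exercised offline. It parses the three address forms the zone uses (a range, a CIDR subnet, a single IP) and then runs constructed sample requests against the rule. The service name string `"IAM AM Policy"`, the `endpoint_type` field and the one-rule-per-service lookup are simplifications of this model, not the real evaluation logic of the service.

```python
"""Model of how a context-based restriction combines with an IAM policy.

Added example, not IBM Cloud code. The service name, the endpoint-type
field and the single-rule-per-service lookup are assumptions of this model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def parse_zone_entry(entry: str) -> Tuple:
    """Parse one zone address entry in the three forms the tutorial uses:
    a single IP (3.3.3.56), a CIDR subnet (204.17.5.0/24) or an inclusive
    range (4.4.4.1-4.4.4.99). Malformed entries raise ValueError so that a
    typo cannot silently widen or empty the zone."""
    entry = entry.strip()
    if "-" in entry:
        lo_text, hi_text = entry.split("-", 1)
        lo = ipaddress.ip_address(lo_text.strip())
        hi = ipaddress.ip_address(hi_text.strip())
        if lo.version != hi.version or hi < lo:
            raise ValueError(f"invalid address range: {entry}")
        return ("range", lo, hi)
    if "/" in entry:
        # strict=True rejects a subnet with host bits set (e.g. 204.17.5.7/24)
        return ("subnet", ipaddress.ip_network(entry, strict=True))
    return ("single", ipaddress.ip_address(entry))


@dataclass
class NetworkZone:
    name: str
    entries: List[Tuple]

    @classmethod
    def from_addresses(cls, name: str, addresses: List[str]) -> "NetworkZone":
        return cls(name, [parse_zone_entry(a) for a in addresses])

    def contains(self, source_ip: str) -> bool:
        """True if the request's source address falls inside any zone entry."""
        addr = ipaddress.ip_address(source_ip)
        for kind, *parts in self.entries:
            if kind == "single" and addr == parts[0]:
                return True
            if kind == "subnet" and addr in parts[0]:
                return True
            if (kind == "range" and addr.version == parts[0].version
                    and parts[0] <= addr <= parts[1]):
                return True
        return False


@dataclass
class Rule:
    service_name: str
    zone: NetworkZone
    # None mirrors the tutorial's toggle set to Yes: any endpoint type is accepted
    endpoint_types: Optional[Set[str]] = None

    def matches(self, source_ip: str, endpoint_type: str) -> bool:
        if self.endpoint_types is not None and endpoint_type not in self.endpoint_types:
            return False
        return self.zone.contains(source_ip)


def is_request_allowed(iam_allows: bool, rules: Dict[str, Rule],
                       service_name: str, source_ip: str,
                       endpoint_type: str = "public") -> bool:
    """Both layers must allow: a rule can deny a request that IAM would
    permit, but it never grants access that IAM denies."""
    if not iam_allows:
        return False
    rule = rules.get(service_name)
    if rule is None:
        return True  # no restriction on this service, so IAM alone decides
    return rule.matches(source_ip, endpoint_type)


# The zone and rule from the tutorial
MANAGEMENT_ZONE = NetworkZone.from_addresses(
    "management-team-zone", ["4.4.4.1-4.4.4.99", "204.17.5.0/24", "3.3.3.56"])
RULES = {"IAM AM Policy": Rule("IAM AM Policy", MANAGEMENT_ZONE)}


def decide_samples() -> List[Tuple[str, bool, bool]]:
    """Constructed sample requests (not captured traffic) against the rule.
    Each tuple is (source IP, IAM allows?, final decision)."""
    samples = [
        ("4.4.4.50", True),     # Austin range, valid IAM policy
        ("204.17.5.77", True),  # Austin subnet
        ("3.3.3.56", True),     # remote team member
        ("4.4.4.100", True),    # one address past the end of the range
        ("8.8.8.8", True),      # mismanaged credentials used from elsewhere
        ("4.4.4.50", False),    # allowed network, but no IAM policy
    ]
    return [(ip, iam, is_request_allowed(iam, RULES, "IAM AM Policy", ip))
            for ip, iam in samples]


if __name__ == "__main__":
    for ip, iam, allowed in decide_samples():
        print(f"{ip:<14} iam={iam!s:<5} -> {'ALLOW' if allowed else 'DENY'}")
```

The last two samples are the ones worth noting: a request from `8.8.8.8` is denied even though IAM would permit it, which is the protection the tutorial is after, and a request from an allowed address without an IAM policy is also denied, because the restriction narrows access but never grants it.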
{: #tutorial-context-step-next}
You can also use network zones to restrict access at the account level. For more information, see Allowing specific IP addresses.