IBM Cloud Docs
Protecting IBM Log Analysis resources with context-based restrictions

Protecting IBM Log Analysis resources with context-based restrictions

Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to IBM Log Analysis resources can be controlled with context-based restrictions and identity and access management (IAM) policies.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025.

These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see What are context-based restrictions.

A user must have the Administrator role on the IBM Log Analysis service to create, update, or delete rules. A user must also have either the Editor or Administrator role on the Context-based restrictions service to create, update, or delete network zones. A user with the Viewer role on the Context-based restrictions service can only add network zones to a rule.

Any IBM Cloud Activity Tracker or audit log events generated come from the context-based restrictions service, not IBM Log Analysis. For more information, see Monitoring context-based restrictions.

To get started protecting your IBM Log Analysis resources with context-based restrictions, see the tutorial for Leveraging context-based restrictions to secure your resources.

How IBM Log Analysis integrates with context-based restrictions

You can use context-based restrictions when configuring archving to IBM Cloud Object Storage and streaming to Event Streams.

By using context-based restrictions you restrict IBM Cloud Object Storage or Event Streams to receive data only from IBM Log Analysis.

Additional services and IP addresses can be configured in rules to send data to IBM Cloud Object Storage or Event Streams in addition to IBM Log Analysis.

You can also use context-based restricions to control access from services or specific IP addresses to IBM Log Analysis.

Restrictions

Consider the following when configuring context-based restrictions:

  • Any zones and rules configured for IBM Cloud Activity Tracker will also apply to IBM Log Analysis. Any zones and rules configured for IBM Log Analysis will also apply to IBM Cloud Activity Tracker.

  • Event Streams credentials created for IBM Log Analysis and IBM Cloud Activity Tracker can be shared by IBM Log Analysis and IBM Cloud Activity Tracker instances, but can not be shared with any other services.

  • Context-based rules only apply to the IAM token authorization when using the IBM Log Analysis API. Context-based rules do not apply to other API security schemes.

  • Context-based rules apply to all IBM Log Analysis APIs except ingestion.

Creating network zones

A network zone represents an allowlist of IP addresses where an access request is created. It defines a set of one or more network locations that are specified by the following attributes:

  • IP addresses, which include individual addresses, ranges, or subnets.
  • VPCs
  • Service references, which allow access from other IBM Cloud services.

Make sure to add IBM Log Analysis to network zones for rules that target other IBM Cloud resources, or some operations in your workflow might fail.

Service references

The IBM Log Analysis IAM service needs to be added to network zones as a service reference.

Creating network zones in the console

  1. In the IBM Cloud console click Manage > Context-based restrictions.

  2. Click Network zones.

  3. Click Create.

  4. Enter a name for your network zone and an optional description.

  5. Enter the allowed and denied IP addresses associated with the network zone.

  6. Select the VPCs allowed by the network zone.

  7. For Service type select IAM services.

  8. For Service select IBM Log Analysis.

  9. Click Add.

Creating network zones by using the API

You can create network zones by using the POST method. For more information, see the API docs. You can add IBM Log Analysis to network zones as a service reference to allow IBM Log Analysis to access resources and services in your account that are the subject of a rule.

The serviceRef attribute for IBM Log Analysis is logdna.

For example, create a zone for IBM Log Analysis:

curl -X POST --location --header "Authorization: Bearer {iam_token}" --header "Accept: application/json" --header "Content-Type: application/json" --data '{ "name": "MY_LOG_ANALYSIS_ZONE", "description": "This is my Log Analysis zone", "account_id": "{account_id}", "addresses": [  { "type": "serviceRef", "ref": { "account_id": "{account_id}", "service_name": "logdna" } } ] }' "https://cbr.cloud.ibm.com/v1/zones"

You can use PUT and DELETE to update and delete zones. You can use GET to list all defined zones or get additional information for a single zone. For more information about these methods, see the API docs.

Creating network zones by using the CLI

You can use the cbr-zone-create command to add network locations, VPCs, and service references to network zones. For more information, see the CBR CLI reference. Add IBM Log Analysis to network zones as a service reference to allow IBM Log Analysis to access resources and services in your account that are the subject of a rule.

To find a list of available service refs, run the ibmcloud cbr service-ref-targets command. The service-ref service_name for IBM Log Analysis is logdna.

For example, create a zone for IBM Log Analysis:

ibmcloud cbr zone-create --name MY_LOG_ANALYSIS_ZONE --description "This is my Log Analysis zone" --service-ref service_name=logdna

You can use zone-update and zone-delete to update and delete zones. You can use ibmcloud cbr zones to list all defined zones. For more information about these commands, see the CBR CLI reference.

Creating rules

Define restrictions to IBM Log Analysis resources by creating rules.

Creating rules in the console

  1. In the IBM Cloud console click Manage > Context-based restrictions.

  2. Click Rules.

  3. Click Create.

  4. For Service select one of the following:

    Cloud Object Storage if you are configuring a context-based restriction for archiving to a bucket.

    Event Streams if you are configuring a context-based restriction for streaming to Event Streams.

    IBM Log Analysis if you are configuring a context-based restriction to access IBM Log Analysis.

  5. Click Next.

  6. Select All resources or Specific resources as appropriate. If you are limiting resources, add the conditions defining the limit.

  7. Click Review.

  8. Click Continue.

  9. Select if you want to limit access by endpoint type.

  10. Select the Network zone you want associated to the rule. If you don't have a zone created, you can create one by clicking Create.

  11. Click Continue.

  12. Add an optional description for the rule.

  13. Select how you want the rule enforced:

    Enabled: The rule is enforced and denied access attempts are reported in IBM Cloud Activity Tracker.

    Disabled: The rule is not enforced. Restrictions are not applied.

    Report-only: Monitors how the rule affects users without enforcing it. All access attempts are reported in IBM Cloud Activity Tracker. Monitoring for 30 days before enforcing a rule will help you determine if there are any errors in your configuration.

  14. Click Create.

Creating rules by using the API

Review the following examples to learn how to create rules for IBM Log Analysis. For more information, see the API docs.

Create a rule allowing access between IBM Cloud Object Storage and the zone defined for IBM Log Analysis:

curl -X POST --location --header "Authorization: Bearer {iam_token}" --header "Accept: application/json" --header "Content-Type: application/json" --data '{ "description": "My rule between Log Analysis and Cloud Object Storage", "resources": [ { "attributes": [ { "name": "accountId", "value": "{account_id}" }, { "name": "serviceName", "value": "cloud-object-storage" } ] } ], "contexts": [ { "attributes": [ { "name": "networkZoneId", "value": "{zone_id}" } ] } ] }' "https://cbr.cloud.ibm.com/v1/rules"

Where the zone_id is the zone configured for IBM Log Analysis.

You can find a list of configured zones by running the GET /v1/zones method. To retrieve the zone ID, use the GET /v1/zones/{zone_id} method.

The following service names can be used when configuring rules to connect with IBM Log Analysis:

cloud-object-storage
IBM Cloud Object Storage
messagehub
Event Streams
logdna
IBM Log Analysis

Use enforcement_mode to determine how the rule is processed. For example, this rule between Event Streams and IBM Log Analysis is defined, but is disabled and will not be enforced.

curl -X POST --location --header "Authorization: Bearer {iam_token}" --header "Accept: application/json" --header "Content-Type: application/json" --data '{ "description": "My rule between Log Analysis and Event Streams", "resources": [ { "attributes": [ { "name": "accountId", "value": "{account_id}" }, { "name": "serviceName", "value": "messagehub" } ] } ], "contexts": [ { "attributes": [ { "name": "networkZoneId", "value": "{zone_id}" } ] } ], "enforcement_mode": "disabled" }' "https://cbr.cloud.ibm.com/v1/rules"

Enforcement modes that can be configured for a rule are:

Enabled
The rule is enforced and denied access attempts are reported in IBM Cloud Activity Tracker.
Disabled
The rule is not enforced. Restrictions are not applied.
Report
Monitors how the rule affects users without enforcing it. All access attempts are reported in IBM Cloud Activity Tracker. Monitoring for 30 days before enforcing a rule will help you determine if there are any errors in your configuration.

You can use PUT and DELETE to update and delete rules. You can use GET to list all defined rules or list detailed information about a single rule. For more information about these methods, see the CBR API docs.

Creating rules by using the CLI

Review the following examples to learn how to create rules for IBM Log Analysis. For more information, see the CBR CLI reference.

For example, create a rule allowing access between IBM Cloud Object Storage and the zone defined for IBM Log Analysis:

ibmcloud cbr rule-create --description "My rule between the Log Analysis zone and Cloud Object Storage" --service-name cloud-object-storage --zone-id 445bdf061e5eb36f53188d26760401aa

Where the zone-id is the zone configured for IBM Log Analysis.

You can find a list of configured zones by running the ibmcloud cbr zones command.

The following service names can be used when configuring rules to connect with IBM Log Analysis:

cloud-object-storage
IBM Cloud Object Storage
messagehub
Event Streams
logdna
IBM Log Analysis

You can also limit access between services. For example, limiting access to private endpoints only:

ibmcloud cbr rule-create --description "My rule between Log Analysis and Cloud Object Storage" --service-name cloud-object-storage --zone-id 445bdf061e5eb36f53188d26760401aa --context-attributes endpointType=private

Using enforcement-mode determines how the rule is processed. For example, this rule between Event Streams and IBM Log Analysis is defined, but is disabled and will not be enforced.

ibmcloud cbr rule-create --description "My rule between Log Analysis and Event Streams" --service-name messagehub --zone-id 445bdf061e5eb36f53188d26760401aa --enforcement-mode disabled

Enforcement modes that can be configured for a rule are:

Enabled
The rule is enforced and denied access attempts are reported in IBM Cloud Activity Tracker.
Disabled
The rule is not enforced. Restrictions are not applied.
Report
Monitors how the rule affects users without enforcing it. All access attempts are reported in IBM Cloud Activity Tracker. Monitoring for 30 days before enforcing a rule will help you determine if there are any errors in your configuration.

You can use rule-update and rule-delete to update and delete rules. You can use ibmcloud cbr rules to list all defined rules. For more information about these commands, see the CBR CLI reference.