If you have read some of my earlier blog posts, you know that I automated the setup (onboarding) for workshops and hackathons. Thus far, running my Terraform scripts to deploy resources and privileges meant that access to them was granted immediately. Thanks to a (relatively) new IBM Cloud security feature called time-based restrictions, I can decouple the deployment process from the time at which access is possible.
In this blog post, I am going to give a short introduction to time-based restrictions. Then, I’ll walk you through my use case and how I implemented it:
Overview: Time-based restrictions
Identity and Access Management (IAM) allows you to protect your IBM Cloud resources. You’ve probably learned to utilize access groups, trusted profiles, service and user identities and how to assign access. By adding time-based restrictions, you can scope these access policies further to a specific time and date range (once) or to recurring windows. The latter could be maintenance windows—for example, over the weekend or specific hours during the night. Typical examples for single events (once) are ad-hoc maintenance work for some hours or some scheduled longer tasks with a given start and end.
When creating a new policy, you can now optionally add conditions for when the access should be granted. In the IBM Cloud console’s browser UI, that optional step is offered (see the image below). I could have also utilized the CLI or API/SDK, but for my automated setup of workshop resources, I picked Terraform:
Scenario: Workshops
As discussed in my blog “Secure Onboarding for Your Workshops and Hackathons,” I sometimes need to run short-lived projects. For these projects, it is crucial to automate the onboarding and offboarding to always set up the workshop environment the same way. Participants should have access privileges related to their role. So far, I would deploy the resources using Terraform (including all privileges) and destroy resources and access after the event.
By adding time-based restrictions to the access policies, I am able to grant access in stages. Once again, I deploy everything with Terraform, including IAM privileges. However, the time-related conditions make sure that the policies are only active between the start and end times. They could be set to align with the workshop start and the official end (or some hours/days later). Without destroying the resources, access to them is automatically cut off after the workshop.
The following shows the sample conditions that I added to the shared Terraform code. You can find it all in the GitHub repository cloud-project-onboarding-terraform and the branch workshop_hackathon. The screenshot at the top of this blog post shows the same conditions in the IBM Cloud console.
```hcl
rule_conditions {
  key      = "{{environment.attributes.current_date_time}}"
  operator = "dateTimeGreaterThanOrEquals"
  value    = ["2023-07-19T09:00:00+01:00"]
}
rule_conditions {
  key      = "{{environment.attributes.current_date_time}}"
  operator = "dateTimeLessThanOrEquals"
  value    = ["2023-07-26T09:00:00+01:00"]
}
rule_operator = "and"
pattern       = "time-based-conditions:once"
```
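To make the semantics of the two conditions above concrete, here is a small Python model of how a "once" window is evaluated. It is an added example written for this post, not IBM's policy engine and not code from the onboarding repository; it only reuses the attribute key, operator names, rule operator and timestamps shown in the snippet. The point it demonstrates is that both bounds are inclusive, that the two conditions must be combined with `and` to form a window (with `or` one of them is always true), and that the evaluation is offset-aware, so a UTC timestamp is compared correctly against bounds given in `+01:00`. Naive timestamps without an offset are rejected rather than guessed, because a wrong assumed zone would silently shift the window.

```python
from dataclasses import dataclass
from datetime import datetime

# Attribute key and operators exactly as they appear in the Terraform snippet.
ENV_CURRENT_DATE_TIME = "{{environment.attributes.current_date_time}}"
OP_GE = "dateTimeGreaterThanOrEquals"
OP_LE = "dateTimeLessThanOrEquals"


@dataclass(frozen=True)
class RuleCondition:
    """One rule_conditions block: key, operator and the list of values."""
    key: str
    operator: str
    value: tuple[str, ...]


def parse_ts(s: str) -> datetime:
    """Parse an RFC 3339 timestamp and require an explicit UTC offset."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {s!r}")
    return dt


def eval_condition(cond: RuleCondition, env: dict[str, str]) -> bool:
    """Evaluate a single date/time condition against the environment attributes."""
    if cond.key != ENV_CURRENT_DATE_TIME:
        raise ValueError(f"unsupported key: {cond.key!r}")
    now = parse_ts(env[cond.key])
    bound = parse_ts(cond.value[0])
    # Offset-aware datetimes compare by their UTC instant, so mixed offsets are safe.
    if cond.operator == OP_GE:
        return now >= bound
    if cond.operator == OP_LE:
        return now <= bound
    raise ValueError(f"unsupported operator: {cond.operator!r}")


def access_granted(conditions, rule_operator: str, env: dict[str, str]) -> bool:
    """Combine the per-condition results with the policy's rule_operator."""
    results = [eval_condition(c, env) for c in conditions]
    if rule_operator == "and":
        return all(results)
    if rule_operator == "or":
        return any(results)
    raise ValueError(f"unsupported rule_operator: {rule_operator!r}")


# The workshop window from the post: start 2023-07-19 09:00 +01:00, end 2023-07-26 09:00 +01:00.
WORKSHOP_WINDOW = (
    RuleCondition(ENV_CURRENT_DATE_TIME, OP_GE, ("2023-07-19T09:00:00+01:00",)),
    RuleCondition(ENV_CURRENT_DATE_TIME, OP_LE, ("2023-07-26T09:00:00+01:00",)),
)


def workshop_access_at(ts: str, rule_operator: str = "and") -> bool:
    """Would the workshop policy be active at the given instant (constructed input)?"""
    return access_granted(WORKSHOP_WINDOW, rule_operator, {ENV_CURRENT_DATE_TIME: ts})


if __name__ == "__main__":
    for probe in ("2023-07-19T08:59:59+01:00",  # one second before the start
                  "2023-07-19T09:00:00+01:00",  # exactly at the start (inclusive)
                  "2023-07-19T08:30:00Z",       # 09:30 +01:00, inside the window
                  "2023-07-26T09:00:01+01:00"): # one second after the end
        print(probe, "->", "allowed" if workshop_access_at(probe) else "denied")
```

Replacing `"and"` with `"or"` in `workshop_access_at` grants access at any instant, which is the mistake to check for when reviewing a policy that is meant to express a bounded window.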
Conclusion
Time-based restrictions are a great addition to the existing IBM Cloud security features. They allow you to restrict assigned access to a single date and time range (once) or to recurring maintenance windows, thereby reducing the attack surface. For my use case of automated onboarding and offboarding, the time-based restrictions allow me to decouple resource and privilege deployment from activating access. This means I have more flexibility in when to perform administrative tasks.
Want to learn more? Here are my suggestions:
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik), Mastodon (@data_henrik@mastodon.social) or LinkedIn.
Source: https://www.ibm.com/blog/for-a-short-time-only-time-based-restrictions-for-enhanced-cloud-security/