Cloud
Cybersecurity
Security
July 24, 2023 By Henrik Loeser 3 min read

If you read some of my earlier blog posts, you know that I automated the setup (onboarding) for workshops and hackathons. Thus far, running my Terraform scripts to deploy resources and privileges meant allowing access to them. Thanks to a (relatively) new IBM Cloud security feature called time-based restrictions, I can decouple the deployment process from when access is possible.

In this blog post, I am going to give a short introduction to time-based restrictions. Then, I’ll walk you through my use case and how I implemented it:

Restrict IBM Cloud resource access to a specific date range.

Overview: Time-based restrictions

Identity and Access Management (IAM) allows you to protect your IBM Cloud resources. You’ve probably learned to utilize access groups, trusted profiles, service and user identities and how to assign access. By adding time-based restrictions, you can scope these access policies further to a specific time and date range (once) or to recurring windows. The latter could be maintenance windows—for example, over the weekend or specific hours during the night. Typical examples for single events (once) are ad-hoc maintenance work for some hours or some scheduled longer tasks with a given start and end.

When creating a new policy, you can now optionally add conditions for when the access should be granted. In the IBM Cloud console’s browser UI, that optional step is offered (see the image below). I could have also utilized the CLI or API/SDK, but for my automated setup of workshop resources, I picked Terraform:

Add a time-based restriction to an access policy.

Scenario: Workshops

As discussed in my blog “Secure Onboarding for Your Workshops and Hackathons,” I sometimes need to run short-lived projects. For these projects, it is crucial to automate the onboarding and offboarding to always set up the workshop environment the same way. Participants should have access privileges related to their role. So far, I would deploy the resources using Terraform (including all privileges) and destroy resources and access after the event.

By adding time-based restrictions to the access policies, I am able to grant access in stages. Once again, I deploy everything with Terraform, including IAM privileges. However, the time-related conditions make sure that the policies are only active between the start and end times. They could be set to align with the workshop start and the official end (or some hours/days later). Without destroying the resources, access to them is automatically cut off after the workshop.

The following shows the sample conditions that I added to the shared Terraform code. You can find it all in the GitHub repository cloud-project-onboarding-terraform and the branch workshop_hackathon. The screenshot at the top of this blog post shows the same conditions in the IBM Cloud console.

 rule_conditions {
    key = "{{environment.attributes.current_date_time}}"
    operator = "dateTimeGreaterThanOrEquals"
    value = ["2023-07-19T09:00:00+01:00"]
  }
  rule_conditions {
    key = "{{environment.attributes.current_date_time}}"
    operator = "dateTimeLessThanOrEquals"
    value = ["2023-07-26T09:00:00+01:00"]
  }
  rule_operator = "and"
  pattern = "time-based-conditions:once"

Conclusion

Time-based restrictions are a great addition to the existing IBM Cloud security features. They allow you to reduce assigned access to a single time, date ranges or recurring maintenance windows, thereby reducing the attack surface. For my use case of automated onboarding and offboarding, the time-based restrictions allow me to decouple resource and privilege deployment from activating access. This means I have more flexibility in when to perform administrative tasks.

Want to learn more? Here are my suggestions:

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik), Mastodon (@data_henrik@mastodon.social) or LinkedIn.

Was this article helpful?
YesNo

Tags

Henrik Loeser
Technical Offering Manager / Developer Advocate

More from Cloud
May 8, 2024

Helping enterprises across regulated industries leverage hybrid cloud and AI

3 min read - At IBM Cloud, we are committed to helping enterprises across industries leverage hybrid cloud and AI technologies to help them drive innovation. For true transformation to begin, we believe it is key to understand the unique challenges organizations are facing—whether it is keeping data secured, addressing data sovereignty requirements or speeding time to market to satisfy consumers. For those in even the most highly regulated industries, we have seen these challenges continue to grow as they navigate changing regulations. We…

May 8, 2024

Migration Acceleration Program for IBM Cloud

2 min read - The cloud has emerged as a transformative technology platform, offering flexibility, scalability and cost-effectiveness. Enterprise cloud migration strategies seek to be business-driven with an integrated technology, operational and financial adoption plan. Knowing where you are, where you are going, and how you get there is critical to sustainable success. Building an end-to-end plan with confidence can be a daunting undertaking, and enterprise leaders find it challenging to design and execute a cloud migration plan. To address these challenges, we continue…

May 8, 2024

How Wasabi and IBM help clients deliver on data-driven innovation

2 min read - Last year, Wasabi Technologies and IBM Cloud® joined forces to drive data innovation across hybrid cloud environments, positioning enterprises to run applications across any environment—on premises, in the cloud or at the edge—and enabling users to cost efficiently access and use key business data and analytics in real time. As we head into the second half of 2024, IBM Cloud and Wasabi continue to build new ways to expand their relationship. This growing relationship has the potential to reshape how…

IBM Newsletters

 Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters