July 24, 2023 By Henrik Loeser 3 min read

If you read some of my earlier blog posts, you know that I automated the setup (onboarding) for workshops and hackathons. Thus far, running my Terraform scripts to deploy resources and privileges meant allowing access to them. Thanks to a (relatively) new IBM Cloud security feature called time-based restrictions, I can decouple the deployment process from when access is possible.

In this blog post, I am going to give a short introduction to time-based restrictions. Then, I’ll walk you through my use case and how I implemented it:

Restrict IBM Cloud resource access to a specific date range.

Overview: Time-based restrictions

Identity and Access Management (IAM) allows you to protect your IBM Cloud resources. You’ve probably learned to utilize access groups, trusted profiles, service and user identities and how to assign access. By adding time-based restrictions, you can scope these access policies further to a specific time and date range (once) or to recurring windows. The latter could be maintenance windows—for example, over the weekend or specific hours during the night. Typical examples for single events (once) are ad-hoc maintenance work for some hours or some scheduled longer tasks with a given start and end.

When creating a new policy, you can now optionally add conditions for when the access should be granted. In the IBM Cloud console’s browser UI, that optional step is offered (see the image below). I could have also utilized the CLI or API/SDK, but for my automated setup of workshop resources, I picked Terraform:

Add a time-based restriction to an access policy.

Scenario: Workshops

As discussed in my blog “Secure Onboarding for Your Workshops and Hackathons,” I sometimes need to run short-lived projects. For these projects, it is crucial to automate the onboarding and offboarding to always set up the workshop environment the same way. Participants should have access privileges related to their role. So far, I would deploy the resources using Terraform (including all privileges) and destroy resources and access after the event.

By adding time-based restrictions to the access policies, I am able to grant access in stages. Once again, I deploy everything with Terraform, including IAM privileges. However, the time-related conditions make sure that the policies are only active between the start and end times. They could be set to align with the workshop start and the official end (or some hours/days later). Without destroying the resources, access to them is automatically cut off after the workshop.

The following shows the sample conditions that I added to the shared Terraform code. You can find it all in the GitHub repository cloud-project-onboarding-terraform and the branch workshop_hackathon. The screenshot at the top of this blog post shows the same conditions in the IBM Cloud console.

 rule_conditions {
    key = "{{environment.attributes.current_date_time}}"
    operator = "dateTimeGreaterThanOrEquals"
    value = ["2023-07-19T09:00:00+01:00"]
  }
  rule_conditions {
    key = "{{environment.attributes.current_date_time}}"
    operator = "dateTimeLessThanOrEquals"
    value = ["2023-07-26T09:00:00+01:00"]
  }
  rule_operator = "and"
  pattern = "time-based-conditions:once"

Conclusion

Time-based restrictions are a great addition to the existing IBM Cloud security features. They allow you to reduce assigned access to a single time, date ranges or recurring maintenance windows, thereby reducing the attack surface. For my use case of automated onboarding and offboarding, the time-based restrictions allow me to decouple resource and privilege deployment from activating access. This means I have more flexibility in when to perform administrative tasks.

Want to learn more? Here are my suggestions:

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik), Mastodon (@data_henrik@mastodon.social) or LinkedIn.

Was this article helpful?
YesNo

More from Cloud

Enhance your data security posture with a no-code approach to application-level encryption

4 min read - Data is the lifeblood of every organization. As your organization’s data footprint expands across the clouds and between your own business lines to drive value, it is essential to secure data at all stages of the cloud adoption and throughout the data lifecycle. While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance…

Attention new clients: exciting financial incentives for VMware Cloud Foundation on IBM Cloud

4 min read - New client specials: Get up to 50% off when you commit to a 1- or 3-year term contract on new VCF-as-a-Service offerings, plus an additional value of up to USD 200K in credits through 30 June 2025 when you migrate your VMware workloads to IBM Cloud®.1 Low starting prices: On-demand VCF-as-a-Service deployments begin under USD 200 per month.2 The IBM Cloud benefit: See the potential for a 201%3 return on investment (ROI) over 3 years with reduced downtime, cost and…

The history of the central processing unit (CPU)

10 min read - The central processing unit (CPU) is the computer’s brain. It handles the assignment and processing of tasks, in addition to functions that make a computer run. There’s no way to overstate the importance of the CPU to computing. Virtually all computer systems contain, at the least, some type of basic CPU. Regardless of whether they’re used in personal computers (PCs), laptops, tablets, smartphones or even in supercomputers whose output is so strong it must be measured in floating-point operations per…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters