Create and manage source-based access control policies
Source-based access control policies control access to KakaoCloud service hosts from specific source IP CIDR ranges.
You can manage policies at the organization level and allow service host access only from approved sources.
Source-based access control policies can be created and managed in the IAM console.
Before you begin
Check the following before using source-based access control policies.
- Organization Admin or IAM Organization Admin permissions are required.
- Check the service host information to which access control will be applied.
- Prepare the source IP CIDR information to allow.
- When policies are enabled, service access may be restricted from sources that are not allowed.
Source-based access control policies are applied at the organization level.
Source-based access control modes
Source-based access control operates at the organization level, and you can manage how access control policies are applied by mode.
Source-based access control supports the following three modes.
| Mode | Description |
|---|---|
| Disabled | Allows all requests regardless of policy settings. |
| Validation | Records only request results in Cloud Trail without actually applying policies. |
| Enforcement | Blocks requests that do not match the policies. |
Changes to the source-based access control mode are applied immediately across the entire organization.
Disabled mode
In Disabled mode, source-based access control policies are not applied.
- All requests are allowed.
- Policy validation and blocking are not performed.
- You can use this mode before testing policies.
Validation mode
In Validation mode, policies are not applied for actual blocking, and request results are recorded in Cloud Trail.
- Actual requests are not blocked.
- You can check in advance which requests would be blocked if policies were applied.
- You can validate policy impact before applying policies to the production environment.
Use Validation mode to check how source-based access control policies work without affecting actual services.
Enforcement mode
In Enforcement mode, source-based access control policies are applied to actual requests.
- Requests that are not allowed by policies are blocked.
- This mode can affect host access across the entire organization.
- We recommend thoroughly testing policies in Validation mode before enabling Enforcement mode.
In Enforcement mode, at least one policy must allow IAM host access from the IP address of the currently signed-in user.
If policies are not configured correctly, console access may be restricted.
In Validation or Enforcement mode, at least one active source-based access control policy is required.
If there are no active policies, you cannot change the mode to Validation or Enforcement.
Change source-based access control mode
You can change the source-based access control mode in the IAM console.
- Go to KakaoCloud Console > Management > IAM > Source-Based Access Control Policy.
- Click the [Change source-based access control mode] button in the upper-right corner.
- In the Change source-based access control mode pop-up, review the guidance for each mode.
- Select the desired mode, and then click the [Save] button.
Create source-based access control policy
Source-based access control policies are created based on source information and target hosts.
Accounts linked with an external IdP may be restricted from being registered as KakaoCloud users.
- Go to KakaoCloud Console > Management > IAM > Source-Based Access Control Policy.
- Click the [Create source-based access control policy] button.
- On the Create source-based access control policy page, enter the required information, and then click the [Create] button.
| Field | Description |
|---|---|
| Name | Name that identifies the policy |
| Apply status | Whether the policy is applied (Applied or Excluded) |
| Source | IP CIDR range to allow |
| Host access scope | Select the host access scope. All hosts: allow access to the currently provided target host list and all hosts added in the future. Selected hosts: allow access by selecting desired hosts from the target host list |
| Target host list | List of hosts to which source-based access control policies can be applied |
Only IPv4 CIDR format is supported for CIDR input.
Examples:
- 10.0.0.1/32
- 10.0.0.0/24
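The following example, added here and not KakaoCloud's own code, models the mode semantics (Disabled, Validation, Enforcement), the Applied/Excluded status, the host access scope, and the IPv4-only CIDR rule described on this page, and mirrors the preconditions for switching modes (at least one active policy; an Applied policy must allow IAM host access from the administrator's own IP) so a lockout can be caught before clicking [Save]. The names `Policy`, `evaluate`, `preflight_mode_change`, the outcome strings and the sample hosts are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Illustrative model of the policy semantics on this page; not KakaoCloud's implementation.


@dataclass
class Policy:
    name: str
    source: str                       # IPv4 CIDR, e.g. "10.0.0.0/24" (page example)
    applied: bool = True              # Apply status: Applied (True) or Excluded (False)
    all_hosts: bool = True            # Host access scope: All hosts / Selected hosts
    target_hosts: frozenset = field(default_factory=frozenset)  # used when all_hosts is False

    def __post_init__(self):
        net = ipaddress.ip_network(self.source, strict=False)
        if net.version != 4:          # page: only IPv4 CIDR format is supported
            raise ValueError(f"{self.name}: only IPv4 CIDR is supported, got {self.source}")
        self.network = net


def policy_allows(policy, src_ip, host):
    """True when an Applied policy covers both the source IP and the requested host."""
    if not policy.applied:
        return False
    if not policy.all_hosts and host not in policy.target_hosts:
        return False
    return ipaddress.ip_address(src_ip) in policy.network


def evaluate(mode, policies, src_ip, host):
    """Outcome of one request under the given mode (outcome strings are assumed names)."""
    matched = any(policy_allows(p, src_ip, host) for p in policies)
    if mode == "Disabled":
        return "allow"                               # policies are ignored entirely
    if mode == "Validation":                         # nothing blocked, result only recorded
        return "allow+log" if matched else "allow+log-would-block"
    if mode == "Enforcement":
        return "allow" if matched else "block"
    raise ValueError(f"unknown mode {mode}")


def preflight_mode_change(new_mode, policies, admin_ip, iam_host="iam"):
    """Check the console's preconditions before switching modes; returns a list of problems."""
    problems = []
    if new_mode in ("Validation", "Enforcement") and not any(p.applied for p in policies):
        problems.append("at least one Applied policy is required")
    if new_mode == "Enforcement" and not any(policy_allows(p, admin_ip, iam_host) for p in policies):
        problems.append(f"no Applied policy allows IAM host access from {admin_ip}: console lockout risk")
    return problems
```

Run `preflight_mode_change("Enforcement", policies, your_current_ip)` with the policies you intend to keep Applied; an empty list means the switch would not lock the current session out under this model.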
Policy propagation time
When you create, modify, or delete a source-based access control policy, or change a policy status, it can take time for changes to be reflected on each service host.
Depending on each service's API structure or cache policy, requests may temporarily be allowed or blocked based on existing policies immediately after a policy change. Changes are fully reflected after a certain amount of time.
It can take up to about 5 minutes for policy changes to be fully reflected.
Access restrictions and permission checks
In environments where source-based access control policies are applied, service access may be restricted depending on user permissions or source-based access control policies.
When access is restricted, the console may display messages such as "You do not have permission to view." when you view, create, or modify resources.
Currently, console and API calls do not distinguish between the following situations.
- The user lacks the required IAM permissions.
- The request is blocked by a source-based access control policy.
Therefore, when service access is restricted, check both the user's permissions and whether the source is allowed by source-based access control policies.
Project-level resource access restrictions
If access to project-level resources is restricted, contact the following administrators.
| Check item | Contact |
|---|---|
| Project permission check | Project Admin or IAM Project Admin |
| Source-based access control policy check | Organization Admin or IAM Organization Admin |
Organization-level resource access restrictions
If access to organization-level resources is restricted, contact the following administrators.
| Check item | Contact |
|---|---|
| Organization permission check | Organization Admin or IAM Organization Admin |
| Source-based access control policy check | Organization Admin or IAM Organization Admin |
Manage source-based access control policies
View source-based access control policies
You can view the currently registered source-based access control policies.
- Go to KakaoCloud Console > Management > IAM > Source-Based Access Control Policy.
- On the source-based access control policy page, check the list of currently registered policies.
| Category | Description |
|---|---|
| Name | Policy name entered when creating or modifying a source-based access control policy |
| ID | Unique identifier of the source-based access control policy |
| Source | Source IP CIDR information to allow access from |
| Host access scope | Host access scope. All hosts: allow access to the currently provided target host list and all hosts added in the future. Selected hosts: allow access by selecting desired hosts from the target host list |
| Number of targets | Number of target hosts to which the source-based access control policy applies |
| Apply status | Whether the policy is applied (Applied or Excluded) |
| Created at | Time when the source-based access control policy was created |
| [⋮] button | Change information, edit, duplicate, or delete an individual source-based access control policy |
View source-based access control policy details
You can view detailed information for a source-based access control policy.
- Go to KakaoCloud Console > Management > IAM > Source-Based Access Control Policy.
- From the source-based access control policy list, select the policy whose details you want to view.
- On the source-based access control policy details page, check the information.
| Category | Description |
|---|---|
| Details | Basic information such as source-based access control policy name, ID, source, host access scope, apply status, and creation time |
| Targets | List of source-based access control targets. Access environment: Public or Private. Host type: OpenAPI or Default. Service: name of the called service. Host: host information for which access is controlled |
Change source-based access control policy information
You can change the name and apply status of a source-based access control policy you created.
- Go to KakaoCloud Console > Management > IAM > Source-Based Access Control Policy.
- On the source-based access control policy page, select the policy whose information you want to change.
- From the list or source-based access control policy details page, click the [Change information] button.
- Review the source-based access control policy information change guidance, and then click the [Continue] button.
- In the source-based access control policy information change pop-up, change the information, and then click the [Save] button.
Edit source-based access control policy targets
You can edit the targets of a source-based access control policy you created.
- Go to KakaoCloud Console > Management > IAM > Source-Based Access Control Policy.
- On the source-based access control policy page, select the policy whose targets you want to edit.
- From the list or source-based access control policy details page, click the [Edit targets] button.
- In the edit targets pop-up, edit the source, host access scope, and target hosts, and then click the [Edit] button.
After editing a source-based access control policy, accessible targets may change. Check the service impact before editing.
Duplicate source-based access control policy
You can create a new source-based access control policy based on an existing policy.
- Go to KakaoCloud Console > Management > IAM > Source-Based Access Control Policy.
- On the source-based access control policy page, select the policy to duplicate.
- From the list or source-based access control policy details page, click the [Duplicate] button.
- In the source-based access control policy duplication pop-up, review the information, and then click the [Duplicate] button.
- In the create source-based access control policy pop-up, enter the information, and then click the [Create] button.
| Field | Description |
|---|---|
| Name | Name that identifies the policy |
| Apply status | Whether the policy is applied (Applied or Excluded) |
| Source | IP CIDR range to allow |
| Host access scope | Select the host access scope. All hosts: allow access to the currently provided target host list and all hosts added in the future. Selected hosts: allow access by selecting desired hosts from the target host list |
| Target host list | List of hosts to which source-based access control policies can be applied |
Delete source-based access control policy
You can delete policies that are no longer used.
Deleted source-based access control policies cannot be recovered. Use caution when deleting policies.
- Go to KakaoCloud Console > Management > IAM > Source-Based Access Control Policy.
- On the source-based access control policy page, select the policy to delete.
- From the list or source-based access control policy details page, click the [Delete] button.
- Review the source-based access control policy deletion guidance, and then click the [Continue] button.
- In the source-based access control policy deletion pop-up, enter "Permanently delete", and then click the [Delete] button.
Supported target host types
Source-based access control supports the following host types.
| Host type | Description |
|---|---|
| Default | Method of forwarding requests directly to a service-specific host |
| OpenAPI | Method of forwarding requests to a service through the common OpenAPI gateway |
Cloud Trail integration
In Validation mode, policy application results are recorded as Cloud Trail events.
You can check the following information through Cloud Trail events.
- Request source IP
- Request target endpoint
- Whether the policy allowed the request
- Policy application result
- Request user information
Related events can be viewed in the Cloud Trail service.
Policy creation considerations
- Policies with the same source and target combination cannot be created more than once.
- When source-based access control policy mode is enabled, access from sources that are not allowed is blocked.