Benchmark: 1 IAM
Overview
IAM enables you to securely authenticate users for platform services and control access to resources consistently across IBM Cloud. A set of IBM Cloud services is enabled to use IBM Cloud IAM for access control; these services are organized into resource groups within your account so you can quickly give users access to more than one resource at a time. Each of these services is labeled as "IAM-enabled" in the catalog. You can use IAM access policies to grant users and service IDs access to resources within your account, and you can group users and service IDs into an access group to give all members of the group the same level of access.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-ibm-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1 IAM.
Run this benchmark in your terminal:
powerpipe benchmark run ibm_compliance.benchmark.cis_v100_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run ibm_compliance.benchmark.cis_v100_1 --share
Controls
- 1.1 Monitor account owner for frequent, unexpected, or unauthorized logins
- 1.2 Ensure API keys unused for 180 days are detected and optionally disabled
- 1.3 Ensure API keys are rotated every 90 days
- 1.4 Restrict user API key creation and service ID creation in the account via IAM roles
- 1.5 Ensure no owner account API key exists
- 1.6 Ensure compliance with IBM Cloud password requirements
- 1.7 Ensure multi-factor authentication (MFA) is enabled for all users in account
- 1.8 Ensure multi-factor authentication (MFA) is enabled for the account owner
- 1.9 Ensure multi-factor authentication (MFA) is enabled at the account level
- 1.10 Ensure contact email is valid
- 1.11 Ensure contact phone number is valid
- 1.12 Ensure IAM users are members of access groups and IAM policies are assigned only to access groups
- 1.13 Ensure a support access group has been created to manage incidents with IBM Support
- 1.14 Minimize the number of users with admin privileges in the account
- 1.15 Minimize the number of Service IDs with admin privileges in the account
- 1.16 Ensure IAM does not allow public access to Cloud Object Storage
- 1.17 Ensure inactive user accounts are suspended
- 1.18 Enable audit logging for IBM Cloud Identity and Access Management
- 1.19 Ensure Identity Federation is set up with a Corporate IDP
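Each control above is backed by a Steampipe SQL query that the benchmark runs for you. The following is an added illustration of how such a control is written, not the mod's own query: a Powerpipe-style query for control 1.3 (API keys rotated every 90 days) against the Steampipe IBM plugin's ibm_iam_api_key table. The column names crn, name, account_id and created_at are assumed here; confirm them with `.inspect ibm_iam_api_key` in `steampipe query` before relying on the query. What is not an assumption is the output contract: a Powerpipe control query must return the columns resource, status and reason, with status one of ok, alarm, info, skip or error.

```sql
-- Added example (not from steampipe-mod-ibm-compliance): a control query in
-- the shape Powerpipe expects for CIS 1.3, "API keys rotated every 90 days".
-- Assumed table/columns: ibm_iam_api_key(crn, name, account_id, created_at).
--
-- Age is measured from created_at deliberately: IBM IAM lets you edit an API
-- key's name/description, which touches the modification timestamp without
-- rotating the secret, so modified_at would hide stale keys.
select
  crn as resource,
  case
    when created_at < now() - interval '90 days' then 'alarm'
    else 'ok'
  end as status,
  name || ' created '
    || extract(day from now() - created_at)::int
    || ' days ago.' as reason,
  account_id
from
  ibm_iam_api_key
order by
  created_at;
```

Paste the query into `steampipe query` to see which keys would alarm; in the mod itself the same result comes from running the control directly, e.g. `powerpipe control run ibm_compliance.control.cis_v100_1_3` (the control name is assumed to follow the benchmark's `cis_v100_1` naming).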