v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/ibm_compliance
Overview
1Dashboards
67Controls
20Queries
0Variables
GitHub

Control: 2.1.4 Ensure Cloud Object Storage bucket access is restricted by using IAM and S3 access control

Description

Access controls on the Cloud Object Storage buckets are governed via IBM Identity and Access Management (IAM). However, some permissions can also be granted (or restricted) via S3 access controls.

Remediation

From Console

To create a new bucket-level policy:

  1. Navigate to the Access IAM console from the Manage menu.
  2. Select Users from the left navigation menu.
  3. Select a user.
  4. Select the Access Policies tab to view the user's existing policies, assign a new policy, or edit an existing policy.
  5. Click Assign access to create a new policy.
  6. Choose Assign access to resources.
  7. First, select Cloud Object Storage from the services menu.
  8. Then, select the appropriate service instance. Enter bucket in the Resource type field and the bucket name in the Resource ID field.
  9. Select the wanted service access role. Selecting the lozenge with the number of actions show the actions available to the role.
  10. Click Assign

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_2_1_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_2_1_4 --share

SQL

This control uses a named query:

manual_control

Tags

category = Compliance
cis = true
cis_item_id = 2.1.4
cis_level = 1
cis_section_id = 2.1
cis_type = manual
cis_version = v1.0.0
plugin = ibm
service = IBM/Storage