Control: 4.3 Ensure network access to IBM Cloud Databases service is set to be exposed on “Private end points only
Description
All Cloud Databases deployments offer integration with IBM Cloud Service Endpoints. It gives you the ability to enable connections to your deployments from the public internet and over the IBM Cloud Private network.
Service Endpoints are available in all IBM Cloud Multi-Zone Regions and some Single-Zone Regions. If your deployments are in Osl01, you aren't able to use private endpoints. Deployments in all other regions are able to use Service Endpoints.
Public endpoints provide a connection to your deployment on the public network. At provision time, a public endpoint is the default option for all deployments. Your environment needs to have internet access to connect to a deployment.
A deployment with a service endpoint on the private network gets an endpoint that is not accessible from the public internet. All traffic is routed to hardware dedicated to Cloud Databases deployments and remains on the IBM Cloud Private network. All traffic to and from this endpoint is free and unmetered as long as the traffic remains in IBM Cloud. Once your environment has access to the IBM Cloud Private network, an internet connection is not required to connect to your deployment.
Remediation
From the Console:
- Log on to your IBM Cloud account
- Go to the Menu icon > Resource List to access your list of account resources
- Click the Database service you are interested in to open the service dashboard. 130 | P a g e
- Ensure you are on the Manage page in the left pane.
- Click the Settings tab in the middle of the page and scroll down to Service endpoints
- Select Private endpoint toggle to be turned on and Public endpoint to be turned off.
- Click Update Endpoints.
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_4_3
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run ibm_compliance.control.cis_v100_4_3 --share
SQL
This control uses a named query:
manual_control