Query: manual_control
Usage
powerpipe query ibm_compliance.query.manual_control
Steampipe Tables
- ibm_account
SQL
select
  guid as resource,
  'info' as status,
  'Manual verification required.' as reason,
  guid
from
  ibm_account;
Controls
The query is being used by the following controls. Because it returns the status 'info' for every row of ibm_account rather than 'ok' or 'alarm', a clean Powerpipe run says nothing about whether these requirements are actually met; each of them has to be verified out of band:
- 1.1 Monitor account owner for frequent, unexpected, or unauthorized logins
- 1.14 Minimize the number of users with admin privileges in the account
- 1.15 Minimize the number of Service IDs with admin privileges in the account
- 1.17 Ensure Inactive User Accounts are Suspended
- 1.18 Enable audit logging for IBM Cloud Identity and Access Management
- 1.19 Ensure Identity Federation is set up with a Corporate IDP
- 1.2 Ensure API keys unused for 180 days are detected and optionally disabled
- 1.6 Ensure compliance with IBM Cloud password requirements
- 2.1.2 Ensure network access for Cloud Object Storage is restricted to specific IP range
- 2.1.3 Ensure network access for Cloud Object Storage is set to be exposed only on Private end-points
- 2.1.4 Ensure Cloud Object Storage bucket access is restricted by using IAM and S3 access control
- 2.2.1.1 Ensure Block Storage is encrypted with customer managed keys
- 2.2.1.2 Ensure Block Storage is encrypted with BYOK
- 2.2.1.3 Ensure Block Storage is encrypted with KYOK
- 2.2.2 Ensure 'OS disk' are encrypted with Customer managed keys
- 2.2.3 Ensure 'Data disks' are encrypted with customer managed keys
- 2.2.4 Ensure 'Unattached disks' are encrypted with customer managed keys
- 3.1 Ensure auditing is configured in the IBM Cloud account
- 3.2 Ensure that archiving is enabled for audit events
- 3.3 Ensure that events are collected and processed to identify anomalies or abnormal events
- 3.4 Ensure alerts are defined on custom views to notify of unauthorized requests, critical account actions, and high-impact operations in your account
- 3.5 Ensure the account owner can login only from a list of authorized countries/IP ranges
- 3.6 Ensure Activity Tracker data is encrypted at rest
- 3.7 Ensure Activity Tracker trails are integrated with LogDNA Logs
- 4.1 Ensure IBM Cloud Databases disk encryption is enabled with customer managed keys
- 4.2 Ensure IBM Cloud Databases are only accessible via HTTPS or TLS Connections
- 4.3 Ensure network access to IBM Cloud Databases service is set to be exposed on Private end points only
- 4.4 Ensure IBM Cloud Databases disk encryption is set to On
- 5.1 Ensure Cloudant encryption is set to On
- 5.2 Ensure IBM Cloudant encryption is enabled with customer managed keys
- 5.3 Ensure IBM Cloudant is only accessible via HTTPS or TLS Connections
- 6.2.2 Ensure the default security group of every VPC restricts all traffic
- 7.1.1.1 Ensure Kubernetes secrets data is encrypted with bring your own key (BYOK)
- 7.1.1.2 Ensure Kubernetes secrets data is encrypted with keep your own key (KYOK)
- 7.1.2 Ensure TLS 1.2 for all inbound traffic at IBM Cloud Kubernetes Service Ingress
- 7.1.3 Ensure IBM Cloud Kubernetes Service worker nodes are updated to the latest image to ensure patching of vulnerabilities
- 7.1.4 Ensure that clusters are accessible only by using private endpoints
- 7.1.5 Ensure IBM Cloud Kubernetes Service cluster has image pull secrets enabled
- 7.1.6 Ensure IBM Cloud Kubernetes Service clusters have the monitoring service enabled
- 7.1.7 Ensure IBM Cloud Kubernetes Service clusters have the logging service enabled
- 7.2.1 Block deployments of vulnerable images to Kubernetes clusters
- 8.1.1 Ensure IBM Key Protect has automated rotation for customer managed keys enabled
- 8.1.2 Ensure the IBM Key Protect service has high availability
- 9.1 Ensure alerts are enabled for vulnerabilities discovered in container images in Container Registry