turbot/steampipe-mod-ibm-compliance

Control: 1.16 Ensure IAM does not allow public access to Cloud Object Storage

Description

IBM Cloud allows users with specific access roles to create access policies that grant all users (authenticated and non-authenticated) access to resources in the account. This “all users” access results in public, including non-authenticated, access to those resources. Determine whether your organization requires this capability and disable it if it is not required.

Remediation

From Console

To disable the Public Access Group:

  1. Log in to IBM Cloud.
  2. From the Menu bar, click Manage > Access (IAM).
  3. Click Settings > Public Access.
  4. Disable Public Access to disable the Public Access Group.

To keep the Public Access Group enabled and verify that no access policies for COS exist:

  1. Log in to IBM Cloud.
  2. From the Menu bar, click Manage > Access (IAM).
  3. Click Settings.
  4. In the public access section of IAM Settings, observe the Public access group setting.
  5. If the Public access group setting is disabled, IAM is not providing public access to COS.
  6. If the Public access group setting is enabled, proceed to the Access groups page by clicking Access Groups.
  7. From the list of Access Groups, select Public Access by clicking on the Access Group name.
  8. Ensure that there are no access policies present for COS in the list of access policies.
  9. To delete an access policy, click on the action menu icon for the access policy and click Remove.

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_1_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_1_16 --share

SQL

This control uses a named query:

with account_public_access as (
  select
    name,
    id,
    account_id,
    count(*) as public_access_grp_no
  from
    ibm_iam_access_group
  where
    name = 'Public Access'
  group by
    name,
    id,
    account_id
)
select
  id as resource,
  case
    when name is null then 'ok'
    else 'alarm'
  end as status,
  case
    when name is null then 'No public access group configured in account.'
    else name || ' group configured in account.'
  end as reason,
  account_id
from
  account_public_access;
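The named query above filters its CTE on name = 'Public Access', so the 'ok' branch can never fire: when no such group exists the CTE is empty and the control returns no rows for that account. The query below is an added example, not the mod's own query, that reports 'ok' explicitly for accounts without a Public Access group. It uses only the ibm_iam_access_group columns shown on this page (id, name, account_id) and assumes the table lists at least one access group per account, so that its distinct account_id values enumerate the accounts in scope. Note that neither query inspects the policies attached to the group; the console steps 7 to 9 above remain the check for COS policies.

```sql
-- Added example (not part of the steampipe-mod-ibm-compliance query).
-- Assumption: every account in scope has at least one row in
-- ibm_iam_access_group, so distinct account_id enumerates the accounts.
with accounts as (
  select distinct
    account_id
  from
    ibm_iam_access_group
),
public_access_grp as (
  select
    id,
    name,
    account_id
  from
    ibm_iam_access_group
  where
    name = 'Public Access'
)
select
  -- Fall back to the account id as the resource when no group exists,
  -- so the account still produces a row.
  coalesce(p.id, a.account_id) as resource,
  case
    when p.id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.id is null then 'No public access group configured in account.'
    else p.name || ' group configured in account.'
  end as reason,
  a.account_id
from
  accounts a
  left join public_access_grp p on p.account_id = a.account_id;
```

The left join keeps one row per account regardless of whether the Public Access group exists, which is what lets a control report 'ok' rather than silently returning nothing.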

Tags