Control: 1.4 Restrict user API key creation and service ID creation in the account via IAM roles
Use IAM settings to restrict user API key creation and service ID (and related API key) creation in the account. Enable both settings to restrict all users in the account from creating user API keys and service IDs except those with an IAM policy that explicitly allows it.
From Console
- Log in to IBM Cloud.
- Click Manage -> Access (IAM).
- Click Settings.
- In the Account section of the Settings page, ensure that Restrict API key creation and Restrict service ID creation are enabled.
- Once enabled, only users with the correct IAM policies will be able to create user API keys and service IDs.
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_1_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_1_4 --share
This control uses a named query:
select
  account_id as resource,
  case
    when restrict_create_service_id = 'RESTRICTED'
      and restrict_create_platform_api_key = 'RESTRICTED' then 'ok'
    else 'alarm'
  end as status,
  case
    when restrict_create_service_id <> 'RESTRICTED'
      and restrict_create_platform_api_key <> 'RESTRICTED'
      then 'Both API key and service ID creation are not restricted.'
    when restrict_create_service_id <> 'RESTRICTED'
      and restrict_create_platform_api_key = 'RESTRICTED'
      then 'API key creation restricted, but service ID creation not restricted.'
    when restrict_create_service_id = 'RESTRICTED'
      and restrict_create_platform_api_key <> 'RESTRICTED'
      then 'Service ID creation restricted, but API key creation not restricted.'
    else 'Both API key and service ID creation are restricted.'
  end as reason,
  account_id
from
  ibm_iam_account_settings;
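To see how the control's case logic classifies each possible combination of the two settings before running it against a live account, the same status and reason expressions can be evaluated over constructed rows in any PostgreSQL session. This is an added example, not part of the mod; the CTE stands in for the ibm_iam_account_settings table, and the account IDs and the setting value 'NOT_SET' (assumed here to be the unset default alongside 'RESTRICTED' and 'NOT_RESTRICTED') are constructed sample values.

```sql
-- Constructed stand-in for ibm_iam_account_settings (example only, not the plugin's table).
-- 'NOT_SET' is assumed to be the unset default; any value other than 'RESTRICTED'
-- is treated as not restricted, which is exactly why the control compares with <> 'RESTRICTED'.
with ibm_iam_account_settings(account_id, restrict_create_service_id, restrict_create_platform_api_key) as (
  values
    ('acct-constructed-1', 'RESTRICTED',     'RESTRICTED'),      -- compliant
    ('acct-constructed-2', 'NOT_RESTRICTED', 'RESTRICTED'),      -- service ID creation open
    ('acct-constructed-3', 'RESTRICTED',     'NOT_RESTRICTED'),  -- API key creation open
    ('acct-constructed-4', 'NOT_SET',        'NOT_SET')          -- never configured: both open
)
select
  account_id as resource,
  case
    when restrict_create_service_id = 'RESTRICTED'
      and restrict_create_platform_api_key = 'RESTRICTED' then 'ok'
    else 'alarm'
  end as status,
  case
    when restrict_create_service_id <> 'RESTRICTED'
      and restrict_create_platform_api_key <> 'RESTRICTED'
      then 'Both API key and service ID creation are not restricted.'
    when restrict_create_service_id <> 'RESTRICTED'
      and restrict_create_platform_api_key = 'RESTRICTED'
      then 'API key creation restricted, but service ID creation not restricted.'
    when restrict_create_service_id = 'RESTRICTED'
      and restrict_create_platform_api_key <> 'RESTRICTED'
      then 'Service ID creation restricted, but API key creation not restricted.'
    else 'Both API key and service ID creation are restricted.'
  end as reason
from
  ibm_iam_account_settings
order by
  account_id;
```

Only the first row comes back as ok; the fourth row shows that an account that has never had either setting touched is reported as an alarm, not as a gap.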