IBM Cloud Docs
Managing external identity interactions

Managing external identity interactions

By default, users with an IAM access policy on resources in an account can access those resources from any account, not just the one that owns the resource. A user's API key can be used to generate a token and access resources that the user has access to outside of the account where the API key was created. User API keys contain the identity's permissions across all accounts that they are a member of. You can require users to access resources in your account only when authenticated in your account or accounts that you specify.

You can monitor how limiting access to resources in your account affects users without enforcing it by using report-only mode. This way, you can identify gaps in your access policies and make sure that users have the access they need. For the best experience, turn on report-only mode for at least 30 days before you limit access to resources in your account.

If you want to know which identities in your account access a specific resource, see Auditing access to resources.

Anticipating the name and number of users who are impacted by limiting identity interactions can be difficult. To turn on report-only mode and observe the potential impact of limiting access to resources in your account, complete the following steps:

  1. Set up IBM Cloud Activity Tracker Event Routing to view IAM audit events. For more information, see Viewing activity tracking events for IAM

  2. In the IBM Cloud console, go to Manage > Access (IAM) > Settings > Resources.

  3. Click the Edit icon Edit icon.

  4. Select Report-only.

  5. Add accounts to the allowlist (Optional).

    1. Enter the account IDs for the accounts that you want to allow.
    2. Click Add.

    If you want users to generate API keys in only your account, don't add any accounts to the allowlist. An empty allowlist restricts all users from accessing resources in your account if they are using API keys that are created in other accounts.

  6. Click Save.

  7. Next, view your IBM Cloud Activity Tracker Event Routing reports.

After you monitor the results from report-only mode for at least 30 days, update the setting to Limited.

Viewing your reports

IBM Cloud Activity Tracker Event Routing events are generated when the restriction is set to Report-only or Limited. In Report-only mode, both permitted and requests that would be denied are reported. In in Limited mode, only denied requests are reported.

To view IBM Cloud Activity Tracker Event Routing events, you must configure an IBM Cloud Logs instance as the target. For more information, see Configuring an IBM Cloud Logs instance as a target.

  1. In the IBM Cloud console, go to Manage > Access (IAM) > Settings > Resources.
  2. Click Edit > Open IBM Cloud Activity Tracker Event Routing.
  3. Click Explore Logs to compose a query.
  4. Search the logs for the event action: iam-access-management.account-settings.eval
    • The field responseData.isEnforced:"false" indicates that the restriction is in Report-only state. Further filtering by event field:
      • responseData.decision:"Permit" shows all the requests that were evaluated and passed the restriction.
      • responseData.decision:"Deny" shows all the requests which would have been blocked if the state of the restriction were changed to Limited
    • The field responseData.isEnforced:"true" indicates that the restriction is in Limited state. Any results in this state indicate blocked requests and will only contain the event field: responseData.decision:"Deny"

You can add or remove accounts from the allowlist at any time to meet your security requirements. For a list of the actions that generate an event, see Activity tracking events for IAM.