Auditing events for IAM
As a security officer, auditor, or manager, you can use the IBM Cloud Activity Tracker service to track how users and applications interact with the IBM Cloud® Identity and Access Management (IAM) service in IBM Cloud.
As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.
IAM enables you to securely authenticate users for both platform services and control access to resources consistently across IBM Cloud. Learn more.
The IBM Cloud Activity Tracker service records user-initiated activities that change the state of a service in IBM Cloud. To get started monitoring your user's actions, see IBM Cloud Activity Tracker. An initiator can be a user, a service, or an application.
Access groups events
Account events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-groups.account-settings.read |
An event is generated when an initiator views the account settings for the access groups service. |
iam-groups.account-settings.update |
An event is generated when an initiator updates their account settings for the access groups service. |
Access groups events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-groups.group.create |
An event is generated when an initiator creates an access group. |
iam-groups.group.read |
An event is generated when an initiator views an access group. |
iam-groups.group.update |
An event is generated when an initiator updates a group name or a description. |
iam-groups.group.delete |
An event is generated when an initiator deletes an access group. |
iam-groups.groups.list |
An event is generated when an initiator views the access groups. |
Members events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-groups.federated-member.add |
An event is generated when an initiator logs in to the account and gains federated membership to an access group. |
iam-groups.member.add |
An event is generated when an initiator adds a member to an access group. |
iam-groups.member.delete |
An event is generated when an initiator removes a member from an access group. |
iam-groups.member.read |
An event is generated when an initiator views a member's membership. |
iam-groups.members.list |
An event is generated when an initiator views the members for an access group. |
Rules events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-groups.rule.read |
An event is generated when an initiator views a rule in an access group. |
iam-groups.rule.create |
An event is generated when an initiator adds a rule to an access group. |
iam-groups.rule.update |
An event is generated when an initiator modifies the rule name. |
iam-groups.rule.delete |
An event is generated when an initiator deletes a rule from an access group. |
iam-groups.rules.list |
An event is generated when an initiator views the rules for an access group. |
Trusted profiles events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-identity.account-profile.create |
An event is generated when an initiator creates a trusted profile. |
iam-identity.account-profile.update |
An event is generated when an initiator updates a trusted profile. |
iam-identity.account-profile.delete |
An event is generated when an initiator deletes a trusted profile. |
Policy events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-am.policy.create |
An event is generated when an initiator adds a policy to a user or access group. |
iam-am.policy.update |
An event is generated when an initiator modifies permissions to a policy of a user or access group. |
iam-am.policy.delete |
An event is generated when an initiator deletes a policy that is assigned to a user or access group. |
Service ID events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-identity.account-serviceid.create |
An event is generated when an initiator creates a service ID. |
iam-identity.account-serviceid.update |
An event is generated when an initiator renames a service ID or modifies its description. |
iam-identity.account-serviceid.delete |
An event is generated when an initiator deletes a service ID. |
API key events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-identity.user-apikey.create |
An event is generated when an initiator creates an API key. |
iam-identity.user-apikey.update |
An event is generated when an initiator renames an API key or modifies its description. |
iam-identity.user-apikey.delete |
An event is generated when an initiator deletes an API key. |
iam-identity.serviceid-apikey.create |
An event is generated when an initiator creates an API key for a service ID. |
iam-identity.serviceid-apikey.delete |
An event is generated when an initiator deletes an API key for a service ID. |
iam-identity.serviceid-apikey.update |
An event is generated when an initiator renames an API key for a service ID or modifies its description. |
Login and logout events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-identity.user-apikey.login |
An event is generated when a user logs in to the IBM Cloud by using an API key. |
iam-identity.serviceid-apikey.login |
An event is generated when an initiator logs in to the IBM Cloud by using an API key that is associated with a service ID. |
iam-identity.user-identitycookie.login |
This is an event that is generated when an initiator requests an identity cookie to run an action. |
iam-identity.user-refreshtoken.login |
This is an event that is generated when the initiator logs in to IBM Cloud, or when an initiator that is already logged in requests a new refresh token to run an action. |
iam-identity.user-passcode.login iam-identity.trustedprofile-apikey.login |
This is an event that is generated when the initiator logs in to IBM Cloud by applying a trusted profile, or when an initiator that is already logged in by applying a trusted profile requests a new refresh token to run an action. |
iam-identity.user.logout |
This is an event that is generated when the initiator logs out of the IBM Cloud. |
Enterprise IAM events
Policy tempalte events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-access-management.policy-template.create |
An event is generated when a user creates an enterprise-managed IAM policy template. |
iam-access-management.policy-template.update |
An event is generated when a user updates an enterprise-managed IAM policy template. |
iam-access-management.policy-template.delete |
An event is generated when a user deletes an enterprise-managed IAM policy template. |
iam-access-management.policy-template.read |
An event is generated when a user reads an enterprise-managed IAM policy template. |
iam-access-management.policy-assignment.create |
An event is generated when a user assigns an enterprise-managed IAM policy template to child accounts. |
iam-access-management.policy-assignment.update |
An event is generated when a user updates an enterprise-managed IAM policy template assignment. |
iam-access-management.policy-assignment.delete |
An event is generated when a user deletes an enterprise-managed IAM policy template assignment. |
iam-access-management.policy-assignment.read |
An event is generated when a user reads an enterprise-managed IAM policy template assignment. |
Access group tempalte events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-groups.groups-template.create |
An event is generated when a user creates an enterprise-managed IAM access group template. |
iam-groups.groups-template.delete |
An event is generated when a user deletes an enterprise-managed IAM access group template. |
iam-groups.groups-template.update |
An event is generated when a user updates an enterprise-managed IAM access group template. |
iam-groups.groups-template.read |
An event is generated when a user reads an enterprise-managed IAM access group template. |
iam-groups.groups-template.assign |
An event is generated when a user assigns an enterprise-managed IAM access group template to child accounts. |
iam-groups.groups-template.remove |
An event is generated when a user removes an enterprise-managed IAM access group template assignment. |
iam-groups.groups-template.assignment-read |
An event is generated when a user reads an enterprise-managed IAM access group template assignment. |
iam-groups.groups-template.assignment-update |
An event is generated when a user updates an enterprise-managed IAM access group template assignment. |
Trusted profile tempalte events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-identity.profile-template.create |
An event is generated when a user creates an enterprise-managed IAM trusted profile template. |
iam-identity.profile-template.delete |
An event is generated when a user deletes an enterprise-managed IAM trusted profile template. |
iam-identity.profile-template.update |
An event is generated when a user updates an enterprise-managed IAM trusted profile template. |
iam-identity.profile-template.read |
An event is generated when a user reads an enterprise-managed IAM trusted profile template. |
iam-identity.profile-template.assign |
An event is generated when a user assigns an enterprise-managed IAM trusted profile template to child accounts. |
iam-identity.profile-template.remove |
An event is generated when a user removes an enterprise-managed IAM trusted profile template assignment. |
iam-identity.profile-template.assignment-read |
An event is generated when a user reads an enterprise-managed IAM trusted profile template assignment. |
iam-identity.profile-template.assignment-update |
An event is generated when a user updates an enterprise-managed IAM trusted profile template assignment. |
Settings tempalte events
The following table lists the actions that generate an event:
Action | Description |
---|---|
iam-identity.account-settings-template.create |
An event is generated when a user creates an enterprise-managed IAM settings template. |
iam-identity.account-settings-template.delete |
An event is generated when a user deletes an enterprise-managed IAM settings template. |
iam-identity.account-settings-template.update |
An event is generated when a user updates an enterprise-managed IAM settings template. |
iam-identity.account-settings-template.read |
An event is generated when a user reads an enterprise-managed IAM settings template. |
iam-identity.account-settings-template.assign |
An event is generated when a user assigns an enterprise-managed IAM settings template to child accounts. |
iam-identity.account-settings-template.remove |
An event is generated when a user removes an enterprise-managed IAM settings template assignment. |
iam-identity.account-settings-template.assignment-read |
An event is generated when a user reads an enterprise-managed IAM settings template assignment. |
iam-identity.account-settings-template.assignment-update |
An event is generated when a user updates an enterprise-managed IAM settings template assignment. |
Viewing events
Events are available in the Frankfurt (eu-de) region.
To view these events, you must provision an instance of the IBM Cloud Activity Tracker service in the Frankfurt (eu-de) region. Then, you must open the IBM Cloud Activity Tracker UI.
Analyzing events
Login events
In the IBM Cloud, an administrator, or a user that has the correct access in your account, has different options to manage a user's login settings. For example, an administrator can order external authentication options, enable a one-time passcode to be used during login, enable the use of security questions at login, or set a password expiration time period. For more information, see Types of multifactor authentication.
- A user can log in by using a user ID and password.
- A federated user that uses a corporate or enterprise single sign-on ID can log in to IBM Cloud from the command-line interface (CLI) by using either a one-time passcode or an API key. For more information, see Logging in with a federated ID.
- A user can log in by using an API key.
- A federated user that uses a corporate or enterprise single sign-on ID can log in to IBM Cloud by applying a trusted profile.
The following fields include extra information:
- The
initiator.name
includes information about the user that logs in to the account. - The
X-Global-Transaction-Id
includes an ID that you can use when you open a support ticket if you need to get more information.
Log in from the IBM Cloud UI
When a user logs in from the IBM Cloud UI, you get an event in the account with action iam-identity.user-refreshtoken.login
.
The following field includes extra information:
- In requestData, the
client_id
field is set to HOP55v1CCT. This value indicates a UI request.
Log in with a federated ID from the IBM Cloud CLI by using a one-time passcode or an API key
When a user logs in from the IBM Cloud CLI by using a one-time passcode, you get an event in the account with action iam-identity.user-refreshtoken.login
.
When a user logs in from the IBM Cloud CLI by using an API key, you get an event in the account with action iam-identity.user-apikey.login
.
The following field includes extra information:
- In requestData, the
client_id
field is set to bx. This value indicates a CLI request.
Log in with a federated ID by using trusted profiles
When a user logs in with a federated ID by using trusted profiles, you get an event in the account with action iam-identity.trustedprofile-apikey.login
.
Failed log in actions
When a user logs in to the IBM Cloud, the user ID (IBMid) and credentiasls are validated first. At this point, the user has not selected an account. Notice that a user can belong to multiple accounts.
After the user ID is authenticated successfully in the IBM Cloud, the user can choose an account. It is at this point in the process that an account is associated to the log in request, and an event with action iam-identity.user-refreshtoken.login
,
or iam-identity.user-apikey.login
is generated in your account.
In Activity Tracker, you can see events that are associated to your account. Failed log in actions do not generate an event that you can monitor in your account.
Logout events
When a user logs out of the IBM Cloud, the iam-identity.user.logout
event is generated.
Update an account service ID
A service ID identifies a service or application similar to how a user ID identifies a user. Learn more.
When an action to update a service ID is requested, you get an event in the account with action iam-identity.account-serviceid.update
.
The following fields include extra information:
- The
initiator.name
field includes information about who has requested to update the service ID. - The
target.name
field includes information about the service ID that is changed. - The
initiator.host.agent
field indicates if the request comes from the UI or the CLI. When the field is set to Not Set, the request originates in the UI. When the field is set to IBM Cloud CLI, the request originates at the command line.
Lock and unlock a service ID
The following field includes extra information:
- In requestData, the
lock
field is set to true when the service ID is locked, and to false when it is unlocked.
Add or modify a description
When a request to change a description generates an event, the following fields include information that can help you determine this action:
- In requestData, the
lock
field is set to false. - In requestData, the
prev_instance_name
field and theinstance_name
field are set to the same value.
Change the name of a service ID
The following fields include extra information:
- In requestData, the
lock
field is set to false. - In requestData, the
instance_name
field includes the new name of the API key. - In requestData, the
prev_instance_name
field includes the name of the API key before it was changed.
Limits events
There are limitations on the number of service IDs, API keys, trusted profiles, and policies allowed in an account. An event is generated when your account reaches 90% of the of the limit for service IDs, API keys, trusted profiles, and policies.
The following is an example message when an account is approaching the maximum number of service IDs:
Warning: You have reached 90% of the maximum number of allowed Service IDs in account 10t2tyv8d1f88940dfc56af370b1f109. Your current count is 1800 and the limit is 2000. Reduce the number of Service IDs before you hit the limit to ensure that you are not blocked from creating new Service IDs.
Apply the following search query to view all limits events:
the maximum number of allowed
Start by removing inactive identities if they are no longer needed. For more information, see Identifying inactive identities.
Update a user API key or a service ID API key
When an action to update an API key is requested, you get an event in the account with one of the following actions:
- To update a user API key, the action is
iam-identity.user-apikey.update
. - To update a service ID API key, the action is
iam-identity.account-serviceid.update
.
The following fields include extra information:
- The
initiator.name
field includes information about who has requested to update the API key. - The
target.name
field includes information about the API key that is changed. - The
initiator.host.agent
field indicates if the request comes from the UI or the CLI. When the field is set to Not Set, the request originates in the UI. When the field is set to IBM Cloud CLI, the request originates at the command line.
Lock and unlock a service ID
The following field includes extra information:
- In requestData, the
lock
field is set to true when the API key is locked, and to false when it is unlocked.
Add or modify a description
When a request to change a description generates an event, the following fields include information that can help you determine this action:
- In requestData, the
lock
field is set to false. - In requestData, the
prev_instance_name
field and theinstance_name
field are set to the same value.
Change the name of a service ID
The following fields include extra information:
- In requestData, the
lock
field is set to false. - In requestData, the
instance_name
field includes the new name of the API key. - In requestData, the
prev_instance_name
field includes the name of the API key before it was changed.
Analyzing events that fail
Resource is locked. Request to update Service ID or API key fails
When a service ID or an API key are locked, you cannot change any of its attributes. The event that is generated has an outcome
of failure.
Depending on the resource type, you can get any of the following messages:
- Service ID: The message that you get says IAM Identity Service: update account-serviceid ServiceIDName -failure where ServiceIDName is the name of the service ID.
- User API key: The message that you get says IAM Identity Service: update user-apikey APIkeyName -failure where APIkeyName is the name of the API key.
- Account API key: The message that you get says IAM Identity Service: update account-apikey APIkeyName -failure where APIkeyName is the name of the API key.
In the event, the lock
field in requestData is set to true. This is the reason why this action fails. To successfully change an attribute of a service ID, the lock
field must be set to false.
Notice that the field severity
is set to critical. Someone is trying to modify a service ID that is locked in the account.