Understanding security with Schematics
Use the powerful tools of IBM Cloud® Schematics to build and spin up your IBM Cloud environment, automate cloud resource operations, install software, and run multitiered apps on your cloud resources. IBM Cloud Schematics also ensures that your data stays secure and protected.
Schematics is integrated with the Security and Compliance Center to help you manage security and compliance for your organization.
With the Security and Compliance Center, you can:
- Monitor for controls and goals that pertain to IBM Cloud Schematics.
- Define rules for IBM Cloud Schematics that can help to standardize resource configuration.
Secure access control
The following table lists the built-in security features that Schematics provides for controlling access to your data.
Feature | Description |
---|---|
Authentication | Schematics is accessed by using the API endpoint. The user gets authenticated for every request that it receives. Schematics supports IAM access controls. For more information, see Authentication. |
Authorization | Use IAM roles to control access to Schematics. For more information, see the Managing user access. |
At-rest encryption | All data that is stored in a Schematics instance is encrypted by using envelope encryption with AES GCM 256. By default, Schematics manages the encryption keys in its own Key Protect instances for all environments. If you require bring-your-own-key (BYOK) encryption for encryption at rest, BYOK is enabled by using your encryption key that is stored in an IBM Cloud Key Protect instance in your account. For more information, see KMS integration for BYOK or KYOK. |
In-flight encryption | All access to Schematics is encrypted by using HTTPS. |
Public Endpoints | All Schematics instances are provided with external endpoints that are publicly accessible. |
Private Endpoints | Allow clients to connect to a Schematics instance through the internal IBM Cloud network, which keeps upstream application traffic off the public network and avoids bandwidth charges. For more information, see Service Endpoint, and also see enabling Service Endpoints for your IBM Cloud account. |
IP allowlists | You can allow the Schematics IP addresses in your firewall. For more information, see Opening wanted IP addresses for IBM Cloud® Schematics in your firewall. |