Managing compliance information for your deployable architecture
By using the ibm_catalog.json manifest file, you can include claims that your deployable architecture meets specific compliance requirements. After you onboard and publish your deployable architecture to the catalog, users can view which controls or Security and Compliance Center predefined profiles your product adheres to. You verify the compliance information before you onboard your deployable architecture.
Here's an example from the VSI on VPC landing zone's catalog page where the Standard variation meets the IBM Cloud Framework for Financial Services v1.6.0 profile:
The process to make a compliance claim for your deployable architecture includes steps that must be completed before and during the onboarding process to a catalog:
- Choose a Security and Compliance Center profile and set up an attachment to scan your resources
- Add compliance information to your ibm_catalog.json manifest file
- Add your scan results to your deployable architecture when you onboard
Choosing a profile and scanning your resources
Before you onboard your deployable architecture to a catalog, verify compliance with a profile in Security and Compliance Center. To claim compliance, you scan the resources that the deployable architecture creates.
1. Create all of the resources in your account that your deployable architecture creates. Organize the resources in a single resource group to make it easier to run a Security and Compliance Center scan against only those resources in your account.
2. In the IBM Cloud console, click the Menu icon > Security and Compliance > Profiles.
3. Select the profile name that represents the controls that are most relevant to your solution. For example, the IBM Cloud Framework for Financial Services profile is a set of controls that are built specifically for and with the financial services industry. For a list of profiles, see Available predefined profiles.
4. Select the profile from the list, and copy the profile name that displays at the beginning of the page and the version number. Save this information locally because you need these values for updating the ibm_catalog.json manifest file.
5. Click Attachments > Create.
6. Enter a name for the attachment, and click Next.
7. Verify that the profile is the one that you want to use, and click Next.
8. Select the scope. If you organized all resources into a single resource group, set the scope to that resource group.
9. Select Every 30 days as the Schedule frequency, and click Next. A scan starts when you finish creating the attachment. To keep you from being charged for scans later, return to this setting and change it to None after you're finished onboarding your deployable architecture.
10. Review your attachment details, and click Save. You see a status bar that indicates that a scan is in progress. If you need to start a one-off scan, use the Overflow menu to select Start scan.
When the scan is complete, you can use the Overflow menu to select View scan results to ensure that the scan on your deployable architecture resources passed the compliance checks as expected. For more information, see Scanning your resources and Viewing results.
Updating the compliance information in the manifest
After you identify the Security and Compliance Center profile name and version from the previous steps, you must add that information to the ibm_catalog.json catalog manifest file in your source repo.
1. If one does not exist, create a catalog manifest file at the root of your repo. For an example catalog manifest file, see the terraform-ibm-landing-zone repo.
2. Open the `ibm_catalog.json` file.
3. Find or add the `flavors.compliance` field for the variation (flavor) that you want to update.
4. Set `authority` to `scc-v3`.
5. Find or add a `profiles[]` array:
   - Set `profile_name` to the profile display name you saved in the previous steps.
   - Set `profile_version` to the version you noted in the previous steps.

   For example:

   ```json
   "authority": "scc-v3",
   "profiles": [
     {
       "profile_name": "IBM Cloud for Financial Services",
       "profile_version": "1.3.0"
     }
   ]
   ```
6. Save the file.
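The page says to verify the compliance information before you onboard, but the manifest is edited by hand, so a typo in `authority` or a version that does not match the scanned profile is easy to ship. The following Python script is an added example, not code from the page or from IBM: it embeds a constructed `ibm_catalog.json` (the `products`, `flavors`, `name` and `label` keys around the compliance block are assumptions; `flavors.compliance`, `authority`, `profiles[]`, `profile_name` and `profile_version` are the fields the page names), checks every flavor's claim for the expected shape, and cross-checks each claim against the profile name and version you copied from the Security and Compliance Center attachment.

```python
import json
import re

# Constructed sample manifest for the example (not from the page). The second
# flavor deliberately carries two defects: a wrong authority and a version that
# is not MAJOR.MINOR.PATCH.
SAMPLE_MANIFEST = """
{
  "products": [
    {
      "name": "deploy-arch-example",
      "label": "Example landing zone",
      "flavors": [
        {
          "name": "standard",
          "label": "Standard",
          "compliance": {
            "authority": "scc-v3",
            "profiles": [
              { "profile_name": "IBM Cloud for Financial Services", "profile_version": "1.3.0" }
            ]
          }
        },
        {
          "name": "quickstart",
          "label": "QuickStart",
          "compliance": {
            "authority": "scc",
            "profiles": [
              { "profile_name": "IBM Cloud for Financial Services", "profile_version": "v1.3" }
            ]
          }
        }
      ]
    }
  ]
}
"""

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")


def check_compliance(manifest: dict) -> list:
    """Return a list of problems found in the compliance claims of every flavor.
    An empty list means every claim has the shape the catalog expects."""
    problems = []
    for product in manifest.get("products", []):
        for flavor in product.get("flavors", []):
            where = f"{product.get('name', '?')}/{flavor.get('name', '?')}"
            compliance = flavor.get("compliance")
            if compliance is None:
                # A flavor without a compliance block makes no claim; that is allowed.
                continue
            authority = compliance.get("authority")
            if authority != "scc-v3":
                problems.append(f"{where}: authority must be 'scc-v3', got {authority!r}")
            profiles = compliance.get("profiles")
            if not isinstance(profiles, list) or not profiles:
                problems.append(f"{where}: profiles[] must be a non-empty array")
                continue
            for i, prof in enumerate(profiles):
                name = prof.get("profile_name")
                version = prof.get("profile_version")
                if not name or not isinstance(name, str):
                    problems.append(f"{where}: profiles[{i}] is missing profile_name")
                if not isinstance(version, str) or not SEMVER.match(version):
                    problems.append(
                        f"{where}: profiles[{i}] profile_version {version!r} is not MAJOR.MINOR.PATCH"
                    )
    return problems


def unscanned_claims(manifest: dict, scanned: set) -> list:
    """Return (flavor, profile_name, profile_version) claims that do not match any
    (profile_name, profile_version) pair that was actually scanned by an attachment."""
    missing = []
    for product in manifest.get("products", []):
        for flavor in product.get("flavors", []):
            for prof in flavor.get("compliance", {}).get("profiles", []):
                pair = (prof.get("profile_name"), prof.get("profile_version"))
                if pair not in scanned:
                    missing.append((flavor.get("name", "?"),) + pair)
    return missing


def check_manifest_text(text: str) -> list:
    """Parse a manifest from text and return its shape problems."""
    return check_compliance(json.loads(text))


if __name__ == "__main__":
    manifest = json.loads(SAMPLE_MANIFEST)
    for p in check_compliance(manifest):
        print("shape:", p)
    # Constructed: the profile name and version copied from the attachment you created.
    scanned = {("IBM Cloud for Financial Services", "1.3.0")}
    for flavor, name, version in unscanned_claims(manifest, scanned):
        print(f"unscanned: {flavor} claims {name} {version}")
```

Run it against your real manifest by replacing `SAMPLE_MANIFEST` with the file contents and `scanned` with the name and version from your attachment; a clean run prints nothing, and anything printed is a claim that should be fixed before you add the scan during onboarding.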
Adding a Security and Compliance Center scan during onboarding
When you onboard your deployable architecture in the console, you add your scan results so that users can see the compliance claims when they evaluate your product in the catalog.
- On the Manage compliance page, click Add scan.
- Select the Security and Compliance Center instance that you used to complete your scan in the previous steps.
- Select the profile.
- Select your scan.
- Click Apply scan.
Now that your scan results are added, you can complete onboarding and choose to share the deployable architecture to other accounts or enterprises, or publish to the IBM Cloud catalog.
Cleaning up your resources
To add compliance claims to your deployable architecture, you had to create the resources in your account and a Security and Compliance Center instance. To reduce future costs, you can delete all of the resources that you created during this process that you no longer need. You can keep your Security and Compliance Center instance, but set your attachment scan schedule to None until you're ready to rerun a scan.