Targeting resources to evaluate
To run an evaluation by using IBM Cloud® Security and Compliance Center, you must target the specific resources that you want to scan by creating a scope. To learn more about subscopes and how they work, see How does Security and Compliance Center work.
Before you begin
Before you get started, be sure that you have the following prerequisites.
- The required level of access to create and manage scopes. To manage scopes, you must have the Writer service role or higher.
Creating a scope for IBM Cloud resources
You can create a scope by using the Security and Compliance Center UI.
1. In the IBM Cloud console, go to the Resource list page and select your instance of Security and Compliance Center.
2. In your instance of Security and Compliance Center, go to the Scopes page and click Create.
3. Provide a name and a description of your scope. Then, click Next.
4. Define your scope.
   a. Select IBM Cloud as your environment.
   b. Select the types of resources that you want to evaluate. Options include IBM Cloud native services, and Kubernetes clusters or VMware workloads that run on IBM Cloud.
      To evaluate Kubernetes clusters or VMware workloads that run on IBM Cloud, extra configuration is required: if you select either option, you must connect the Workload Protection or the Caveonix Cloud Platform integration.
   c. Select the resources that you want to evaluate.
   d. Exclude any resources that you don't want to evaluate from your scope, for example, any accounts that are used only for testing.
   e. Click Next.
5. Review your selections and click Create.
Next, you might want to segment your scope so that only certain members of your team are able to see the results for specific resources. Alternatively, you can start evaluating your resources by creating an attachment.
Including resources from another account
To scan resources in another IBM Cloud account, you can use the Security and Compliance Center UI to add a target account before you create your scope.
1. Create a trusted profile that provides the following access.

   Required permissions for your trusted profile
   Service                                   Roles
   All Account Management services           Viewer, Service Configuration Reader
   Kubernetes Service                        Reader, Viewer, Administrator, Service Configuration Reader
   All Identity and Access enabled services  Reader, Viewer, Service Configuration Reader

   The Kubernetes Service access policy is required to run the Red Hat OpenShift Compliance Operator (OSCO) scan when an attachment is created.
2. Add a target account.
   a. From the Security and Compliance Center navigation, click Settings.
   b. In the Targets section, click Add.
   c. Specify a unique name for your target account.
   d. Specify the ID of the account.
   e. Specify the ID of the trusted profile that you created in step 1.
   f. Click Add.
When you create a scope, the account that you added as a target is shown as an option.
Including SaaS services in your scope
Some resources require more access in order for Security and Compliance Center to view all of the configurations that are associated with them. To evaluate SaaS services, you must add the account in which they reside as a target account. Then, provide an IAM API key that has the permissions that Security and Compliance Center requires to perform the evaluation.
Currently, only Watson Machine Learning services require these steps. Additionally, the AI Security Guardrails 2.0 profile is the only profile that's configured for SaaS products.
1. If you don't already have one, create an instance of Secrets Manager.
2. In the IAM UI, make the following configurations.
   a. Go to Manage > Access (IAM) > Service IDs and create a service ID with the Viewer role on your SaaS service.
   b. From the service ID, create an API key.
   c. Go to Manage > Access (IAM) > Authorizations and create an authorization between Security and Compliance Center and Secrets Manager with the following values.
      - Source: The account ID of the account that contains the Security and Compliance Center instance that you want to use for the evaluation.
      - Service: Security and Compliance Center.
      - Resources: The API key that you created in step 2.
      - Target: Secrets Manager.
      - Resources: The instance ID.
      - Role: SecretsReader.
   d. Create a trusted profile that provides the following access.

      Required permissions for your trusted profile
      Service                                   Roles
      All Account Management services           Viewer, Service Configuration Reader
      Kubernetes Service                        Reader, Viewer, Administrator, Service Configuration Reader
      All Identity and Access enabled services  Reader, Viewer, Service Configuration Reader

3. In your instance of Secrets Manager, create an arbitrary or IAM credentials secret to store the API key that you previously created.
   If you are using an arbitrary secret, save the API key as the secret value. If you use an IAM credentials secret, use the service ID that is associated with the API key that you created.
   The secret must remain unlocked for Security and Compliance Center to be able to access and read it.
4. Create a target.
   a. From the Security and Compliance Center navigation, click Settings.
   b. In the Targets section, click Add.
   c. Specify a unique name for your target account.
   d. Specify the ID of the account.
   e. Specify the ID of the trusted profile that you created in step 2.
   f. Click Add.
5. Assign credentials for your target account.
   a. In the Settings > Targets section, expand the row of your target account.
   b. Click Assign credentials.
   c. On the Select credentials tab, make the following selections. Then, click Next.
      - Select the instance of Secrets Manager that you want to work with.
      - Select the secret group that the secret is part of.
      - Select the type of secret that you created.
      - Select your secret.
      Alternatively, you can use the Locate by CRN tab to find your secret.
   d. Select the services that you want to evaluate and click the Add icon (+) to add them. Then, click Assign.
By completing these steps, you've added the required credentials and your SaaS services will be an option when you create a scope. To start evaluating your resources, you must create an attachment after creating your scope.
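The trusted profile permissions from the "Required permissions for your trusted profile" table (used in both the cross-account procedure and the SaaS procedure above) and the Security and Compliance Center to Secrets Manager authorization, written as Terraform for the IBM Cloud provider. This is an added example, not part of the IBM documentation: the resource names, the placeholder instance ID, and the service names `compliance`, `secrets-manager` and `containers-kubernetes` are assumptions, and the trust relationship that lets Security and Compliance Center assume the profile is configured separately and is not shown.

```hcl
# Added example (not from the IBM docs). Assumed: IBM provider service
# names "compliance", "secrets-manager", "containers-kubernetes";
# replace the placeholder Secrets Manager instance ID before applying.

resource "ibm_iam_trusted_profile" "scc_target" {
  name        = "scc-target-account-scan" # assumed name
  description = "Assumed by Security and Compliance Center to evaluate this account"
}

# All Account Management services: Viewer, Service Configuration Reader
resource "ibm_iam_trusted_profile_policy" "account_management" {
  profile_id         = ibm_iam_trusted_profile.scc_target.id
  roles              = ["Viewer", "Service Configuration Reader"]
  account_management = true
}

# Kubernetes Service: Reader, Viewer, Administrator, Service Configuration Reader
# (the policy the docs require for the OpenShift Compliance Operator scan)
resource "ibm_iam_trusted_profile_policy" "kubernetes" {
  profile_id = ibm_iam_trusted_profile.scc_target.id
  roles      = ["Reader", "Viewer", "Administrator", "Service Configuration Reader"]
  resources {
    service = "containers-kubernetes" # assumed service name
  }
}

# All Identity and Access enabled services: Reader, Viewer, Service Configuration Reader
# (no resources block, so the policy covers all IAM-enabled services in the account)
resource "ibm_iam_trusted_profile_policy" "iam_services" {
  profile_id = ibm_iam_trusted_profile.scc_target.id
  roles      = ["Reader", "Viewer", "Service Configuration Reader"]
}

# SaaS procedure, step 2c: let Security and Compliance Center read the
# secret that stores the API key (SecretsReader on the Secrets Manager instance).
resource "ibm_iam_authorization_policy" "scc_reads_secrets" {
  source_service_name         = "compliance"                  # assumed
  target_service_name         = "secrets-manager"             # assumed
  target_resource_instance_id = "SECRETS-MANAGER-INSTANCE-ID" # placeholder
  roles                       = ["SecretsReader"]
}
```

Keeping the policies in code makes it easy to review that the profile grants exactly the roles the table lists and nothing broader.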
Creating a scope for resources that do not run on IBM Cloud
You can create a scope that contains resources in other environments by using the Security and Compliance Center UI.
1. In the IBM Cloud console, go to the Resource list page and select your instance of Security and Compliance Center.
2. In your instance of Security and Compliance Center, go to the Scopes page and click Create.
3. Provide a name and a description of your scope. Then, click Next.
   Be sure to be as specific as possible so that other members of your team can quickly find the scan results.
4. Define your scope.
   a. Select either Amazon Web Services or Microsoft Azure as your environment.
   b. Connect the Workload Protection integration.
   c. Select the resources that you want to evaluate by providing the Locations, Accounts, Organizations, and any Labels.
   d. Optionally, provide the information that is required to evaluate Kubernetes clusters that run on your selected environment.
5. Review your selections and click Create.
Next, create an attachment to start evaluating your resources.