Configuring archiving through the UI

Prerequisites on the IBM Cloud Activity Tracker service

• You must have a paid service plan for the IBM Cloud Activity Tracker service. Learn more.

• Check that your user ID has permissions to launch the web UI and configure archiving. The following table lists the minimum roles that a user must have to be able to launch the IBM Cloud Activity Tracker web UI, and configure archiving through the UI or by using the API:

For more information on how to configure policies for a user, see Granting user permissions to a user or service ID.

Step 1. Grant IAM policies to a user to work with IBM Cloud Object Storage

Note: This step must be completed by the account owner or an administrator of the IBM Cloud Object Storage service on the IBM Cloud.

As an administrator of the IBM Cloud Object Storage service, you must be able to provision instances of the service, grant other users permissions to work with these instances, and create service IDs.

There are different ways in which you can grant a user permission to become an editor of the IBM Cloud Object Storage service:

• As administrator of the service in the account, the user must have an IAM policy for the IBM Cloud Object Storage service with the platform role Administrator. You must assign this user access to an individual resource in the account.

• As administrator of the service within the context of a resource group, the user must have an IAM policy for the IBM Cloud Object Storage service with the platform role Administrator within the context of the resource group.

The following table lists the roles that a user can have to complete the actions listed for the IBM Cloud Object Storage service:

Complete the following steps to assign a user administrator role to the IBM Cloud Object Storage service within the context of a resource group:

1. Log in to your IBM Cloud account.

2. From the menu bar, click Manage > Access (IAM), and then select Users.

3. From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.

4. Select Assign access within a resource group.

5. Select a resource group.

6. If the user does not have a role already granted for the selected resource group, choose a role for the Assign access to a resource group field.

   Depending on the role that you select, the user can view the resource group on their dashboard, edit the resource group name, or manage user access to the group.

   You can select No access, if you want the user to only have access to the IBM Cloud Activity Tracker service in the resource group.

7. Select Cloud Object Storage.

8. Select the platform role Administrator.

9. Click Assign.

Step 2. Provision an instance of IBM Cloud Object Storage

Note: This step must be completed by an editor, or administrator of the IBM Cloud Object Storage service on the IBM Cloud. Complete the following steps to provision an IBM Cloud Object Storage instance:

1. From the menu bar, click Catalog. The list of the services that are available in IBM Cloud opens.

2. To filter the list of services that is displayed, select the Storage category.

3. Click the Object Storage tile.

4. Enter a name for the service instance.

5. Select a resource group.

   By default, the Default resource group is set.

6. Select a service plan.

   By default, the Lite plan is set.

7. Click Create.

Step 3. Create a bucket

Buckets are a way to organize your data in an IBM Cloud Object Storage instance.

To manage buckets, your user must be granted permissions to work with buckets on the IBM Cloud Object Storage instance. For more information about roles, see Identity and Access Management roles.

To create a bucket, your user must have manager or writer permissions for the IBM Cloud Object Storage instance.

Complete the following steps to create a bucket:

1. From the Navigation menu, select Resource List.

2. Select the IBM Cloud Object Storage instance where you plan to create the bucket.

3. Select Buckets. Then, click Create Bucket.

   If you are configuring archiving in an EU-managed location, you must configure a bucket that complies with the EU-managed and GDPR regulations.

4. Enter a bucket name for the Unique bucket name field.

   Note: All buckets in all regions across the globe share a single namespace.

   You can use as part of the bucket name your IBM Cloud Activity Tracker instance name. For example, for an instance with name logging-1, you can use accountN-logging-1 as your bucket name.

   You will need this name to configure archiving through the IBM Cloud Activity Tracker web UI.

5. Choose the type of resiliency and a location where you would like your data to be physically stored.

   Resiliency refers to the scope and scale of the geographic area across which your data is distributed.

   Cross Region resiliency will spread your data across several metropolitan areas.

   Regional resiliency will spread data across a single metropolitan area.

   A Single Data Center will only distribute data across devices within a single site.

   For more information, see Select regions and endpoints.

6. Choose the type of Storage class.

   You can create buckets with different storage classes. Choose the storage class for your bucket based on your requirements to retrieve data. For more information, see Use storage classes.

   Note: It is not possible to change the storage class of a bucket once the bucket is created. If objects need to be reclassified, it is necessary to move the data to another bucket with the wanted storage class.

7. Optionally, add a Key Protect Key to encrypt data at rest.

   All objects are encrypted by default using randomly generated keys and an all-or-nothing-transform. While this default encryption model provides at-rest security, some workloads need to be in possession of the encryption keys used. For more information, see Manage encryption.

Step 4. Create a service ID for the IBM Cloud Object Storage instance

A service ID identifies a service similar to how a user ID identifies a user. Service IDs are not tied to a specific user. If the user that creates the service ID leaves your organization and is deleted from the account, the service ID remains.

You must create a service ID for your IBM Cloud Object Storage instance. This service ID is used by the IBM Cloud Activity Tracker instance to authenticate with your IBM Cloud Object Storage instance.

You must assign specific access policies to the service ID that restrict permissions for using specific services, or even combine permissions for accessing different services.

Complete the following steps to create a service ID with writing permissions for the IBM Cloud Object Storage instance:

1. From the Dashboard, select the IBM Cloud Object Storage instance where you plan to create the bucket.

2. Select Service credentials. Then, select New credential.

3. Enter a name that it is easy to recognize. For example, you can name the service ID activity-tracker-cos-serviceID.

4. Select the Reader role.

5. Click Add.

   A new service ID is created and added to the list.

   Note: The service ID that is created in the IBM Cloud and listed through the IAM UI has a generic name. The name of the service ID in the IAM UI maps to the value of the field iam_apikey_name that you created in this step through the COS service ID UI.

6. [Optional] To lock the service ID to prevent deletion, from the menu bar, click Manage > Access (IAM). Search for the service ID. Then, select the action Lock.

For the service ID that you just created, click View credentials. You can see information that is related to the service ID.

• Copy the API key. This is the value set for the field apikey.

  When the service credential is rotated, make sure the API Key is updated with the new API Key. Archiving will stop if the API Key is not updated.

• Copy the resource instance ID. This is the value set for the field resource_instance_id.

• Copy the value of the iam_apikey_name field.

Step 5. Restrict the service ID to only have writing permissions for the bucket

If you want to restrict the service ID to only have writing permissions for a bucket, complete the following steps:

1. From the COS UI, select the bucket.

2. From the bucket menu, select Policies. The Bucket access policies page opens.

3. Select Service IDs.

4. In the field Select a service ID, look for a service ID that has the following name: auto-generated-serviceId-<ID that is part of the iam_apikey_name value>.

5. Select the service ID. Then, in Access policies, select Writer.

6. Click Create access policy.

Step 6. Select the endpoint

An endpoint defines where to look for a bucket. There are different endpoints depending on the region and type of resiliency. For more information, see Select regions and endpoints.

Complete the following steps to obtain the endpoint for your bucket:

1. Log in to your IBM Cloud account.

   After you log in, the IBM Cloud Dashboard opens.

2. From the Dashboard, select the IBM Cloud Object Storage instance where you plan to create the bucket.

3. Select Buckets. Then, select the bucket that you created where you want to archive events.

4. Select Configuration.

5. Copy one of the private endpoints.

Step 7. Grant IAM policies to a user to archive events

The following table lists the policies that a user must have to configure archiving of events from the IBM Cloud Activity Tracker web UI into a bucket in an IBM Cloud Object Storage instance:

Learn more.

Complete the following steps to assign a user permission to archive events:

1. From the menu bar, click Manage > Access (IAM), and then select Users.

2. From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.

3. Select Assign access within a resource group.

4. Select a resource group.

5. If the user does not have a role already granted for the selected resource group, choose a role for the Assign access to a resource group field.

   Depending on the role that you select, the user can view the resource group on their dashboard, edit the resource group name, or manage user access to the group.

   You can select No access, if you want the user to only have access to the IBM Cloud Activity Tracker service in the resource group.

6. Select IBM Cloud Activity Tracker.

7. Select the platform role Viewer.

8. Select the service role Manager.

9. Click Assign.

Step 8. Configure archiving for your IBM Cloud Activity Tracker instance

Complete the following steps to configure archiving of your IBM Cloud Activity Tracker instance into a COS bucket:

1. Launch the IBM Cloud Activity Tracker web UI.

2. Select the Configuration icon. Then select Archiving.

3. Select IBM Cloud Object Storage.

4. Set the bucket, endpoint, API key, and instance ID where you want events to be archived.

   Table 4. COS fields

   Field	Value
   Bucket	Set to the COS bucket name.
   Endpoint	Set to the COS bucket private endpoint.
   API Key	Set to the API key associated to the COS service ID.
   Instance ID	Set to the COS instance ID.

5. Click Save.

Notice that when you save the configuration, you can get a message that informs you that the configuration has been saved successfully. When you get this message, the integration between the auditing instance and the bucket is verified. A test to upload and delete an object from the bucket is completed successfully.

If you get an error when you save the configuration, the verification process fails. Check your configuration and retry again.

When the service credential is rotated, make sure the API Key is updated with the new API Key. Archiving will stop if the API Key is not updated.