IBM Cloud Docs
Auditing events for service instances

Auditing events for service instances

As a security officer, auditor, or manager, you can use the IBM Cloud Activity Tracker service to track how users and applications interact with the IBM Cloud services.

The IBM Cloud Activity Tracker service records user-initiated activities that change the state of a service in IBM Cloud. To get started monitoring your user's actions, see IBM Cloud Activity Tracker.

Events for provisioning and managing service instances

The following table lists the actions that generate an event:

Actions that generate events
Action Description
service_name.instance.create An event is generated when you provision a service instance.
service_name.instance.update An event is generated when you rename a service instance or when you change the service plan.
service_name.instance.delete An event is generated when a service instance is deleted.
service_name.instance.schedule_reclaim An event is generated when a service instance is pending_reclamation.
service_name.instance.restore An event is generated when a service instance is restored.

Events for managing aliases that are associated to a service instance

An alias is a connection between your IAM-managed service within a resource group and an application within an org or a space.

The following table lists the actions that generate an event:

Actions that generate events
Action Description
service_name.alias.create An event is generated when an alias for an instance is created.
service_name.alias.update An event is generated when an alias for an instance is updated.
service_name.alias.delete An event is generated when an alias for an instance is deleted.

Events for managing service credentials that are associated to a service instance

A service credential provides the necessary information to connect an application to a service instance.

The following table lists the actions that generate an event:

Actions that generate events
Action Description
service_name.key.create An event is generated when an API key is created for a service instance through the Service credentials section of the service instance UI.
service_name.key.delete An event is generated when an API key that is associated with a service instance is deleted from the Service credentials section of the service instance UI.

Events for binding and unbinding a service instance to an app

The following table lists the actions that generate an event:

Actions that generate events
Action Description
service_name.binding.create An event is generated when you bind a service instance to an application.
service_name.binding.delete An event is generated when you unbind a service instance from an application.

Where to look for the events

Events are available in the Frankfurt (eu-de) region.

To view these events, you must provision an instance of the IBM Cloud Activity Tracker service in the Frankfurt (eu-de) region. Then, you must open the IBM Cloud Activity Tracker UI.

Analyzing events

Action service_name.instance.delete

When a service instance is deleted, consider the following information:

  • Other actions are automatically triggered to clean up IAM permissions. These actions remove policies that are configured for users and service IDs in the account to work with the service instance.
  • The initiator of these actions is an IBM service ID.

When the service instance that is deleted does not have IAM policies configured for users and service IDs, the events that are automatically generated for any of these resources report an outcome offailure with a 404 outcome code. The following sample shows the events that are generated when a service instance that does not have policies configured in the account is deleted:

Apr 30 09:04:16 cloudcerts: delete instance Certificate Manager-v1
Apr 30 09:41:20 IAM Access Management: delete policy -failure
Apr 30 09:41:20 IAM Access Management: delete policy -failure