Auditing events for service instances
As a security officer, auditor, or manager, you can use the IBM Cloud Activity Tracker service to track how users and applications interact with the IBM Cloud services.
The IBM Cloud Activity Tracker service records user-initiated activities that change the state of a service in IBM Cloud. To get started monitoring your user's actions, see IBM Cloud Activity Tracker.
Events for provisioning and managing service instances
The following table lists the actions that generate an event:
Action | Description |
---|---|
service_name.instance.create |
An event is generated when you provision a service instance. |
service_name.instance.update |
An event is generated when you rename a service instance or when you change the service plan. |
service_name.instance.delete |
An event is generated when a service instance is deleted. |
service_name.instance.schedule_reclaim |
An event is generated when a service instance is pending_reclamation. |
service_name.instance.restore |
An event is generated when a service instance is restored. |
Events for managing aliases that are associated to a service instance
An alias is a connection between your IAM-managed service within a resource group and an application within an org or a space.
The following table lists the actions that generate an event:
Action | Description |
---|---|
service_name.alias.create |
An event is generated when an alias for an instance is created. |
service_name.alias.update |
An event is generated when an alias for an instance is updated. |
service_name.alias.delete |
An event is generated when an alias for an instance is deleted. |
Events for managing service credentials that are associated to a service instance
A service credential provides the necessary information to connect an application to a service instance.
The following table lists the actions that generate an event:
Action | Description |
---|---|
service_name.key.create |
An event is generated when an API key is created for a service instance through the Service credentials section of the service instance UI. |
service_name.key.delete |
An event is generated when an API key that is associated with a service instance is deleted from the Service credentials section of the service instance UI. |
Events for binding and unbinding a service instance to an app
The following table lists the actions that generate an event:
Action | Description |
---|---|
service_name.binding.create |
An event is generated when you bind a service instance to an application. |
service_name.binding.delete |
An event is generated when you unbind a service instance from an application. |
Where to look for the events
Events are available in the Frankfurt (eu-de) region.
To view these events, you must provision an instance of the IBM Cloud Activity Tracker service in the Frankfurt (eu-de) region. Then, you must open the IBM Cloud Activity Tracker UI.
Analyzing events
Action service_name.instance.delete
When a service instance is deleted, consider the following information:
- Other actions are automatically triggered to clean up IAM permissions. These actions remove policies that are configured for users and service IDs in the account to work with the service instance.
- The initiator of these actions is an IBM service ID.
When the service instance that is deleted does not have IAM policies configured for users and service IDs, the events that are automatically generated for any of these resources report an outcome offailure
with a 404
outcome code. The following sample shows the events that are generated when a service instance that does not have policies configured in the account is deleted:
Apr 30 09:04:16 cloudcerts: delete instance Certificate Manager-v1
Apr 30 09:41:20 IAM Access Management: delete policy -failure
Apr 30 09:41:20 IAM Access Management: delete policy -failure