IBM Cloud Docs
Tagging IBM Cloud resources and managing access with tags

All IBM Cloud resources in your account should be tagged with security attributes that you define. Apply user tags to organize your resources and easily find them later, to help you with identifying specific team usage or cost allocation, and to control access to your resources without requiring updates to your IAM policies.

For more information, see:

Example tagging scheme

The IBM Cloud Framework for Financial Services doesn't require a specific set of tags that must be used, but they should be meaningful for your application. For illustration, you might use a scheme such as the one outlined here.

In this example, it is suggested that you use one of the following impact levels from Federal Information Processing Standards Publication 199:

  • fips199-high: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
  • fips199-moderate: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  • fips199-low: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

In addition, for services that store data, it is suggested that you use one or more of these tags corresponding to different kinds of data:

  • audit: Audit logs or archives
  • public: Publicly accessible, such as Cloud Object Storage buckets that hold public documentation or samples
  • consumer-owned-data: Data owned by the consumer
  • consumer-metadata: Metadata owned by the consumer
  • regulated-data: Data that is regulated
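
A scheme like this only helps if every resource actually follows it, so the following Python check audits an inventory for missing, conflicting, or misspelled impact level tags and for data-storing services without a data-kind tag. It is an added example, not part of the IBM documentation; the inventory records, the stores_data field, and the case-insensitive tag comparison are assumptions.

```python
# Tag names below come from the example scheme on this page.
IMPACT_TAGS = {"fips199-high", "fips199-moderate", "fips199-low"}
DATA_TAGS = {"audit", "public", "consumer-owned-data",
             "consumer-metadata", "regulated-data"}


def check_resource(resource):
    """Return a list of findings for one resource record (empty list = compliant)."""
    # Assumption: tags are compared case-insensitively, ignoring stray whitespace.
    tags = {t.strip().lower() for t in resource.get("tags", [])}
    findings = []

    impact = tags & IMPACT_TAGS
    if not impact:
        findings.append("missing impact level tag")
    elif len(impact) > 1:
        findings.append("conflicting impact level tags: " + ", ".join(sorted(impact)))

    # Near-misses such as "fips199-medium" would silently escape tag-based filters.
    unknown = sorted(t for t in tags if t.startswith("fips199-") and t not in IMPACT_TAGS)
    if unknown:
        findings.append("unrecognized impact level tags: " + ", ".join(unknown))

    if resource.get("stores_data") and not tags & DATA_TAGS:
        findings.append("data-storing service has no data-kind tag")
    return findings


def audit(inventory):
    """Map resource name -> findings, for resources with at least one finding."""
    report = {}
    for r in inventory:
        findings = check_resource(r)
        if findings:
            report[r["name"]] = findings
    return report


# Constructed sample inventory (hypothetical names; not output of any IBM Cloud API).
SAMPLE_INVENTORY = [
    {"name": "cos-audit-archive", "stores_data": True, "tags": ["fips199-high", "audit"]},
    {"name": "cos-public-docs", "stores_data": True, "tags": ["FIPS199-Low", "public"]},
    {"name": "db-customers", "stores_data": True, "tags": ["fips199-high"]},
    {"name": "vsi-worker-1", "stores_data": False, "tags": ["fips199-medium", "team:payments"]},
    {"name": "db-ledger", "stores_data": True,
     "tags": ["fips199-high", "fips199-moderate", "regulated-data", "consumer-owned-data"]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name + ": " + "; ".join(findings))
```

Tags outside the scheme, such as team:payments in the sample, are left alone because the scheme does not restrict additional tags.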

Next steps

If using the VPC reference architecture, then see:

If using the Satellite reference architecture, then see: