Change log: IBM Cloud Framework for Financial Services (Moderate)
In this change log, you can learn about the latest changes, improvements, and updates for the Service Organization Control (IBM Cloud Framework for Financial Services (Moderate)) profile. The change log lists changes that were made, ordered by the version number.
Disclaimer: IBM Cloud Framework for Financial Services (Moderate) Security and Compliance Center profile should be used if you choose IBM® Key Protect for IBM Cloud® and/or IBM Cloud Activity Tracker Hosted Event Search as your data/log management solution, as per your information and data classification requirements. For further details on the differences between IBM® Key Protect for IBM Cloud® and IBM Cloud® Hyper Protect Crypto Services, read Data encryption at rest in IBM Cloud for a comparison of functionality. Additionally, for more information on auditing and monitoring of workload and data, read Audit logging of IBM Cloud events.
Profile versioning
When specifications or controls are edited, removed from, or added to a profile in a way that is not compatible with the current version, a new version is released. To take advantage of the changes in a new version, update your attachments to use the newest profile version.
This profile is consistently updated and is not an exhaustive list of all the controls that might be required for every organization. Be sure to validate the available controls to determine where you might need to supplement your workloads with other security measures.
Version summary
The following table details the release dates and status of each profile version.
New attachments cannot be created on deprecated profile versions. Select the most recent version to use for your evaluation.
| Version number | Release date | Status |
|---|---|---|
| Version 1.1.0 | 2024-08-27 |
Active |
| Version 1.0.0 | 2024-06-06 |
Active |
Version 1.1.0
The following rules were updated in the IBM Cloud for Financial Services library and profile as of 27 August 2024.
| Rule ID | Rule description | Associated controls | Update |
|---|---|---|---|
rule-1d0a1c93-b89f-432e-af25-758ae517a7ba |
Check whether App Configuration can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-b5675539-fb0a-4464-93a3-f9c3ab1da0f8 |
Check whether App Configuration can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-9b2822ec-cde3-4367-b3b7-3aabceb7ce13 |
Check whether Auto scale for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-7cbf96ea-a032-4bc0-aae7-21d088965ef4 |
Check whether Auto scale for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
| rule-30e49535-38d9-4969-8f78-56cf8be67557 | Check whether Backup for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-6b80be89-7c9f-472f-9ad2-363086fbcc86 |
Check whether Backup for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-1399da2c-af02-47a3-bec1-0baa48297619 |
Check whether Bare Metal Servers for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-a6843b59-7e8b-4e5f-8f45-fe98a28269e2 |
Check whether Bare Metal Servers for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-23aca5fe-3659-4b4d-a965-daad23ce2a01 |
Check whether Block Storage for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-3d843573-0a71-44cc-926a-330fbcf80ec6 |
Check whether Block Storage for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-bf187b2f-0d3b-48f2-a5a7-cab0c0788c43 |
Check whether Block Storage Snapshots for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-af1c19bb-a40e-4798-92ad-57d4e9d540ba |
Check whether Block Storage Snapshots for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-8f3a6416-3621-4666-a2a7-271704432552 |
Check whether Client VPN for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-9d0ae8c0-7332-4b65-858c-56fe9875789f |
Check whether Client VPN for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-9eb7b514-5c27-43ba-83fc-26d75e0bf695 |
Check whether Cloud Object Storage can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-61878b48-e181-455d-aed3-5730b6e27890 |
Check whether Cloud Object Storage can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-e9bae442-b92e-414d-88a9-d107511f554c |
Check whether Code Engine can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-15e9118b-2fd4-46a7-a454-7af07b2b342c |
Check whether Code Engine can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-87b52247-ec12-4e84-b328-d00491301e16 |
Check whether Container Registry can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-94ca1725-f251-4cee-8c4c-280e141f194a |
Check whether Container Registry can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-4aebb5fe-61df-458c-b534-60fd644ae542 |
Check whether Dedicated Host for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-c5642f67-fb2c-4fe1-aed1-585d9215808f |
Check whether Dedicated Host for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-94048ffe-f910-4ff2-881f-50df9005c0a2 |
Check whether Direct Link can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-65627941-63ee-4f52-9248-3b5a09163965 |
Check whether Direct Link can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-6252793f-9da5-4a04-9f9d-279b6e2c6907 |
Check whether DNS Services can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-dce07761-8ffd-4beb-a7cc-d38a17fffd4e |
Check whether DNS Services can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-c9dfee2f-6283-43ce-9337-4eaacaa3313c |
Check whether Event Notifications can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-0ffd34a1-3ca7-4d53-adbe-40f3980694e6 |
Check whether Event Notifications can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AAC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-762180a3-95e1-462b-a7ca-7995ca0dfb7c |
Check whether Event Streams can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-23850407-cbf6-42cf-8985-f90b2c966d04 |
Check whether Event Streams can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-a4841766-a395-41be-8a64-b51e85168fab |
Check whether Flow Logs for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-5593b5b5-dd27-45c9-b088-b40e447af5ef |
Check whether Flow Logs for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-315c8bb3-3eb8-4186-85bc-e66d68ba9dd0 |
Check whether Hyper Protect Crypto Services can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-00882b45-ee37-4dc1-b948-afa618755fbd |
Check whether Hyper Protect Crypto Services can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AAC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-0051b1c6-bee9-4e04-87e2-300e2c145104 |
Check whether IAM access groups can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-a534cbfa-1d2b-4b10-b405-7d6a0a969944 |
Check whether IAM access groups can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-e9a2d69f-757d-4371-8508-419fc13550f1 |
Check whether IAM access management can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-8e7fd3c6-01aa-47b8-9898-ba34ebc27015 |
Check whether IAM access management can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-0cddf009-8620-47e2-add9-e7609d82a221 |
Check whether IAM identities can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-56c515ef-4d2b-42e2-aa62-df4b37eab801 |
Check whether Kubernetes Service can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-4554e868-eb89-4b18-8692-564da18e0c2d |
Check whether Kubernetes Service can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-b5a6bedd-16b0-4a21-bb01-04d70d48a752 |
Check whether Load Balancer for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-10b28c5d-27aa-4d03-b863-2e770090df74 |
Check whether Load Balancer for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-3d59273d-8ed1-4767-8112-c3f95ce09c3e |
Check whether Schematics can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-553bdee0-a3c4-4ff9-a2f2-7903cc98ca2f |
Check whether Schematics can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-c26980c7-5fae-47b7-ad2a-e96e87cf28fc |
Check whether Secrets Manager can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-21fd1a1e-7909-48a4-949a-ada1785a34cf |
Check whether Secrets Manager can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-d6b8cc81-b78b-49a5-87a3-34c71a198a71 |
Check whether Security and Compliance Center can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-5c9aed4a-af5e-47e0-8a86-cac8199aa90d |
Check whether Security and Compliance Center can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-ff00ff6c-61d2-4a94-8de8-b150b4d35aab |
Check whether there are no wild cards in the private endpoint allow list for IAM identities (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-b426a552-33c4-4b8d-8e71-659e06a45024 |
Check whether Transit Gateway can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-ca36ff5d-003b-4b21-b584-061a2ac5268a |
Check whether Transit Gateway can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-7601aadc-cce6-4929-b3d2-26c4ba7e05ad |
Check whether User Management can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-e54063a9-379f-4cdf-a00c-2fd02c8d9eda |
Check whether User Management can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-9d963fd1-c56c-45ad-976e-96a45899b576 |
Check whether Virtual Private Cloud can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-29286737-f65b-41fb-8ba7-30e81f0f9dd8 |
Check whether Virtual Private Cloud can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-45e6a74e-74d4-495d-88da-f0cda147d8b4 |
Check whether Virtual Private Endpoints for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-fce897fe-d572-4412-9c74-828bfab0c26a |
Check whether Virtual Private Endpoints for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-4a8fce3e-5bf4-4b57-8df7-c9f2f374abf3 |
Check whether Virtual Servers for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-b6b7e67f-e7c2-4435-a883-80ab3d835d0e |
Check whether Virtual Servers for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-a3ee571a-b0fe-408f-9c8b-064e44fe99d5 |
Check whether VPC floating IPs can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-4736fc5d-63e2-4673-92e5-4c1f381645f5 |
Check whether VPC floating IPs can be accessed only through a private endpoint (Context-based restrictions or service) and allowed Ips | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-72f16940-fa5b-4719-a7e8-35a1cc721a6a |
Check whether VPC images can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-ed883cda-bdd3-48fd-972b-bf98b085423b |
Check whether VPC images can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-eaff5bf5-7754-4218-8cb7-ae87ec8fdc7f |
Check whether VPC network access control lists can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-9a64c779-5744-4bcc-a5ac-e4ad04b0f59c |
Check whether VPC network access control lists can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-113e00c2-0503-4a09-8e6c-893ad51b6643 |
Check whether VPC placement groups can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-fdabbd31-1b00-4a84-aca2-6c57e8404b9e |
Check whether VPC placement groups can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-3ead3fb3-9156-4d93-971c-7b782ceb00ae |
Check whether VPC public gateways can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-7758e8eb-c4d8-42a8-869f-30e3c189f6fa |
Check whether VPC public gateways can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-02ad5735-93ba-4229-9d10-70dd48d0f96c |
Check whether VPC security groups can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-2b0fc034-063b-47a7-86e9-5a96c8ca9f23 |
Check whether VPC security groups can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-235d040e-ae2b-4832-9c28-b79cc2d6be6c |
Check whether VPC SSH keys can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-b96fdad1-c2d5-4399-861f-49adecfd3485 |
Check whether VPC SSH keys can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-f33e4a5e-3297-4ec1-91b6-5f902fe87e75 |
Check whether VPC subnets can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-8b014ee6-2fcf-4e78-9412-d290251ff2a1 |
Check whether VPC subnets can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-2a1b103a-4ef3-416e-822a-abf556f8dbae |
Check whether VPN for VPC can be accessed only through a private endpoint (Context-based restrictions or service) | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was removed. |
rule-a4cc268c-9c97-4dbb-b02f-bf74d5a5aa93 |
Check whether VPN for VPC can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(a), SC-7(b), SC-7(4)(a), and SC-7(5) |
The rule was added. |
rule-3898fc92-305f-41c2-9464-c26ca71d639e |
"Check whether VPN for VPC has an ""establish mode"" configuration that is different from 'peer_only'" | SC-13 |
The rule was added. |
rule-8226d451-d6a7-46a7-8313-f8c091d6e33f |
Check whether IBM Cloud Kubernetes Service Ingress has TLS 1.2 enabled for all inbound traffic | SC-11SC-13, SC-23, CM-7(b), SC-7(4)(C), SC-8, and SC-8(1) |
The rule was added. |
rule-da567ec9-8e24-4c65-993b-ad290bfdb855 |
Check whether Cloud Object Storage buckets are enabled with IBM Activity Tracker | SC-11, SC-13, SC-23, CM-7(b), SC-7(4)(C), SC-8, and SC-8(1) |
The rule was added. |
rule-84a0c7b9-cb37-430b-8a6d-afafb384ed9b |
Check that Activity Tracker hosted Event Search is configured to collect global events generated by IBM Cloud services | AC-2(4), AC-2(7)(b), AC-2(g), AC-6(9), AU-12(a), AU-12(b), AU-12(c), AU-2(a), AU-2(d), AU-3, AU-8(1)(a),
AU-8(1)(b), AU-8(a), AU-8(b), CA-7(d), SI-4(a), SI-4(b), SI-4, and SI-4(c) |
The rule was added. |
rule-2f84317e-83b3-451d-bb95-9bd4ba953bdf |
Check that there is an Activity Tracker hosted event search defined in each region to collect location-based events | AC-2(4), AC-2(7)(b), AC-2(g), AC-6(9), AU-12(a), AU-12(b), AU-12(c), AU-2(a), AU-2(d), AU-3, AU-8(1)(a),
AU-8(1)(b), AU-8(a), AU-8(b), CA-7(d), SI-4(a), SI-4(b), SI-4, and SI-4(c) |
The rule was added. |
rule-ba79b984-ec18-4fc1-965d-82cf701eb94f |
Check whether an instance of IBM Log Analysis exists in each required region and is configured to receive platform logs | AC-4 |
The rule was removed. |
Version 1.0.0
- Now available
- As of 6 June 2024, the IBM Cloud Framework for Financial Services (Moderate) profile is a collection of controls that is designed to validate the configuration of your resources.
The following changes were made.
- All the existing customer-managed encryption Keep Your Own Key (KYOK) rules were replaced with customer-managed encryption (Bring Your Own Key (BYOK) or Keep Your Own Key (KYOK)).
The following rules were added.
| Rule ID | Rule description | Associated controls | Update |
|---|---|---|---|
rule-84a0c7b9-cb37-430b-8a6d-afafb384ed9b |
Check that Activity Tracker hosted Event Search is configured to collect global events generated by IBM Cloud services | AC-2(4), AC-2(7)(b), AC-2(g), AC-6(9), AU-12(a), AU-12(b), AU-12(c), AU-2(a), AU-2(d), AU-3, AU-8(1)(a),
AU-8(1)(b), AU-8(a), AU-8(b), CA-7(d), SI-4(a), SI-4(b), and SI-4(c) |
The rule was added. |
rule-2f84317e-83b3-451d-bb95-9bd4ba953bdf |
Check that there is an Activity Tracker hosted event search defined in each region to collect location-based events | AC-2(4), AC-2(7)(b), AC-2(g), AC-6(9), AU-12(a), AU-12(b), AU-12(c), AU-2(a), AU-2(d), AU-3, AU-8(1)(a),
AU-8(1)(b), AU-8(a), AU-8(b), CA-7(d), SI-4(a), SI-4(b), and SI-4(c) |
The rule was added. |
rule-ed64fa73-81e5-4920-8519-acfad845dd6c |
Check whether Identity and Access Management (IAM) is enabled with audit logging | AC-2(4), AC-2(7)(b), AC-2(g), AC-6(9), AU-12(a), AU-12(b), AU-12(c), AU-2(a), AU-2(d), AU-3, AU-8(1)(a), AU-8(1)(b), AU-8(a), AU-8(b), CA-7(d), SI-4(a), SI-4(b), and SI-4(c) |
The rule was added. |
rule-ab4301de-c43b-489f-ba0a-2ced0080ba8f |
Check whether IBM Log Analysis instance log retention is set to at least # days | AC-2(4), AC-2(7)(b), AC-2(g), AC-6(9), AU-12(a), AU-12(b), AU-12(c), AU-2(a), AU-2(d), AU-3, AU-8(1)(a),
AU-8(1)(b), AU-8(a), AU-8(b), CA-7(d), SI-4(a), SI-4(b), and SI-4(c) |
The rule was added. |
rule-d592e06a-8756-4efc-a401-1ec215168f48 |
Check whether IBM Activity Tracker trails are integrated with LogDNA logs | AC-2(4), AC-2(7)(b), AC-2(g), AC-6(9), AU-12(a), AU-12(b), AU-12(c), AU-2(a), AU-2(d), AU-3, AU-8(1)(a),
AU-8(1)(b), AU-8(a), AU-8(b), CA-7(d), SI-4(a), SI-4(b), and SI-4(c) |
The rule was added. |
rule-5910ed25-7ad7-42d0-8e42-905df0123346 |
Check whether IBM Activity Tracker is provisioned in multiple regions in an account | AC-2(4), AC-2(7)(b), AC-2(g), AC-6(9), AU-12(a), AU-12(b), AU-12(c), AU-2(a), AU-2(d), AU-3, AU-8(1)(a),
AU-8(1)(b), AU-8(a), AU-8(b), CA-7(d), SI-4(a), SI-4(b), and SI-4(c) |
The rule was added. |
rule-911a3948-f5af-4d91-b329-5c71c1ebf8c2 |
Check whether an IBM Cloud Activity Tracker instance is available across all provisioned resource regions | AC-2(4), AC-2(7)(b), AC-2(g), AC-6(9), AU-12(a), AU-12(b), AU-12(c), AU-2(a), AU-2(d), AU-3, AU-8(1)(a),
AU-8(1)(b), AU-8(a), AU-8(b), CA-7(d), SI-4(a), SI-4(b), and SI-4(c) |
The rule was added. |
rule-c98fab05-5119-451a-b100-35df840d2326 |
Check whether IBM Activity Tracker logs are encrypted at rest | SC-13, SC-28, and SC-28(1) |
The rule was added. |
rule-14808a2d-ab9b-4333-8275-f12559620cbb |
Check whether there are no wild cards in the private endpoint allow list for IBM Log Analysis (Context-based restrictions or service) | AC-4 |
The rule was added. |
rule-2aa7888e-ed67-40f3-9bff-8a70fddb4671 |
Check whether IBM Log Analysis can be accessed only through a private endpoint (Context-based restrictions or service) and allowed IPs | AC-4, CM-7(a), CM-7(b), SC-7(4)(a), SC-7(5), SC-7(a), and SC-7(b) |
The rule was added. |