IBM Cloud Docs
Scanning resources across accounts

With IBM Cloud® Security and Compliance Center, you can scan resources that live in other IBM Cloud accounts, whether or not those accounts belong to the same enterprise as the account that runs the scans. You enable cross-account scanning by registering the other accounts as target accounts and then selecting them as the scope of an attachment.

An automation script is available that performs the registration for cross-account scanning on your behalf. For more information, check out the script in GitHub.

Before you begin

Before you get started, create a trusted profile in the target account (the account whose resources are to be scanned) with the following access policies, and assign exactly the roles that are listed. The scanner needs read-only access to the account plus the Kubernetes Service roles that are listed below; do not grant broader roles than these.

  • All Account Management services (Viewer, Service Configuration Reader)

  • Kubernetes Service (Reader, Viewer, Administrator, Service Configuration Reader)

    This access policy is required to run the OpenShift Compliance Operator (OSCO) scan when an attachment is created.

  • All Identity and Access enabled services (Reader, Viewer, Service Configuration Reader)

The trusted profile's trust relationship must also name, as a trusted IBM Cloud service, the Cloud Resource Name (CRN) of the Security and Compliance Center instance in the monitoring account (the account in which the scans run). Without that entry, the instance cannot assume the profile. You can find the CRN in the Settings > Service instance section of the Security and Compliance Center UI.
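The following preflight check is an added example; it is not part of the IBM Cloud documentation or of the automation script mentioned above. It takes the trusted profile's policies in the shape that the IAM Policy Management API returns when you list the policies of a profile (each policy carries `roles[].display_name` and `resources[].attributes[]` as name/value pairs), compares them with the three grants listed above, reports roles that are missing and roles that exceed the list, and refuses to count a policy that is narrowed to a region, a resource group or a single instance, because such a policy does not cover every cluster in the account. The attribute encodings (`serviceType=platform_service` for all account management services, `serviceType=service` for all IAM-enabled services, `serviceName=containers-kubernetes` for Kubernetes Service), the `display_name` field and the sample policies are assumptions or constructed data.

```python
"""Preflight check of a trusted profile's IAM policies against the roles that
cross-account scanning requires. Added example; the policy attribute encodings
below are assumptions about the IAM policy document format."""
from typing import Dict, List, Optional, Set, Tuple

Scope = Tuple[str, str]  # (attribute name, attribute value) that selects a scope

# Roles the page lists per scope (assumed attribute encodings for each scope).
REQUIRED: Dict[Scope, Set[str]] = {
    ("serviceType", "platform_service"): {"Viewer", "Service Configuration Reader"},
    ("serviceName", "containers-kubernetes"): {"Reader", "Viewer", "Administrator",
                                               "Service Configuration Reader"},
    ("serviceType", "service"): {"Reader", "Viewer", "Service Configuration Reader"},
}
LABEL: Dict[Scope, str] = {
    ("serviceType", "platform_service"): "All Account Management services",
    ("serviceName", "containers-kubernetes"): "Kubernetes Service",
    ("serviceType", "service"): "All Identity and Access enabled services",
}
# Attributes that bind a policy to the account without narrowing it further.
ACCOUNT_ATTRS = {"accountId"}


def classify_resource(attrs: Dict[str, str]) -> Tuple[Optional[Scope], List[str]]:
    """Map one policy resource to a required scope.

    Returns (scope, narrowing attributes). A resource with extra attributes
    (region, serviceInstance, resourceGroupId, ...) is narrower than the
    account-wide grant the page asks for and must not count as that grant.
    """
    for scope in REQUIRED:
        name, value = scope
        if attrs.get(name) == value:
            return scope, sorted(set(attrs) - ACCOUNT_ATTRS - {name})
    return None, []


def check_profile(policies: List[dict]) -> dict:
    """Report missing roles, excess roles and narrowed policies for a profile."""
    granted: Dict[Scope, Set[str]] = {s: set() for s in REQUIRED}
    narrowed: List[str] = []
    for pol in policies:
        roles = {r["display_name"] for r in pol.get("roles", [])}
        for res in pol.get("resources", []):
            attrs = {a["name"]: a["value"] for a in res.get("attributes", [])}
            scope, extra = classify_resource(attrs)
            if scope is None:
                continue  # unrelated policy, ignored
            if extra:
                narrowed.append(f"{LABEL[scope]}: policy {pol.get('id', '?')} "
                                f"is narrowed by {extra}")
                continue
            granted[scope] |= roles
    missing = {LABEL[s]: sorted(REQUIRED[s] - granted[s])
               for s in REQUIRED if REQUIRED[s] - granted[s]}
    # Excess roles do not block scanning, but they violate least privilege.
    excess = {LABEL[s]: sorted(granted[s] - REQUIRED[s])
              for s in REQUIRED if granted[s] - REQUIRED[s]}
    return {"ok": not missing, "missing": missing, "excess": excess,
            "narrowed": narrowed}


def make_policy(pid: str, roles: List[str], **attrs: str) -> dict:
    """Build a policy document in the assumed IAM shape (for constructed samples)."""
    return {
        "id": pid,
        "roles": [{"display_name": r} for r in roles],
        "resources": [{"attributes": [{"name": "accountId", "value": "a1b2c3d4e5f6"}]
                       + [{"name": k, "value": v} for k, v in attrs.items()]}],
    }


# Constructed sample, not real API output: the account management policy is
# correct, the Kubernetes policy is limited to one region (so it does not
# cover all clusters), and the all-services policy both lacks Service
# Configuration Reader and carries an Administrator role the scanner does not need.
SAMPLE_POLICIES = [
    make_policy("p-acct", ["Viewer", "Service Configuration Reader"],
                serviceType="platform_service"),
    make_policy("p-iks", ["Reader", "Viewer", "Administrator",
                          "Service Configuration Reader"],
                serviceName="containers-kubernetes", region="us-south"),
    make_policy("p-all", ["Reader", "Viewer", "Administrator"], serviceType="service"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(check_profile(SAMPLE_POLICIES), indent=2))
```

Run the check against the real policy list before you register the profile as a target; fix every entry under "missing" and "narrowed", and trim the roles under "excess" unless you have a reason to keep them.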

Adding target accounts for scanning

To enable scanning of resources across accounts, register the other account as a target in the Security and Compliance Center settings. You can then select it as the scope of an attachment.

  1. In the Security and Compliance Center navigation, click Settings.
  2. In the Targets section, click Add.
  3. Specify a unique name for your target account.
  4. Specify the ID of the target account to add.
  5. Specify the ID of the trusted profile that you created in the target account for scanning across accounts.
  6. Click Add. The account is now a registered target that you can select as a scope when you create an attachment.

Removing target accounts from scanning

Before you remove a target account from your scans, make sure that you remove that account from any of your attachments that are configured to scan resources in it.

  1. In the Security and Compliance Center navigation, click Settings.
  2. In the Targets section, find the account that you want to remove. Then, click the Menu icon and select Remove.
  3. Click Remove to confirm that you want to remove this target account from scanning across accounts.

Scheduling a recurring scan for resources across accounts

To schedule a recurring scan for resources across accounts, create an attachment. When you create an attachment for a profile that targets the IBM Cloud environment, the accounts that are registered on the Settings page are listed, and you can select them as your scope. If you select multiple accounts, each account becomes a separate scope within the attachment. You cannot select or exclude individual resource groups when you scan across accounts; the whole target account is scanned.

When the scan completes, your results are available in the Security and Compliance Center dashboard. If your results are not updated, review the troubleshooting guide.