Preparing to deploy the Essential Security and Observability Services deployable architecture

The Essential Security and Observability Services deployable architecture is a preconfigured set of infrastructure as code assets that are designed to deploy select IBM Cloud security services according to best practices. The included security services are crucial for helping ensure that you have a robust security and compliance strategy for your applications and data. By using this architecture, you can accelerate your deployment and tailor it to meet your organization's security and compliance requirements.

When you deploy the architecture, you can:

  • Implement security: The architecture provisions security services such as IBM Key Protect and IBM Cloud Secrets Manager that can help you to manage sensitive data for your organization.

  • Ensure observability: The architecture provisions observability services such as IBM Log Analysis, IBM Cloud Monitoring, IBM Cloud Activity Tracker Event Routing, IBM Cloud Event Notifications, and log retention through IBM Cloud Object Storage buckets.

  • Monitor for regulatory compliance: The architecture helps to ensure regulatory compliance by provisioning IBM Cloud Security and Compliance Center Workload Protection to validate the configurations that are made as part of application lifecycle management against the CIS IBM Cloud Foundations Benchmark profile. To see the controls that are included, go to the Essential Security and Observability Services deployable architecture catalog tile in the console and click the Security & compliance tab.

Before you deploy

Before you can deploy the Essential Security and Observability Services deployable architecture, you must have the following prerequisites.

  • A Pay-As-You-Go or Subscription IBM Cloud account.

    Don't have one? Create one. Have a Trial or Lite account? Upgrade your account.

  • The required level of access to deploy and manage resources in the account.

  • An IBM Cloud API key in the target account with sufficient permissions. Be sure to save the API key value for a later configuration.

    • Evaluation environments: If your environment is used for evaluating, grant the Administrator role on the IAM Identity Service, All Identity and Access enabled services, Activity Tracker Event Routing and All Account Management services.
    • Production environments: If your environment is used for production resources, restrict access to the minimum permissions level as indicated in the Permissions tab of the details page of the deployable architecture catalog entry.

    For more information, see Using an API key with Secrets Manager to authorize a project to deploy an architecture.

  • Optional: Install the IBM Cloud CLI Project plug-in by running the ibmcloud plugin install project command. For more information, see the Project CLI reference.

  • Optional: Familiarize yourself with the Customization options.

You might see notifications in IBM Cloud Projects that new versions of a configuration are available. You can ignore these messages because they do not prevent you from deploying the stack. No specific action is required from you. These notifications are expected, as we are rapidly iterating on the development of the underlying components. As new stack versions become available, the versions of the underlying components are also updated.