Enabling cloud compliance with CSPM
Enable cloud security posture management (CSPM) in Workload Protection to scan your IBM Cloud resources for compliance with security and regulatory frameworks. With CSPM enabled, Workload Protection continuously evaluates your cloud resources against predefined policies, helping you identify and resolve issues before they become security risks.
This topic focuses on enabling CSPM for IBM Cloud. Need to enable CSPM for another cloud provider, like AWS, Azure, GCP, or OCI? See Connect cloud accounts for more information.
To learn more about CSPM and how it works, go to About Workload Protection. To see an example workflow, go to Analyzing compliance postures from detection to remediation.
CSPM for Workload Protection depends on App Configuration, which collects configuration details from your IBM Cloud resources. The configuration aggregator feature in App Configuration is included at no charge as part of the Lite plan. The integration uses IAM trusted profiles to manage permissions securely.
You can enable CSPM for individual IBM Cloud accounts or for your entire enterprise. For enterprise-level compliance scanning, see Enabling cloud compliance for enterprises.
CSPM is enabled by default when you create an instance of Workload Protection. However, if you decide to disable it, you can enable it at any time by completing the following steps. For more information on creating an instance of Workload Protection with CSPM enabled, see Getting started.
Before you begin
Before you get started, make sure that you have the following:
- An existing App Configuration instance. For more information, see Creating an instance.
- Manager role or greater on the App Configuration service.
- An existing Workload Protection instance with CSPM disabled. For more information, see Set up Workload Protection.
- Editor role or greater on the Workload Protection service.
- Permissions to create and manage trusted profiles.
- The CRNs for your Workload Protection and App Configuration instances. If you don't already have them, you can find the CRNs by completing the following steps:
  - In the IBM Cloud console, click the Navigation Menu icon > Resource list and search for the service, either Workload Protection or App Configuration.
  - After you open your instance of App Configuration, click Details and copy the CRN.
  - After you open your instance of Workload Protection, copy the CRN from the Details panel.
If context-based restrictions are enabled for resources in your account, App Configuration cannot collect their configuration data until you create a rule that allows it. When you create the rule, select App Configuration as the reference service.
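Before pasting the two CRNs into the console, it is worth checking that they are well formed, that each one names the service you expect, and that both instances live in the same account. The following Python script is an added example and is not part of this documentation or of the Workload Protection product. It parses a CRN into its ten colon-separated fields (crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource). The service names it expects (`sysdig-secure` for Workload Protection, `apprapp` for App Configuration) are assumptions based on the IBM Cloud catalog; compare them against the CRNs your own instances show. The sample CRNs and account ID are constructed for the example.

```python
"""Sanity checks for the Workload Protection and App Configuration CRNs.

Added example, not IBM Cloud documentation or product code. The expected
service names and the sample CRNs below are assumptions constructed for
this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The ten fields of an IBM Cloud CRN, in order.
CRN_FIELDS = ("prefix", "version", "cname", "ctype", "service_name",
              "location", "scope", "service_instance", "resource_type", "resource")

# Assumed catalog service names for the two instances involved in CSPM setup.
EXPECTED_SERVICES = {
    "Workload Protection": "sysdig-secure",
    "App Configuration": "apprapp",
}

# Constructed sample CRNs (same account, distinct instance GUIDs).
SAMPLE_ACCOUNT = "0123456789abcdef0123456789abcdef"
SAMPLE_WP_CRN = (f"crn:v1:bluemix:public:sysdig-secure:us-south:a/{SAMPLE_ACCOUNT}:"
                 "11111111-2222-3333-4444-555555555555::")
SAMPLE_AC_CRN = (f"crn:v1:bluemix:public:apprapp:us-south:a/{SAMPLE_ACCOUNT}:"
                 "66666666-7777-8888-9999-000000000000::")


@dataclass(frozen=True)
class CRN:
    prefix: str
    version: str
    cname: str
    ctype: str
    service_name: str
    location: str
    scope: str
    service_instance: str
    resource_type: str
    resource: str

    @classmethod
    def parse(cls, text: str) -> "CRN":
        """Split a CRN string into its fields, rejecting anything that is not crn:v1 with ten fields."""
        parts = text.strip().split(":")
        if len(parts) != len(CRN_FIELDS):
            raise ValueError(f"expected {len(CRN_FIELDS)} colon-separated fields, got {len(parts)}")
        if parts[0] != "crn" or parts[1] != "v1":
            raise ValueError("CRN must start with 'crn:v1:'")
        return cls(*parts)

    @property
    def account_id(self) -> Optional[str]:
        """Account ID from an account-scoped CRN (scope field 'a/<account-id>'), else None."""
        return self.scope[2:] if self.scope.startswith("a/") else None


def check_cspm_crns(wp_text: str, ac_text: str) -> List[str]:
    """Return a list of problems with the two CRNs; an empty list means they look usable."""
    problems: List[str] = []
    parsed: Dict[str, CRN] = {}
    for label, text in (("Workload Protection", wp_text), ("App Configuration", ac_text)):
        try:
            crn = CRN.parse(text)
        except ValueError as exc:
            problems.append(f"{label} CRN: {exc}")
            continue
        parsed[label] = crn
        expected = EXPECTED_SERVICES[label]
        if crn.service_name != expected:
            problems.append(f"{label} CRN names service '{crn.service_name}', expected '{expected}'")
        if not crn.service_instance:
            # A CRN with an empty service-instance field identifies the service, not an instance.
            problems.append(f"{label} CRN has no service-instance GUID; it is not an instance CRN")
        if crn.account_id is None:
            problems.append(f"{label} CRN scope '{crn.scope}' is not an account scope (a/<account-id>)")
    if len(parsed) == 2:
        wp, ac = parsed["Workload Protection"], parsed["App Configuration"]
        if wp.account_id != ac.account_id:
            problems.append("the two instances are in different accounts")
    return problems


if __name__ == "__main__":
    for line in check_cspm_crns(SAMPLE_WP_CRN, SAMPLE_AC_CRN) or ["CRNs look consistent"]:
        print(line)
```

Run it with your own CRNs in place of the samples; any line it prints is something to resolve before you continue with the trusted profile and the Sources tab.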
Creating a trusted profile
Create a trusted profile that allows your instance of Workload Protection to access the App Configuration service. Complete the following steps:
- Go to Manage > Access (IAM) > Trusted profiles and click Create.
- After providing a name for the trusted profile, establish trust by selecting IBM Cloud services as the trusted entity type, and enter the CRN for your Workload Protection instance.
- Add the following access policies to the trusted profile:
- Viewer and Usage Report Viewer roles on the Enterprise service.
- Configuration Aggregator Reader and Manager roles on the App Configuration service.
- After you create the trusted profile, copy the profile ID and save it for the next step.
Connecting your IBM Cloud account to Workload Protection
To start scanning your IBM Cloud account for compliance, add it to your existing Workload Protection instance. By doing so, you enable CSPM for your IBM Cloud account.
- In the IBM Cloud console, click the Navigation Menu icon > Security > Compliance, then click the name of your instance of Workload Protection.
- Click Sources, then select the IBM Cloud Account tab.
- Click Add and enter the trusted profile ID that you just created along with the CRN for your instance of App Configuration.
- Click Add to save your changes.
Enabling configuration aggregator in App Configuration
Your instance of Workload Protection is now connected to your instance of App Configuration. However, configuration aggregator within App Configuration must be enabled to gather information from your IBM Cloud account and resources. Complete the following steps:
- In the IBM Cloud console, click the Navigation Menu icon > Resource list and search for App Configuration.
- Click the name of the App Configuration instance to open it.
- Click Configuration aggregator > Define an aggregation.
- Select All regions to gather data from all regions, and click Save.
- Enable Recording to begin collecting configuration data.
Compliance scan results appear within 5-10 minutes after provisioning, depending on the number of resources in your account.
Disabling CSPM
To stop scanning your IBM Cloud account for compliance, disable CSPM.
- In the IBM Cloud console, click the Navigation Menu icon > Security > Compliance, then click the name of your instance of Workload Protection.
- Click Sources, then select the IBM Cloud Account tab.
- Click the actions menu for the account you want to remove, then click Remove.
Compliance scanning stops for the selected account.