Implementing CSPM (Cloud Security Posture Management) for IBM Cloud
The compliance module in IBM Cloud® Security and Compliance Center Workload Protection maintains a detailed inventory of resources, enabling prioritization based on full context, and facilitating the resolution of posture misconfigurations. The compliance module supports cloud and Kubernetes Security Posture Management (CSPM and KSPM, respectively) across hybrid cloud environments.
Workload Protection CSPM and KSPM provide compliance and configuration management of resources and critical workloads. Several predefined policies are supported, including IBM Cloud Framework for Financial Services, Digital Operational Resilience Act (DORA) or CIS IBM Cloud Foundations Benchmark to achieve security and compliance for your environment. Custom policies are also supported.
The IBM Cloud CSPM feature in Workload Protection interacts with App Configuration for gathering all your resource configuration details. The integration uses IBM IAM trusted profiles for managing permissions.
You can easily integrate IBM Cloud accounts to implement CSPM for new and for existing Workload Protection instances.
Before you begin
Before you get started, make sure you have the following requirements completed:
- You have assigned at least the Manager role to the App Configuration service. This is required for CSPM to enable service configuration collection.
- You already have a Workload Protection instance or enough permissions to create a new instance.
- Permissions to create and manage trusted profiles.
Integrating with an existing Workload Protection instance
To enable CSPM for your IBM Cloud account from your existing Workload Protection instance, follow the next steps:
- Go to the Resource list and select your Workload Protection instance. You can find your Workload Protection instances under the Security section.
- Select Sources and go to the IBM Cloud Account tab.
- In this tab, click on Add. Introduce the trusted profile name, App Configuration name, and select the plan.
- Finally, click on Add to have CSPM on your IBM Cloud account.
Once you provision your instance, results are displayed a few minutes after the connection is established, depending on the number of resources.
Integrating to a new Workload Protection instance
To enable CSPM for your IBM Cloud account when provisioning a new Workload Protection instance via IBM Cloud catalog, set the Enable Cloud Security Posture Management (CSPM) for your IBM Cloud account switch to on.
- Select the trusted profile name that will be used for connecting to App Configuration service and collecting resource definitions for running the posture validations.
- Select the App Configuration instance name and plan. By default the Basic plan is selected.
Once you provision your instance, results are displayed about 5-10 minutes after the connection is established, depending on the number of resources.
Disabling CSPM on the IBM Cloud account
To disable CSPM for your IBM Cloud account, follow the next steps:
- Go to the Resource list and select your Workload Protection instance. You can find all Workload Protection instances under the Security section.
- Select Sources and go to the IBM Cloud Account tab.
- Click on the three dots of the account you want to disable and click Remove.
Your account will be disabled for CSPM in the selected Workload Protection instance.
Integrating your account
This section describes the steps you need to perform with the CLI and API in order to manually onboard an IBM Cloud account onto Workload Protection for implementing CSPM.
You can use the steps described here to also integrate a different IBM Cloud account than the one where you have your Workload Protection instance.
Before you begin:
- You need to have a Workload Protection instance. If you don't have one, create one as described in Provisioning an instance.
- Get your Workload Protection CRN. You can get this by going to the Resource list and clicking the service that you're targeting. In the Details section, copy the CRN. It will be referenced in this section as workload-protection-instance-crn.
- Get your Workload Protection name. You can get this by going to the Resource list and clicking the service that you're targeting. In the Details section, copy the Name. It will be referenced in this section as workload-protection-instance-name.
- Make sure you have the correct permissions to create trusted profiles, App Configuration and Workload Protection instances:
  - Account owner.
  - Administrator role on all account management services.
  - Administrator role on the IAM Identity Service. For more information, see IAM Identity service.
- Installation of the IBM Cloud CLI. If the CLI is already installed, continue with the next step.
- Log in to the IBM Cloud account and region where you want to provision the instances. Run the following command:
ibmcloud login
This integration requires the following five steps:
- Create a trusted profile between Workload Protection and App Configuration.
- Create App Configuration instance.
- Create a trusted profile for App Configuration to collect resource configuration.
- Configure the App Configuration instance for collecting service configurations.
- Onboard your IBM Cloud account to your Workload Protection instance.
Step 1: Create a trusted profile for Workload Protection interaction with App Configuration
Before this step, your Workload Protection instance must already have been created. The Workload Protection instance CRN is used for creating and configuring the trusted profile to interact with App Configuration.
- It requires the following access policies:
  - Enterprise account (Viewer + Usage Report Viewer) for validating the type of account.
  - App Configuration (Manager + Configuration Aggregator Reader).
- CRN (Trust Relationship – IBM Cloud Services) is the Workload Protection CRN. For example:
crn:v1:bluemix:public:sysdig-secure:us-south:a/1560be5426584bf8a43e75xxxxxxxxxx:299e4ca4-d96c-4fba-9691-xxxxxxxx::
You can create this trusted profile with the following CLI commands:
Create the trusted profile (you can modify the name). Save the ID to be used later. It will be referenced later as ibmcspm-tp-wp-app-config-ID:
ibmcloud iam trusted-profile-create ibmcspm-wp-app-config --description "Trusted profile for Workload Protection interaction with Config Service"
Assign the corresponding trust relationship. Replace workload-protection-instance-crn with your Workload Protection CRN:
ibmcloud iam trusted-profile-identity-create ibmcspm-wp-app-config --id workload-protection-instance-crn --id-type CRN
Create the policy for the trusted profile for the enterprise account:
ibmcloud iam trusted-profile-policy-create ibmcspm-wp-app-config -r Viewer,"Usage Report Viewer" --service-name enterprise
Create the Policy for the trusted profile for App Configuration:
ibmcloud iam trusted-profile-policy-create ibmcspm-wp-app-config -r Manager,"Configuration Aggregator Reader" --service-name apprapp
Step 2: Create App Configuration instance
In this step, you'll be creating an App Configuration instance that your Workload Protection will use for collecting all resource definitions to implement the IBM Cloud CSPM.
You can create a new App Configuration instance with the following CLI command. You can change the plan, region or resource group. See this doc for more information.
Save the CRN and the GUID to be used later. They will be referenced later as app-config-aggregator-CRN and app-config-aggregator-ID respectively.
Run the following command to create the App Configuration instance. Replace the plan, region or resource group based on your needs:
ibmcloud resource service-instance-create "ibmcspm-app-config" "apprapp" "basic" "us-south" -g Default
Note that the CRN (ID from the output) is referenced as app-config-aggregator-CRN. Likewise, the instance ID (GUID from the output) is referenced as app-config-aggregator-ID. Save those values, as they will be used in the following steps.
Step 3: Trusted profile for App Configuration for collecting service configuration
In this step, you'll be creating the trusted profile that your App Configuration instance uses to collect all service configurations to perform IBM Cloud CSPM. Make sure you have the App Configuration CRN (app-config-aggregator-CRN) you created in Step 2; it is required to configure the trust relationship correctly.
- It requires the following access policies:
  - All Account Management services (Viewer + Service Configuration Reader).
  - All Identity and Access enabled services (Reader + Viewer + Service Configuration Reader).
- CRN (Trust Relationship – IBM Cloud Services) is the App Configuration (Config Service) CRN. For example:
crn:v1:bluemix:public:apprapp:us-south:a/1560be5426584bf8a43e75xxxxxxxxxx:b4829f20-6d22-4604-939d-xxxxxxxx::
You can create this trusted profile with the following CLI commands:
Create the trusted profile (you can modify the name). Note: save the ID to be used later. It will be referenced later as ibmcspm-tp-app-config-aggregator-ID:
ibmcloud iam trusted-profile-create ibmcspm-app-config-aggregator --description "Trusted profile for App Configuration for collecting service configuration"
Assign the corresponding trust relationship. Replace app-config-aggregator-CRN with your App Configuration CRN from Step 2:
ibmcloud iam trusted-profile-identity-create ibmcspm-app-config-aggregator --id app-config-aggregator-CRN --id-type CRN
Create the policy for the trusted profile on all Account Management services:
ibmcloud iam trusted-profile-policy-create ibmcspm-app-config-aggregator -r Viewer,"Service Configuration Reader" --service-name "All Account Management services"
Create the policy for the trusted profile on all Identity and Access enabled services (Reader, Viewer and Service Configuration Reader, as listed above):
ibmcloud iam trusted-profile-policy-create ibmcspm-app-config-aggregator -r Reader,Viewer,"Service Configuration Reader" --service-name "All Identity and Access enabled services"
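Both trusted profiles above are meant to carry exactly the roles listed in Step 1 and Step 3 and nothing more, and they are the identities that will read every resource configuration in the account, so it is worth checking them after creation. The following script is an added example, not IBM's tooling: it audits the policy list that ibmcloud iam trusted-profile-policies <name> --output json returns against the role sets on this page and reports roles that are missing as well as roles that go beyond the page (over-privilege). The sample policy JSON is constructed in the v1 IAM policy shape, and the mapping of the two "All ... services" scopes to a serviceType attribute is an assumption of this example.

```python
# Added example (not IBM tooling): audit the two CSPM trusted profiles against
# the least-privilege role sets listed in Step 1 and Step 3. Input is the JSON
# from `ibmcloud iam trusted-profile-policies <name> --output json`; the
# samples below are constructed in the v1 IAM policy shape (an assumption).
import json

# Expected roles per profile, keyed by the scope names used on this page.
EXPECTED = {
    "ibmcspm-wp-app-config": {
        "enterprise": {"Viewer", "Usage Report Viewer"},
        "apprapp": {"Manager", "Configuration Aggregator Reader"},
    },
    "ibmcspm-app-config-aggregator": {
        "All Account Management services": {"Viewer", "Service Configuration Reader"},
        "All Identity and Access enabled services": {
            "Reader", "Viewer", "Service Configuration Reader"},
    },
}


def policy_scope(policy):
    """Map a policy's resource attributes to the scope names used above.
    Assumption: IAM expresses the two "All ... services" scopes through the
    serviceType attribute (platform_service / service)."""
    for res in policy.get("resources", []):
        attrs = {a["name"]: a["value"] for a in res.get("attributes", [])}
        if "serviceName" in attrs:
            return attrs["serviceName"]
        if attrs.get("serviceType") == "platform_service":
            return "All Account Management services"
        if attrs.get("serviceType") == "service":
            return "All Identity and Access enabled services"
    return "unscoped"


def policy_roles(policy):
    """Role display names granted by one policy."""
    return {r["display_name"] for r in policy.get("roles", [])}


def audit_profile(profile_name, policies):
    """Return human-readable findings: roles missing from the expected set and
    roles granted beyond it (over-privilege). An empty list means the profile
    matches the page exactly."""
    expected = EXPECTED[profile_name]
    granted = {}
    for policy in policies:
        granted.setdefault(policy_scope(policy), set()).update(policy_roles(policy))
    findings = []
    for scope, roles in expected.items():
        missing = roles - granted.get(scope, set())
        if missing:
            findings.append(f"{profile_name}: {scope}: missing {sorted(missing)}")
    for scope, roles in granted.items():
        extra = roles - expected.get(scope, set())
        if extra:
            findings.append(f"{profile_name}: {scope}: unexpected {sorted(extra)}")
    return findings


# Constructed sample: the Step 1 profile with one role missing on the
# enterprise policy and an Administrator role nobody asked for on apprapp.
WP_PROFILE_POLICIES = json.loads("""[
  {"id": "policy-1", "type": "access",
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer", "display_name": "Viewer"}],
   "resources": [{"attributes": [{"name": "accountId", "value": "1560be5426584bf8a43e75xxxxxxxxxx"},
                                 {"name": "serviceName", "value": "enterprise"}]}]},
  {"id": "policy-2", "type": "access",
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator", "display_name": "Administrator"},
             {"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager", "display_name": "Manager"},
             {"role_id": "crn:v1:bluemix:public:iam::::serviceRole:ConfigurationAggregatorReader",
              "display_name": "Configuration Aggregator Reader"}],
   "resources": [{"attributes": [{"name": "accountId", "value": "1560be5426584bf8a43e75xxxxxxxxxx"},
                                 {"name": "serviceName", "value": "apprapp"}]}]}
]""")

# Constructed sample: the Step 3 profile exactly as the page specifies it.
AGGREGATOR_PROFILE_POLICIES = json.loads("""[
  {"id": "policy-3", "type": "access",
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer", "display_name": "Viewer"},
             {"role_id": "crn:v1:bluemix:public:iam::::role:ServiceConfigReader",
              "display_name": "Service Configuration Reader"}],
   "resources": [{"attributes": [{"name": "accountId", "value": "1560be5426584bf8a43e75xxxxxxxxxx"},
                                 {"name": "serviceType", "value": "platform_service"}]}]},
  {"id": "policy-4", "type": "access",
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader", "display_name": "Reader"},
             {"role_id": "crn:v1:bluemix:public:iam::::role:Viewer", "display_name": "Viewer"},
             {"role_id": "crn:v1:bluemix:public:iam::::role:ServiceConfigReader",
              "display_name": "Service Configuration Reader"}],
   "resources": [{"attributes": [{"name": "accountId", "value": "1560be5426584bf8a43e75xxxxxxxxxx"},
                                 {"name": "serviceType", "value": "service"}]}]}
]""")

if __name__ == "__main__":
    for name, policies in (("ibmcspm-wp-app-config", WP_PROFILE_POLICIES),
                           ("ibmcspm-app-config-aggregator", AGGREGATOR_PROFILE_POLICIES)):
        print(name, audit_profile(name, policies) or "OK")
```

Run against the real CLI output by piping ibmcloud iam trusted-profile-policies <name> --output json into json.load and passing the result to audit_profile. The "unexpected" findings are the ones to act on first: an Administrator or Manager role that the page does not call for widens what the collector identity can do far beyond reading configuration.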
Step 4: Configure the App Configuration instance for collecting service configurations
In this step, you configure App Configuration to start collecting your service configuration. Before starting this step, make sure you have:
- The App Configuration GUID (app-config-aggregator-ID) you created in Step 2.
- The trusted profile for App Configuration for collecting service configuration (ibmcspm-tp-app-config-aggregator-ID) that you created in Step 3.
For the following action, run an HTTP PUT request using curl.
First, get your IAM API token by running the following command:
export AUTH_TOKEN=`ibmcloud iam oauth-tokens | awk '{print $4}'`
This command stores your token in the variable AUTH_TOKEN. For more information, see Getting the IAM API token.
Now, run the following HTTP PUT request against your App Configuration instance. Replace <app-config-aggregator-ID> with your App Configuration instance ID, <ibmcspm-tp-app-config-aggregator-ID> with the trusted profile ID from Step 3, and <region> with the region where you created your App Configuration instance:
curl -X PUT -H "Authorization: Bearer $AUTH_TOKEN" https://<region>.apprapp.cloud.ibm.com/apprapp/config-aggregator/v1/instances/<app-config-aggregator-ID>/settings -d '{"resource_collection_enabled": true, "trusted_profile_id": "<ibmcspm-tp-app-config-aggregator-ID>", "regions": ["all"]}'
You should receive the output with the configuration you have set, similar to:
{"additional_scope":[],"last_updated":"2024-06-20T15:17:15Z","regions":["all"],"resource_collection_enabled":true,"trusted_profile_id":"<ibmcspm-tp-app-config-aggregator-ID>"}
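A settings call that silently lands with the wrong trusted profile, or with collection disabled, produces an empty or stale inventory later and is hard to trace back to this step. The script below is an added example, not IBM's code: it builds the same PUT as the curl command above (URL path and body fields taken from this page; the Content-Type header and the helper names are this example's own choices), optionally sends it with urllib, and checks the response the way a practitioner would before moving on to Step 5. The sample response is the one shown above, with its placeholders kept.

```python
# Added example (not IBM's code): build the config-aggregator settings PUT from
# Step 4 and check its response before moving on. Assumes the URL path and
# body fields shown on this page; the Content-Type header and helper names are
# this example's own choices.
import json
import urllib.request

BASE = ("https://{region}.apprapp.cloud.ibm.com/apprapp/config-aggregator/v1/"
        "instances/{instance_id}/settings")


def settings_request(region, instance_id, trusted_profile_id, regions=("all",)):
    """Return (url, json_body) matching the curl command above."""
    url = BASE.format(region=region, instance_id=instance_id)
    body = {
        "resource_collection_enabled": True,
        "trusted_profile_id": trusted_profile_id,
        "regions": list(regions),
    }
    return url, json.dumps(body)


def send_settings(token, region, instance_id, trusted_profile_id, regions=("all",)):
    """Perform the PUT (a network call, not exercised offline) and return the parsed response."""
    url, body = settings_request(region, instance_id, trusted_profile_id, regions)
    req = urllib.request.Request(
        url, data=body.encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def check_settings(response, expected_trusted_profile_id, expected_regions=("all",)):
    """Return a list of problems in the settings response; empty means the
    aggregator is collecting, bound to the intended profile, in the intended regions."""
    problems = []
    if response.get("resource_collection_enabled") is not True:
        problems.append("resource collection is not enabled")
    if response.get("trusted_profile_id") != expected_trusted_profile_id:
        problems.append("trusted_profile_id does not match the Step 3 profile: "
                        f"{response.get('trusted_profile_id')!r}")
    if set(response.get("regions", [])) != set(expected_regions):
        problems.append(f"regions are {response.get('regions')!r}, "
                        f"expected {list(expected_regions)!r}")
    if response.get("additional_scope"):
        problems.append(f"unexpected additional_scope: {response['additional_scope']!r}")
    return problems


# Constructed sample: the response shown on this page, placeholders kept.
SAMPLE_RESPONSE = json.loads(
    '{"additional_scope":[],"last_updated":"2024-06-20T15:17:15Z","regions":["all"],'
    '"resource_collection_enabled":true,'
    '"trusted_profile_id":"<ibmcspm-tp-app-config-aggregator-ID>"}')

if __name__ == "__main__":
    url, body = settings_request("us-south", "<app-config-aggregator-ID>",
                                 "<ibmcspm-tp-app-config-aggregator-ID>")
    print("PUT", url, body)
    print("problems:", check_settings(SAMPLE_RESPONSE, "<ibmcspm-tp-app-config-aggregator-ID>"))
```

In practice you would call send_settings with the token from AUTH_TOKEN and pass its return value to check_settings; an empty problem list is the signal to continue to Step 5.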
Step 5: Onboard your IBM Cloud account to your Workload Protection instance
In this final step, you configure your Workload Protection instance. You need the following values from previous steps:
- Your Workload Protection instance name (workload-protection-instance-name).
- The App Configuration CRN (app-config-aggregator-CRN) that you created in Step 2.
- The trusted profile for Workload Protection to interact with App Configuration (ibmcspm-tp-wp-app-config-ID) that you created in Step 1.
- Your IBM Cloud account ID (<ibm-cloud-account-id>). You can get it under Manage > Account > Account Settings, in the Account ID field.
If you have previously onboarded any other IBM Cloud account or set any other parameter, make sure to keep the existing parameters, because the update replaces them. You can see the parameters currently set on your instance by running ibmcloud resource service-instance <workload-protection-instance-name> --output json, replacing <workload-protection-instance-name> with your Workload Protection instance name.
Run the following CLI command to update your Workload Protection instance and onboard your IBM Cloud account. Replace <workload-protection-instance-name> with your Workload Protection instance name, <app-config-aggregator-CRN> with your App Configuration instance CRN, <ibmcspm-tp-wp-app-config-ID> with the trusted profile ID created in Step 1, and <ibm-cloud-account-id> with your IBM Cloud account ID.
ibmcloud resource service-instance-update "<workload-protection-instance-name>" -p '{"enable_cspm": true, "target_accounts": [{"account_id": "<ibm-cloud-account-id>", "config_crn": "<app-config-aggregator-CRN>", "trusted_profile_id": "<ibmcspm-tp-wp-app-config-ID>"}]}' -g Default
Verifying CSPM implementation
Verify the integration by following these steps:
- In your Workload Protection instance, select Sources / IBM Cloud Account. You should see your IBM Cloud account with the Active status. The status can take a few minutes to be updated.
- Access your Workload Protection instance by clicking Open dashboard; your account will be listed under Integrations / Cloud Accounts.
- In your Workload Protection, access Inventory and review the list of IBM Cloud resources of your account. You have many predefined filters available that you can choose from. Alternatively, you can use the search box to filter by resource type or resource name. By clicking in each resource, you can review the resource configuration, the posture controls applied against it and the results of the evaluation.
- By accessing Posture / Compliance, you can review the results of the available frameworks (such as IBM Cloud Framework for Financial Services) of your IBM Cloud resources.
Disabling CSPM for IBM Cloud with the CLI
To disable CSPM for your account, run the following command. Replace <workload-protection-instance-name> with your Workload Protection instance name, <app-config-aggregator-CRN> with your App Configuration instance CRN, <ibmcspm-tp-wp-app-config-ID> with the trusted profile ID created in Step 1, and <ibm-cloud-account-id> with your IBM Cloud account ID:
ibmcloud resource service-instance-update "<workload-protection-instance-name>" -p '{"enable_cspm": true, "target_accounts": [{"account_id": "<ibm-cloud-account-id>", "config_crn": "<app-config-aggregator-CRN>", "trusted_profile_id": "<ibmcspm-tp-wp-app-config-ID>", "delete": true}]}' -g Default
This is the same command described in Step 5 with the addition of "delete": true.
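Both the Step 5 onboarding command and the removal command above pass the complete parameter map with -p, so a hand-typed payload that omits an account onboarded earlier, or some other parameter the instance already carries, drops it. The script below is an added example, not IBM's code: it reads the instance's current parameters, merges in the account to onboard (or marks it with "delete": true for removal) while keeping everything else, and emits the service-instance-update command as an argv list so the JSON never passes through shell quoting. It assumes that ibmcloud resource service-instance <name> --output json returns the instance object (or a one-element list of matches) with a "parameters" field; the sample instance is constructed.

```python
# Added example (not IBM's code): build the -p payload for the Step 5
# onboarding and the "delete": true removal while keeping the parameters the
# instance already has. Assumption: `ibmcloud resource service-instance NAME
# --output json` yields the instance object(s) with a "parameters" field.
import json


def existing_parameters(instance_json):
    """Extract the current 'parameters' map; the CLI may return a list of matches."""
    data = json.loads(instance_json) if isinstance(instance_json, str) else instance_json
    if isinstance(data, list):
        if len(data) != 1:
            raise ValueError(f"expected exactly one instance, got {len(data)}")
        data = data[0]
    return dict(data.get("parameters") or {})


def cspm_parameters(existing, account_id, config_crn, trusted_profile_id, delete=False):
    """Return the full parameter map: existing keys kept, enable_cspm set, and the
    given account placed in target_accounts (replacing an earlier entry for the
    same account). With delete=True the entry carries "delete": true, which is
    how the page removes an account."""
    params = dict(existing)
    params["enable_cspm"] = True
    accounts = [a for a in params.get("target_accounts", [])
                if a.get("account_id") != account_id]
    entry = {"account_id": account_id, "config_crn": config_crn,
             "trusted_profile_id": trusted_profile_id}
    if delete:
        entry["delete"] = True
    accounts.append(entry)
    params["target_accounts"] = accounts
    return params


def update_command(instance_name, params, resource_group="Default"):
    """argv for subprocess.run(): no shell quoting of the JSON to get wrong."""
    return ["ibmcloud", "resource", "service-instance-update", instance_name,
            "-p", json.dumps(params, separators=(",", ":")), "-g", resource_group]


# Constructed sample: an instance that already monitors one account and has an
# unrelated parameter that must survive the update.
SAMPLE_INSTANCE = """[{"name": "my-workload-protection", "parameters": {
  "enable_cspm": true,
  "custom_option": "keep-me",
  "target_accounts": [{"account_id": "11111111111111111111111111111111",
                       "config_crn": "crn:v1:bluemix:public:apprapp:us-south:a/<account-1>:<instance-1>::",
                       "trusted_profile_id": "Profile-1111"}]}}]"""

if __name__ == "__main__":
    current = existing_parameters(SAMPLE_INSTANCE)
    new_crn = "crn:v1:bluemix:public:apprapp:us-south:a/<account-2>:<instance-2>::"
    onboarded = cspm_parameters(current, "22222222222222222222222222222222", new_crn, "Profile-2222")
    print(" ".join(update_command("my-workload-protection", onboarded)))
    removed = cspm_parameters(onboarded, "22222222222222222222222222222222", new_crn,
                              "Profile-2222", delete=True)
    print(" ".join(update_command("my-workload-protection", removed)))
```

Feed existing_parameters the output of the ibmcloud resource service-instance command for the real instance, then hand the list from update_command to subprocess.run; both the onboarding and the removal payload keep the first account and custom_option intact.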