logo

Get your Cloud Access Management Data and Examine it

Posted by Marbenz Antonio on March 20, 2023

3 Steps to Implement Identity & Access Management | OneLogin Blog

As an IBM Cloud account holder, it’s your responsibility to establish and supervise access management for your cloud resources. They discussed methods for obtaining information on IBM Cloud account privileges and enhancing security by detecting inactive identities. In this blog post, we’ll provide an overview of available APIs that enable you to acquire identity and access management (IAM) and resource data. Following that, we’ll demonstrate how to examine this security data. By utilizing these insights, you can enhance the security of your IBM Cloud account and its resources.

Numerous techniques exist for analyzing access management data, but our preferred method is to extract the data and save it in a relational database. This enables us to merge data from various origins and execute SQL queries, facilitating the creation of security reports.

Overview: Access management data

If you have experience working with IBM Cloud and have explored security and compliance in the past, you might already be familiar with all the resources listed below for enhancing account security:

Apart from the resources mentioned above, there exists data related to the account, its resources, user and service IDs, and their permissions. We refer to this data as “access management data” in this article. There are numerous ways to access and retrieve this data, including through the IBM Cloud console (UI), command line interface (CLI), and other interfaces. However, we will concentrate on the Application Programming Interfaces (APIs) for the IBM Cloud platform services in this article (as displayed in the screenshot above). Their documentation is available in the API and SDK reference library under the Platform category.

The key IBM Cloud APIs relevant to access management data are as follows:

Although there are other APIs accessible, the ones listed above are the primary ones. These APIs provide a (mostly static) overview of the security configuration by collecting data. This overview is similar, in a general sense and disregarding specific details, to the evaluation performed by the IBM Cloud Security and Compliance Center.

To use each of the API functions, an IAM access token is required, and each returns a JSON data set. However, the true worth of these APIs is in combining the data they provide to create a comprehensive view of the security setup – similar to assembling a puzzle from numerous pieces. This is the first step toward security analysis. The data from all APIs can either be held briefly in memory (for generating a few reports) or persisted for more in-depth analysis. They chose to persist the data by breaking down the JSON objects into relational tables. This enables us to utilize SQL queries and leverage their expressive capabilities for analysis.

It’s worth noting that the analysis we perform does not encompass any dynamic membership rules or context- or time-based access decisions. Such decisions necessitate more dynamic data and are made during IAM processing. We do not aim to replicate IAM decisions as they are highly contextual and dynamic. Instead, their analysis helps in identifying potential areas of concern within the security setup that may require further investigation and possible enhancement.

Retrieve and store

To construct our foundation using access management data, they began by transforming various JSON objects into relational tables. Several JSON objects have nested data, such as when listing policies, where the results include metadata, subjects, roles, and resource information associated with the policy. Consequently, their data store has four tables related to policies.

They decided to use Python to retrieve and store the data by leveraging pre-existing code from their past projects. Depending on the API function, retrieving data may necessitate paging through result sets. Typically, a single result is limited to 100 objects. Some API functions require additional parameters for obtaining enriched results, which include supplementary information that is beneficial for security analysis.

The code employs SQLAlchemy, which is a Python database toolkit, to interact with the data store. This provides the flexibility to switch between different backend databases, such as SQLite, PostgreSQL, or Db2 on Cloud, with ease.

Analyze cloud access management

Now that they have established the data store, they can proceed with the analysis of the cloud access management data. By consolidating data that is typically dispersed across different console pages or requires multiple API calls/CLI commands, they can effortlessly address security-related inquiries, such as:

  • Which cloud service instances are referenced in access policies but do not exist?
  • Which cloud service instances exist but are not used in any access group and their policies?
  • Which users (or service IDs or trusted profiles) are not members of any access group?
  • Which access groups do not have any policies with Reader or Viewer roles?
  • Which access groups do not reference any region or resource group in their policies?

The SQL queries required to answer the above questions can be executed from a Python script in a Jupyter or Zeppelin notebook, or any other SQL client. A section of a basic text-based report generated by a straightforward Python script is depicted in the screenshot below.

Conclusions

Analyzing cloud access management data is crucial to improving the security of your IBM Cloud account and its resources. The IBM Cloud platform services provide a set of APIs that allow you to obtain identity and access management (IAM) and resource data, which can be analyzed to gain insights into your cloud security setup. By combining data from multiple sources and running SQL queries, you can generate security reports and answer important security-related questions. Using tools like Python and SQLAlchemy, you can easily retrieve and store the data in a relational database, enabling deeper analysis and reporting. By taking advantage of these resources, you can enhance the security of your IBM Cloud account and better protect your resources.

 


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com

Verified by MonsterInsights