Control: 1.1 Monitor account owner for frequent, unexpected, or unauthorized logins
Description
Monitor login activity of the account owner to prevent unauthorized usage of the privileged account.
Remediation
From Console
Complete the following steps to monitor how many times an account owner logs in to the account:
First, you need to identify the email of the account owner.
- Log in to IBM Cloud.
- In the Cloud UI, go to Manage > Access (IAM), then select Users.
- Identify the user that has the tag owner.
- Select the account owner. Then, click Details.
- Copy the email address of the account owner.
Next, find the account owner's login events and define an alert on them.
- Launch the Activity Tracker instance in Frankfurt. This is the instance where login security events are collected in the account.
- In the Views section, select the Everything view.
- Enter the following query in the search bar: (action login) AND initiator.name: email address. Replace email address with the account owner's email address. The view now reports all the login actions that are reported for the account owner.
- Define an alert on the view to get a notification when N events are received within a 24-hour period. The value of N depends on how you operate your cloud. You can start with a default value of 25 and increase or decrease it depending on the tasks that the account administrator can perform in the account.
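The same threshold check can be run offline over exported events, for example to choose a value of N before enabling the alert. The following is an added example, not part of the original control or of Steampipe. It assumes each event is a dictionary with eventTime, action and initiator.name fields; the function name and all sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)

def owner_login_alerts(events, owner_email, threshold=25):
    """Return (time, count) for each point where the owner's logins in the
    trailing 24 hours first reach the threshold (N). An alert re-arms only
    after the count has dropped back below the threshold."""
    logins = sorted(
        datetime.fromisoformat(e["eventTime"])
        for e in events
        # Mirrors the view query: (action login) AND initiator.name: <owner>
        if "login" in e.get("action", "")
        and e.get("initiator", {}).get("name") == owner_email
    )
    window, alerts, armed = deque(), [], True
    for t in logins:
        window.append(t)
        while t - window[0] >= WINDOW:  # drop logins older than 24 hours
            window.popleft()
        if len(window) >= threshold:
            if armed:
                alerts.append((t, len(window)))
                armed = False
        else:
            armed = True
    return alerts

# --- Constructed sample data (field layout is an assumption) ---
OWNER = "owner@example.com"
LOGIN = "iam-identity.user-apikey.login"
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

def make_event(ts, action, name):
    return {"eventTime": ts.isoformat(), "action": action, "initiator": {"name": name}}

SAMPLE = (
    # Burst: 30 owner logins, one every 30 minutes
    [make_event(T0 + timedelta(minutes=30 * i), LOGIN, OWNER) for i in range(30)]
    # Quiet day two days later: 3 owner logins
    + [make_event(T0 + timedelta(days=2, hours=i), LOGIN, OWNER) for i in range(3)]
    # Noise: another user's logins and a non-login action by the owner
    + [make_event(T0 + timedelta(minutes=i), LOGIN, "dev@example.com") for i in range(40)]
    + [make_event(T0, "iam-am.policy.create", OWNER)]
)

if __name__ == "__main__":
    for when, count in owner_login_alerts(SAMPLE, OWNER):
        print(f"ALERT {when.isoformat()} owner logins in last 24h: {count}")
```

Lowering the threshold argument shows how early in a burst the alert would have fired for a given N.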
Usage
Run the control in your terminal:
steampipe check ibm_compliance.control.cis_v100_1_1
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share ibm_compliance.control.cis_v100_1_1
SQL
This control uses a named query:
manual_control