Control: 3.5 Ensure the account owner can login only from a list of authorized countries/IP ranges
Description
Monitor the account owner's access to the IBM Cloud account is done from authorized locations that are restricted by IP addresses.
Remediation
Complete the following steps to monitor the locations from which the account owner logs in to the account:
First, you need to identify the email of the account owner.
- In the Cloud UI, go to Manage > Access (IAM), then select Users.
- Identify the user that has the tag owner.
- Select the account owner. Then, click Details.
- Copy the email address of the account owner and the list of authorized IP addresses.
Launch the Activity Tracker instance in Frankfurt. This is the instance where login security events are collected in the account. In the Views section, select the Everything view. Then, enter the following query in the search bar: (action login) AND initiator.name: < email address > AND -initiator.host.address:(list of IP addresses). Replace with the account owner's email address. Replace with the list of IP addresses that are separated by OR, for example, (xxx.xxx.xxx.xxx OR xxx.xxx.xxx.xxx) and configured for the account owner. The view now reports all the events that are reported when the account owner tries to login from an unauthorized location.
Next, you can define an alert on the view to get a notification immediately after 1 event is received.
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_3_5
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run ibm_compliance.control.cis_v100_3_5 --share
SQL
This control uses a named query:
manual_control