Table: ibm_account - Query IBM Cloud Accounts using SQL
IBM Cloud Accounts are the foundational entities in IBM Cloud that provide the access to services, resources, and applications within IBM Cloud. They are used to organize resources, manage permissions, and control billing. IBM Cloud Accounts enable users to manage their cloud resources in a secure and efficient manner.
Table Usage Guide
The ibm_account
table provides insights into IBM Cloud Accounts. As a cloud administrator or DevOps engineer, explore account-specific details through this table, including account status, owner's identity, and associated metadata. Utilize it to uncover information about accounts, such as their creation time, resource group ID, and the state of the account.
Examples
Basic info
Explore the basic details of your IBM account such as name, status, and owner ID. This can be useful in understanding the current state of your account, and identifying the appropriate owner.
select name, guid as id, state, owner_user_idfrom ibm_account;
select name, guid as id, state, owner_user_idfrom ibm_account;
Get details about account owner
Explore which IBM accounts are linked with their respective owners, allowing you to identify instances where account ownership needs to be updated or verified. This provides useful insights into account management and ensures the correct assignment of resources.
select acc.name, acc.guid as id, acc.state, u.first_name || ' ' || u.last_name as owner_full_namefrom ibm_account as acc, ibm_iam_user as uwhere acc.owner_user_id = u.user_id;
select acc.name, acc.guid as id, acc.state, u.first_name || ' ' || u.last_name as owner_full_namefrom ibm_account as acc, ibm_iam_user as uwhere acc.owner_user_id = u.user_id;
Query examples
- ibm_account_count
- ibm_account_table
- ibm_compute_instance_by_account
- ibm_compute_instance_disk_age_table
- ibm_compute_instance_disk_by_account
- ibm_compute_instance_disk_storage_by_account
- ibm_is_security_group_by_acount
- ibm_is_volume_by_account
- ibm_is_volume_storage_by_account
- ibm_is_vpc_by_account
- ibm_kms_key_age_table
- ibm_kms_key_by_account
Control examples
- CIS v1.0.0 > 1 IAM > 1.1 Monitor account owner for frequent, unexpected, or unauthorized logins
- CIS v1.0.0 > 1 IAM > 1.14 Minimize the number of users with admin privileges in the account
- CIS v1.0.0 > 1 IAM > 1.15 Minimize the number of Service IDs with admin privileges in the account
- CIS v1.0.0 > 1 IAM > 1.17 Ensure Inactive User Accounts are Suspend
- CIS v1.0.0 > 1 IAM > 1.18 Enable audit logging for IBM Cloud Identity and Access Management
- CIS v1.0.0 > 1 IAM > 1.19 Ensure Identity Federation is set up with a Corporate IDP
- CIS v1.0.0 > 1 IAM > 1.2 Ensure API keys unused for 180 days are detected and optionally disabled
- CIS v1.0.0 > 1 IAM > 1.5 Ensure no owner account API key exists
- CIS v1.0.0 > 1 IAM > 1.6 Ensure compliance with IBM Cloud password requirements
- CIS v1.0.0 > 2 Storage > 2.1 Cloud Object Storage > 2.1.1 Cloud Object Storage Encryption > 2.1.1.1 Ensure Cloud Object Storage encryption is done with customer managed keys
- CIS v1.0.0 > 2 Storage > 2.1 Cloud Object Storage > 2.1.1 Cloud Object Storage Encryption > 2.1.1.2 Ensure Cloud Object Storage Encryption is set to On with BYOK
- CIS v1.0.0 > 2 Storage > 2.1 Cloud Object Storage > 2.1.1 Cloud Object Storage Encryption > 2.1.1.3 Ensure Cloud Object Storage Encryption is set to On with KYOK
- CIS v1.0.0 > 2 Storage > 2.1 Cloud Object Storage > 2.1.2 Ensure network access for Cloud Object Storage is restricted to specific IP range
- CIS v1.0.0 > 2 Storage > 2.1 Cloud Object Storage > 2.1.3 Ensure network access for Cloud Object Storage is set to be exposed only on Private end-points
- CIS v1.0.0 > 2 Storage > 2.1 Cloud Object Storage > 2.1.4 Ensure Cloud Object Storage bucket access is restricted by using IAM and S3 access control
- CIS v1.0.0 > 2 Storage > 2.2 File Block Storage > 2.2.1 Cloud Block Storage Encryption > 2.2.1.1 Ensure Block Storage is encrypted with customer managed keys
- CIS v1.0.0 > 2 Storage > 2.2 File Block Storage > 2.2.1 Cloud Block Storage Encryption > 2.2.1.2 Ensure Block Storage is encrypted with BYOK
- CIS v1.0.0 > 2 Storage > 2.2 File Block Storage > 2.2.1 Cloud Block Storage Encryption > 2.2.1.3 Ensure Block Storage is encrypted with KYOK
- CIS v1.0.0 > 2 Storage > 2.2 File Block Storage > 2.2.2 Ensure 'OS disk' are encrypted with Customer managed keys
- CIS v1.0.0 > 2 Storage > 2.2 File Block Storage > 2.2.3 Ensure 'Data disks' are encrypted with customer managed keys
- CIS v1.0.0 > 2 Storage > 2.2 File Block Storage > 2.2.4 Ensure 'Unattached disks' are encrypted with customer managed keys
- CIS v1.0.0 > 3 Maintenance, Monitoring and Analysis of Audit Logs > 3.1 Ensure auditing is configured in the IBM Cloud account
- CIS v1.0.0 > 3 Maintenance, Monitoring and Analysis of Audit Logs > 3.2 Ensure that archiving is enabled for audit events
- CIS v1.0.0 > 3 Maintenance, Monitoring and Analysis of Audit Logs > 3.3 Ensure that events are collected and processed to identify anomalies or abnormal events
- CIS v1.0.0 > 3 Maintenance, Monitoring and Analysis of Audit Logs > 3.4 Ensure alerts are defined on custom views to notify of unauthorized requests, critical account actions, and high-impact operations in your account
- CIS v1.0.0 > 3 Maintenance, Monitoring and Analysis of Audit Logs > 3.5 Ensure the account owner can login only from a list of authorized countries/IP ranges
- CIS v1.0.0 > 3 Maintenance, Monitoring and Analysis of Audit Logs > 3.6 Ensure Activity Tracker data is encrypted at rest
- CIS v1.0.0 > 3 Maintenance, Monitoring and Analysis of Audit Logs > 3.7 Ensure Activity Tracker trails are integrated with LogDNA Logs
- CIS v1.0.0 > 4 IBM Cloud Databases Family > 4.1 Ensure IBM Cloud Databases disk encryption is enabled with customer managed keys
- CIS v1.0.0 > 4 IBM Cloud Databases Family > 4.2 Ensure IBM Cloud Databases are only accessible via HTTPS or TLS Connections
- CIS v1.0.0 > 4 IBM Cloud Databases Family > 4.3 Ensure network access to IBM Cloud Databases service is set to be exposed on “Private end points only
- CIS v1.0.0 > 4 IBM Cloud Databases Family > 4.4 Ensure IBM Cloud Databases disk encryption is set to On
- CIS v1.0.0 > 5 Cloudant > 5.1 Ensure Cloudant encryption is set to On
- CIS v1.0.0 > 5 Cloudant > 5.2 Ensure IBM Cloudant encryption is enabled with customer managed keys
- CIS v1.0.0 > 5 Cloudant > 5.3 Ensure IBM Cloudant is only accessible via HTTPS or TLS Connections
- CIS v1.0.0 > 6 Networking > 6.1 IBM Cloud Internet Services > 6.1.2 Ensure Web application firewall is set to ON in IBM Cloud Internet Services (CIS)
- CIS v1.0.0 > 6 Networking > 6.1 IBM Cloud Internet Services > 6.1.3 Ensure DDoS protection is Active on IBM Cloud Internet Services
- CIS v1.0.0 > 6 Networking > 6.2 IBM Virtual Private Cloud (VPC) > 6.2.2 Ensure the default security group of every VPC restricts all traffic
- CIS v1.0.0 > 7 Containers > 7.1 IBM Kubernetes Service > 7.1.1 Use a Key Management Service (KMS) provider to encrypt data in Kubernetes secrets > 7.1.1.1 Ensure Kubernetes secrets data is encrypted with bring your own key (BYOK)
- CIS v1.0.0 > 7 Containers > 7.1 IBM Kubernetes Service > 7.1.1 Use a Key Management Service (KMS) provider to encrypt data in Kubernetes secrets > 7.1.1.2 Ensure Kubernetes secrets data is encrypted with keep your own key (KYOK)
- CIS v1.0.0 > 7 Containers > 7.1 IBM Kubernetes Service > 7.1.2 Ensure TLS 1.2 for all inbound traffic at IBM Cloud Kubernetes Service Ingress
- CIS v1.0.0 > 7 Containers > 7.1 IBM Kubernetes Service > 7.1.3 Ensure IBM Cloud Kubernetes Service worker nodes are updated to the latest image to ensure patching of vulnerabilities
- CIS v1.0.0 > 7 Containers > 7.1 IBM Kubernetes Service > 7.1.4 Ensure that clusters are accessible only by using private endpoints
- CIS v1.0.0 > 7 Containers > 7.1 IBM Kubernetes Service > 7.1.5 Ensure IBM Cloud Kubernetes Service cluster has image pull secrets enabled
- CIS v1.0.0 > 7 Containers > 7.1 IBM Kubernetes Service > 7.1.6 Ensure IBM Cloud Kubernetes Service clusters have the monitoring service enabled
- CIS v1.0.0 > 7 Containers > 7.1 IBM Kubernetes Service > 7.1.7 Ensure IBM Cloud Kubernetes Service clusters have the logging service enabled
- CIS v1.0.0 > 7 Containers > 7.2 Container Registry > 7.2.1 Block deployments of vulnerable images to Kubernetes clusters
- CIS v1.0.0 > 8 Key Management > 8.1 IBM Key Protect for IBM Cloud > 8.1.1 Ensure IBM Key Protect has automated rotation for customer managed keys enabled
- CIS v1.0.0 > 8 Key Management > 8.1 IBM Key Protect for IBM Cloud > 8.1.2 Ensure the IBM Key Protect service has high availability
- CIS v1.0.0 > 9 Security and Compliance > 9.1 Ensure alerts are enabled for vulnerabilities discovered in container images in Container Registry
Schema for ibm_account
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The ID fof the account. |
country_code | text | Specifies the country code. | |
currency_code | text | Specifies the currency type. | |
customer_id | text | The customer ID of the account. | |
guid | text | An unique ID of the account. | |
members | jsonb | A list of members associated with this account. | |
name | text | Specifies the name of the account. | |
organizations | jsonb | A list of organizations the account is associated. | |
owner_guid | text | An unique Id of the account owner. | |
owner_unique_id | text | An unique identifier of the account owner. | |
owner_user_id | text | The owner user ID used for login. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
state | text | The current state of the account. | |
type | text | The type of the account. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ibm
You can pass the configuration to the command with the --config
argument:
steampipe_export_ibm --config '<your_config>' ibm_account