Define and enforce config rules on your Key Protect instances.

With the IBM Cloud Security and Compliance Center, you can embed security checks into your everyday workflows to prevent and monitor for security and compliance. By creating config rules, IBM Cloud customers can enforce resource configuration across accounts and use monitoring results to prove compliance for your organization. Config rules are guardrails for resources on how they are provisioned and configured. For example, IBM Cloud administrators can disable public access to resources in production accounts but allow it in testing accounts. Through config rule enforcement, you can manage the resources in your account with confidence that they adhere to the guidelines that are in place for your organization, which can significantly decrease the likelihood of a misconfiguration that could leave you vulnerable.

In this tutorial, learn how to create and manage rules that govern the way that resources can be configured across accounts. The focus of this tutorial will be on enforcing the use of only private networks for your IBM Key Protect for IBM Cloud instances in the Dallas region. To use another region or work with another service, check out the docs to see the available configurations.

Before you begin

Before you get started, be sure that you have the following prerequisites:

  • An IBM Cloud account. 
  • The required level of access to view and manage rules. To create a rule, you need the editor platform role or higher. For more information, see Assigning access.
  • An instance of Activity Tracker set up for the Dallas region in your account.

Step 1. Create a config rule

You can create rules by using the Security and Compliance Center UI.

  1. Navigate to the Security and Compliance Center on IBM Cloud. 
  2. Click Configure > Rules. 
  3. Click Create.
  4. Give your rule a meaningful name and description such as KP disable public endpoint and Rule to enforce private only network policy for Key Protect instances.
  5. Click Next. Select the Key Protect service and instance resource kind. The available configuration properties for this resource kind are shown to the right of the JSON editor. 
  6. Use the JSON editor to set the following properties:
    • property: allowed_network
    • operator: string_equals
    • value: private-only
  7. Your final rule will look like this:
      {
        "target": {
          "service_name": "kms",
          "resource_kind": "instance",
          "additional_target_attributes": []
        },
        "required_config": {
          "description": "",
          "and": [
            {
              "property": "allowed_network",
              "operator": "string_equals",
              "value": "private-only"
            }
          ]
        }
      }
  8. Enable enforcement to prevent creation of a Key Protect instance with a public endpoint and click Next.
  9. Click Create and attach.
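To make the rule semantics concrete, here is an added example (not IBM's code, and not how the Security and Compliance Center is implemented) that re-implements the evaluation of the Step 1 rule locally: match the target by service_name/resource_kind, then check every condition under required_config.and with the string_equals operator. The rule dictionary is the one built above; the resource records and requested configurations are constructed, and the enforce flag models the enforcement toggle from step 8.

```python
"""Local re-implementation of the Step 1 rule evaluation (added example)."""

# Rule exactly as built in Step 1 of the tutorial.
KP_PRIVATE_ONLY_RULE = {
    "target": {"service_name": "kms", "resource_kind": "instance",
               "additional_target_attributes": []},
    "required_config": {
        "description": "",
        "and": [{"property": "allowed_network",
                 "operator": "string_equals",
                 "value": "private-only"}],
    },
}

def condition_holds(condition, requested_config):
    """Evaluate one condition. Only string_equals appears on this page; any
    other operator is treated as failing so a misspelled operator cannot
    silently let a request through."""
    if condition["operator"] != "string_equals":
        return False
    return requested_config.get(condition["property"]) == condition["value"]

def rule_targets(rule, resource):
    """Does the rule apply to this resource? Uses the field names that the
    Activity Tracker event in Step 4 carries (serviceName, resourceKind)."""
    target = rule["target"]
    return (resource.get("serviceName") == target["service_name"]
            and resource.get("resourceKind") == target["resource_kind"])

def evaluate(rule, resource, requested_config, enforce=True):
    """Return a verdict shaped like the compliance fields in the Step 4 event.
    isCompliant: does the requested config satisfy every 'and' condition?
    isAllowed: with enforcement on, only compliant requests proceed; with
    enforcement off (monitoring only) the request proceeds but is recorded
    as noncompliant. Resources the rule does not target are untouched."""
    if not rule_targets(rule, resource):
        return {"evaluated": False, "isCompliant": True, "isAllowed": True}
    compliant = all(condition_holds(c, requested_config)
                    for c in rule["required_config"]["and"])
    return {"evaluated": True, "isCompliant": compliant,
            "isAllowed": compliant or not enforce}

if __name__ == "__main__":
    # Constructed Key Protect instance record in Dallas.
    kp = {"serviceName": "kms", "resourceKind": "instance", "location": "us-south"}
    for net in ("private-only", "public-and-private"):
        print(net, evaluate(KP_PRIVATE_ONLY_RULE, kp, {"allowed_network": net}))
```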

Step 2. Attach a rule

A rule is not in effect until it is attached to a scope. You can attach your rule to your entire enterprise or to specific resource groups, and you can exclude resource groups. If you attach a rule to your entire enterprise, the rule is applied to the target resources that exist within the enterprise. Likewise, if you limit a rule to a specific account group, its properties are inherited by the accounts that exist in that group. You can exclude scopes, such as accounts that are used for testing, so that your rule is applied only where you need it. To attach your rule to a scope, complete the following steps:

  1. Click the Attach button.
  2. Under Select scope, choose your Entire account or the Specific resource group where your Key Protect instances will be provisioned.
  3. Click Attach.

Congrats! You have successfully created a rule and attached it to a scope.

Step 3. Seeing the rule in action

When a user makes a request to create a Key Protect service instance in your account, the request is evaluated against the conditions that you defined in your config rule. If the account user creates the instance over a private network, Key Protect allows the action to complete because it is compliant with your rule. But if the account user creates the instance over a public network, Key Protect blocks the request. To see it in action, try it out in the Key Protect UI:

  1. Navigate to the catalog and search for Key Protect.
  2. Once on the Key Protect creation page, give your instance a meaningful service name, such as KP Private Endpoint.
  3. Set the location to Dallas (us-south).
  4. Under Allowed network policy, select Public and private.
  5. Click Create.
  6. You will see an error message indicating the requested action of creating a Key Protect instance with the public and private network policy is noncompliant with your config rules.
  7. Dismiss the error message and change the Allowed Network Policy to Private only.
  8. Click Create.
  9. Your Key Protect instance was successfully created.

Now that you have created a rule and a Key Protect instance, you can use the Security and Compliance Center to continuously monitor your rule and any noncompliant resources. Results are generated every 24 hours and can be viewed on the results page. To learn more, visit Viewing evaluation results.

Step 4. Viewing audit events

Whenever a user attempts to make an update to a resource in your account that is governed by a config rule, an event is forwarded to the IBM Cloud Activity Tracker service instance that is available in the same location. The Activity Tracker logs can be used as part of your audit evidence to prove that you are compliant with the external regulations that are required for your industry. To view the events that are logged, you can use the Activity Tracker UI:

  1. Open the Activity Tracker service instance that is available in Dallas (us-south). For help getting to the UI, see Launching the web UI through the IBM Cloud UI.
  2. Filter for events based on specific fields by creating a query in Activity Tracker that takes the following form: action:compliance.configuration-governance-resource.eval <additional field>. Review the following additional fields and append the filter to create your query:
    • To see how often your config rules are compliant: compliance.isCompliant:true
    • To see how often your resources that are governed with config rules are allowed to be modified: compliance.isAllowed:true
    • To see how often resources are evaluated as noncompliant: compliance.isCompliant:false
    • To see how often a resource is prevented from being modified or provisioned due to an existing config rule: compliance.isAllowed:false

Tip: Filtering to see how often resources are evaluated as noncompliant is useful to see how big of an impact enabling enforcement on a config rule will have in your account.

In the following example, you can see the truncated result of a query for: action:compliance.configuration-governance-resource.eval compliance.isCompliant:true compliance.isAllowed:true

    {
        "action": "compliance.configuration-governance-resource.eval",
        "compliance": {
            "complianceTraceId": "0074b9f4-5cfb-4f11-a79e-a8807c8rb587",
            "evaluationType": "enforcement",
            "isAllowed": true,
            "isCompliant": true,
            "requestedConfig": {
                "allowed_network": "private-only"
            },
            "resource": {
                "accountId": "41e15133687ece0e45sfg9234de172u1138d",
                "crn": "crn:v1:staging:public:kms:us-south:a/41e15133687ece0e45sfg9234de172u1138d:b3a34724-9e02-494a-ab4c-6d02a2df7aa7::",
                "id": "b3a34724-9e02-494a-ab4c-6d02a2df7aa7",
                "location": "us-south",
                "name": "",
                "resourceGroupId": "e9ea11d38d1f4405a98c57de67bfaa7d1",
                "resourceKind": "instance",
                "serviceName": "kms"
            },
            "rulesAllowedCount": 1,
            "rulesCompliantCount": 1,
            "rulesEvaluatedCount": 1,
            "subRequestId": "b7bc1b04-32d2-4612-b95a-807028e42593",
            "updatedConfig": {
                "allowed_network": "private-only"
            },
            "userId": "test"
        },
        "target": {
            "id": "crn:v1:staging:public:kms:us-south:a/41e15133687ece0e45sfg9234de172u1138d:b3a34724-9e02-494a-ab4c-6d02a2df7aa7::",
            "typeURI": "kms/instance"
        },
        "correlationId": "0024b91f-5cfb-4f11-a7d9-a8807c8ab548"
    }
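The four queries listed in step 2 of this section and the event shape shown above can also be checked offline, for example against an export of Activity Tracker events when you want to size the impact of enabling enforcement. The following added example (not IBM's code, and only a local approximation of the Activity Tracker `field:value` query form) parses a constructed JSON-lines export containing one allowed evaluation, one blocked one and one unrelated event, applies a query string, and tallies evaluations by (isCompliant, isAllowed).

```python
"""Apply the Step 4 query form to exported Activity Tracker events (added example)."""
import json
from collections import Counter

EVAL_ACTION = "compliance.configuration-governance-resource.eval"

# Constructed sample export (JSON lines, abridged to the fields the queries use):
# one allowed evaluation, one blocked one, and one unrelated event to be ignored.
SAMPLE_EXPORT = """
{"action": "compliance.configuration-governance-resource.eval", "compliance": {"evaluationType": "enforcement", "isAllowed": true, "isCompliant": true, "requestedConfig": {"allowed_network": "private-only"}}}
{"action": "compliance.configuration-governance-resource.eval", "compliance": {"evaluationType": "enforcement", "isAllowed": false, "isCompliant": false, "requestedConfig": {"allowed_network": "public-and-private"}}}
{"action": "example.unrelated.action", "outcome": "success"}
"""

def load_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def lookup(event, dotted):
    """Resolve a dotted field name such as compliance.isAllowed; missing -> None."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def parse_query(query):
    """Turn 'field:value field:value' into (field, value) pairs; true/false become booleans."""
    pairs = []
    for term in query.split():
        field, _, raw = term.partition(":")
        pairs.append((field, {"true": True, "false": False}.get(raw.lower(), raw)))
    return pairs

def matches(event, query):
    """Every term must match, as in the space-separated query form shown above."""
    return all(lookup(event, field) == value for field, value in parse_query(query))

def tally(events):
    """Count rule evaluations by (isCompliant, isAllowed). The four Step 4 queries are
    the marginals; the (False, True) cell is what enabling enforcement would start blocking."""
    counts = Counter()
    for event in events:
        if matches(event, f"action:{EVAL_ACTION}"):
            counts[(lookup(event, "compliance.isCompliant"),
                    lookup(event, "compliance.isAllowed"))] += 1
    return counts

if __name__ == "__main__":
    for (compliant, allowed), n in tally(load_events(SAMPLE_EXPORT)).items():
        print(f"isCompliant={compliant} isAllowed={allowed}: {n}")
```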

Because you attempted to create an instance of Key Protect twice, you will see two events: 

  • A noncompliant event from the blocked action in Step 3, item 5.
  • A compliant event from the allowed action in Step 3, item 8.


By completing this tutorial, you performed the following tasks:

  • Created a config rule and attached it to a scope
  • Blocked creation of a Key Protect instance which was noncompliant with your newly created rule
  • Viewed audit events for noncompliant and compliant resource configuration changes 
