Account Auditing Using Activity Tracker with LogDNA

6 min read

By: Powell Quiring

Auditing corporate policies for Identity and Access Management and Key Protect.

Corporations have policies that outline the access and usage of IT resources, and regulations and standards like HIPAA and PCI DSS impose compliance requirements for IT access and security. In the past, it has been difficult for the IT organization to ensure resources are meeting security, privacy, data residency, and other requirements.

Luckily, IBM Cloud supplies over 170 managed services and the monitoring required to ensure compliance.

This blog post will focus on the Identity and Access Management (IAM) and Key Protect services. These services form the foundation of secure access in the IBM Cloud. 

The goal will be to audit the following corporate policies:

  • Adding a user to the IAM Admin Access Group
  • Access from an unexpected source of a Key Protect key

The provisioning of resources described below will incur charges.

Activity Tracker with LogDNA

IBM Cloud Activity Tracker with LogDNA is the repository for events created in your IBM Cloud account. An Activity Tracker event corresponds to an API call to the IBM Cloud. A few examples of API calls that result in events include provisioning a resource, adding a user to an account, and using a Key Protect key to unwrap a secret key. In Activity Tracker with LogDNA, events can be viewed and alerts can be distributed.


Regional vs. global events

Many of the API calls are executed by regional services. For example, the Key Protect instance in a region will create events for operations like creating a Key Protect key, wrapping using a key, and unwrapping using a key, and these regional events will be sent to an Activity Tracker with LogDNA instance in the same region as the service.  

Other API calls—like adding a user to the IAM Administrative Access Group—do not apply to a single region and result in a global event. Global events report activity that affects any region or multiple regions.

Create Global Activity Tracker in Frankfurt

Global events are persisted in the Frankfurt (eu-de) region. Check your account to see if Activity Tracker instances already exist, and if they do not, create them now:

If a Frankfurt (eu-de) regional instance does not exist, create one:

  • Click Create activity tracker instance.
  • For Choose a region/location to deploy in, select Frankfurt.
  • Choose the 14 day Event Search plan.

Open the Activity Tracker with LogDNA instance for Frankfurt.

On a different browser tab, generate some IAM activity:

  • In the IBM Cloud console, click  Manage > Access (IAM) at the top or go to https://cloud.ibm.com/iam/groups.
  • On the left, choose Access groups.
  • Click on Create to create a new group, and give it the name Fungroup.
  • Under Add users to Fungroup group, check someone to add, and click Add to group.
  • Back in the Fungroup group, click the ... on the right of their name and delete them.

Open the browser tab for LogDNA in Frankfurt. There will be an Everything view displayed—it takes a few minutes for the events to flow into the log viewer.

Notice that the view name is Everything. You may have lots more events than just the IAM events you are looking for, making it difficult to focus on them. The next step will address this.

LogDNA alert configuration

Use the following steps to narrow the search to just IAM events and configure an email alert when IAM events are found:

  • In the Search box on the bottom, type the string action:iam. Experiment in the UI or read the documentation to gain some more experience. The search capabilities of LogDNA are great!
  • You'll see that the name of the view changed from Everything to Unsaved View. Click on Unsaved View at the top and click the save option.
  • Optionally, give the view a name and click on Attach an alert.
    • Select View-specific alert and choose email
    • When 1 or more ... at the end of 30 seconds
    • Type your email address
  • Click Save view, and you will see the new view created on the left with the same name above.

Now, when you add and remove users from the Fungroup Access group, you will receive email alerts.

Create a Slack alert

Slack is collaboration software for teams. If you do not have a Slack account with permissions to create apps, you should sign up and create a new account before getting started.

A Slack app with an incoming webhook URL is required for the LogDNA configuration. See the Slack documentation on Incoming Webhooks for instructions:

  • Create an app.
  • Create an incoming webhook for the app.
  • Copy the webhook URL into your paste buffer.

Back in LogDNA

  • Locate the LogDNA browser tab for Activity Tracker.
  • Make sure the view name that you created earlier is displayed.
  • At the top, click on the view name drop-down and choose Edit alert.
  • When you see the email icon created earlier, click + and choose Slack.
  • Click 1 or more matches.
  • In the Webhook URL text box, paste the webhook url created in Slack.
  • Click Save alert.

To test your results back on your IBM Cloud IAM Group, choose the Fungroup and add or delete a user from the group. In a few minutes, you should see a notification in the Slack channel:


To restrict the number of events that are being sent to Slack, you can create a more fine-grained search in LogDNA:

  • Open the browser window containing LogDNA.
  • Select one of the "IAM Access Groups: add member" events and click the twisty (expand arrow) on the left.
  • Click on the text next to the Action and choose +.
  • Notice in the search box the text action:iam-groups.member.add.
  • Delete any other text in the text box.

Alerts will now only be sent when a user is added to any access group.

Audit a Key Protect policy

Key Protect is a cloud-based security service that provides life cycle management for encryption keys. Services like Cloud Object Storage encrypt data at rest using the industry-standard envelope encryption services provided by Key Protect.  

A corporate policy may demand that a Key Protect key used by a COS instance should not be used by any person or any other service—Activity Tracker can be used to audit that policy.

If an Activity Tracker with LogDNA instance in the Dallas, us-south, region does not exist, create one:

Create a Cloud Object Storage (COS) instance in Dallas if one does not exist:

  • Create a Regional bucket and a Key Protect key with authorization:
    • In the COS instance, choose Buckets and click Create bucket.
    • Choose a location of us-south.
    • Click Add Key Protect key.
    • Follow the instructions to create a Key Protect key and Grant Service Authorization if required.
    • Select the Key Protect instance and Key Name.

To generate some Activity Tracker events, upload an object into the bucket:

  • Open the LogDNA for Dallas Activity Tracker. You should see a Key Protect event whose target.id is the key and whose initiator.id is the COS instance that unwrapped it.

  • In the search box, a minus sign (-) can prefix a search term to indicate that the term must not match. Use it to search for any event whose target is the Key Protect key (target.id) and whose initiator is not the COS instance (initiator.id). A match indicates a use of the key that does not comply with the corporate policy:
    • search: target.id:"crn:v1:bluemix:public:kms:us-south:a/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:22ec6eba-770c-44fc-9d2f-ab5661c6413f:key:2b61ea55-bacf-453e-a61b-b7c7bf5405fd" -initiator.id:"crn-crn:v1:bluemix:public:cloud-object-storage:global:a/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:8bc7a6f0-f401-44b7-a446-fab4dbccfa10::"
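The IAM search earlier in the post (action:iam, then action:iam-groups.member.add) and the Key Protect search above are both LogDNA field searches: field:value terms, quoted values for exact matches, and a leading minus sign for negation. The script below is an added example, not code from the post or from IBM, that evaluates such queries offline over constructed Activity Tracker events so you can check what a query will and will not alert on before attaching it to a Slack or email alert. The matching rules (unquoted term matches a field value containing it, quoted term matches exactly) are an approximation of LogDNA's search semantics, and the sample events, their action names and initiator names are constructed; the key and COS CRNs are the placeholder values from the search string above.

```python
"""Evaluate LogDNA-style field searches over IBM Cloud Activity Tracker events.

Added example for illustration. The match semantics are an approximation of
LogDNA field search; the sample events are constructed, and the account ID
inside the CRNs is a placeholder copied from the post.
"""
import json
import re
from typing import Any, Dict, List, NamedTuple, Optional

ACCOUNT = "a/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # placeholder account ID
KP_KEY = (f"crn:v1:bluemix:public:kms:us-south:{ACCOUNT}:"
          "22ec6eba-770c-44fc-9d2f-ab5661c6413f:key:2b61ea55-bacf-453e-a61b-b7c7bf5405fd")
COS_INITIATOR = (f"crn-crn:v1:bluemix:public:cloud-object-storage:global:{ACCOUNT}:"
                 "8bc7a6f0-f401-44b7-a446-fab4dbccfa10::")

# The two searches from the post, one per audited corporate policy.
IAM_MEMBER_ADD_QUERY = "action:iam-groups.member.add"
KEY_POLICY_QUERY = f'target.id:"{KP_KEY}" -initiator.id:"{COS_INITIATOR}"'

# Constructed events, newline-delimited JSON trimmed to the fields the searches
# use. Action names and initiator names are illustrative, not captured data.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"action": "iam-groups.group.create", "outcome": "success",
     "initiator": {"id": "IBMid-AAA", "name": "alice@example.com"},
     "target": {"id": "AccessGroupId-111", "name": "Fungroup"}},
    {"action": "iam-groups.member.add", "outcome": "success",
     "initiator": {"id": "IBMid-AAA", "name": "alice@example.com"},
     "target": {"id": "AccessGroupId-111", "name": "Fungroup"}},
    {"action": "iam-groups.member.delete", "outcome": "success",
     "initiator": {"id": "IBMid-AAA", "name": "alice@example.com"},
     "target": {"id": "AccessGroupId-111", "name": "Fungroup"}},
    {"action": "kms.secrets.unwrap", "outcome": "success",      # compliant: COS used the key
     "initiator": {"id": COS_INITIATOR, "name": "cloud-object-storage"},
     "target": {"id": KP_KEY, "name": "cos-bucket-key"}},
    {"action": "kms.secrets.unwrap", "outcome": "success",      # violation: a person used the key
     "initiator": {"id": "IBMid-BBB", "name": "bob@example.com"},
     "target": {"id": KP_KEY, "name": "cos-bucket-key"}},
    {"action": "cloud-object-storage.object.create", "outcome": "success",
     "initiator": {"id": "IBMid-AAA", "name": "alice@example.com"},
     "target": {"id": "bucket-audit-demo", "name": "bucket-audit-demo"}},
])


class Term(NamedTuple):
    field: str    # dotted path into the event, e.g. "initiator.id"
    value: str
    exact: bool   # quoted value => exact match; unquoted => substring match
    negate: bool  # leading '-' => the term must NOT match

# -field:"quoted value"   or   field:unquoted_value
_TERM_RE = re.compile(r'(-?)([A-Za-z_][\w.]*):(?:"([^"]*)"|(\S+))')


def parse_query(query: str) -> List[Term]:
    """Split a LogDNA-style query into field terms; an empty query is 'Everything'."""
    terms = []
    for m in _TERM_RE.finditer(query):
        negate, field, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        terms.append(Term(field, value, exact=quoted is not None, negate=negate == "-"))
    return terms


def get_field(event: Dict[str, Any], path: str) -> Optional[str]:
    """Resolve a dotted path such as 'target.id'; None if absent or not a string."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node if isinstance(node, str) else None


def term_matches(term: Term, event: Dict[str, Any]) -> bool:
    value = get_field(event, term.field)
    if value is None:
        hit = False                       # missing field never matches a positive term
    elif term.exact:
        hit = value == term.value
    else:
        hit = term.value.lower() in value.lower()
    return hit != term.negate             # negation flips the result, also for missing fields


def matches(event: Dict[str, Any], query: str) -> bool:
    return all(term_matches(t, event) for t in parse_query(query))


def load_events(ndjson: str) -> List[Dict[str, Any]]:
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def search(events: List[Dict[str, Any]], query: str) -> List[Dict[str, Any]]:
    return [e for e in events if matches(e, query)]


if __name__ == "__main__":
    evts = load_events(SAMPLE_EVENTS)
    for label, q in [("IAM events", "action:iam"),
                     ("Access group member added", IAM_MEMBER_ADD_QUERY),
                     ("Key used outside COS", KEY_POLICY_QUERY)]:
        print(f"{label}:")
        for e in search(evts, q):
            print(f"  {e['action']:36} by {e['initiator']['name']}")
```

Running the script shows the broad action:iam search catching the group create, add and delete events, the narrowed action:iam-groups.member.add search catching only the add, and the Key Protect query flagging only the unwrap whose initiator is a person rather than the COS instance. Note that the negated initiator.id term also matches events that carry no initiator.id at all, which is what you want for an audit query: an unattributed use of the key should surface, not be silently excluded.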

Clean up

Optionally, you may want to delete the resources you created:

  • Fungroup access group  
  • Key Protect key and instance (be careful, because once a key is deleted, all data encrypted using the key is forever lost)
  • COS bucket and instance
  • Activity Tracker with LogDNA instances in Frankfurt and Dallas

Learn more about cloud solutions

Find more about creating solutions in the cloud by visiting our Solutions Tutorials page.  The solution tutorial "Apply end-to-end security to a cloud application" is particularly relevant.
