Showing security findings from public cloud

You can create a Config Map to get the findings of interest from public cloud providers, such as IBM Cloud® and Amazon Web Services, and present them in the Governance and risk dashboard of the IBM Cloud Pak® for Multicloud Management console.

After you decide which findings in your public cloud provider to retrieve, you create a Config Map in the OpenShift console to specify the data types and the connection to your cloud provider. Then, when you next view the Security findings tab of the Governance and risk dashboard in the IBM Cloud Pak for Multicloud Management console, you also see security alerts and vulnerabilities from your public cloud provider.

The Config Map specifies which public cloud provider data to retrieve for the IBM Cloud security findings: the provider name, the name of the secret in the vault that holds the credentials, the regions, and other details. It also carries optional filters, such as the source of the findings.

Before you begin

Confirm that you have the secret from your cloud provider for connecting to the cloud. For more information, see Understanding API Keys or the IBM Cloud Secrets Manager documentation.

Creating the providers Config Map

  1. In the IBM Cloud Dashboard, open the Navigation Menu and select Security and Compliance > Findings. You'll refer to the Findings page when you create or edit the providers Config Map.
  2. Log in to your OpenShift Container Platform cluster.
  3. From the navigation menu, click Workloads > Config Map.
  4. Update the Project field by selecting the drop-down arrow. Select kube-system.
  5. Select Create Config Map. The YAML editor for the new kube-system Config Map is displayed.
  6. For metadata name, enter providers-cm.
  7. For data, replace the example property with the public cloud provider JSON file name, such as ibmcloud.json or awsproviders.json, and delete the remaining example and property rows.
  8. Create a nested entry under the provider json file name:

    1. name is a unique name of your choosing for identification, such as "name":"my_provider".
    2. credentials is the secret name that is kept in the vault, such as "credentials":"my_secret". The secret has the key for you to connect to the cloud.
    3. regions is the region name (or names), such as "regions":["us-east-1","us-east-2"]. For IBM Cloud, the regions that are currently available are us-south and eu-gb.
    4. accounts is the account or accounts to which you have access on your cloud provider and includes a name of your choosing and the id, such as "accounts":[{"name":"myaccountname","id":"a123b45678901cd0bdbf3e6bf482de11"}]. In the IBM Cloud console, you can find the id by selecting Manage > My Account > Account settings.
    5. sources is optional for specifying the service you want to see, such as "sources":["Mutation Advisor - File", "Mutation Advisor - Process"]. If you don't include this element, all the findings data is retrieved.
      Note: In the IBM Cloud console, this is the term that you see in the Source column of the Security and Compliance > Findings page. Two sources that you cannot select are IBM Cloud Certificate Manager and IBM Vulnerability Advisor because they were created under a special account that you are unable to see.
    6. security_classification defines the key security terms (security standards, security categories, and security control), such as "security_classification":{"security_standards":["PCI"],"security_categories":["System and communications protection"],"security_control":"Vulnerability Advisor"}. These values are used to map and classify the findings.

      Example of a providers-cm Config Map that was created for the IBM Cloud provider, with one data source (ibm-provider1) defined:

      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: providers-cm
        namespace: kube-system
      data:
        ibmcloud.json: >-
          [{"name":"ibm-provider1","credentials":"ibm-provider1","regions":["us-south","eu-gb"],"accounts":[{"name":"BODOps Account","id":"c176f39623004dc0bdbf3e6bf482de33"}],"sources":["Vulnerability Advisor"],"security_classification":{"security_standards":["NIST"],"security_categories":["System and communication protections"],"security_control":"Mutation Advisor"}}]
      
  9. Repeat step 8 for each data source that you want to see in the security findings.

  10. If you want to specify another public cloud provider, start a new entry and repeat step 8.

    Example of a providers-cm Config Map that was created for the IBM Cloud provider, with multiple accounts and data sources defined. The Config Map also specifies the Amazon Web Services public cloud provider:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: providers-cm
      namespace: kube-system
    data:
      ibmcloud.json: >-
        [{"name":"ibm-provider1","credentials":"ibm-provider1",
        "regions":["us-south"],"accounts":[{"name":"BODOps
        Account","id":"c176f39623004dc0bdbf3e6bf482de33"}], "sources":["Mutation
        Advisor - File", "Mutation Advisor - Process"],
        "security_classification":{"security_standards":["NIST
        CSF"],"security_categories":["System and communication protections"],
        "security_control":"Mutation
        Advisor"}},{"name":"ibm-provider2","credentials":"ibm-provider2",
        "regions":["us-south"],"accounts":[{"name":"BODOps
        Account","id":"c176f39623004dc0bdbf3e6bf482de33"}],
        "sources":["Vulnerability Advisor"],
        "security_classification":{"security_standards":["PCI"],"security_categories":["System
        and communication protections"], "security_control":"Vulnerability
        Advisor"}},{"name":"ibm-provider3","credentials":"ibm-provider3",
        "regions":["us-south"],"accounts":[{"name":"BODOps
        Account","id":"c176f39623004dc0bdbf3e6bf482de33"}], "sources":["Vulnerability Advisor"],
        "security_classification":{"security_standards":["PCI"],"security_categories":["System
        and communication protections"], "security_control":"Vulnerability Advisor"}}]
      awsproviders.json: >-
        [{"name":"provider1","credentials":"provider1","regions":
        ["us-east-1","us-east-2"],"tags":{"type":"tag1","size":"tag2"}},
        {"name":"provider2","tags":{"type":"tag1","size":"tag3"}}]
    
  11. Click Create. The providers-cm Config Map is created. For more information, see ConfigMaps in the OpenShift Container Platform documentation.
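Because a typo in the JSON value (an unquoted value or a missing comma) silently stops the adapter from loading that provider, it is worth checking the entries from step 8 before you click Create. The following is an added example, not part of the IBM documentation: it reads the Config Map in the JSON form that `kubectl get configmap providers-cm -n kube-system -o json` prints and checks each provider entry. The required-field list and the 32-hex-character account id format are assumptions drawn from the page's samples, not a published schema.

```python
import json
import re

# Assumed required fields: step 8 gives every IBM Cloud entry these four; the page's AWS entries all carry at least a name.
REQUIRED = {"ibmcloud.json": ("name", "credentials", "regions", "accounts"), "awsproviders.json": ("name",)}
CLASSIFICATION_KEYS = ("security_standards", "security_categories", "security_control")
ACCOUNT_ID = re.compile(r"^[0-9a-f]{32}$")  # assumption: 32 hex characters, as in the page's sample ids

def check_entry(entry, key):
    """Return the problems found in one provider entry (an empty list means it is clean)."""
    label = f"{key}[{entry.get('name', '?')}]"
    problems = [f"{label}: missing '{field}'" for field in REQUIRED.get(key, ("name",)) if field not in entry]
    if not isinstance(entry.get("regions", []), list):
        problems.append(f"{label}: 'regions' must be a list of region names")
    for acct in entry.get("accounts", []):
        if not ACCOUNT_ID.match(str(acct.get("id", ""))):
            problems.append(f"{label}: account id {acct.get('id')!r} is not 32 hex characters")
    cls = entry.get("security_classification")
    if cls is not None:
        problems += [f"{label}: security_classification lacks '{k}'" for k in CLASSIFICATION_KEYS if k not in cls]
    return problems

def validate_configmap(cm):
    """Validate every *.json data value; JSON syntax errors are reported as findings, not raised."""
    problems = []
    for key, raw in cm.get("data", {}).items():
        if not key.endswith(".json"):
            continue
        try:
            entries = json.loads(raw)
        except json.JSONDecodeError as exc:  # e.g. an unquoted [NIST] or a missing comma
            problems.append(f"{key}: not valid JSON ({exc.msg} at char {exc.pos})")
            continue
        if not isinstance(entries, list):
            problems.append(f"{key}: top level must be a JSON array of provider entries")
            continue
        problems += [p for entry in entries for p in check_entry(entry, key)]
    return problems

# Constructed sample shaped like `kubectl get configmap providers-cm -n kube-system -o json`; the IBM entry omits security_control on purpose.
SAMPLE_CM = {"metadata": {"name": "providers-cm", "namespace": "kube-system"}, "data": {
    "ibmcloud.json": '[{"name":"ibm-provider1","credentials":"ibm-provider1","regions":["us-south"],'
                     '"accounts":[{"name":"ops","id":"c176f39623004dc0bdbf3e6bf482de33"}],'
                     '"security_classification":{"security_standards":["PCI"],'
                     '"security_categories":["System and communication protections"]}}]',
    "awsproviders.json": '[{"name":"provider1","regions":["us-east-1"],"tags":{"type":"tag1"}}]'}}

if __name__ == "__main__":
    print("\n".join(validate_configmap(SAMPLE_CM) or ["providers-cm: no problems found"]))
```

Run it against the output of the kubectl command above, or against the YAML you are about to paste into the editor after converting it to JSON.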

You should now see the public cloud findings from the providers-cm Config Map in the IBM Cloud Pak for Multicloud Management console when you view Security findings from the Governance and risk page. You can edit the providers-cm Config Map at any time to adjust the settings.

Editing the policy adapter

The policy adapter Config Map controls two settings: whether the public cloud findings that you configured are shown in the IBM Cloud Pak for Multicloud Management console (enabled by default), and how often they are refreshed (every 5 minutes by default).

Complete these steps if you want to change either setting:

  1. Log in to your OpenShift Container Platform cluster.
  2. Open the navigation menu and click Workloads > Config Map.
  3. Update the Project field by selecting kube-system from the drop-down list.
  4. Open the multicluster-hub-policy-adapter-configuration Config Map and change either or both of these parameters:

    • ENABLE_PUBLIC_FINDINGS is set to "true" by default to enable you to view the public cloud findings in the IBM Cloud Pak for Multicloud Management console. Change the setting to "false" if you want to disable it.
    • PUBLIC_FINDINGS_FREQUENCY is set to 5 minutes (300s) by default for refreshing the incoming public findings in the Governance and risk dashboard. You can change the refresh rate to as frequently as every 30 seconds (30s).
  5. Restart the policy adapter by deleting the pod:

    1. In the OpenShift Container Platform console, open the navigation menu and click Workloads > Pods.
    2. Update the Project field by selecting kube-system from the drop-down list.
    3. Search for "adapter" and select the multicluster-hub-policy-adapter pod from the list. The Pod Details are displayed.
    4. From the Actions menu, select Delete Pod.

    After the pod is deleted, Kubernetes creates a new pod with the values that you changed in the Config Map.