| copyright | lastupdated | keywords | subcollection | content-type | completion-time | ||
|---|---|---|---|---|---|---|---|
|
2024-06-04 |
customize, deployable architecture, set up, security and compliance center, custom profiles |
secure-enterprise |
tutorial |
10m |
{{site.data.keyword.attribute-definition-list}}
{: #compliance-evaluation-resources} {: toc-content-type="tutorial"} {: toc-completion-time="10m"}
With IBM Cloud Security and Compliance Center, as a security focal within your enterprise, you can scan your account resources to evaluate whether they meet your enterprise's regulatory compliance requirements. {: shortdesc}
This tutorial walks you through the process of setting up the automatic evaluation of your VSI on VPC landing zone deployable architecture{: external} resources against the IBM Cloud Framework for Financial Services profile. This workflow requires you to set up an attachment to target a resource group in your account that is to contain the resources for the deployable architecture.
You can follow the Using IBM Cloud deployable architectures to build a deployable architecture tutorial to customize the deployable architecture to meet your needs and offer it through a private catalog to your enterprise users. Or, you can use the unedited deployable architecture from the catalog. Either way, with this tutorial, you can scan your account resources on a recurring schedule to get ready for audits.
{: #security-prereqs}
Before you get started, be sure that you have the following prerequisites.
- Check whether you are part of the relevant access group in your enterprise's account. The access group must have the required permissions to select a profile, set up attachments, run scans, view detailed results, and more.
- To manage your security and compliance evaluations, you need to make sure that you have the Editor platform role or higher.
- Make sure that you have an authorization with Writer access permissions in place to enable communication between Security and Compliance Center and Cloud Object Storage.
{: #storage-setup-tutorial} {: step}
You must connect the Security and Compliance Center service to a Cloud Object Storage bucket to store your results. Then, you can create an attachment.
- In the IBM Cloud Dashboard, go to Resource list and select the Security and Compliance Center instance that you want to work with.
- In the Security and Compliance Center console, go to the Settings page.
- In the Storage section, click Connect.
- Select the correct Cloud Object Storage instance from the dropdown list.
- Select the Cloud Object Storage bucket where you want to store your scan results.
- Click Connect.
{: #attachment-create-tutorial} {: step}
In this scenario, your solution architect and development team plan to customize and deploy the VSI on VPC landing zone architecture{: external}. Working as a team, you can determine which specific deployable architecture resources are to be contained in the resource group that you plan to use. Then, you can set up an attachment between the resource group and the profile that best meets your enterprise's regulatory objectives.
The attachment that you're creating validates the group of specific deployable architecture resources in your account against the IBM Cloud Framework for Financial Services profile. The IBM Cloud Framework for Financial Services profile evaluates the deployable architecture resources that the resource group contains, whether they're created already or are planned to be in the future.
-
In the IBM Cloud Dashboard, go to Resource list and select the Security and Compliance Center instance that you want to work with.
-
In the Security and Compliance Center console, navigate to the Attachments page and click Create.
-
Provide a name and description for your attachment. Click Next.
-
Select the IBM Cloud Framework for Financial Services profile in the Profile dropdown list. Then, click Next.
-
Define a scope by selecting the resource group that you created with your team and specify the resources that you want to exclude from your scope. Click Next.
-
Select Weekly as the frequency at which you want to evaluate your resources. With this interval, the scan starts as soon as the attachment is created. Click Next.
If your development team hasn't deployed the deployable architecture resources to the resource group yet, select Never. When the team adds the resources to the resource group, you can return and update the frequency of the scans. {: note}
-
Review your choices and click Create.
When you create your attachment, a scan is scheduled. When the scan completes, your results are available in the Security and Compliance Center dashboard. If your results are not updated, review the troubleshooting guide. {: note}
{: #profile-tutorial-next}
Now that you set up the attachment to scan the resource group that is to contain the VSI on VPC landing zone deployable architecture resources, you can view scan results and prepare for audits. For more information, check out Viewing results.
When your development team is ready to customize the architecture, they can use the Security and Compliance Center attachment that you just created to validate the architecture before they deploy it.