Friday, March 24, 2023

Analyze your IBM Cloud access management setup

ER diagram for cloud security data
Recently, I looked into how to analyze the access management setup of my IBM Cloud account. I wanted to better understand what kind of access policies exist, what service instances are covered by rules and policies, etc. In the past, I have shared with you how to get insights into IBM Cloud account privileges or how to improve security by identifying inactive identities. This time, I looked across the existing APIs to obtain identity and access management (IAM) and resource data. I retrieved, then analyzed that security data. With these insights, it is possible to improve security for your IBM Cloud account and its resources.

API Overview

IBM Cloud offers APIs for the individual cloud services, but also many APIs for the IBM Cloud platform itself. I used these API functions to retrieve all kinds of data which, together, forms (most of) the big picture of the security setup.

API documentation for the IBM Cloud platform services

A database with data to analyze

Next, I created a database from that data with a schema as shown in the entity relationship diagram at the top. I turned many of the questions I had into SQL statements. The results helped me to improve account security.

You can read the full story in my IBM Cloud blog post Retrieve and Analyze Your Cloud Access Management Data. The link to all the tooling is included in that blog post. Enjoy!

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik), Mastodon (, or LinkedIn.