Update: 08-10-2024

assign-access.md

@@ -2,7 +2,7 @@
 
 copyright:
   years: 2020, 2024
-lastupdated: "2024-10-07"
+lastupdated: "2024-10-08"
 
 keywords: IAM access for {{site.data.keyword.compliance_short}}, permissions for {{site.data.keyword.compliance_short}}, identity and access management for {{site.data.keyword.compliance_short}}, roles for {{site.data.keyword.compliance_short}}, actions for {{site.data.keyword.compliance_short}}, assigning access for {{site.data.keyword.compliance_short}}
 
@@ -70,7 +70,6 @@ You can assign *Administrator* access for the service, or you can create a custo
 5. Assign that role to the user or group that needs access to {{site.data.keyword.compliance_short}}.
 
 
-
 ## Assigning access to a scope or subscope
 {: #assign-access-scopes}
 
@@ -103,8 +102,6 @@ To allow for certain users of your account to view results without having access
 5. Review your selections in the side panel.
 6. Click **Assign**.
 
-
-
 ## Assigning access to Satellite
 {: #assign-access-sat}
 

change-logs/ai-security.md

@@ -1,7 +1,7 @@
 ---
 copyright:
   years: "2024"
-lastupdated: "2024-09-10"
+lastupdated: "2024-10-08"
 
 keywords: release notes for {{site.data.keyword.compliance_short}}, ibm security best practices, profile changes, enhancements, fixes, improvements, ai security
 
@@ -59,7 +59,6 @@ The following rules were updated in the AI Security Guardrails 2.0 profile as of
 {: caption="Table. Summary of the changes for version 1.1.0 of the AI Security Guardrails 2.0 profile" caption-side="top"}
 
 
-
 ## Version 1.0.0
 {: #ai-security-version1}
 

framework/at-events.md

@@ -1,7 +1,7 @@
 ---
 copyright:
   years: 2020, 2024
-lastupdated: "2024-10-07"
+lastupdated: "2024-10-08"
 
 keywords: Activity Tracker for {{site.data.keyword.compliance_short}}, LogDNA for {{site.data.keyword.compliance_short}}, {{site.data.keyword.compliance_short}} events, {{site.data.keyword.compliance_short}} security, audit logs for {{site.data.keyword.compliance_short}}, viewing {{site.data.keyword.compliance_short}} events, {{site.data.keyword.compliance_short}} events
 
@@ -24,7 +24,6 @@ As a security officer, auditor, or manager, you can use the {{site.data.keyword.
 You must use a paid plan for the {{site.data.keyword.at_short}} service to see events for the {{site.data.keyword.compliance_short}}.
 {: note}
 
-
 | Action                                            | Description     |
 | :-----------------------------------------------------|:----------------|
 | `compliance.posture-management-profiles.list` | List the available profiles. |

getting-started.md

@@ -26,7 +26,6 @@ For highly regulated industries, such as financial services, achieving continuou
 {: shortdesc}
 
 
-
 Running an evaluation does not ensure regulatory compliance. An evaluation provides a point in time statement of your current posture for a specific resource. It is your responsibility to review and interpret the results to ensure that your organization is adhering to the controls that are required for your industry. 
 {: important}
 

landing.json

@@ -1,6 +1,6 @@
 {
   "title": "Security and Compliance Center docs",
-  "lastupdated": "2024-10-07",
+  "lastupdated": "2024-10-08",
   "introduction": "With IBM Cloud Security and Compliance Center, you can embed security checks into your every day workflows to help monitor for security and compliance.",
   "section_devtools": {
     "api": "/apidocs/security-compliance",

limits.md

@@ -2,7 +2,7 @@
 
 copyright:
   years: 2020, 2024
-lastupdated: "2024-10-07"
+lastupdated: "2024-10-08"
 
 keywords: known limitations, rules, limits, configuration, ibm remediation, ssh key
 
@@ -30,8 +30,6 @@ subcollection: security-compliance
 {: tab-group="limits"}
 {: class="simple-tab-table"}
 
-
-
 | Scope entities | Limit |
 |:--------|:-------|
 | Scopes | 1000 per instance   /n 300 per attachment |
@@ -42,8 +40,6 @@ subcollection: security-compliance
 {: tab-group="limits"}
 {: class="simple-tab-table"}
 
-
-
 | Profile entities | Limit |
 |:--------|:-------|
 | Custom profiles | 50 per account |

releases.md

@@ -24,8 +24,6 @@ The following changes to the service were made available with the associated dat
 <annotations>Control annotations
 :   You can now add annotations to controls to include important details or notes related to the controls in a profile. The annotations are visible in the results and are added as part of the creating an attachment flow. Additionally, the audit history for annotations can be used to track any changes or updates made to them over time. To get started with annotations, [create an attachment](/docs/security-compliance?topic=security-compliance-attachments). </annotations>
 
-
-
 ## 7 October 2024
 {: #security-compliance-Oct0724}
 {: release-note}
@@ -34,8 +32,6 @@ Subscopes
 :   You can now segment a scope to ensure that only those users who need to have access to certain resource information have it. For more information see, [Segmenting your scope](/docs/security-compliance?topic=security-compliance-subscopes).
 
 
-
-
 ## 17 September 2024
 {: #security-compliance-sep1724}
 {: release-note}

results.md

@@ -19,15 +19,10 @@ subcollection: security-compliance
 With {{site.data.keyword.compliance_full}}, you can view the results of a compliance evaluation in the dashboard or by using the API. 
 {: shortdesc}
 
-
-
 If you have access to a subscope but not the overarching scope, you will only see the results for the resources that you have [access to view](/docs/security-compliance?topic=security-compliance-assign-roles).
 {: tip}
 
 
-
-
-
 ## Before you begin
 {: #before-results}
 
@@ -79,13 +74,10 @@ When you view results in {{site.data.keyword.compliance_short}}, each evaluation
 
 To view the information of a scan, you can use the {{site.data.keyword.compliance_short}} UI.
 
-
-
 If you edit your scope after it is already part of an attachment, any following scan results are listed as a new entry in the detailed results for your attachment. This means that you might see two entries with the same name.
 {: note}
 
 
-
 1. In the {{site.data.keyword.cloud_notm}} console, go to the **Resource list** page and select your instance of {{site.data.keyword.compliance_short}}.
 2. In your instance of {{site.data.keyword.compliance_short}}, go to the **Dashboard**.
 3. In the **Detailed results** section, find the row for the specific **Scope** and **Profile** combination that you want to view results for and click **View** in the **Results** column.

toc.yaml

@@ -33,6 +33,8 @@ toc:
       topics:
       - tutorials/osco-v2.md
       - tutorials/tags.md
+      - topic: tutorials/scan-watson.md
+        navtitle: Evaluate Watson Machine Learning resources
   - navgroup:
       id: howto
       topics:

tutorials/scan-watson.md

@@ -0,0 +1,147 @@
+---
+
+copyright:
+  years: "2024"
+lastupdated: "2024-10-08"
+
+keywords: watson machine learning, ai profiles, ai, artificial intelligence, scanning, secrets-manager, credentials
+
+subcollection: security-compliance
+
+content-type: tutorial
+services: security-compliance, secrets-manager, account
+completion-time: 20m
+
+---
+
+{{site.data.keyword.attribute-definition-list}}
+
+
+# Evaluate your Watson Machine Learning resources for security and compliance
+{: #scan-watson}
+{: toc-content-type="tutorial"}
+{: toc-services="security-compliance, secrets-manager, account"}
+{: toc-completion-time="30m"}
+
+As the focal in charge of setting up the compliance posture in an environment that contains your SaaS services, such as Watson Machine Learning, you can use {{site.data.keyword.compliance_full}}. This tutorial walks you through scanning your Watson Machine Learning resources against the [AI Security Guardrails 2.0](/docs/security-compliance?topic=security-compliance-ai-security-change-log&interface=ui) profile.
+{: shortdesc} 
+
+To scan the Watson Machine Learning resources in your account, you use an IAM API key that you store in {{site.data.keyword.secrets-manager_short}} as an IAM credentials or arbitrary secret. After you create a target, you can then add the API key of an IAM service ID that is part of the IBM watsonx project.
+
+## Before you begin 
+{: #scan-watson-machine-learning-prerequisites} 
+
+Before you get started, complete the following tasks.
+
+- Make sure that you can create IAM credentials for your organization.
+- Create an instance of [{{site.data.keyword.secrets-manager_short}}](/docs/secrets-manager?topic=secrets-manager-create-instance), if you don't have an existing one. 
+
+## Configure the required access permissions for {{site.data.keyword.compliance_short}}
+{: #watson-required-access}
+{: step}
+
+Before you can scan your watson resources, you must set up the required access permissions.
+
+### Create service credentials
+{: #watson-iam-serviceid-apikey}
+
+First, create a service ID and API key that you can later store in your {{site.data.keyword.secrets-manager_short}} instance.
+
+- Create a [service ID](/docs/account?topic=account-serviceids&interface=ui#create_serviceid) with `Viewer` role to access your Watson Machine Learning service. Go to **Manage** > **Access (IAM)** > **Service ID**.
+
+- Create an [API key](/docs/account?topic=account-serviceidapikeys&interface=ui#create_service_key) from that service ID to access the account that contains your Watson Machine Learning service. Go to **Manage** > **Access (IAM)** > **API keys**.
+
+### Authorize {{site.data.keyword.secrets-manager_short}} to connect to {{site.data.keyword.compliance_short}}
+{: #watson-secrets-manager-authorization}
+
+Before you can scan your Watson Machine Learning resources, connect your instance of {{site.data.keyword.compliance_short}} and {{site.data.keyword.secrets-manager_short}}. 
+
+[Create an authorization](/docs/account?topic=account-serviceauth&interface=ui) between your {{site.data.keyword.compliance_short}} instance and your {{site.data.keyword.secrets-manager_short}} instance.
+
+   1. Go to **Manage** > **Access (IAM)** > **Authorizations**.
+   2. Create an authorization with the following values. 
+      1. In the **Source** section, add the account ID of the account that contains the {{site.data.keyword.compliance_short}} instance as the **Source account**. 
+      2. Select {{site.data.keyword.compliance_short}} as the **Service**. 
+      3. In the **Resources** field, add the service instance ID. 
+      4. In the **Target** section, select {{site.data.keyword.secrets-manager_short}} as the **Service**. 
+      5. Add the instance ID in the **Resources** field.
+      6. Assign `SecretsReader` as the **Role**. 
+
+### Create a trusted profile
+{: #watson-trusted-profile}
+
+To scan your account, [create a trusted profile](/docs/account?topic=account-create-trusted-profile&interface) with the following access policies and assign the specified roles.
+
+   * All Account Management services (`Viewer`, `Service Configuration Reader`)
+   * Kubernetes Service (`Reader`, `Viewer`, `Administrator`, `Service Configuration Reader`)
+   * All Identity and Access enabled services (`Reader`, `Viewer`, `Service Configuration Reader`)
+
+## Store your service credentials in {{site.data.keyword.secrets-manager_short}}
+{: #watson-credentials-secrets-manager}
+{: step}
+
+Next, it's time to store the API key in Secrets Manager so that {{site.data.keyword.compliance_short}} can access it to scan your Watson Machine Learning resources.
+
+In your instance of Secrets Manager, create an [arbitrary](/docs/secrets-manager?topic=secrets-manager-arbitrary-secrets) or [IAM credentials](/docs/secrets-manager?topic=secrets-manager-iam-credentials) secret to store the API key that you previously created.
+
+If you are using an arbitrary secret, save the API key as the secret value. If you choose to use an IAM credentials secret, use the service ID that is associated with the API key that you created.
+
+The secret must remain unlocked for Security and Compliance Center to be able to access and read it.
+{: important}
+
+
+## Create a target
+{: #scan-target-create} 
+{: step}
+
+Now that your {{site.data.keyword.compliance_short}} and {{site.data.keyword.secrets-manager_short}} instances are connected, you can target the trusted profile that you created.
+
+1. Navigate to your {{site.data.keyword.compliance_short}} instance. 
+2. Go to **Settings**.
+3. In the **Targets** section, click **Add**.
+4. In the **Add target** page, enter the **Name**, **Account ID**, and **Trusted profile ID** of your target account.
+5. Click **Add**.
+
+## Assign credentials to scan Watson Machine Learning
+{: #scan-targets-credentials-create} 
+{: step}
+
+After you create a target, you can assign the API key to the Watson Machine Learning resources that you want to scan. 
+
+1. In the **What's next** section, click **Assign credentials** to assign credentials that you want to use when you're scanning your Watson Machine Learning resources.
+2. In the **Select credential** tab, you can assign the secret that contains the API key. 
+3. Select the **Secrets Manager instance**, **Secret group**, and **Secret type**. 
+4. Select the secret that contains the API key, then click **Next**.
+5. Click **Add** icon (+) to select the Watson Machine Learning instances in your target account that you want to access with this credential. You can assign this credential to all or specific instances of the service. 
+6. Click **Assign**. 
+
+Alternatively, you can select **Locate by CRN** to enter the CRN of the secret that you want to use directly. 
+{: tip}
+
+## Create a scope
+{: #watson-create-scope}
+{: step} 
+
+A scope is the grouping of resources that you want to evaluate. For help with creating a scope, see [Targeting your resources](/docs/security-compliance?topic=security-compliance-scopes).
+
+## Scan your resources
+{: #watson-resources-scan}
+{: step} 
+
+After you assign the credentials, you're free to start scanning your Watson Machine Learning resources. Complete the following steps to do so.
+
+1. In the **Profiles** section of the console, select **AI Security Guardrails 2.0**. A details page opens.
+2. In the **Attachments** tab, click **Create**.
+2. Target your resources by selecting a **Scope**. Optionally, you can choose to exclude portions of your selected scope to ensure that they are not included in your scan.
+3. Click **Next**.
+4. Unless your profile contains additional controls, you can skip the **Parameters** tab by clicking **Next**.
+5. Toggle **Enable scan** to **On** to ensure that the scan runs.
+6. Select the frequency at which you want to evaluate your resource. Options include **Every day**, **Every 7 days**, and **Every 30 days**.
+7. Optionally, you can enable notifications.
+8. Click **Next**. Review your selections and click **Create**.
+
+## Next steps
+{: scan-watson-attachment-next}
+
+Now that you finished evaluating your Watson Machine Learning resources against the AI Security Guardrails 2.0 profile, you can [view detailed results in the dashboard](/docs/security-compliance?topic=security-compliance-results&interface=ui#view-detailed-results) and download a report. 
+