IBM COS HMAC Credentials
Service Name: IBM Cloud Object Storage
Service Description: IBM Cloud Object Storage is a highly scalable cloud storage service designed for storing unstructured data. It provides durability, security, and availability for data storage needs with HMAC authentication for API access.
Service Address: https://cloud.ibm.com/objectstorage
Validation Type: API Auth
IP Allow list: IP restrictions can be configured through IBM Cloud IAM policies and network access policies.
Secret Access Scope: Grants programmatic access to IBM Cloud Object Storage buckets and objects with permissions defined by the associated IAM policies.
Secret Revokement URL: https://cloud.ibm.com/iam/apikeys
Secret Example: AccessKeyId=AKIAIOSFODNN7EXAMPLE,SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPx RfiCYEXAMPLEKEY
Suspicious Activity Investigation Instructions:
- Review IBM Cloud Activity Tracker logs for unusual API calls or access patterns.
- Check for unexpected data transfers or bucket access from unfamiliar IP addresses.
- Monitor for unauthorized bucket creation, deletion, or permission changes.
- Examine access logs for operations performed outside normal business hours.
- Verify if there are any unusual storage cost spikes indicating potential data exfiltration.
Mitigation Instructions:
- Immediately rotate the compromised HMAC credentials by creating new credentials in the IBM Cloud console.
- Delete the compromised credentials from your IBM Cloud IAM settings.
- Review and update IAM policies to enforce the Principle of Least Privilege.
- Enable multi-factor authentication for IBM Cloud accounts if not already enabled.
- Update any application configurations or code that used the old credentials.
- Consider implementing bucket policies that restrict access based on IP address or other conditions.
- Review all buckets for unauthorized objects or modifications.
- Enable object versioning to protect against unauthorized modifications or deletions.