Problem Statement/Pain Points: We work with a government agency that has specific security requirements, and we are utilizing Cloud Pak for Data within their environment. They have a need for utilizing S3 Data Connections to resources in AWS GovCloud. Currently, Cloud Pak for Data S3 Data Connections only allow Access Key/Secret Key to authenticate to the service. However, we are required to utilize more secure connection options than username/password (which is essentially the same as an Access Key/Secret Key). However, since IAM Role credentials are not stored within the application, we are able to avoid this issue.
State your current workaround(s): We are currently utilizing Access Keys and Secret Keys and therefore have to enter a POAM with our client in order to remain compliant.
State any proposed solution(s): Allow users the ability to utilize either Access Keys and Secret Keys or AWS IAM Roles with S3 Connections. With IAM Roles, an application or a service offered by AWS (like Amazon EC2) can assume a role by requesting temporary security credentials for a role with which to make programmatic requests to AWS. You use a role this way so that you do not have to share or maintain long-term security credentials (for example, by creating an IAM user with Access Key and Secret Key) for each entity that requires access to a resource. An apparent limitation of this is that it limits the number of unique S3 Data Connections that we are allowed while using IAM Roles (since the roles would be assigned to the EC2 Cloud Pak for Data nodes). Therefore, we are interested in alternative solutions to meet this need while overcoming this limitation.
State the benefits/value this idea has: Per AWS best practices, for applications on Amazon EC2 or other AWS services to access Amazon S3 resources, they must include valid AWS credentials in their AWS API requests. You should not store AWS credentials directly in the application or Amazon EC2 instance. These are long-term credentials that are not automatically rotated and could have a significant business impact if they are compromised. Instead, you should use an IAM role to manage temporary credentials for applications or services that need to access Amazon S3. When you use a role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an Amazon EC2 instance or AWS service such as AWS Lambda. The role supplies temporary permissions that applications can use when they make calls to other AWS resources. [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html]
State # of users impacted and how often they are impacted: All users utilizing AWS S3 Buckets within Cloud Pak for Data would benefit
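The credential model the submitter is asking for, as an added example (not Cloud Pak for Data code and not part of the idea submission): a connection that stores only a role ARN calls STS AssumeRole, caches the short-lived credentials and renews them before expiry, while the current static-key connection persists the secret alongside the bucket name. It also shows one way around the "one role per EC2 node" limitation raised above: the node's instance role assumes a different data-access role per connection, so the number of unique connections is bounded by the roles' trust policies rather than by the instance profile. All ARNs, bucket names and the `FakeSts` responder are constructed so the module runs offline; `Boto3Sts` is the adapter you would swap in against real STS (GovCloud ARNs use the `arn:aws-us-gov:` partition).

```python
"""Static S3 access keys versus per-connection AssumeRole (added example, not IBM code)."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Protocol, Set

REFRESH_MARGIN = timedelta(minutes=5)   # renew while the old credentials are still valid


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime                  # tz-aware UTC, as boto3 returns it


class StsClient(Protocol):
    def assume_role(self, role_arn: str, session_name: str, duration_seconds: int) -> TemporaryCredentials: ...


@dataclass
class StaticKeyConnection:
    """Today's option: an IAM user's long-lived keys stored with the connection."""
    bucket: str
    access_key_id: str
    secret_access_key: str

    def saved_config(self) -> Dict[str, str]:
        # The secret lands in whatever store persists the connection definition.
        return {"bucket": self.bucket, "access_key_id": self.access_key_id,
                "secret_access_key": self.secret_access_key}


@dataclass
class RoleConnection:
    """Requested option: the connection stores a role ARN and nothing secret."""
    bucket: str
    role_arn: str
    sts: StsClient
    session_name: str = "cpd-s3-connection"
    duration_seconds: int = 3600          # AWS minimum is 900; maximum is the role's MaxSessionDuration
    _cached: Optional[TemporaryCredentials] = field(default=None, repr=False)

    def saved_config(self) -> Dict[str, str]:
        return {"bucket": self.bucket, "role_arn": self.role_arn}

    def credentials(self, now: Optional[datetime] = None) -> TemporaryCredentials:
        """Return cached temporary credentials, calling AssumeRole only when they are missing or about to expire."""
        now = now or datetime.now(timezone.utc)
        if self._cached is None or now + REFRESH_MARGIN >= self._cached.expiration:
            self._cached = self.sts.assume_role(self.role_arn, self.session_name, self.duration_seconds)
        return self._cached


class FakeSts:
    """Constructed stand-in for STS: checks the role's trust policy and issues expiring credentials."""

    def __init__(self, caller_arn: str, trust: Dict[str, Set[str]], now: datetime):
        self.caller_arn = caller_arn      # the principal making the call, e.g. the node's instance role
        self.trust = trust                # role ARN -> principals its trust policy allows to assume it
        self.now = now
        self.calls = 0

    def assume_role(self, role_arn: str, session_name: str, duration_seconds: int) -> TemporaryCredentials:
        if not 900 <= duration_seconds <= 43200:
            raise ValueError("DurationSeconds out of range")
        if self.caller_arn not in self.trust.get(role_arn, set()):
            raise PermissionError(f"{self.caller_arn} may not assume {role_arn}")
        self.calls += 1
        tag = hashlib.sha256(f"{role_arn}:{self.calls}".encode()).hexdigest()   # unique per (role, call)
        return TemporaryCredentials("ASIA" + tag[:16].upper(), tag[16:56], "FQoG" + tag[56:],
                                    self.now + timedelta(seconds=duration_seconds))


class Boto3Sts:
    """Real adapter (needs boto3); GovCloud STS lives in us-gov-west-1 / us-gov-east-1."""

    def __init__(self, region_name: str = "us-gov-west-1"):
        import boto3   # lazy import so the offline demo runs without boto3 installed
        self._client = boto3.client("sts", region_name=region_name)

    def assume_role(self, role_arn: str, session_name: str, duration_seconds: int) -> TemporaryCredentials:
        c = self._client.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                                     DurationSeconds=duration_seconds)["Credentials"]
        return TemporaryCredentials(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"], c["Expiration"])


def can_assume(sts: StsClient, role_arn: str) -> bool:
    try:
        RoleConnection("probe", role_arn, sts).credentials()
        return True
    except PermissionError:
        return False


def demo():
    """Three connections from one node role: one AssumeRole each, cache hits, then refresh near expiry."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    node_role = "arn:aws-us-gov:iam::123456789012:role/cpd-node"                     # constructed ARN
    data_roles = [f"arn:aws-us-gov:iam::123456789012:role/s3-reader-{i}" for i in range(3)]
    sts = FakeSts(node_role, {r: {node_role} for r in data_roles}, now=t0)
    conns = [RoleConnection(f"bucket-{i}", r, sts) for i, r in enumerate(data_roles)]
    first = [c.credentials(t0) for c in conns]                                # 3 AssumeRole calls
    again = [c.credentials(t0 + timedelta(minutes=30)) for c in conns]        # served from cache
    sts.now = t0 + timedelta(minutes=56)
    renewed = [c.credentials(sts.now) for c in conns]                         # inside the margin: 3 more calls
    return sts, conns, first, again, renewed
```

The connection definition that gets persisted is `saved_config()`: for `RoleConnection` it is only a bucket and a role ARN, which is what lets an auditor treat the connection as holding no long-term secret. Trust policies on each `s3-reader-*` role (the `trust` mapping in `FakeSts`) decide which node principal may assume it, so adding a connection means adding a role, not another instance profile.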