This portal is to open public enhancement requests against products and services offered by the IBM Data & AI organization. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
Problem Statement/Pain Points: We work with a government agency that has specific security requirements, and we are utilizing Cloud Pak for Data within their environment. They have a need for utilizing S3 Data Connections to resources in AWS GovCloud. Currently, Cloud Pak for Data S3 Data Connections only allow Access Key/Secret Key to authenticate to the service. However, we are required to utilize more secure connection options than username/password (which is essentially the same as an Access Key/Secret Key). Since IAM Role credentials are not stored within the application, using them would allow us to avoid this issue.
State your current workaround(s): We are currently utilizing Access Keys and Secret Keys and therefore have to enter a POAM (Plan of Action and Milestones) with our client in order to remain compliant.
State any proposed solution(s): Allow users to utilize either Access Keys and Secret Keys or AWS IAM Roles with S3 Connections. With IAM Roles, an application or a service offered by AWS (like Amazon EC2) can assume a role by requesting temporary security credentials for that role, with which it then makes programmatic requests to AWS. You use a role this way so that you do not have to share or maintain long-term security credentials (for example, by creating an IAM user with an Access Key and Secret Key) for each entity that requires access to a resource. An apparent limitation of this approach is that it restricts the number of unique S3 Data Connections available while using IAM Roles (since the roles would be assigned to the EC2 Cloud Pak for Data nodes). Therefore, we are interested in alternative solutions that meet this need while overcoming this limitation.
State the benefits/value this idea has: Per AWS best practices, for applications on Amazon EC2 or other AWS services to access Amazon S3 resources, they must include valid AWS credentials in their AWS API requests. You should not store AWS credentials directly in the application or Amazon EC2 instance. These are long-term credentials that are not automatically rotated and could have a significant business impact if they are compromised. Instead, you should use an IAM role to manage temporary credentials for applications or services that need to access Amazon S3. When you use a role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an Amazon EC2 instance or AWS service such as AWS Lambda. The role supplies temporary permissions that applications can use when they make calls to other AWS resources. [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html]
State # of users impacted and how often they are impacted: All users utilizing AWS S3 Buckets within Cloud Pak for Data would benefit.
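As an added audit example (not part of this request or of Cloud Pak for Data itself), the following Python classifies S3 connection records by the kind of AWS credential they store, using the documented access key ID prefixes (AKIA for long-term IAM user keys, ASIA for temporary STS credentials) to find connections that still embed the non-rotating keys this idea wants to retire. The connection field names and sample values are assumptions, not the product's real connection schema.

```python
"""Audit S3 connection definitions for stored long-term AWS credentials.
Field names are an assumed, simplified export format, not Cloud Pak for
Data's real connection schema."""
from datetime import datetime, timezone

# Well-known AWS access key ID prefixes: AKIA = long-term IAM user key,
# ASIA = temporary credential issued by STS (assumed role, instance profile).
LONG_TERM_PREFIX = "AKIA"
TEMPORARY_PREFIX = "ASIA"


def classify_credentials(conn, now=None):
    """Return 'role', 'temporary', 'expired', 'long-term' or 'invalid'."""
    now = now or datetime.now(timezone.utc)
    key = conn.get("access_key_id")
    secret = conn.get("secret_access_key")
    token = conn.get("session_token")
    expires = conn.get("expiration")  # ISO-8601, temporary credentials only
    if not key and not secret and not token:
        # Nothing stored: the SDK credential chain resolves the node's IAM role.
        return "role"
    if not key or not secret:
        return "invalid"  # half a key pair is a broken record
    if key.startswith(LONG_TERM_PREFIX):
        # IAM user keys never carry a session token and never expire on their own.
        return "long-term" if not token else "invalid"
    if key.startswith(TEMPORARY_PREFIX):
        if not token:
            return "invalid"  # STS credentials are unusable without the token
        if expires and datetime.fromisoformat(expires) <= now:
            return "expired"
        return "temporary"
    return "invalid"


def find_long_term_credentials(connections, now=None):
    """Names of connections storing non-rotating IAM user keys (the finding)."""
    return [c["name"] for c in connections
            if classify_credentials(c, now) == "long-term"]


# Constructed sample export; key values are placeholders, not real credentials.
SAMPLE_CONNECTIONS = [
    {"name": "govcloud-raw", "access_key_id": "AKIAPLACEHOLDER0000",
     "secret_access_key": "placeholder-secret"},
    {"name": "govcloud-curated"},  # relies on the node's IAM role
    {"name": "batch-job", "access_key_id": "ASIAPLACEHOLDER0000",
     "secret_access_key": "placeholder-secret", "session_token": "placeholder",
     "expiration": "2030-01-01T00:00:00+00:00"},
]
```

Run `find_long_term_credentials(SAMPLE_CONNECTIONS)` over an exported connection list to get the names that should be tracked in the POAM until they are migrated to a role.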