Build SCC profile configurations with controls, assessments, scopes, and scheduled scan attachments.
Last verified: May 2026
Required Fields
profileName, controls, scopes
IBM Cloud Security and Compliance Center (SCC) runs automated control assessments against your IBM Cloud resources to check compliance with frameworks like SOC 2, HIPAA, or your own custom profiles. The SCC Profile Builder generates a complete profile with controls grouped by domain, evaluations of which resources are in scope, and a scheduled scan attachment that runs the assessment on a cadence.
A profile is a set of controls and their evaluation rules. A scope defines which resources the profile evaluates against — a particular resource group, a particular set of regions, or a tagged subset. You attach a profile to one or more scopes; an attachment is what actually runs the assessment. Without scopes, a profile is just a checklist.
For most organizations, a daily scan schedule is right. Hourly is overkill for compliance posture (which doesn't change that fast) and generates noise. Weekly is too infrequent to catch the average compliance drift before an auditor asks. Daily plus on-demand for major changes is the sweet spot.
An upcoming SOC 2 audit requires demonstrating continuous monitoring of access controls and encryption-at-rest across IBM Cloud resources. You generate a profile combining IBM's SOC 2 control catalog and a few custom controls for your specific architecture. Attach it to two scopes (production and shared services), schedule daily scans, and route findings to your existing alerting. Audit evidence consists of three months of daily scan reports — produced automatically — instead of a frantic week of manual screenshots.
The builder collects the profile name, base controls (selected from IBM Cloud's built-in catalog or added as custom controls), scope filters (resource group, tags, regions), and scan schedule. Each control's parameters are validated against IBM Cloud's expected schema. Output is `ibm_scc_profile` and `ibm_scc_profile_attachment` Terraform resources, plus the schedule and notification routing configuration.
Use tags as scope filters. A profile attached to all resources tagged `compliance:in-scope` automatically includes new resources without manual scope updates — the burden shifts to correctly tagging new resources, which you should be doing anyway.
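A pre-flight lint for the inputs the builder collects and for the tag-filter advice above, as an added example that is not the builder's own code. Only `profileName`, `controls` and `scopes` come from the page; the other key names, the config shape and the sample values are assumptions.

```python
REQUIRED = ("profileName", "controls", "scopes")      # required fields per the page
SCOPE_FILTERS = ("resourceGroup", "tags", "regions")  # assumed key names
SCHEDULE_NOTES = {                                    # cadence guidance from the page
    "daily": None,
    "hourly": "hourly scans generate noise for compliance posture",
    "weekly": "weekly scans are too infrequent to catch drift",
}

def lint_profile(cfg):
    """Return (errors, warnings) for one profile config dict (assumed shape)."""
    errors, warnings = [], []
    for field in REQUIRED:
        if not cfg.get(field):
            errors.append(f"missing required field: {field}")
    ids = [c.get("id") for c in cfg.get("controls") or []]
    if any(not i for i in ids):
        errors.append("control without an id")
    for dup in sorted({i for i in ids if i and ids.count(i) > 1}):
        errors.append(f"duplicate control id: {dup}")
    for scope in cfg.get("scopes") or []:
        name = scope.get("name", "<unnamed>")
        used = [k for k in SCOPE_FILTERS if scope.get(k)]
        if not used:
            errors.append(f"scope {name}: no resource group, tag or region filter")
        elif "tags" not in used:
            warnings.append(f"scope {name}: no tag filter, new resources need manual scope updates")
    schedule = cfg.get("schedule")
    if schedule not in SCHEDULE_NOTES:
        errors.append(f"unknown scan schedule: {schedule!r}")
    elif SCHEDULE_NOTES[schedule]:
        warnings.append(SCHEDULE_NOTES[schedule])
    return errors, warnings

# Constructed sample input (not from a real account); control ids are placeholders.
SAMPLE = {
    "profileName": "soc2-continuous",
    "controls": [{"id": "custom-encryption-at-rest"}, {"id": "custom-access-review"},
                 {"id": "custom-access-review"}],
    "scopes": [
        {"name": "production", "tags": ["compliance:in-scope"], "regions": ["us-south"]},
        {"name": "shared-services", "resourceGroup": "shared"},
        {"name": "sandbox"},
    ],
    "schedule": "weekly",
}

if __name__ == "__main__":
    for level, messages in zip(("ERROR", "WARN"), lint_profile(SAMPLE)):
        for message in messages:
            print(f"{level}: {message}")
```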
Wire the SCC results export into your existing observability stack. Compliance findings that only live in the SCC dashboard get forgotten; findings that show up alongside other engineering data get acted on.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.