← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 05 · Multi-Cloud Security Curriculum

Cloud Security Posture Management (CSPM)

Continuous monitoring, misconfiguration detection, policy-as-code, and compliance automation across multi-cloud environments.

20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes

Learning Outcomes

  • Understand CSPM concepts and why misconfigurations are the #1 cloud risk
  • Identify and use native CSPM tools across AWS, Azure, and GCP
  • Apply Policy-as-Code principles with tools like Checkov, OPA, and SCPs
  • Prioritize and remediate cloud security findings effectively

Topics Covered

#TopicTime
1Core Concepts: CSPM, drift, PaC, CNAPP, CIEM, CWPP12 min
2Interview Q&A (20 questions)20 min
3MCQ Quiz (25 questions)15 min
4Simulation: Misconfiguration Risk Rater4 min
5Simulation: CSPM Tool Matcher (3-cloud)3 min
6Simulation: Policy-as-Code Tool Selector3 min
7Simulation: Remediation Priority Queue3 min
💡 CSPM is one of the highest-frequency interview topics for cloud security roles. Interviewers often ask you to compare native tools (Security Hub vs Defender for Cloud vs SCC) and explain what misconfigurations you would fix first.
Core Concepts · ~12 min

CSPM Fundamentals

What is CSPM?

Cloud Security Posture Management (CSPM) is a category of security tools that continuously monitors cloud infrastructure configurations, detects misconfigurations and policy violations, and ensures ongoing compliance across cloud environments. It addresses the #1 cause of cloud breaches: human misconfiguration.

According to Gartner, through 2025, 99% of cloud security failures will be the customer's fault — predominantly due to misconfiguration. CSPM automates the detection of these failures at scale.

Key Concepts

ConceptDefinition
Configuration DriftWhen live infrastructure diverges from its approved/desired state over time — caused by manual changes, failed deployments, or ad-hoc fixes.
Policy-as-Code (PaC)Defining security and compliance policies in code that is version-controlled and automatically evaluated against infrastructure.
CSPMContinuous cloud posture monitoring — detects misconfigurations, policy violations, and compliance gaps.
CNAPPCloud Native Application Protection Platform — unified platform combining CSPM + CWPP + CIEM + container/code security.
CWPPCloud Workload Protection Platform — runtime protection for VMs, containers, serverless (threat detection, vulnerability scanning, process monitoring).
CIEMCloud Infrastructure Entitlement Management — identifies overprivileged identities, unused permissions, and excessive access rights in IAM.
Compliance-as-CodeMapping regulatory requirements (CIS, SOC 2, PCI-DSS) into automated checks that run continuously.

Native CSPM Tools — Three Clouds

ToolCloudKey Features
AWS Security HubAWSAggregates findings from GuardDuty, Inspector, Macie; CIS/PCI/NIST benchmark checks; Security Score (0–100%); cross-account aggregation
Azure Defender for CloudAzureSecure Score, actionable recommendations, Defender plans per workload (VMs, SQL, K8s, Storage, Key Vault); regulatory compliance dashboard
GCP Security Command Center (SCC)GCPAsset inventory, vulnerability findings, threat detection, compliance mapping; Security Health Analytics; Event Threat Detection

Third-party CSPM: Wiz (agentless, graph-based risk prioritization), Prisma Cloud (Palo Alto, full CNAPP), Orca Security (SideScanning™ technology), Lacework (anomaly-based).

Policy-as-Code Tools

ToolScopeUse Case
AWS SCPsAWS OrganizationsOrg-wide guardrails — deny actions across all accounts (e.g., prevent resource creation outside approved regions)
AWS Config RulesAWS accountContinuous evaluation of resource configurations; managed rules + custom Lambda rules
Azure PolicyAzure subscriptionsEnforce and audit resource configurations; deny/audit/append effects; compliance reports
GCP Organization PoliciesGCP organizationEnforce constraints on resource configuration (e.g., restrict public IPs, require OS login)
OPA (Open Policy Agent)Multi-platformGeneral-purpose policy engine; works with Kubernetes admission, Terraform, API calls; Rego language
CheckovIaC filesStatic analysis of Terraform, CloudFormation, ARM, Kubernetes YAML for misconfigurations in CI/CD pipelines
HashiCorp SentinelTerraformPolicy-as-code framework embedded in Terraform Cloud/Enterprise

Common Misconfigurations Detected by CSPM

MisconfigurationRiskSeverity
Public S3 bucket / Azure blob / GCP bucketData exposure to internetCritical
Security group 0.0.0.0/0 on port 22/3389SSH/RDP brute force from internetCritical
Root/admin account without MFAAccount takeover leading to full compromiseCritical
Unencrypted storage volumes / databasesData readable if storage media compromisedHigh
CloudTrail / audit logs disabledBlind spot — no forensic evidence of attacksHigh
IAM policy with Action:* Resource:*Any compromise = full account accessCritical
EC2 instances with public IPs unnecessarilyExpanded attack surfaceMedium
Default VPC in use with permissive rulesNetwork isolation not enforcedMedium

Remediation Approaches

Auto-Remediation

Lambda function / Logic App triggered by finding → automatically fixes the issue (e.g., make S3 bucket private, enable encryption). Fast but risks unintended consequences. Use with caution in production.

Manual Remediation

Finding → ticket in Jira/ServiceNow → engineer reviews and fixes. Slower but safer. Recommended for high-impact production changes. Always use for Critical findings.

Interview Q&A · ~20 min · 20 Questions

Interview Questions & Model Answers

Click any question to reveal the model answer.

1What is CSPM and why is it important in cloud environments?Easy
CSPM (Cloud Security Posture Management) is a category of tools that continuously monitors cloud infrastructure for misconfigurations, security policy violations, and compliance drift across cloud accounts and services.

It is important because:
  • Cloud environments are highly dynamic — resources are created/destroyed constantly, making manual audits impossible
  • Misconfigurations are the #1 cause of cloud breaches (Gartner: 99% of cloud failures are customer-caused)
  • A single public S3 bucket can expose millions of records — CSPM catches this immediately
  • Multi-cloud complexity (AWS + Azure + GCP) requires unified visibility
  • Regulatory compliance (CIS, PCI-DSS, SOC 2) requires continuous evidence
💡 Real example: Capital One breach (2019) — a misconfigured WAF + overprivileged EC2 role led to theft of 100M+ records. A CSPM tool would have flagged both issues.
2What is configuration drift and how does CSPM address it?Medium
Configuration drift occurs when the actual state of deployed infrastructure diverges from the intended/approved state. Causes include:
  • Manual console changes ("quick fixes") that bypass IaC
  • Failed IaC deployments that leave partial configurations
  • Auto-scaling events creating resources with non-standard configs
  • Engineers applying emergency patches without updating the baseline
CSPM addresses drift by:
  • Continuously scanning resource configurations against a desired baseline
  • Alerting when any resource deviates (e.g., encryption disabled, public access enabled)
  • Some tools (AWS Config, Azure Policy) can auto-remediate drift back to compliant state
  • Providing an audit trail of when and how drift occurred
💡 AWS Config's "Conformance Packs" bundle multiple Config Rules into a single deployable compliance framework — great for drift detection at scale.
3What is Policy-as-Code? Give examples of tools.Medium
Policy-as-Code (PaC) is the practice of expressing security and compliance policies as version-controlled code that is automatically evaluated against infrastructure — either at deployment time (shift-left) or continuously at runtime.

Key tools:
  • Checkov: Open-source IaC scanner — scans Terraform, CloudFormation, ARM templates for misconfigurations before deployment
  • OPA (Open Policy Agent): General-purpose policy engine using Rego language; can enforce policies on Kubernetes admission, API calls, Terraform plans
  • AWS SCPs: JSON-based policies applied at AWS Organization level — preventative guardrails across all member accounts
  • Azure Policy: Built-in or custom policies enforced on Azure resource operations
  • HashiCorp Sentinel: Policy framework embedded in Terraform Cloud — blocks applies that violate policy
💡 PaC advantages over manual review: consistent enforcement, version history, peer-reviewable via pull requests, no human error.
4What is AWS Security Hub and what does it do?Easy
AWS Security Hub is AWS's native CSPM and security findings aggregator. It:
  • Aggregates security findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, and third-party tools
  • Runs automated checks against CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, PCI-DSS, NIST 800-53
  • Provides a consolidated Security Score (percentage of passed controls)
  • Supports multi-account aggregation via AWS Organizations (delegate to a security account)
  • Integrates with EventBridge for automated remediation and SIEM forwarding
  • Supports custom insights (filtered views of findings)
💡 Security Hub is NOT a threat detection tool — GuardDuty does that. Security Hub aggregates GuardDuty findings alongside posture checks. Know this distinction in interviews.
5What is Azure Defender for Cloud and what is the Secure Score?Easy
Azure Defender for Cloud (formerly Azure Security Center) is Microsoft's integrated CSPM and cloud workload protection platform. It provides:
  • Secure Score: A 0–100% score representing the percentage of security recommendations completed; each recommendation has a point value based on severity
  • Security recommendations: Prioritized, actionable guidance for each resource (e.g., "Enable MFA on accounts with Owner permissions")
  • Regulatory compliance dashboard: Mapping to CIS, NIST, PCI-DSS, ISO 27001, Azure Security Benchmark
  • Defender plans: Paid workload protection for VMs (MDfS), Storage, SQL, Kubernetes, App Service, Key Vault, DNS, ARM — each adds runtime threat detection
  • Attack path analysis: Visual graph showing how a misconfiguration chain could lead to a breach
💡 The Secure Score is a great KPI for board-level reporting — it gives executives a single number to track cloud security improvement over time.
6What is GCP Security Command Center?Easy
GCP Security Command Center (SCC) is Google Cloud's centralized security and risk management platform:
  • Asset inventory: Discovers and monitors all GCP assets across projects and organizations
  • Security Health Analytics: Detects misconfigurations (public buckets, unrestricted firewall rules, no MFA)
  • Event Threat Detection: ML-based detection of threats (crypto mining, data exfiltration, malware)
  • Web Security Scanner: Scans web applications for XSS, SQLi, and other vulnerabilities
  • Compliance dashboard: CIS GCP Foundations Benchmark, PCI-DSS, NIST
  • Container Threat Detection: Runtime security for GKE workloads
💡 SCC has two tiers: Standard (free, limited findings) and Premium (full threat detection, compliance reports, additional sources). Always clarify which tier is in use during interviews about GCP deployments.
7What are the most common misconfigurations CSPM tools detect?Easy
  • Public cloud storage: S3 buckets, Azure blobs, GCP buckets with public read/write access — most common breach vector
  • Overly permissive network rules: Security groups/NSGs allowing 0.0.0.0/0 on SSH (22), RDP (3389), or all ports
  • No MFA on privileged accounts: Root account, admin users, break-glass accounts without MFA
  • Unencrypted data stores: RDS without encryption, EBS volumes unencrypted, Azure SQL without TDE
  • Audit logging disabled: No CloudTrail, no Azure Activity Log retention, no GCP Audit Logs
  • Wildcard IAM permissions: Action:* or Resource:* in policies; AdministratorAccess on service accounts
  • Default VPCs with permissive rules: AWS default VPC allows all inbound between instances
  • Unused credentials: IAM users with access keys not rotated, inactive accounts not disabled
💡 In interviews, always know the "Top 5" misconfigurations cold and be able to explain how to detect AND fix each one.
8What is the difference between CSPM and CNAPP?Medium
CapabilityCSPMCNAPP
Cloud configuration/posture monitoring✅ Core capability✅ Included
Runtime workload protection (VMs, containers)✅ (CWPP component)
IAM entitlement analysis (over-privilege)❌ or limited✅ (CIEM component)
Container/K8s security (image scanning, runtime)
IaC scanning (shift-left)❌ or limited
Attack path / risk graph analysisLimited✅ (Wiz, Prisma)

CNAPP = CSPM + CWPP + CIEM + container security + IaC scanning — a unified platform replacing multiple point solutions. Coined by Gartner in 2021. Examples: Wiz, Prisma Cloud, Microsoft Defender for Cloud (full), Lacework.
💡 The industry is consolidating from standalone CSPM tools to full CNAPP platforms. Wiz's $12B acquisition by Google (2024) signals this trend.
9What is CIEM (Cloud Infrastructure Entitlement Management)?Hard
CIEM is a security capability that focuses on managing and reducing excessive permissions and entitlements in cloud IAM — addressing the "permissions gap" where identities have far more access than they actually use.

CIEM tools:
  • Analyze all IAM policies across cloud accounts to discover what permissions are granted
  • Identify what permissions are actually used (by analyzing CloudTrail/Activity Logs)
  • Highlight the gap: unused permissions that represent unnecessary risk
  • Recommend or auto-generate least-privilege policies
  • Detect cross-account privilege escalation paths
Examples: AWS IAM Access Analyzer (native, limited), Ermetic, Sonrai Security, CrowdStrike Falcon CIEM, Wiz CIEM.
💡 Studies show the average cloud identity uses only 5% of its granted permissions — CIEM helps right-size permissions to reduce blast radius if any identity is compromised.
10What is CWPP (Cloud Workload Protection Platform)?Medium
CWPP provides runtime security for cloud workloads — VMs, containers, serverless functions, and databases. Key capabilities:
  • Vulnerability scanning: Agent or agentless scanning of OS packages and application libraries
  • Malware detection: Scanning for known malicious files and behaviour
  • Runtime threat detection: Detecting anomalous process execution, network connections, file modifications
  • Container security: Image scanning, runtime policy enforcement (Falco), Kubernetes admission control
  • Host hardening: CIS benchmark compliance for OS configurations
Examples: AWS Inspector v2 (agentless), Azure Defender for Servers (MDE integration), Prisma Cloud Defender agent, Aqua Security, Sysdig Secure.
💡 CWPP is "what's happening inside the workload" while CSPM is "how the workload is configured." Both are needed for comprehensive cloud security.
11What is OPA (Open Policy Agent)?Hard
OPA is an open-source, general-purpose policy engine that decouples policy decision-making from policy enforcement. Policies are written in Rego, a declarative query language.

OPA can enforce policies for:
  • Kubernetes: Admission controller (Gatekeeper) — prevent non-compliant pods from being scheduled
  • Terraform: Evaluate Terraform plans before apply — block non-compliant resource configurations
  • API authorization: Fine-grained access control decisions for microservices
  • CI/CD pipelines: Gate deployments based on policy compliance
OPA is CNCF graduated. Used by Netflix, Pinterest, Atlassian for policy enforcement at scale.
💡 OPA doesn't enforce policies itself — it returns a decision (allow/deny + reasons). The calling system enforces it. This separation makes OPA highly flexible.
12What are AWS Service Control Policies (SCPs)?Medium
SCPs are a type of organizational policy in AWS Organizations that set maximum permissions for all accounts within an organizational unit (OU) or the entire organization. Key points:
  • SCPs work as guardrails — they restrict what IAM policies in member accounts can do
  • SCPs do NOT grant permissions; they only restrict. Even if an IAM policy allows an action, the SCP can deny it
  • Applied to OUs or individual accounts; affect all users and roles including root
  • Common SCP examples: deny deletion of CloudTrail, deny creating resources outside approved regions, deny disabling GuardDuty, require MFA for sensitive operations
  • Management account is NOT affected by SCPs
💡 SCPs are preventative (they stop bad things from happening), while AWS Config Rules are detective (they find things that already happened). Use both together for defense in depth.
13What is Checkov and how is it used?Medium
Checkov is an open-source static analysis tool for Infrastructure-as-Code (IaC) security scanning. It supports:
  • Terraform, CloudFormation, ARM Templates, Bicep, Kubernetes YAML, Helm, Serverless, Dockerfile, GitHub Actions
  • 500+ built-in checks covering CIS benchmarks, NIST, SOC 2, PCI-DSS
  • Custom checks written in Python or YAML
  • SARIF output for IDE/GitHub integration
  • CI/CD integration: runs in GitHub Actions, GitLab CI, Jenkins — blocks merge if critical findings exist
Example: Checkov scan of Terraform detects an S3 bucket without server-side encryption or versioning before it is ever deployed — "shifting security left."
💡 Checkov is free and maintained by Bridgecrew (acquired by Prisma Cloud). The paid Bridgecrew SaaS adds historical drift tracking, PR comments, and policy-as-code management UI.
14How does auto-remediation work in CSPM?Hard
Auto-remediation automatically fixes a misconfiguration when a CSPM finding is generated:

AWS pattern: Security Hub finding → EventBridge rule matches finding type → triggers Lambda function → Lambda calls AWS SDK to fix (e.g., s3.put_bucket_acl(ACL='private'))

Azure pattern: Defender for Cloud recommendation → Logic App triggered → Azure SDK call to fix resource (e.g., enable storage encryption)

Best practices for auto-remediation:
  • Start with low-risk, high-confidence fixes (e.g., enable logging, add tags)
  • Never auto-remediate in production without testing in staging first
  • Implement a "dry-run" mode that logs what would be fixed without doing it
  • Send a notification after every auto-remediation for human review
  • Use break-glass: stop auto-remediation if error rate exceeds threshold
  • For Critical findings involving data or access: always require human approval
💡 Auto-remediation is powerful but dangerous — a bug in your remediation Lambda could cause an outage (e.g., accidentally making all S3 buckets private breaks a CDN). Test thoroughly.
15What is CIS Benchmark for cloud and how is it used?Easy
CIS (Center for Internet Security) Benchmarks are vendor-neutral security configuration guidelines developed by security experts. Cloud-specific benchmarks include:
  • CIS AWS Foundations Benchmark (v1.5.0 current)
  • CIS Microsoft Azure Foundations Benchmark
  • CIS Google Cloud Platform Foundation Benchmark
  • CIS Kubernetes Benchmark
Each benchmark has 50–100+ controls grouped by area (IAM, Logging, Monitoring, Networking, Storage). Each control has:
  • Description and rationale
  • Remediation steps for console and CLI
  • Level 1 (essential, low-risk) vs Level 2 (defence-in-depth, may impact usability)
How used: AWS Security Hub, Azure Defender for Cloud, and GCP SCC all have built-in CIS benchmark assessment standards that automatically evaluate your environment against these controls.
💡 CIS Benchmark compliance is often a contractual requirement in enterprise cloud contracts and a baseline for SOC 2 type assessments.
16What is Secure Score in Azure Defender for Cloud?Easy
Secure Score is a metric in Azure Defender for Cloud (0–100%) that represents the security health of your Azure subscriptions. It works as follows:
  • Each security recommendation has a point value (max points) based on its severity
  • Completing a recommendation adds its points to your score
  • Score = (Points achieved / Max possible points) × 100%
  • Recommendations are grouped into security controls (e.g., "Enable MFA", "Protect applications with Azure Firewall")
  • Each control shows the potential score increase if all resources in that control are remediated
Use cases: executive KPI reporting, prioritization (tackle highest-point recommendations first), tracking improvement over time, contractual SLA reporting.
💡 AWS Security Hub has a similar concept called "Security Score" showing % of passed security controls — same idea, different implementation. Know both for multi-cloud interviews.
17What is the difference between a CSPM finding and a SIEM alert?Hard
AspectCSPM FindingSIEM Alert
What it detectsMisconfiguration / policy violation / compliance gapSuspicious activity / security event / behavioral anomaly
NatureStatic state issue (how something is configured)Dynamic event (something happened)
Example"S3 bucket is publicly accessible""1000 S3 GetObject calls from unknown IP in 60 seconds"
UrgencyRemediate before exploitationInvestigate immediately — may be active attack
SourceAWS Security Hub, Azure Defender, GCP SCCMicrosoft Sentinel, Splunk, QRadar
ResponseFix the configurationTriage, investigate, contain
💡 CSPM findings feed SIEMs: Security Hub → EventBridge → Sentinel via connector. A CSPM finding about a public bucket + a SIEM alert about large data access from that bucket = confirmed breach in progress.
18What is Wiz and what makes it different from native CSPM tools?Hard
Wiz is a cloud security platform that provides agentless CNAPP capabilities. Key differentiators:
  • Agentless: Connects via read-only cloud APIs — no agents deployed, no performance impact on workloads
  • Security Graph: Builds a graph of all cloud resources and their relationships; identifies combined risk paths (e.g., public VM + unpatched CVE + admin IAM role = Critical)
  • Toxic Combinations: Prioritizes findings where multiple risk factors combine to create exploitable paths — not just individual misconfiguration counts
  • Multi-cloud unified: Single platform for AWS, Azure, GCP, OCI, Kubernetes — consistent findings and scoring
  • Full CNAPP: CSPM + CWPP + CIEM + container security + IaC scanning + secrets detection
vs Native tools: Native tools (Security Hub, Defender) are free/cheap but siloed per cloud. Wiz costs money but provides unified multi-cloud visibility with context-aware risk prioritization.
💡 Google announced acquisition of Wiz for ~$32B in 2024 — the largest cybersecurity acquisition ever. This signals how critical cloud security posture has become.
19How would you prioritize CSPM findings for remediation?Hard
A structured prioritization approach:
  1. Critical internet-exposed misconfigurations first: Public storage buckets, RDP/SSH open to 0.0.0.0/0, public databases — these have the highest exploitation probability
  2. Privileged identity risks: No MFA on admin/root accounts, wildcard IAM policies — compromise = full account takeover
  3. Audit log gaps: Disabled CloudTrail/logging — fix this early so you can see what happened in case of a breach
  4. Data protection: Unencrypted storage containing sensitive data (use tagging to identify sensitivity)
  5. High-severity benchmark failures: Use CIS Level 1 controls as your baseline target
  6. Business context: Prioritize production environments over dev/test; revenue-generating systems over internal tools
Use a risk scoring matrix: Severity × Exploitability × Asset Value × Exposure.
💡 Never try to fix everything at once. Use a risk-based approach: "What's most likely to be exploited and what would the blast radius be?" Frame findings in terms of business risk.
20What is drift detection and how is it implemented?Medium
Drift detection identifies when infrastructure deviates from its defined desired state. Implementation approaches:
  • AWS Config: Records configuration history for every resource; Config Rules flag deviations; Config drift report compares snapshots
  • Terraform: terraform plan shows drift between state file and live infrastructure; terraform refresh detects external changes
  • Azure Policy: Continuously evaluates resource compliance; "Audit" effect logs non-compliant resources without blocking them
  • Continuous scanning: CSPM tools poll cloud APIs every 1–24 hours and compare against baseline
  • Event-driven detection: CloudTrail → EventBridge → Lambda evaluates any resource-modifying API call immediately
💡 The fastest drift detection is event-driven (seconds latency) vs periodic polling (minutes to hours). For Critical resources (production IAM, security group changes), use event-driven detection.

MCQ Quiz · ~15 min · 25 Questions

Multiple Choice Questions

Progress:
0 / 25
Simulation 1 · ~4 min

Misconfiguration Risk Rater

Rate each cloud misconfiguration by severity: Critical, High, Medium, or Low.

Simulation 2 · ~3 min

CSPM Tool Matcher

Match each finding to the native CSPM tool that would detect it: AWS Security Hub, Azure Defender for Cloud, or GCP Security Command Center.

Simulation 3 · ~3 min

Policy-as-Code Tool Selector

Select the correct Policy-as-Code tool for each scenario.

Simulation 4 · ~3 min

Remediation Priority Queue

Click findings to select them in order from most to least urgent (click 1st most urgent, then 2nd, etc.).

Click each finding in order of priority (1 = most urgent). Click again to deselect.
    🎉

    Module Complete!

    You've finished Module 05: Cloud Security Posture Management.