Cloud Security Posture Management (CSPM)
Continuous monitoring, misconfiguration detection, policy-as-code, and compliance automation across multi-cloud environments.
Learning Outcomes
- Understand CSPM concepts and why misconfigurations are the #1 cloud risk
- Identify and use native CSPM tools across AWS, Azure, and GCP
- Apply Policy-as-Code principles with tools like Checkov, OPA, and SCPs
- Prioritize and remediate cloud security findings effectively
Topics Covered
| # | Topic | Time |
|---|---|---|
| 1 | Core Concepts: CSPM, drift, PaC, CNAPP, CIEM, CWPP | 12 min |
| 2 | Interview Q&A (20 questions) | 20 min |
| 3 | MCQ Quiz (25 questions) | 15 min |
| 4 | Simulation: Misconfiguration Risk Rater | 4 min |
| 5 | Simulation: CSPM Tool Matcher (3-cloud) | 3 min |
| 6 | Simulation: Policy-as-Code Tool Selector | 3 min |
| 7 | Simulation: Remediation Priority Queue | 3 min |
CSPM Fundamentals
What is CSPM?
Cloud Security Posture Management (CSPM) is a category of security tools that continuously monitors cloud infrastructure configurations, detects misconfigurations and policy violations, and ensures ongoing compliance across cloud environments. It addresses the #1 cause of cloud breaches: human misconfiguration.
Key Concepts
| Concept | Definition |
|---|---|
| Configuration Drift | When live infrastructure diverges from its approved/desired state over time — caused by manual changes, failed deployments, or ad-hoc fixes. |
| Policy-as-Code (PaC) | Defining security and compliance policies in code that is version-controlled and automatically evaluated against infrastructure. |
| CSPM | Continuous cloud posture monitoring — detects misconfigurations, policy violations, and compliance gaps. |
| CNAPP | Cloud Native Application Protection Platform — unified platform combining CSPM + CWPP + CIEM + container/code security. |
| CWPP | Cloud Workload Protection Platform — runtime protection for VMs, containers, serverless (threat detection, vulnerability scanning, process monitoring). |
| CIEM | Cloud Infrastructure Entitlement Management — identifies overprivileged identities, unused permissions, and excessive access rights in IAM. |
| Compliance-as-Code | Mapping regulatory requirements (CIS, SOC 2, PCI-DSS) into automated checks that run continuously. |
Native CSPM Tools — Three Clouds
| Tool | Cloud | Key Features |
|---|---|---|
| AWS Security Hub | AWS | Aggregates findings from GuardDuty, Inspector, Macie; CIS/PCI/NIST benchmark checks; Security Score (0–100%); cross-account aggregation |
| Azure Defender for Cloud | Azure | Secure Score, actionable recommendations, Defender plans per workload (VMs, SQL, K8s, Storage, Key Vault); regulatory compliance dashboard |
| GCP Security Command Center (SCC) | GCP | Asset inventory, vulnerability findings, threat detection, compliance mapping; Security Health Analytics; Event Threat Detection |
Third-party CSPM: Wiz (agentless, graph-based risk prioritization), Prisma Cloud (Palo Alto, full CNAPP), Orca Security (SideScanning™ technology), Lacework (anomaly-based).
Policy-as-Code Tools
| Tool | Scope | Use Case |
|---|---|---|
| AWS SCPs | AWS Organizations | Org-wide guardrails — deny actions across all accounts (e.g., prevent resource creation outside approved regions) |
| AWS Config Rules | AWS account | Continuous evaluation of resource configurations; managed rules + custom Lambda rules |
| Azure Policy | Azure subscriptions | Enforce and audit resource configurations; deny/audit/append effects; compliance reports |
| GCP Organization Policies | GCP organization | Enforce constraints on resource configuration (e.g., restrict public IPs, require OS login) |
| OPA (Open Policy Agent) | Multi-platform | General-purpose policy engine; works with Kubernetes admission, Terraform, API calls; Rego language |
| Checkov | IaC files | Static analysis of Terraform, CloudFormation, ARM, Kubernetes YAML for misconfigurations in CI/CD pipelines |
| HashiCorp Sentinel | Terraform | Policy-as-code framework embedded in Terraform Cloud/Enterprise |
Common Misconfigurations Detected by CSPM
| Misconfiguration | Risk | Severity |
|---|---|---|
| Public S3 bucket / Azure blob / GCP bucket | Data exposure to internet | Critical |
| Security group 0.0.0.0/0 on port 22/3389 | SSH/RDP brute force from internet | Critical |
| Root/admin account without MFA | Account takeover leading to full compromise | Critical |
| Unencrypted storage volumes / databases | Data readable if storage media compromised | High |
| CloudTrail / audit logs disabled | Blind spot — no forensic evidence of attacks | High |
| IAM policy with Action:* Resource:* | Any compromise = full account access | Critical |
| EC2 instances with public IPs unnecessarily | Expanded attack surface | Medium |
| Default VPC in use with permissive rules | Network isolation not enforced | Medium |
Remediation Approaches
Lambda function / Logic App triggered by finding → automatically fixes the issue (e.g., make S3 bucket private, enable encryption). Fast but risks unintended consequences. Use with caution in production.
Finding → ticket in Jira/ServiceNow → engineer reviews and fixes. Slower but safer. Recommended for high-impact production changes. Always use for Critical findings.
Interview Questions & Model Answers
Click any question to reveal the model answer.
It is important because:
- Cloud environments are highly dynamic — resources are created/destroyed constantly, making manual audits impossible
- Misconfigurations are the #1 cause of cloud breaches (Gartner: 99% of cloud failures are customer-caused)
- A single public S3 bucket can expose millions of records — CSPM catches this immediately
- Multi-cloud complexity (AWS + Azure + GCP) requires unified visibility
- Regulatory compliance (CIS, PCI-DSS, SOC 2) requires continuous evidence
- Manual console changes ("quick fixes") that bypass IaC
- Failed IaC deployments that leave partial configurations
- Auto-scaling events creating resources with non-standard configs
- Engineers applying emergency patches without updating the baseline
- Continuously scanning resource configurations against a desired baseline
- Alerting when any resource deviates (e.g., encryption disabled, public access enabled)
- Some tools (AWS Config, Azure Policy) can auto-remediate drift back to compliant state
- Providing an audit trail of when and how drift occurred
Key tools:
- Checkov: Open-source IaC scanner — scans Terraform, CloudFormation, ARM templates for misconfigurations before deployment
- OPA (Open Policy Agent): General-purpose policy engine using Rego language; can enforce policies on Kubernetes admission, API calls, Terraform plans
- AWS SCPs: JSON-based policies applied at AWS Organization level — preventative guardrails across all member accounts
- Azure Policy: Built-in or custom policies enforced on Azure resource operations
- HashiCorp Sentinel: Policy framework embedded in Terraform Cloud — blocks applies that violate policy
- Aggregates security findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, and third-party tools
- Runs automated checks against CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, PCI-DSS, NIST 800-53
- Provides a consolidated Security Score (percentage of passed controls)
- Supports multi-account aggregation via AWS Organizations (delegate to a security account)
- Integrates with EventBridge for automated remediation and SIEM forwarding
- Supports custom insights (filtered views of findings)
- Secure Score: A 0–100% score representing the percentage of security recommendations completed; each recommendation has a point value based on severity
- Security recommendations: Prioritized, actionable guidance for each resource (e.g., "Enable MFA on accounts with Owner permissions")
- Regulatory compliance dashboard: Mapping to CIS, NIST, PCI-DSS, ISO 27001, Azure Security Benchmark
- Defender plans: Paid workload protection for VMs (MDfS), Storage, SQL, Kubernetes, App Service, Key Vault, DNS, ARM — each adds runtime threat detection
- Attack path analysis: Visual graph showing how a misconfiguration chain could lead to a breach
- Asset inventory: Discovers and monitors all GCP assets across projects and organizations
- Security Health Analytics: Detects misconfigurations (public buckets, unrestricted firewall rules, no MFA)
- Event Threat Detection: ML-based detection of threats (crypto mining, data exfiltration, malware)
- Web Security Scanner: Scans web applications for XSS, SQLi, and other vulnerabilities
- Compliance dashboard: CIS GCP Foundations Benchmark, PCI-DSS, NIST
- Container Threat Detection: Runtime security for GKE workloads
- Public cloud storage: S3 buckets, Azure blobs, GCP buckets with public read/write access — most common breach vector
- Overly permissive network rules: Security groups/NSGs allowing 0.0.0.0/0 on SSH (22), RDP (3389), or all ports
- No MFA on privileged accounts: Root account, admin users, break-glass accounts without MFA
- Unencrypted data stores: RDS without encryption, EBS volumes unencrypted, Azure SQL without TDE
- Audit logging disabled: No CloudTrail, no Azure Activity Log retention, no GCP Audit Logs
- Wildcard IAM permissions: Action:* or Resource:* in policies; AdministratorAccess on service accounts
- Default VPCs with permissive rules: AWS default VPC allows all inbound between instances
- Unused credentials: IAM users with access keys not rotated, inactive accounts not disabled
| Capability | CSPM | CNAPP |
|---|---|---|
| Cloud configuration/posture monitoring | ✅ Core capability | ✅ Included |
| Runtime workload protection (VMs, containers) | ❌ | ✅ (CWPP component) |
| IAM entitlement analysis (over-privilege) | ❌ or limited | ✅ (CIEM component) |
| Container/K8s security (image scanning, runtime) | ❌ | ✅ |
| IaC scanning (shift-left) | ❌ or limited | ✅ |
| Attack path / risk graph analysis | Limited | ✅ (Wiz, Prisma) |
CNAPP = CSPM + CWPP + CIEM + container security + IaC scanning — a unified platform replacing multiple point solutions. Coined by Gartner in 2021. Examples: Wiz, Prisma Cloud, Microsoft Defender for Cloud (full), Lacework.
CIEM tools:
- Analyze all IAM policies across cloud accounts to discover what permissions are granted
- Identify what permissions are actually used (by analyzing CloudTrail/Activity Logs)
- Highlight the gap: unused permissions that represent unnecessary risk
- Recommend or auto-generate least-privilege policies
- Detect cross-account privilege escalation paths
- Vulnerability scanning: Agent or agentless scanning of OS packages and application libraries
- Malware detection: Scanning for known malicious files and behaviour
- Runtime threat detection: Detecting anomalous process execution, network connections, file modifications
- Container security: Image scanning, runtime policy enforcement (Falco), Kubernetes admission control
- Host hardening: CIS benchmark compliance for OS configurations
OPA can enforce policies for:
- Kubernetes: Admission controller (Gatekeeper) — prevent non-compliant pods from being scheduled
- Terraform: Evaluate Terraform plans before apply — block non-compliant resource configurations
- API authorization: Fine-grained access control decisions for microservices
- CI/CD pipelines: Gate deployments based on policy compliance
- SCPs work as guardrails — they restrict what IAM policies in member accounts can do
- SCPs do NOT grant permissions; they only restrict. Even if an IAM policy allows an action, the SCP can deny it
- Applied to OUs or individual accounts; affect all users and roles including root
- Common SCP examples: deny deletion of CloudTrail, deny creating resources outside approved regions, deny disabling GuardDuty, require MFA for sensitive operations
- Management account is NOT affected by SCPs
- Terraform, CloudFormation, ARM Templates, Bicep, Kubernetes YAML, Helm, Serverless, Dockerfile, GitHub Actions
- 500+ built-in checks covering CIS benchmarks, NIST, SOC 2, PCI-DSS
- Custom checks written in Python or YAML
- SARIF output for IDE/GitHub integration
- CI/CD integration: runs in GitHub Actions, GitLab CI, Jenkins — blocks merge if critical findings exist
AWS pattern: Security Hub finding → EventBridge rule matches finding type → triggers Lambda function → Lambda calls AWS SDK to fix (e.g.,
s3.put_bucket_acl(ACL='private'))
Azure pattern: Defender for Cloud recommendation → Logic App triggered → Azure SDK call to fix resource (e.g., enable storage encryption)
Best practices for auto-remediation:
- Start with low-risk, high-confidence fixes (e.g., enable logging, add tags)
- Never auto-remediate in production without testing in staging first
- Implement a "dry-run" mode that logs what would be fixed without doing it
- Send a notification after every auto-remediation for human review
- Use break-glass: stop auto-remediation if error rate exceeds threshold
- For Critical findings involving data or access: always require human approval
- CIS AWS Foundations Benchmark (v1.5.0 current)
- CIS Microsoft Azure Foundations Benchmark
- CIS Google Cloud Platform Foundation Benchmark
- CIS Kubernetes Benchmark
- Description and rationale
- Remediation steps for console and CLI
- Level 1 (essential, low-risk) vs Level 2 (defence-in-depth, may impact usability)
- Each security recommendation has a point value (max points) based on its severity
- Completing a recommendation adds its points to your score
- Score = (Points achieved / Max possible points) × 100%
- Recommendations are grouped into security controls (e.g., "Enable MFA", "Protect applications with Azure Firewall")
- Each control shows the potential score increase if all resources in that control are remediated
| Aspect | CSPM Finding | SIEM Alert |
|---|---|---|
| What it detects | Misconfiguration / policy violation / compliance gap | Suspicious activity / security event / behavioral anomaly |
| Nature | Static state issue (how something is configured) | Dynamic event (something happened) |
| Example | "S3 bucket is publicly accessible" | "1000 S3 GetObject calls from unknown IP in 60 seconds" |
| Urgency | Remediate before exploitation | Investigate immediately — may be active attack |
| Source | AWS Security Hub, Azure Defender, GCP SCC | Microsoft Sentinel, Splunk, QRadar |
| Response | Fix the configuration | Triage, investigate, contain |
- Agentless: Connects via read-only cloud APIs — no agents deployed, no performance impact on workloads
- Security Graph: Builds a graph of all cloud resources and their relationships; identifies combined risk paths (e.g., public VM + unpatched CVE + admin IAM role = Critical)
- Toxic Combinations: Prioritizes findings where multiple risk factors combine to create exploitable paths — not just individual misconfiguration counts
- Multi-cloud unified: Single platform for AWS, Azure, GCP, OCI, Kubernetes — consistent findings and scoring
- Full CNAPP: CSPM + CWPP + CIEM + container security + IaC scanning + secrets detection
- Critical internet-exposed misconfigurations first: Public storage buckets, RDP/SSH open to 0.0.0.0/0, public databases — these have the highest exploitation probability
- Privileged identity risks: No MFA on admin/root accounts, wildcard IAM policies — compromise = full account takeover
- Audit log gaps: Disabled CloudTrail/logging — fix this early so you can see what happened in case of a breach
- Data protection: Unencrypted storage containing sensitive data (use tagging to identify sensitivity)
- High-severity benchmark failures: Use CIS Level 1 controls as your baseline target
- Business context: Prioritize production environments over dev/test; revenue-generating systems over internal tools
- AWS Config: Records configuration history for every resource; Config Rules flag deviations; Config drift report compares snapshots
- Terraform:
terraform planshows drift between state file and live infrastructure;terraform refreshdetects external changes - Azure Policy: Continuously evaluates resource compliance; "Audit" effect logs non-compliant resources without blocking them
- Continuous scanning: CSPM tools poll cloud APIs every 1–24 hours and compare against baseline
- Event-driven detection: CloudTrail → EventBridge → Lambda evaluates any resource-modifying API call immediately
Multiple Choice Questions
Misconfiguration Risk Rater
Rate each cloud misconfiguration by severity: Critical, High, Medium, or Low.
CSPM Tool Matcher
Match each finding to the native CSPM tool that would detect it: AWS Security Hub, Azure Defender for Cloud, or GCP Security Command Center.
Policy-as-Code Tool Selector
Select the correct Policy-as-Code tool for each scenario.
Remediation Priority Queue
Click findings to select them in order from most to least urgent (click 1st most urgent, then 2nd, etc.).
Module Complete!
You've finished Module 05: Cloud Security Posture Management.