CSPM (Cloud Security Posture Management)
Automated detection and remediation of misconfigurations in cloud environments (AWS, Azure, GCP). CSPM continuously monitors compliance with best-practice frameworks such as CIS benchmarks and identifies exposed S3 buckets, overprivileged IAM roles, and unencrypted databases.
CSPM solves a fundamental cloud problem: misconfigurations in the cloud arise quickly, are often invisible, and can cause massive data breaches. A public S3 bucket, a security group that’s too open, an IAM role with admin privileges: CSPM detects these issues automatically and continuously.
The Cloud Misconfiguration Problem
Statistics (Gartner, Verizon DBIR)
- 80% of all cloud security incidents: caused by misconfiguration (not exploits)
- AWS S3 buckets: thousands publicly accessible (Capital One 2019: 100 million customer records exposed via SSRF + open S3)
- Azure Storage: regular discoveries of open blob containers
- GCP: Compute instances without firewall rules
Why misconfigurations are so common
- Cloud API: Infrastructure as Code → copy-paste errors
- Terraform/CDK: one wrong "public": true → public
- IAM: "too many permissions" is faster than "least privilege"
- Pace: Feature shipping > Security review
- No continuous monitoring: Scan today, change tomorrow
Examples of real CSPM findings
- S3 bucket with customer data: public-read enabled
- RDS database: Snapshot publicly available
- IAM user: Access key never rotated (> 1 year old)
- Security group: SSH port 22 open to 0.0.0.0/0
- CloudTrail: disabled in one region
- GuardDuty: completely disabled
- MFA: Root account without MFA
- S3 Bucket Versioning: disabled (no ransomware protection)
What CSPM checks (Example: AWS)
CSPM audit categories according to CIS AWS Benchmark Level 1/2:
IAM (Identity and Access Management)
- Root account: MFA enabled?
- Root account: active access keys? (NOT the target state!)
- IAM users: MFA for all users with console access?
- IAM Password Policy: minimum length 14, complexity, rotation?
- Access keys: older than 90 days? → Rotation!
- IAM Roles: "AdministratorAccess" assigned to which entities?
- IAM: Policies without wildcards (*) on actions?
Storage (S3)
- All S3 buckets: Block Public Access enabled?
- S3 buckets: Server-Side Encryption enabled?
- S3 buckets: Versioning enabled? (Ransomware protection)
- S3 buckets: Logging enabled?
- S3 buckets: ACL not set to public-read or public-read-write?
Network
- Security Groups: Port 22 (SSH) not open to 0.0.0.0/0!
- Security Groups: Port 3389 (RDP) not open to 0.0.0.0/0!
- VPC: Flow logs enabled? (Required for threat detection!)
- NAT Gateway: All private subnets routed through NAT? (No direct internet access)
Monitoring & Logging
- CloudTrail: Active in ALL regions?
- CloudTrail: Log file validation enabled?
- CloudTrail logs: Stored in S3 with MFA Delete?
- CloudWatch Alerts for: Root login, MFA deactivation, security group changes
- AWS Config: Enabled in all regions?
- GuardDuty: Enabled in all regions?
Database (RDS)
- RDS: Snapshots not public?
- RDS: Encryption enabled?
- RDS: Backup retention > 7 days?
- RDS: Multi-AZ for production systems?
- RDS: Public access disabled?
Encryption
- CloudTrail logs: encrypted with KMS?
- EBS volumes: all encrypted?
- SNS topics: encrypted?
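The findings listed under "Examples of real CSPM findings" and the CIS-derived checks above are what a CSPM engine evaluates against inventory pulled from the cloud APIs. The following is an added example (not code from the article or from any CSPM product) that implements four of those checks offline: SSH/RDP open to 0.0.0.0/0 or ::/0, wildcard IAM actions, active access keys older than 90 days, and S3 Block Public Access. The inventory documents are constructed to mirror the shape of the AWS describe-security-groups, get-policy-version, list-access-keys and get-public-access-block responses; every resource name, ID and date in them is invented.

```python
"""CSPM-style posture checks over AWS describe-style documents (added example)."""
from datetime import datetime, timezone
from typing import Dict, List

# Fixed "current time" so the key-age calculation is reproducible (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# --- constructed inventory, shaped like the AWS API responses ----------------
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [            # SSH from the whole internet
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [            # RDP only from a private range: fine
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [            # all protocols/ports from any IPv6 source
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
IAM_POLICIES = {
    "DevAdmin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ReadLogs": {"Statement": [{"Effect": "Allow",
                                "Action": ["logs:GetLogEvents", "s3:Get*"], "Resource": "*"}]},
}
ACCESS_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active",
     "CreateDate": datetime(2023, 1, 15, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000002", "Status": "Active",
     "CreateDate": datetime(2024, 5, 1, tzinfo=timezone.utc)},
]
S3_PUBLIC_ACCESS_BLOCK = {
    "customer-exports": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                         "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "app-logs": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
}

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}
MAX_KEY_AGE_DAYS = 90
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def finding(check: str, resource: str, severity: str, detail: str) -> Dict[str, str]:
    return {"check": check, "resource": resource, "severity": severity, "detail": detail}


def _rule_covers_port(rule: dict, port: int) -> bool:
    """IpProtocol "-1" means every protocol and port; otherwise require a TCP range hit."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def check_security_groups(groups: List[dict]) -> List[dict]:
    out = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            world = sources & ANYWHERE
            if not world:
                continue
            for port, name in ADMIN_PORTS.items():
                if _rule_covers_port(rule, port):
                    out.append(finding("sg-admin-port-open", sg["GroupId"], "Critical",
                                       f"{name} (tcp/{port}) reachable from {sorted(world)}"))
    return out


def check_iam_wildcards(policies: Dict[str, dict]) -> List[dict]:
    out = []
    for name, doc in policies.items():
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            wild = [a for a in actions if "*" in a]
            if not wild:
                continue
            # Action "*" on Resource "*" is full administrator access; partial wildcards are Medium.
            full_admin = "*" in actions and stmt.get("Resource") == "*"
            out.append(finding("iam-wildcard-action", name, "Critical" if full_admin else "Medium",
                               f"wildcard actions {wild} on {stmt.get('Resource')}"))
    return out


def key_age_days(key: dict, now: datetime = NOW) -> int:
    return (now - key["CreateDate"]).days


def check_access_key_age(keys: List[dict], now: datetime = NOW) -> List[dict]:
    out = []
    for key in keys:
        if key.get("Status") != "Active":      # inactive keys are a separate cleanup check
            continue
        age = key_age_days(key, now)
        if age > MAX_KEY_AGE_DAYS:
            out.append(finding("iam-access-key-rotation", f"{key['UserName']}/{key['AccessKeyId']}",
                               "High", f"active key is {age} days old (limit {MAX_KEY_AGE_DAYS})"))
    return out


def check_s3_public_access_block(buckets: Dict[str, dict]) -> List[dict]:
    out = []
    for name, cfg in buckets.items():
        missing = [k for k in PAB_SETTINGS if not cfg.get(k)]
        if missing:
            out.append(finding("s3-block-public-access", name, "Critical",
                               f"Block Public Access settings disabled: {missing}"))
    return out


def run_all() -> List[dict]:
    return (check_security_groups(SECURITY_GROUPS) + check_iam_wildcards(IAM_POLICIES)
            + check_access_key_age(ACCESS_KEYS) + check_s3_public_access_block(S3_PUBLIC_ACCESS_BLOCK))


def summarize(findings: List[dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f['severity']:8}] {f['check']:24} {f['resource']}: {f['detail']}")
    print(summarize(run_all()))
```

Note the two details that naive checks get wrong: a rule with IpProtocol "-1" exposes every port even though it carries no FromPort/ToPort, and IPv6 sources (::/0) are listed separately from IPv4 ones, so a check that only inspects IpRanges misses sg-0ccc entirely.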
CSPM Tools Compared
Cloud-Native (Free / Low-Cost)
AWS Security Hub:
- Aggregates findings from GuardDuty, Macie, Inspector
- Automatic CIS AWS Benchmark check
- Multi-account aggregation
- Price: $0.001/control/account/month (approx. $10–50/month)
Azure Defender for Cloud (Microsoft):
- Secure Score: 0–100 points (what is good/bad)
- Recommendations with specific remediation instructions
- CIS Azure Benchmark, NIST 800-53, ISO 27001 mappings
- Microsoft Defender for Cloud: $15/server/month
Google Security Command Center (SCC):
- For GCP
- Standard (free) vs. Premium ($0.06/core/h)
Open Source
Prowler (AWS/Azure/GCP):
- CLI tool, 300+ checks
- CIS, GDPR, HIPAA, ISO 27001, NIS2 frameworks
- Free, very active community
- github.com/prowler-cloud/prowler
```bash
# Quick scan AWS
pip install prowler
prowler aws
# → CSV/JSON/HTML report
```
ScoutSuite (ncc-group):
- Multi-cloud (AWS/Azure/GCP/Alibaba)
- GUI report
- github.com/nccgroup/ScoutSuite
Commercial Solutions
Wiz:
- Market leader in 2024 (unicorn)
- Agentless, very fast installation
- Graph-based: visualizes attack paths
- Pricing model: per workload
Orca Security:
- SideScanning technology (no agent required)
- Combines: CSPM + Vulnerability + Secrets Detection
- Good for: Multi-cloud
Lacework, Prisma Cloud (Palo Alto), Aqua Security:
- Enterprise solutions
- Combination of CSPM + Container + Runtime
Recommendation by Use Case
| Use Case | Recommendation |
|---|---|
| SMB | Prowler + AWS Security Hub (affordable, good) |
| Enterprise | Wiz or Orca (comprehensive) |
CSPM Implementation
Phase 1: Visibility (Weeks 1–2)
- Select a CSPM tool
- Create a least-privilege IAM role for CSPM
- Perform initial scan (all regions/accounts)
- Categorize findings: Critical/High/Medium/Low
Phase 2: Quick Wins (Weeks 3–6)
Address critical findings immediately:
- Enable root MFA (5 minutes!)
- Delete root account access keys
- Close public S3 buckets (if not intentional)
- Security groups: Remove SSH/RDP public access
High findings: Address on a sprint basis
Phase 3: Automation (Months 2–3)
- CSPM alerts in ticketing system (Jira, ServiceNow)
- AWS Config auto-remediation:
```bash
# AWS Config Auto-Remediation
# If S3 bucket becomes public → automatically block public access
aws configservice put-remediation-configurations \
  --remediation-configurations file://s3-remediation.json
```
- CI/CD: CSPM scan in deployment pipeline
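The put-remediation-configurations call above reads its configuration from s3-remediation.json, which the article does not show. The following added example (not from the article) generates that file and also encodes the Phase 2 decision rule that public buckets are closed only "if not intentional": findings on allowlisted buckets become documented exceptions, the rest are auto-remediated, and everything that automation cannot safely fix (root access keys can only be removed by the root user; revoking security group rules can lock out administrators) is routed to a ticket. The Config rule name s3-bucket-public-read-prohibited and the SSM automation document AWS-DisableS3BucketPublicReadWrite are AWS-managed identifiers; the account ID, role name, bucket names, finding list and the INTENTIONALLY_PUBLIC allowlist are placeholders or constructed for the example.

```python
"""Phase 3 automation: remediation configuration file plus a per-finding action plan (added example)."""
import json
from typing import Dict, List, Set

CONFIG_RULE = "s3-bucket-public-read-prohibited"        # AWS managed Config rule
SSM_DOCUMENT = "AWS-DisableS3BucketPublicReadWrite"      # AWS-owned SSM automation document


def build_s3_remediation_configuration(automation_role_arn: str, automatic: bool = True,
                                       max_attempts: int = 5, retry_seconds: int = 60) -> List[dict]:
    """List in the shape `aws configservice put-remediation-configurations` expects.

    RESOURCE_ID is substituted by AWS Config with the non-compliant bucket's name at run time.
    With Automatic=True, Config requires MaximumAutomaticAttempts and RetryAttemptSeconds."""
    entry = {
        "ConfigRuleName": CONFIG_RULE,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": SSM_DOCUMENT,
        "TargetVersion": "1",
        "Parameters": {
            "AutomationAssumeRole": {"StaticValue": {"Values": [automation_role_arn]}},
            "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        },
        "Automatic": automatic,
    }
    if automatic:
        entry["MaximumAutomaticAttempts"] = max_attempts
        entry["RetryAttemptSeconds"] = retry_seconds
    return [entry]


def write_remediation_file(path: str, automation_role_arn: str) -> str:
    body = json.dumps(build_s3_remediation_configuration(automation_role_arn), indent=2)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    return body


# Buckets that are public on purpose (e.g. static website assets): constructed allowlist.
INTENTIONALLY_PUBLIC: Set[str] = {"marketing-site-assets"}

# Findings as a CSPM tool would export them (constructed).
FINDINGS = [
    {"check": "s3-public", "resource": "customer-exports", "severity": "Critical"},
    {"check": "s3-public", "resource": "marketing-site-assets", "severity": "Critical"},
    {"check": "root-access-key", "resource": "root", "severity": "Critical"},
    {"check": "sg-admin-port-open", "resource": "sg-0aaa", "severity": "Critical"},
    {"check": "s3-versioning-disabled", "resource": "app-logs", "severity": "Medium"},
]

# Checks whose fix is reversible and low-risk enough to apply without a human in the loop.
AUTO_REMEDIABLE = {"s3-public"}


def plan_remediation(findings: List[dict], allowlist: Set[str] = INTENTIONALLY_PUBLIC) -> List[dict]:
    plan = []
    for f in findings:
        if f["check"] == "s3-public" and f["resource"] in allowlist:
            action = "accepted-risk"          # documented exception: no automation, no ticket
        elif f["check"] in AUTO_REMEDIABLE:
            action = "auto-remediate"
        else:
            action = "ticket-critical" if f["severity"] == "Critical" else "ticket-sprint"
        plan.append({**f, "action": action})
    return plan


def action_counts(plan: List[dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for p in plan:
        counts[p["action"]] = counts.get(p["action"], 0) + 1
    return counts


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/ConfigRemediationRole"   # placeholder ARN
    print(write_remediation_file("s3-remediation.json", role))
    for p in plan_remediation(FINDINGS):
        print(f"{p['action']:16} {p['check']:24} {p['resource']}")
```

The automation role named in AutomationAssumeRole is the least-privilege role from Phase 1 extended with only the S3 permissions the SSM document needs; keep the allowlist in version control so an exception is a reviewed change rather than a silent suppression.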
Phase 4: Governance (ongoing)
- Weekly CSPM report to security team
- Monthly posture trend report to management
- Compliance report: CIS/ISO 27001 coverage
- Quarterly: add new framework standards
KPIs
| KPI | Target |
|---|---|
| Number of Critical Findings | Trend: decreasing |
| Mean Time to Remediate (MTTR) | < 24h for Critical |
| CIS Benchmark Score | > 80% |
| Unresolved Findings > 90 days | = 0 |
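The four KPIs in the table can be computed from the findings export that any CSPM tool produces, provided each finding carries an opened and a resolved timestamp. The following added example (not from the article) does that against a constructed findings list, a constructed subset of CIS control results and two constructed snapshot dates; it reports each KPI alongside whether the table's target was met.

```python
"""Posture KPIs from a findings export, checked against the table's targets (added example)."""
from datetime import datetime, timezone
from statistics import mean
from typing import Dict, List, Optional


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


NOW = ts("2024-06-01T00:00")           # this report
LAST_MONTH = ts("2024-05-11T12:00")    # previous reporting snapshot (constructed)

# Findings export (constructed): resolved=None means still open.
FINDINGS = [
    {"id": "F1", "severity": "Critical", "opened": ts("2024-05-01T00:00"), "resolved": ts("2024-05-01T18:00")},
    {"id": "F2", "severity": "Critical", "opened": ts("2024-05-10T00:00"), "resolved": ts("2024-05-12T06:00")},
    {"id": "F3", "severity": "Critical", "opened": ts("2024-05-30T00:00"), "resolved": None},
    {"id": "F4", "severity": "High",     "opened": ts("2024-01-15T00:00"), "resolved": None},
    {"id": "F5", "severity": "Medium",   "opened": ts("2024-04-01T00:00"), "resolved": ts("2024-04-20T00:00")},
    {"id": "F6", "severity": "Critical", "opened": ts("2024-05-11T00:00"), "resolved": ts("2024-05-12T00:00")},
]
# CIS control results as a benchmark scanner reports them (constructed subset).
CONTROLS = {"1.4": "PASS", "1.5": "PASS", "1.6": "FAIL", "2.1.1": "PASS", "2.1.2": "PASS",
            "3.1": "FAIL", "3.2": "PASS", "4.1": "PASS", "5.2": "PASS", "5.3": "PASS",
            "2.3.1": "NOT_APPLICABLE"}


def is_open_at(f: dict, when: datetime) -> bool:
    return f["opened"] <= when and (f["resolved"] is None or f["resolved"] > when)


def open_count(findings: List[dict], severity: str, when: datetime) -> int:
    return sum(1 for f in findings if f["severity"] == severity and is_open_at(f, when))


def mttr_hours(findings: List[dict], severity: str) -> Optional[float]:
    """Mean open-to-resolved time over resolved findings of the given severity."""
    durations = [(f["resolved"] - f["opened"]).total_seconds() / 3600
                 for f in findings if f["severity"] == severity and f["resolved"] is not None]
    return mean(durations) if durations else None


def stale_findings(findings: List[dict], now: datetime, max_age_days: int = 90) -> List[str]:
    return [f["id"] for f in findings if is_open_at(f, now) and (now - f["opened"]).days > max_age_days]


def benchmark_score(controls: Dict[str, str]) -> float:
    """Percentage of scored controls passing; NOT_APPLICABLE results are excluded from the denominator."""
    scored = [v for v in controls.values() if v in ("PASS", "FAIL")]
    return round(100.0 * scored.count("PASS") / len(scored), 1) if scored else 0.0


def kpi_report(findings: List[dict], controls: Dict[str, str], now: datetime, previous: datetime) -> dict:
    crit_now = open_count(findings, "Critical", now)
    crit_prev = open_count(findings, "Critical", previous)
    mttr = mttr_hours(findings, "Critical")
    score = benchmark_score(controls)
    stale = stale_findings(findings, now)
    return {
        "open_critical": crit_now, "open_critical_previous": crit_prev,
        "critical_trend_ok": crit_now < crit_prev,                # target: decreasing
        "mttr_critical_hours": mttr, "mttr_ok": mttr is not None and mttr < 24,   # target: < 24h
        "cis_score_pct": score, "cis_score_ok": score > 80,       # target: > 80%
        "stale_over_90_days": stale, "stale_ok": len(stale) == 0, # target: = 0
    }


if __name__ == "__main__":
    for key, value in kpi_report(FINDINGS, CONTROLS, NOW, LAST_MONTH).items():
        print(f"{key:24} {value}")
```

Two choices matter for comparability over time: the critical-count trend is measured as open findings at two fixed snapshot instants, not as findings created in a period, and the benchmark score excludes NOT_APPLICABLE controls so that enabling a new service does not move the score by itself.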
CSPM vs. CWPP vs. CIEM
Differentiation of Cloud Security Tools
CSPM (Cloud Security Posture Management):
- Configuration and compliance
- "Is my cloud configured correctly?"
CWPP (Cloud Workload Protection Platform):
- Runtime protection for VMs, containers, serverless
- "Is my cloud workload secure?"
- Features: Anti-malware, HIDS, runtime behavior
CIEM (Cloud Infrastructure Entitlement Management):
- Analyze IAM permissions
- "Who actually has what access rights?"
- Finds: zombie accounts, over-privileged roles
CSNS (Cloud Native Security):
- CSPM + CWPP + CIEM combined
- "Unified Cloud Security Platform"
CNAPP (Cloud Native Application Protection Platform):
- Newest term (Gartner 2021)
- CSPM + CWPP + CIEM + Shift Left + IaC Security
- Vendors: Wiz, Prisma Cloud, Orca
Recommendation by Maturity Level
| Maturity Level | Recommendation |
|---|---|
| Beginner | CSPM first (clean configuration) |
| Advanced | Combine CSPM + CWPP |
| Enterprise | CNAPP (all-in-one) |