DevSecOps · Part 8

Cloud security posture management

In this series (10 parts)
  1. What DevSecOps means
  2. Shift-left security
  3. SAST and DAST
  4. Software supply chain security
  5. Container security
  6. Kubernetes security in depth
  7. Secrets management in practice
  8. Cloud security posture management
  9. Compliance as code
  10. Incident response for DevSecOps

Cloud infrastructure drifts. A developer opens a security group for debugging and forgets to close it. A terraform apply creates a public S3 bucket because a default changed. An IAM policy grants * permissions because the scoped policy was too hard to write under deadline pressure. CSPM catches these drifts before attackers do.

What CSPM does

Cloud Security Posture Management tools perform three functions:

  1. Asset inventory. Enumerate every resource across all accounts and regions.
  2. Configuration assessment. Compare resource configurations against security benchmarks.
  3. Continuous monitoring. Detect configuration changes that introduce risk.

graph LR
  subgraph Cloud Accounts
      A1[AWS Account 1]
      A2[AWS Account 2]
      AZ[Azure Subscription]
      GC[GCP Project]
  end

  subgraph CSPM Platform
      SCAN[Scanner]
      RULES[Policy Engine]
      DB[(Findings DB)]
      DASH[Dashboard]
  end

  subgraph Outputs
      ALERT[Alerts]
      TICKET[Tickets]
      REPORT[Compliance Reports]
  end

  A1 --> SCAN
  A2 --> SCAN
  AZ --> SCAN
  GC --> SCAN

  SCAN --> RULES
  RULES --> DB
  DB --> DASH
  DB --> ALERT
  DB --> TICKET
  DB --> REPORT

CSPM architecture. Scanners read cloud APIs, the policy engine evaluates configurations, and findings flow to alerts, tickets, and compliance reports.

CSPM tools

AWS Security Hub

Security Hub aggregates findings from multiple AWS security services:

# Enable Security Hub with CIS benchmark
aws securityhub enable-security-hub \
  --enable-default-standards

# Get findings
aws securityhub get-findings \
  --filters '{"SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}]}'

Security Hub integrates natively with GuardDuty (threat detection), Inspector (vulnerability scanning), and IAM Access Analyzer. It provides a unified view without third-party tools.

Prisma Cloud

Prisma Cloud (formerly Twistlock and RedLock) provides comprehensive multi-cloud CSPM:

  • Real-time asset inventory across AWS, Azure, GCP
  • 700+ out-of-box policies mapped to compliance frameworks
  • Infrastructure-as-code scanning (shift-left CSPM)
  • Network flow visualization showing actual traffic patterns

Wiz

Wiz takes an agentless approach, scanning cloud accounts via API without deploying agents or sidecars:

  • Graph-based analysis connecting vulnerabilities to exposure
  • Attack path visualization showing how a misconfiguration leads to data access
  • Prioritization based on actual exploitability, not just severity scores

The graph approach is powerful. A critical CVE in a container that has no network exposure and no access to sensitive data is low priority. The same CVE in an internet-facing container with access to production databases is an emergency.

Common misconfigurations

Public S3 buckets

The most notorious cloud misconfiguration. Detection is straightforward:

# Find public buckets
# --output text prints all bucket names tab-separated on one line, so split them first
aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' | \
  while read -r bucket; do
    acl=$(aws s3api get-bucket-acl --bucket "$bucket" 2>/dev/null)
    # --query Policy returns the policy document itself rather than the escaped wrapper,
    # so the JSON keys below are matchable
    policy=$(aws s3api get-bucket-policy --bucket "$bucket" --query Policy --output text 2>/dev/null)
    # Grants to the AllUsers or AuthenticatedUsers group URIs are public
    if echo "$acl" | grep -q 'AllUsers\|AuthenticatedUsers'; then
      echo "PUBLIC ACL: $bucket"
    fi
    # Matches "Principal": "*" and "Principal": {"AWS": "*"} with any whitespace.
    # A Deny statement with Principal "*" (e.g. enforcing aws:SecureTransport) also
    # matches, so review hits by hand.
    if echo "$policy" | grep -Eq '"Principal" *: *("\*"|\{ *"AWS" *: *"\*" *\})'; then
      echo "PUBLIC POLICY: $bucket"
    fi
  done

Prevention is better. Block public access at the account level:

aws s3control put-public-access-block \
  --account-id 123456789012 \
  --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

Over-privileged IAM

IAM Access Analyzer identifies unused permissions:

aws accessanalyzer start-policy-generation \
  --policy-generation-details '{
    "principalArn": "arn:aws:iam::123456789012:role/api-role"
  }'

It generates a least-privilege policy based on actual usage from CloudTrail logs over the past 90 days. The generated policy replaces wildcard permissions with only the actions the role actually used.

Common IAM anti-patterns:

| Anti-pattern | Risk | Fix |
|---|---|---|
| "Action": "*" | Full account access | Scope to specific actions |
| "Resource": "*" | Access to all resources | Scope to specific ARNs |
| Unused roles | Dormant access paths | Delete after 90 days unused |
| Long-lived access keys | Permanent credentials | Use IAM roles instead |
| No MFA on console access | Account takeover | Require MFA in policy conditions |
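As an added example (not code from the article or from any CSPM product), the following linter checks the policy-document rows of the table above: wildcard Action, wildcard Resource, and identity-changing actions that are not gated on an MFA condition. Unused roles and long-lived keys are inventory findings that come from the credential report, not from a policy document, so they are out of scope here; lint_iam_policy and the sample policy are hypothetical.

```python
import json

# Added example, not from the article: a linter for the policy-document rows of
# the anti-pattern table (wildcard Action, wildcard Resource, missing MFA).
# Unused roles and long-lived keys need the credential report, not a policy
# document, and are not covered here.

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _requires_mfa(stmt):
    cond = stmt.get("Condition", {})
    for key in ("Bool", "BoolIfExists"):
        if str(cond.get(key, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False

def lint_iam_policy(policy_doc):
    """Return (statement index, anti-pattern, fix) for each issue in an IAM policy."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_doc).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((i, 'Action "*"', "scope to specific actions"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide Action", "list the actions actually used"))
        if "*" in resources:
            findings.append((i, 'Resource "*"', "scope to specific ARNs"))
        # Anything that can change identities or grant more access should be MFA-gated.
        if any(a == "*" or a.startswith("iam:") for a in actions) and not _requires_mfa(stmt):
            findings.append((i, "no MFA condition", "add aws:MultiFactorAuthPresent"))
    return findings

# Constructed sample policy of the kind written under deadline pressure.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-assets/*"},
    {"Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})
```

Running lint_iam_policy over every customer-managed policy returned by the IAM API gives a first-pass list to feed into Access Analyzer's policy generation for the roles that actually need rewriting.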

Unencrypted storage

# Find unencrypted EBS volumes
aws ec2 describe-volumes \
  --filters "Name=encrypted,Values=false" \
  --query 'Volumes[].{ID:VolumeId,Size:Size}' \
  --output table

# Find unencrypted RDS instances
aws rds describe-db-instances \
  --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier'

Enforce encryption by default:

# Enable EBS encryption by default
aws ec2 enable-ebs-encryption-by-default

With this setting, every new EBS volume is encrypted automatically. No developer action needed.

Continuous vs point-in-time scanning

Point-in-time scans run on a schedule (daily or weekly). They provide a snapshot but miss short-lived misconfigurations. An S3 bucket made public for 6 hours between daily scans goes undetected.

Continuous monitoring uses cloud event streams:

# AWS CloudTrail + EventBridge rule
{
  "source": ["aws.s3"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventName": ["PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy"]
  }
}

This triggers evaluation within seconds of any S3 policy change. Combine event-driven checks with scheduled full scans for complete coverage.
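As an added example (not code from the article or from any vendor), here is the evaluation that ties the bucket-policy detection from the public S3 buckets section to this event rule: a Lambda handler that receives the CloudTrail event, re-reads the bucket policy and classifies its exposure. It assumes boto3 in the deployed handler; fetch_policy, policy_exposure and handler are hypothetical names, and the event and policy document are constructed samples.

```python
import json

# Added example, not code from the article or any CSPM vendor: the evaluation a
# Lambda behind the EventBridge rule above could run on each S3 policy change.
# Cloud access is confined to fetch_policy (assumed to use boto3), so the
# classification logic runs and tests offline.

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _wildcard_principal(p):
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def policy_exposure(policy_doc):
    """Classify a bucket policy string (or None) as public, conditional or private."""
    verdict = "private"
    for stmt in _as_list(json.loads(policy_doc or "{}").get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")):
            if not stmt.get("Condition"):
                return "public"        # anonymous Allow with nothing narrowing it
            verdict = "conditional"    # e.g. aws:SourceVpce; needs human review
    return verdict

def fetch_policy(bucket):
    import boto3, botocore.exceptions  # assumption: deployed handler reads live state
    try:
        return boto3.client("s3").get_bucket_policy(Bucket=bucket)["Policy"]
    except botocore.exceptions.ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        return None  # DeleteBucketPolicy leaves the bucket with no policy

def handler(event, context=None, fetch=fetch_policy):
    """Lambda entry point for the rule; returns a finding dict or None."""
    detail = event["detail"]
    if detail.get("eventName") not in ("PutBucketPolicy", "DeleteBucketPolicy"):
        return None  # PutBucketAcl needs a get-bucket-acl check, not shown here
    bucket = detail["requestParameters"]["bucketName"]
    exposure = policy_exposure(fetch(bucket))
    if exposure == "private":
        return None
    return {"bucket": bucket, "event": detail["eventName"], "exposure": exposure,
            "actor": detail.get("userIdentity", {}).get("arn")}

# Constructed sample event in the shape CloudTrail delivers via EventBridge.
SAMPLE_EVENT = {"detail": {"eventName": "PutBucketPolicy",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
    "requestParameters": {"bucketName": "example-logs"}}}
SAMPLE_PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-logs/*"}]})
```

The returned finding carries the actor ARN from the event, which is what turns a posture alert into a ticket someone can act on.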

Over-privileged IAM is the most pervasive issue. It exists in some form in the majority of cloud accounts. Fixing it requires ongoing effort, not a one-time cleanup.

Multi-cloud considerations

Organizations using multiple cloud providers need unified visibility. Key differences:

AWS: Security Hub + GuardDuty + Config provide native CSPM. Config Rules evaluate resource compliance continuously.

Azure: Microsoft Defender for Cloud provides CSPM with a secure score. Azure Policy enforces guardrails at the ARM level.

GCP: Security Command Center aggregates findings. Organization Policy Service enforces constraints across projects.

Third-party tools like Prisma Cloud or Wiz unify these into a single dashboard. The trade-off is cost and complexity versus having one view across providers.

Building a CSPM program

  1. Enable cloud-native tools first. Security Hub, Defender for Cloud, or Security Command Center are free or low-cost and provide immediate visibility.
  2. Prioritize high-impact findings. Public data stores, wildcard IAM policies, and missing encryption are where breaches start.
  3. Automate remediation for clear-cut issues. Auto-encrypt new volumes. Auto-block public S3 access. These have no legitimate exceptions.
  4. Track metrics. Measure findings over time. Are misconfigurations decreasing or accumulating?
  5. Integrate with IaC scanning. Catch misconfigurations in Terraform before they reach the cloud.

What comes next

The next article on compliance as code covers automating compliance checks with Open Policy Agent and Rego. You will learn to write policies that enforce CIS benchmarks, generate audit evidence for SOC 2 and ISO 27001, and integrate policy enforcement into CI/CD pipelines.
