Cloud Security Posture Management¶
Service ownership
Owner: security-platform (security-pm@clouddigit.ai) — Status: GA — Last audited: 2026-05-11
Continuous misconfiguration detection and drift alerts across your Cloud Digit estate.
What it is¶
A scanner that walks your account and projects on a schedule (default every 6 h) and flags configurations that don't meet a baseline. Baselines are picked from libraries (CIS, BB ICT 4.0, PCI DSS) and customizable.
What it checks¶
- IAM — over-permissive roles, dormant credentials, unused MFA
- Networking — security groups with `0.0.0.0/0` ingress, public-by-default subnets, missing flow logs
- Storage — public buckets, unversioned buckets, no Object Lock on retention buckets, unencrypted volumes
- Compute — missing instance metadata service v2, public boot images
- Logging — disabled audit logs, missing log retention
- Drift — change vs your last-known-good baseline (e.g., a Terraform plan)
Output¶
- A dashboard showing findings by severity, by service, by project
- Per-finding remediation guidance with the API call to fix it
- Optional pull-request automation for IaC repos: open a PR with the fix
- Daily digest email to your security team
- Push to SIEM
Compliance frameworks¶
| Framework | Bundled checks |
|---|---|
| CIS Cloud Foundations | ~150 checks |
| BB ICT 4.0 | Mapped to relevant sections |
| PCI DSS v4.0 | Cloud-relevant requirements |
| ISO 27001:2022 | Annex A controls |
| NIST CSF 2.0 | Function/category mapping |
Pricing¶
Per-asset-month (counted as the number of evaluable resources). See Pricing.
Related¶
- SIEM — receives CSPM findings as events
- Compliance & sovereignty
Operate this service¶
Continuous scanning of Cloud Digit resources for misconfiguration, compliance drift, and security risk.
What it scans¶
- IAM (over-permissive policies, unused credentials)
- Network (publicly-exposed resources, open security groups)
- Storage (public buckets, missing encryption)
- Compute (outdated images, missing patches)
- DB (encryption settings, audit log status)
- Compliance posture (CIS, PCI-DSS, BB ICT 4.0 templates)
IAM¶
| Role | Can do |
|---|---|
| cspm.viewer | Read findings, view dashboards |
| cspm.remediator | Apply auto-remediation actions |
| cspm.admin | Configure scans, exceptions, compliance templates |
Grant cspm.viewer to the security team broadly and cspm.remediator only to designated incident responders.
Compliance templates¶
```bash
cd cspm template apply --template cis-1.1 --scope project=acme-prod
cd cspm template apply --template pci-dss-4.0 --scope tag=pci=true
cd cspm template apply --template bb-ict-4 --scope project=acme-banking
```
Templates encode the regulator's requirements; the scanner runs each requirement.
Auto-remediation¶
For non-disruptive fixes (e.g., enable encryption on a bucket, restrict an SG):
```bash
cd cspm policy set --finding "s3.bucket.public" --action auto-remediate
```
Risky fixes (deleting resources, IAM changes) should remain notify-only.
Exceptions¶
Some findings are accepted risk:
```bash
cd cspm exception add \
  --finding "s3.bucket.public" \
  --resource "arn:cd:s3:::acme-marketing-public/*" \
  --justification "intentional public website" \
  --expires 2026-12-31
```
Exceptions expire; re-justification keeps the list lean.
Reporting¶
Monthly compliance score: % of requirements passing, per template, per project. Used for board reporting and external audits.
Metrics¶
| Metric | Healthy | Alert |
|---|---|---|
| cspm.compliance_score.cis | > 90% | < 80% |
| cspm.findings.critical | 0 | > 0 |
| cspm.findings.high | minimal | climbing |
| cspm.exceptions.expired_24h | 0 | > 0 |
| cspm.scan.last_run_age_hours | < 24 | > 48 |
Finding workflow¶
Per finding:
1. Assess severity in context (CSPM's "critical" may be your "low" given mitigations)
2. Decide: remediate, exception, or ignore
3. If remediate: apply via console or auto-remediation
4. If exception: document with expiry
5. If ignore: lower severity or filter out (rare)
Daily triage¶
```bash
cd cspm findings list --severity critical,high --status new
# 5-10 minutes daily; security team reviews
```
A backlog of unaddressed findings is a compliance liability — keep it close to 0.
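The finding workflow, auto-remediation rule and exception expiry above, as an added example (not Cloud Digit's code): given the findings a daily triage query returns, it applies any still-valid exception, hands only non-disruptive fixes to auto-remediation, and sends the rest to human review. The finding ids, dict shapes and the NON_DISRUPTIVE set are constructed assumptions, not the service's real output.

```python
"""Triage helper for new CSPM findings (added example; the dict shapes below are constructed)."""
from datetime import date, timedelta
from fnmatch import fnmatch

# Hypothetical finding ids whose fix cannot break a workload (encryption-at-rest, log
# enablement). Only these get auto-remediated; everything else stays notify-only.
NON_DISRUPTIVE = {"s3.bucket.unencrypted", "ebs.volume.unencrypted", "audit.log.disabled"}

def exception_covers(exc, finding, today):
    """True when the exception names this finding id, matches the resource pattern and is
    still valid. Expiry is inclusive: the exception lapses the day after `expires`."""
    return (exc["finding"] == finding["finding"]
            and date.fromisoformat(exc["expires"]) >= today
            and fnmatch(finding["resource"], exc["resource"]))

def expired_last_24h(exceptions, today):
    """Exceptions that lapsed since yesterday: what cspm.exceptions.expired_24h counts."""
    return [e for e in exceptions
            if today - date.fromisoformat(e["expires"]) == timedelta(days=1)]

def triage(findings, exceptions, today):
    """Bucket each finding: 'excepted' (accepted risk, exception still valid), 'auto' (safe
    fix, hand to auto-remediation) or 'review' (a human decides: remediate, exception, ignore).
    Critical/high go first within each bucket, matching the daily triage query."""
    out = {"excepted": [], "auto": [], "review": []}
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    for f in sorted(findings, key=lambda f: order.get(f["severity"], 9)):
        if any(exception_covers(e, f, today) for e in exceptions):
            out["excepted"].append(f["resource"])
        elif f["finding"] in NON_DISRUPTIVE:
            out["auto"].append(f["resource"])
        else:
            out["review"].append(f["resource"])
    return out

# Constructed sample data, not real findings; TODAY fixes the run for reproducibility.
TODAY = date(2026, 5, 11)
FINDINGS = [
    {"finding": "s3.bucket.public", "resource": "arn:cd:s3:::acme-marketing-public/site", "severity": "critical"},
    {"finding": "s3.bucket.public", "resource": "arn:cd:s3:::acme-payroll-exports", "severity": "critical"},
    {"finding": "iam.role.overpermissive", "resource": "arn:cd:iam::acme-prod:role/ci", "severity": "high"},
    {"finding": "s3.bucket.unencrypted", "resource": "arn:cd:s3:::acme-logs", "severity": "high"},
]
EXCEPTIONS = [  # the first mirrors the `cd cspm exception add` example above; the second has lapsed
    {"finding": "s3.bucket.public", "resource": "arn:cd:s3:::acme-marketing-public/*", "expires": "2026-12-31"},
    {"finding": "s3.bucket.public", "resource": "arn:cd:s3:::acme-payroll-exports", "expires": "2026-05-10"},
]
```

The lapsed payroll exception drops that bucket back into the review queue and shows up in the expired_24h count, which is exactly the case the metric alerts on.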
Compliance score trends¶
Track over time:
```bash
cd cspm score history --template cis-1.1 --since 90d
```
Trending down → resource sprawl is outpacing remediation. Make security reviews part of resource-create gates.
Scan scope¶
Scope to projects/regions:
```bash
cd cspm scan config --include-projects '*' --exclude-projects 'acme-sandbox-*'
```
Don't exclude prod. Sandboxes can be scanned on a deferred schedule if needed.
Integration¶
Stream findings to:
- SIEM for incident correlation
- Ticketing (Jira, ServiceNow) for tracking
- Slack/email for daily summaries
```bash
cd cspm integration add --type siem --endpoint <splunk-hec>
```
Compliance score dropping¶
cspm.compliance_score.cis trending down:
- Drill into the template: `cd cspm template details --template cis-1.1`
- Identify failing requirements
- Bulk-remediate the largest categories first
Auto-remediation broke production¶
```bash
cd cspm audit log --resource
# Shows what CSPM did
```
Rollback:
- Some actions are reversible (re-enable a public SG entry)
- Some aren't (deleted IAM role) — restore from audit / backup
Tighten auto-remediation policy: only enable for actions that can't break workloads (encryption-at-rest, log enablement). Manual review for everything else.
Findings re-appearing after remediation¶
A finding fixed yesterday shows up again today. Causes:
- IaC (Terraform, Pulumi) reverted the manual fix on next apply
- Another team member ran a manual change
- The fix didn't address root cause (e.g., a default in a launch template)
Either fix the IaC source, or apply via IaC instead of console.
Scan stuck / not running¶
cspm.scan.last_run_age_hours > 48:
- Scan failed silently — check `cd cspm scan status`
- Scope too large; partition into multiple smaller scans
- API rate limits on the platform; ticket if persistent
Exception denied / fails¶
```text
ERROR: ExceptionDenied: requires `cspm.admin` role
```
Exceptions for sensitive findings (IAM, encryption) require admin role even if you have cspm.remediator. By design.
False positive¶
CSPM flags a configuration that's actually compliant in your context:
- Document the rationale
- Add an exception with the rationale
- Submit to Cloud Digit for rule tuning (if the rule has wide false-positive incidence)
Scoring differs from internal audit¶
CSPM templates approximate regulator requirements but aren't a substitute for an actual audit. Discrepancies are normal; use CSPM for continuous monitoring, formal audit for the regulator-facing assessment.