Cloud Security Posture Management: choosing and operating CSPM
CSPM checks your cloud configuration against benchmarks. The good tools cut alert fatigue by grouping findings into attack paths; the good programs move the same checks into the pull request so bad configurations never deploy.
Cloud Security Posture Management (CSPM) is the discipline of continuously assessing cloud accounts (AWS, Azure, GCP, OCI) against security configuration benchmarks such as the CIS Foundations Benchmarks. CSPM tools (Wiz, Prisma Cloud, Microsoft Defender for Cloud, AWS Security Hub, Lacework, Orca, Aqua) read configuration through the provider APIs and flag misconfigurations: publicly readable S3 buckets, security groups open to 0.0.0.0/0, unencrypted databases, IAM policies that have drifted from what the code declares, and disabled audit logging.
The market splits between agentless and agent-based. Agentless CSPM (Wiz, Orca) reads configuration from the cloud APIs and scans for vulnerabilities by snapshotting block storage (EBS volumes and their Azure and GCP equivalents) out of band, without installing anything in the workload. Coverage is fast, minutes from connecting an account to receiving findings, and it scales across multi-cloud with no per-host rollout. The trade-off is that a snapshot shows disk state at a point in time: it cannot see a running process, memory, or live network connections. Agent-based platforms (Prisma Cloud with its Defenders, Aqua with its Enforcers) add a workload agent to containers or VMs and gain that runtime visibility at the cost of deploying and upgrading software everywhere; their posture checks still come from the APIs, and the agent is the workload-protection half of the product. Many organizations run an agentless tool for posture and a separate runtime tool (Falco, Tetragon, EDR) for workloads.
Operationalizing CSPM is where most programs fail. A CSPM connected to a hundred accounts produces tens of thousands of findings; without prioritization the report is ignored. Group findings by attack path, not by individual control. A toxic combination, say an internet-reachable VM with an exploitable critical vulnerability and an instance role that grants administrator rights, is one critical finding, not three medium findings; the same admin role on a VM with no route in from the internet stays medium. Wiz popularized the toxic combination view and the other vendors followed. Use it, and rank by what an attacker can reach rather than by raw control count.
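A worked version of that grouping, added here as an example and not taken from any vendor's product: it takes a flat per-control export (constructed rows, with assumed field and control names) and collapses the rows that complete an attack path into one critical finding per asset, leaving everything else at its original severity. The toxic combination is the one described above, written as ordered steps.

```python
"""Collapse per-control CSPM findings into attack-path findings.

Added example, not code from any CSPM vendor. The finding rows, control
names and the toxic-combination definition are constructed for the example;
real exports use vendor-specific field and control names."""
from collections import defaultdict

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample export: one row per (asset, failed control).
FINDINGS = [
    {"asset": "i-0abc", "control": "ec2-public-ip", "severity": "medium"},
    {"asset": "i-0abc", "control": "sg-open-ssh-world", "severity": "medium"},
    {"asset": "i-0abc", "control": "instance-role-admin", "severity": "medium"},
    {"asset": "i-0abc", "control": "critical-cve-exploitable", "severity": "high"},
    {"asset": "i-0def", "control": "instance-role-admin", "severity": "medium"},
    {"asset": "i-0def", "control": "ec2-public-ip", "severity": "medium"},
    {"asset": "logs-bucket", "control": "s3-no-versioning", "severity": "low"},
]

# A toxic combination is an ordered list of steps; each step is a set of
# controls any one of which satisfies it. Every step must be present on the
# same asset for the path to be complete. Names are assumptions.
TOXIC_COMBINATIONS = {
    "internet-reachable-exploitable-admin-workload": [
        {"ec2-public-ip"},                             # reachable address
        {"sg-open-ssh-world", "sg-open-all-world"},    # reachable port
        {"critical-cve-exploitable"},                  # a way in
        {"instance-role-admin"},                       # blast radius
    ],
}


def controls_by_asset(findings):
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["asset"]].add(f["control"])
    return grouped


def match_path(controls, steps):
    """Return the controls satisfying every step, or None if any step is unmet."""
    evidence = set()
    for step in steps:
        hit = controls & step
        if not hit:
            return None
        evidence |= hit
    return evidence


def evaluate(findings, combos=TOXIC_COMBINATIONS):
    """One critical finding per (asset, completed path); the controls that make
    up the path are absorbed into it, all other findings keep their severity."""
    consumed = set()          # (asset, control) pairs explained by a path
    results = []
    for asset, controls in controls_by_asset(findings).items():
        for name, steps in combos.items():
            evidence = match_path(controls, steps)
            if evidence:
                results.append({"asset": asset, "finding": name,
                                "severity": "critical",
                                "evidence": sorted(evidence)})
                consumed.update((asset, c) for c in evidence)
    for f in findings:
        if (f["asset"], f["control"]) not in consumed:
            results.append({"asset": f["asset"], "finding": f["control"],
                            "severity": f["severity"],
                            "evidence": [f["control"]]})
    results.sort(key=lambda r: SEVERITY_RANK[r["severity"]], reverse=True)
    return results


def severity_counts(results):
    counts = defaultdict(int)
    for r in results:
        counts[r["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("raw:    ", severity_counts(FINDINGS))
    grouped = evaluate(FINDINGS)
    print("grouped:", severity_counts(grouped))
    for r in grouped:
        print(f'{r["severity"]:8} {r["asset"]:12} {r["finding"]} {r["evidence"]}')
```

Run it and the raw tally of five medium, one high and one low becomes one critical, two medium and one low. The two leftover mediums on i-0def describe a reachable admin workload with no known way in, which is worth a ticket but not a page; adding a matching vulnerability finding for that asset would promote it.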
Shift left to prevent rather than detect. Run infrastructure-as-code scanning (Checkov, KICS, tfsec, now folded into Trivy, or the CSPM vendor's own IaC scanner) in the pull request pipeline and block merges that carry critical findings. Then add guardrails that make insecure configurations impossible rather than merely visible: Service Control Policies in AWS, Azure Policy, GCP Organization Policy. For public S3 buckets the working pattern is not an SCP that "denies public buckets" (an SCP cannot evaluate whether a bucket policy makes a bucket public) but account-level S3 Block Public Access turned on in every account, plus an SCP that denies s3:PutAccountPublicAccessBlock to everyone except the landing-zone role so nobody can switch it off. Treat CSPM findings older than 30 days as exceptions requiring written justification. The successful CSPM program catches the bulk of issues at IaC time and uses the runtime CSPM as the safety net, not the primary control.
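What the pull request gate does, as an added example rather than Checkov's or any vendor's code: the script reads the JSON that `terraform show -json plan.out` emits, fails the build on an incomplete S3 public access block or a world-open admin port, and skips resources the plan deletes. The plan excerpt, the rule set and the severities are constructed for the example; the `resource_changes` / `change.after` layout is Terraform's own plan format.

```python
"""Fail a pull request when a Terraform plan introduces posture violations.

Added example standing in for the IaC-scanning step; not Checkov's or any
vendor's code. Input is `terraform show -json plan.out`. The plan excerpt,
rules and severities below are constructed for the example."""
import json
import sys

# Constructed plan excerpt in the `terraform show -json` shape, trimmed to the
# fields the checks read.
PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "corp-logs"}}},
    {"address": "aws_s3_bucket_public_access_block.logs",
     "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["create"], "after": {
         "block_public_acls": True, "block_public_policy": False,
         "ignore_public_acls": True, "restrict_public_buckets": True}}},
    {"address": "aws_vpc_security_group_ingress_rule.ssh",
     "type": "aws_vpc_security_group_ingress_rule",
     "change": {"actions": ["create"], "after": {
         "cidr_ipv4": "0.0.0.0/0", "ip_protocol": "tcp",
         "from_port": 22, "to_port": 22}}},
    {"address": "aws_vpc_security_group_ingress_rule.https",
     "type": "aws_vpc_security_group_ingress_rule",
     "change": {"actions": ["create"], "after": {
         "cidr_ipv4": "0.0.0.0/0", "ip_protocol": "tcp",
         "from_port": 443, "to_port": 443}}},
    {"address": "aws_vpc_security_group_ingress_rule.legacy",
     "type": "aws_vpc_security_group_ingress_rule",
     "change": {"actions": ["delete"], "after": None}},
]})

PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")
ADMIN_PORTS = {22, 3389}            # SSH and RDP; extend per environment
BLOCKING = {"critical", "high"}     # severities that fail the merge


def planned_resources(plan):
    """Yield (address, type, after) for resources that will exist after apply."""
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:           # deletions have no desired state
            continue
        yield rc["address"], rc["type"], after


def world_open_admin_port(after):
    """True if an ingress rule admits 0.0.0.0/0 or ::/0 to an admin port."""
    if after.get("cidr_ipv4") != "0.0.0.0/0" and after.get("cidr_ipv6") != "::/0":
        return False
    if after.get("ip_protocol") == "-1":          # all protocols, all ports
        return True
    lo, hi = after.get("from_port"), after.get("to_port")
    if lo is None or hi is None:
        return False
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def check_plan(plan_json):
    """Return (severity, address, message) tuples, worst first."""
    violations = []
    resources = list(planned_resources(json.loads(plan_json)))
    has_pab = False
    for address, rtype, after in resources:
        if rtype == "aws_s3_bucket_public_access_block":
            has_pab = True
            # A partial block still allows public bucket policies or ACLs.
            missing = [f for f in PAB_FLAGS if after.get(f) is not True]
            if missing:
                violations.append(("critical", address,
                                   f"public access block leaves {missing} off"))
        elif rtype == "aws_vpc_security_group_ingress_rule" and world_open_admin_port(after):
            violations.append(("high", address, "admin port open to the world"))
    # Mapping a block to its bucket needs the bucket reference, which is often
    # unknown until apply, so the fallback rule is coarse: a bucket created
    # with no public access block anywhere in the plan is flagged.
    if not has_pab:
        for address, rtype, _ in resources:
            if rtype == "aws_s3_bucket":
                violations.append(("critical", address,
                                   "no aws_s3_bucket_public_access_block in plan"))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    violations.sort(key=lambda v: order[v[0]])
    return violations


def gate(plan_json):
    """CI exit status: 1 if any blocking-severity violation is present."""
    violations = check_plan(plan_json)
    for severity, address, message in violations:
        print(f"[{severity}] {address}: {message}")
    return 1 if any(s in BLOCKING for s, _, _ in violations) else 0


if __name__ == "__main__":
    # `python gate.py` checks the embedded sample; `terraform show -json
    # plan.out | python gate.py -` checks a real plan from stdin.
    source = sys.stdin.read() if sys.argv[1:] == ["-"] else PLAN_JSON
    sys.exit(gate(source))
```

On the embedded plan the gate reports the incomplete public access block as critical and the world-open SSH rule as high, ignores the HTTPS rule and the deleted rule, and exits 1. The account-level Block Public Access setting described above is the backstop for the case this script misses: a bucket whose public access block is changed outside the pipeline.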
Related reading
AWS security baseline checklist for new accounts
A new AWS account is wide open by default. Twenty controls applied in the first week prevent 90 percent of cloud incidents — here is the list.
Azure security on day one: a tenant-level hardening guide
Azure tenants come with risky defaults — Conditional Access disabled, security defaults insufficient. Here is the day-one hardening that actually moves the dial.
Kubernetes security baseline: clusters that survive contact
A vanilla Kubernetes cluster is not production-ready. The CIS Kubernetes Benchmark, NSA hardening guide, and Pod Security Standards translate to a practical first week.