What Is CSPM? Cloud Security Posture Management Explained
In 2019, Capital One disclosed a breach exposing 106 million customer records. The cause wasn't a zero-day exploit - a misconfigured web application firewall let an attacker exploit a server-side request forgery (SSRF) vulnerability, reach the AWS metadata service, steal IAM credentials, and exfiltrate data from hundreds of S3 buckets. That pattern - misconfiguration as the attack vector, not platform vulnerability - has held ever since. Verizon's annual Data Breach Investigations Report consistently identifies misconfiguration among the leading causes of cloud security incidents year after year.
Cloud Security Posture Management (CSPM) exists to catch these misconfigurations before attackers do.
What Is CSPM? #
Cloud Security Posture Management (CSPM) is the continuous monitoring, assessment, and remediation of security misconfigurations across cloud infrastructure. A CSPM tool connects to your cloud provider APIs - AWS, GCP, Azure, Kubernetes - and evaluates your configuration against security best practices and compliance frameworks, surfacing deviations as findings.
The core question a CSPM answers: Is this cloud environment configured the way security policy says it should be?
That means checking things like:
- Are any S3 buckets publicly readable?
- Are security groups allowing unrestricted inbound access (0.0.0.0/0) on sensitive ports?
- Is encryption at rest enabled for RDS instances and EBS volumes?
- Are CloudTrail logs enabled across all regions?
- Are IAM users using MFA?
- Are Kubernetes API servers exposed to the public internet?
CSPM tools run these checks continuously - not just during annual audits - so that misconfigurations are caught quickly, ideally before they're exploited.
What Do Cloud Misconfigurations Actually Cost? #
Misconfiguration isn't a niche risk - it's the dominant cause of cloud security incidents. The numbers make this concrete.
IBM's 2024 Cost of a Data Breach Report puts the average cost of a data breach at $4.88 million. Breaches originating from misconfigured cloud environments typically sit at the higher end of that range because of the data volume involved - a misconfigured storage bucket doesn't just expose one record; it exposes whatever was in the bucket.
Misconfiguration and human error are consistently identified as leading cloud breach vectors - appearing in Verizon's annual Data Breach Investigations Report among the top patterns in cloud-related security incidents year over year.
Beyond breach costs, misconfiguration creates ongoing compliance exposure. Organizations spending on security tools but not addressing configuration drift often discover their compliance posture during an audit - not before it. The Capital One breach alone resulted in an $80 million civil penalty from the OCC, plus years of enhanced compliance requirements imposed by the Federal Reserve.
The CSPM market reflects this urgency. Multi-cloud adoption, expanding compliance requirements, and cloud infrastructure that no team can monitor manually have made automated posture management a standard part of enterprise security programs - to the point where CSPM or CNAPP coverage is now a baseline category in most enterprise security vendor evaluations.
What Are the Core Capabilities of a CSPM? #
Continuous Misconfiguration Detection #
The foundational capability: scanning cloud APIs on a recurring schedule and flagging resources that violate security policies. Most CSPMs include hundreds of built-in checks mapped to common frameworks (CIS, NIST, SOC 2). Better tools let you write custom checks for organization-specific policies that vendor libraries don't cover.
Compliance Monitoring and Reporting #
CSPMs map infrastructure findings to specific compliance controls, generating audit-ready reports. Instead of manually gathering evidence for SOC 2 or PCI DSS audits, compliance teams can pull a continuous compliance report directly from the platform. This is particularly valuable for SOC 2 Type II, which requires demonstrating controls were effective over time - not just at a snapshot.
Risk Prioritization #
Raw CSPM findings can run into the thousands. Most platforms score findings by severity, asset exposure (is this resource internet-facing?), and business context to help security teams focus on what matters rather than chasing a long flat list. Some tools use attack path analysis to surface findings that are more likely to be exploitable given other factors in the environment.
Drift Detection #
When someone changes a resource through the console rather than Terraform - bypassing the approved change process - a CSPM detects the configuration drift and alerts. This is particularly important for preventing unauthorized changes from introducing misconfigurations in production.
Remediation Guidance and Automation #
Better CSPMs provide step-by-step remediation instructions for each finding. Some platforms offer auto-remediation via IaC integration, and most can create tickets in Jira or PagerDuty alerts for high-severity findings automatically.
Inventory and Asset Visibility #
A CSPM maintains a running inventory of cloud resources across accounts and regions - providing the context needed to assess which assets are affected by any given finding and to demonstrate coverage to auditors.
Attack Path Analysis #
Modern CSPMs go beyond individual finding alerts to identify attack paths - chains of seemingly unrelated misconfigurations that an attacker could exploit in sequence.
The concept: a single open security group might be low severity in isolation. But combine it with an EC2 instance that has an overprivileged IAM role, which can access an S3 bucket containing credentials, and you have a viable lateral movement path from the internet to your most sensitive data. Vendors like Wiz call these "toxic combinations." No single finding is critical - but together, they're exploitable.
A concrete example of an attack path:
1. A security group allows inbound SSH from 0.0.0.0/0 (the internet) - low severity finding on its own
2. The EC2 instance behind that security group has an IAM instance profile with s3:* permissions - medium severity
3. An S3 bucket accessible by that role contains AWS access keys stored in a config file - medium severity
4. Those access keys belong to an IAM user with AdministratorAccess - critical severity
Individually, findings 1-3 might generate low-priority alerts. Together, they form a complete attack chain from internet to full admin access. Attack path analysis surfaces this chain as a single critical finding - the path from entry point to blast radius - rather than four disconnected alerts.
Attack path analysis models your cloud environment as a graph: nodes are cloud resources and identities, edges are the connections between them (network access, IAM permissions, trust relationships). The CSPM traverses this graph looking for paths from external entry points to sensitive targets. High-risk paths get surfaced regardless of whether the individual findings would have triggered an alert on their own.
For security teams drowning in thousands of low-severity findings, attack path analysis is what makes prioritization tractable. Instead of triaging 5,000 findings, you focus on the 20 paths that could actually lead to a breach.
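To make the graph model concrete, here is a small attack-path finder written for this article (it is not CloudQuery code or any vendor's engine). It builds the graph from a constructed inventory and reports the four-step chain above as a single path; the inventory format, the edge rules and the node names are all assumptions.

```python
"""Toy attack-path finder over a constructed cloud inventory (added example,
not CloudQuery code or any vendor's graph engine). Inventory format, edge
rules and node names are assumptions mirroring the chain described above:
open SSH -> EC2 instance -> s3:* role -> bucket with access keys -> admin.
"""
from collections import deque

INTERNET = "internet"       # synthetic entry node
ADMIN = "target:admin"      # synthetic sensitive target

# Constructed inventory (not real account data): one complete chain
# (sg-web -> i-bastion -> role-app -> bkt-config -> user-admin) plus a
# dead end (sg-internal is not internet-facing, role-readonly is scoped).
INVENTORY = {
    "security_groups": {
        "sg-web": {"inbound_cidrs": ["0.0.0.0/0"]},
        "sg-internal": {"inbound_cidrs": ["10.0.0.0/8"]},
    },
    "instances": {
        "i-bastion": {"security_group": "sg-web", "instance_profile": "role-app"},
        "i-batch": {"security_group": "sg-internal", "instance_profile": "role-readonly"},
    },
    "roles": {
        "role-app": {"actions": ["s3:*"], "buckets": []},
        "role-readonly": {"actions": ["s3:GetObject"], "buckets": ["bkt-logs"]},
    },
    "buckets": {
        "bkt-config": {"access_keys_for": "user-admin"},
        "bkt-logs": {"access_keys_for": None},
    },
    "users": {"user-admin": {"policies": ["AdministratorAccess"]}},
}


def build_graph(inv):
    """Directed adjacency map. Each edge is one relationship the article
    rates low/medium on its own: network exposure, instance-role binding,
    bucket access, stored credentials, admin privilege."""
    g = {}

    def add(src, dst):
        g.setdefault(src, []).append(dst)

    for sg, cfg in inv["security_groups"].items():
        if "0.0.0.0/0" in cfg["inbound_cidrs"]:
            add(INTERNET, sg)
    for inst, cfg in inv["instances"].items():
        add(cfg["security_group"], inst)
        add(inst, cfg["instance_profile"])
    for role, cfg in inv["roles"].items():
        # s3:* reaches every bucket; a scoped role only its listed buckets
        for b in (inv["buckets"] if "s3:*" in cfg["actions"] else cfg["buckets"]):
            add(role, b)
    for b, cfg in inv["buckets"].items():
        if cfg["access_keys_for"]:
            add(b, cfg["access_keys_for"])
    for user, cfg in inv["users"].items():
        if "AdministratorAccess" in cfg["policies"]:
            add(user, ADMIN)
    return g


def find_attack_paths(inv, source=INTERNET, target=ADMIN):
    """BFS from the entry node; return every simple path reaching target.
    Each returned path is one critical finding instead of N separate alerts."""
    g, paths, queue = build_graph(inv), [], deque([[source]])
    while queue:
        path = queue.popleft()
        for nxt in g.get(path[-1], []):
            if nxt in path:          # ignore cycles such as role trust loops
                continue
            if nxt == target:
                paths.append(path + [nxt])
            else:
                queue.append(path + [nxt])
    return paths
```

Closing the security group or scoping the role's S3 access to a bucket without stored keys removes the path entirely, which is exactly the "break one link" remediation that attack path analysis is meant to point at.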
How Do Modern and Legacy CSPMs Differ? #
The CSPM category spans a wide range of approaches. Older tools were built before cloud-native infrastructure existed - they adapted network scanning concepts to cloud environments, with predictable gaps.
The practical difference: a legacy CSPM generates a flat list of findings. A modern CSPM generates a prioritized risk picture with context about what matters and why.
A third approach - CloudQuery's - is neither. CloudQuery provides raw infrastructure data in SQL, letting you implement whatever checks your organization needs rather than consuming a vendor's predefined finding library.
CSPM vs CWPP vs CIEM vs CNAPP #
These four categories protect different layers of your cloud environment.
In short: CSPM secures how your cloud is configured. CWPP secures what's running inside your cloud. CIEM secures who can access your cloud. A CNAPP (Cloud Native Application Protection Platform) bundles all three into a single product - which is why most major vendors now market their platforms as CNAPPs.
For teams buying point solutions, CSPM is typically the starting point because misconfiguration is the most common cloud breach cause and the easiest to address systematically.
How Does CSPM Map to Compliance Frameworks? #
One of CSPM's primary use cases is continuous compliance monitoring. Here's how the major frameworks map to CSPM capabilities.
CIS Benchmarks #
The Center for Internet Security (CIS) publishes hardening benchmarks for AWS, GCP, and Azure that serve as the most widely used CSPM baseline. CIS benchmarks cover specific, testable controls - "ensure CloudTrail is enabled in all regions" (CIS AWS v3.0 control 3.1), "ensure the default network does not exist in a project" (CIS GCP v2.0 control 3.1). Most CSPM platforms ship with CIS benchmark mappings out of the box, making compliance against these benchmarks largely automated.
SOC 2 #
SOC 2 specifies Trust Service Criteria (security, availability, processing integrity, confidentiality, and privacy) without prescribing specific technical controls - your auditor assesses whether your controls achieve the criteria, not whether you've implemented a specific checklist.
CSPM maps directly to the Common Criteria (CC) section that most SOC 2 audits focus on:
- CC6.1 (Logical and Physical Access Controls): CSPM continuously monitors IAM configurations - MFA enforcement, access key rotation, overprivileged roles
- CC6.6 (System Boundaries): CSPM detects public-facing resources that create unauthorized network entry points
- CC7.2 (System Monitoring): CSPM provides continuous evidence that monitoring controls are active
- CC8.1 (Change Management): CSPM drift detection flags configuration changes that bypassed approved change management
The continuous monitoring aspect is particularly important for SOC 2 Type II, which requires demonstrating controls were effective over a period of time - typically 6 or 12 months. Point-in-time CSPM scans don't satisfy this; continuous evidence does. Auditors want to see that the security controls they're certifying were in place throughout the audit period, not just when the audit started.
HIPAA #
The HIPAA Security Rule requires technical safeguards protecting electronic protected health information (ePHI). For cloud environments, this means controls around access, audit logging, transmission security (encryption in transit), and integrity controls.
An important prerequisite: AWS, GCP, and Azure will sign a Business Associate Agreement (BAA), but the Shared Responsibility Model means the cloud provider's signing a BAA doesn't make your cloud environment HIPAA-compliant. Your organization is responsible for the workloads, configurations, and access controls that govern how ePHI is processed and stored. CSPM addresses exactly this gap.
Specific misconfigurations CSPM monitors in HIPAA environments:
- Access controls (§164.312(a)): IAM users with admin access who haven't authenticated recently; service accounts with broader permissions than needed
- Audit controls (§164.312(b)): CloudTrail disabled in regions where ePHI workloads run; database audit logging turned off
- Transmission security (§164.312(e)): Load balancers or APIs accepting unencrypted HTTP traffic; RDS instances with encryption in transit disabled
- Integrity (§164.312(c)): S3 buckets with public write access; databases without backup enabled
HIPAA also requires ongoing risk assessments - CSPM generates the continuous inventory and misconfiguration data those assessments depend on, and provides the audit trail showing controls were active when HHS auditors review.
PCI DSS #
The Payment Card Industry Data Security Standard requires continuous monitoring of all systems in scope for cardholder data. PCI DSS v4.0 (fully in effect since March 2025) strengthens requirements around continuous monitoring - Requirement 11 explicitly requires detecting and alerting on unauthorized changes.
Key PCI DSS v4.0 requirements CSPM addresses directly:
- Requirement 1: Network security controls - CSPM monitors security groups and firewall rules for unauthorized access paths
- Requirement 3: Protect stored account data - CSPM checks for unencrypted databases and storage in the cardholder data environment
- Requirement 7: Restrict access by business need - CSPM surfaces overprivileged IAM roles and service accounts with access to in-scope systems
- Requirement 10: Log and monitor all access - CSPM verifies CloudTrail, VPC Flow Logs, and database audit logging are enabled for in-scope accounts
- Requirement 11: Test security regularly - CSPM provides continuous configuration testing rather than periodic point-in-time assessments
The v4.0 update's shift toward continuous monitoring (rather than periodic assessment) aligns exactly with what CSPM provides by default.
NIST CSF and FedRAMP #
The NIST Cybersecurity Framework (CSF) v2.0 (released February 2024) organizes security activities across six core functions. CSPM contributes most directly to:
- Identify (ID): Asset inventory and configuration data for all cloud resources
- Protect (PR): Continuous enforcement of configuration controls mapped to access management and data security requirements
- Detect (DE): Continuous monitoring for configuration deviations and drift
For organizations pursuing FedRAMP authorization, CSPM provides a significant portion of the continuous monitoring program required by the Authorization to Operate (ATO) process. FedRAMP's continuous monitoring requirements - monthly vulnerability scanning, ongoing configuration assessment, and incident response readiness - align directly with what mature CSPM implementations provide. The FedRAMP Continuous Monitoring Strategy Guide explicitly requires ongoing assessment of security controls, which CSPM automates for cloud configuration controls.
Which CSPM Vendors Are Worth Knowing in 2026? #
The CSPM market has largely consolidated into broader CNAPP platforms.
Wiz has become the defining cloud security platform, built around an agentless approach that scans environments through API access. Wiz's security graph identifies attack paths - combinations of misconfigurations, vulnerabilities, and excessive permissions that an attacker could chain together. Google completed its $32 billion acquisition of Wiz in March 2026, its largest acquisition ever. Wiz remains the platform most often cited when organizations evaluate cloud security for the first time.
Palo Alto Networks Cortex Cloud (renamed from Prisma Cloud in February 2025) covers the widest scope of any enterprise CNAPP - CSPM, CWPP, CIEM, code security, and supply chain security in a single platform. Cortex Cloud's breadth makes it the default choice for large enterprises that want one vendor for cloud security - though that breadth comes with complexity and cost.
Orca Security uses SideScanning technology to analyze cloud environments without deploying agents, giving deep visibility into vulnerabilities and misconfigurations. Orca is particularly strong for organizations that want agentless visibility and detailed attack path analysis without agent deployment overhead.
CrowdStrike Falcon Cloud Security extends CrowdStrike's endpoint protection heritage into cloud environments with a unified agent covering both endpoints and cloud workloads. Security teams already using CrowdStrike for endpoints typically find it the most practical path to cloud security coverage.
Microsoft Defender for Cloud is the natural choice for organizations with significant Azure footprint or existing Microsoft security investment. It covers multi-cloud (AWS, GCP, Azure) but has the deepest integration with Azure-native services and Microsoft Sentinel SIEM.
Lacework was acquired by Fortinet in 2024 in what the industry widely viewed as a distressed sale. The original Lacework product team was largely restructured post-acquisition and the roadmap was absorbed into Fortinet's platform. If you're evaluating cloud security tools today, Lacework as an independent product is effectively no longer on the table - what you're buying is Fortinet's security platform, with a different go-to-market and roadmap than the original Lacework.
SentinelOne Singularity Cloud Security has expanded significantly from its endpoint protection roots into a full CNAPP offering with CSPM, CWPP, and code security capabilities. SentinelOne's AI-driven approach combines real-time threat detection with cloud posture management, making it a strong option for security operations centers that want unified endpoint and cloud visibility in one platform.
If you're starting a cloud security program and not sure where to begin: Wiz and Microsoft Defender for Cloud cover the most common starting scenarios. Wiz if you want best-in-class attack path analysis and your environment is multi-cloud or cloud-agnostic. Defender if you're Azure-heavy or already have Microsoft E5 licensing where it's largely included. The others are worth evaluating for specific needs, but these two have the broadest fit for teams building from scratch.
How CloudQuery Fits into Your CSPM Strategy #
CloudQuery Platform is not a traditional CSPM. We don't provide GUI dashboards with pre-built compliance reports or one-click remediation. What we provide is the data layer that makes CSPM-style posture management possible with the tools your team already uses.
CloudQuery syncs configuration data from 70+ cloud sources into a SQL-queryable database you control. Your entire cloud posture is accessible through standard SQL, in your own PostgreSQL, Snowflake, or BigQuery instance - which means your existing BI tools, dashboards, and compliance workflows operate against it without modification.
The practical difference: a traditional CSPM gives you their security checks in their dashboard. CloudQuery gives you the data, so you can write exactly the checks your organization needs. We've seen teams use this to write compliance checks their CNAPP vendor didn't cover, join security findings with cost data to prioritize exposed resources by blast radius, and maintain compliance posture across hybrid environments where a commercial CSPM didn't have full coverage.
Want to find all production EBS volumes without encryption enabled?
```sql
SELECT
    account_id,
    region,
    volume_id,
    volume_type,
    size,
    tags->>'Environment' AS environment
FROM aws_ec2_ebs_volumes
WHERE encrypted = false
  AND tags->>'Environment' = 'production'
ORDER BY account_id, region;
```
Want to find S3 buckets with public access not in your approved CDN accounts?
```sql
SELECT
    account_id,
    name,
    region
FROM aws_s3_buckets
WHERE (
    block_public_acls = false
    OR block_public_policy = false
    OR ignore_public_acls = false
    OR restrict_public_buckets = false
)
  AND account_id NOT IN ('111122223333')
ORDER BY account_id;
```
Want to find IAM users with AWS console access but no MFA - a fundamental access control gap that maps to CIS AWS v3.0 control 1.10?
```sql
SELECT
    u.account_id,
    u.user_name,
    u.arn,
    u.create_date,
    u.password_last_used
FROM aws_iam_users AS u
LEFT JOIN aws_iam_mfa_devices AS m
    ON u.user_name = m.user_name
WHERE u.password_enabled = true
  AND m.user_name IS NULL
ORDER BY u.account_id, u.password_last_used;
```
These queries power CloudQuery Policies - SQL-based rules that run continuously against your infrastructure. When a violation appears, CloudQuery can notify your team or trigger a remediation workflow through Automations.
For a hands-on walkthrough, see our guide on how to build a CSPM with Grafana and CloudQuery. For teams that want security findings, cost data, and ownership context surfaced together on each resource automatically, that's what CloudQuery Insights is built for.
FAQ #
What does CSPM stand for? #
CSPM stands for Cloud Security Posture Management. It refers to tools and practices that continuously monitor cloud infrastructure for security misconfigurations and compliance violations.
What is the difference between CSPM and CWPP? #
CSPM focuses on how your cloud services are configured - checking for misconfigured storage buckets, overly permissive security groups, missing encryption, or compliance violations at the service level. CWPP (Cloud Workload Protection Platform) focuses on what's running inside your compute resources - monitoring processes, detecting malware, and preventing attacks inside VMs, containers, and serverless functions. They protect different layers and are typically used together.
Is CSPM the same as CNAPP? #
No. A CNAPP (Cloud Native Application Protection Platform) is a broader category that bundles CSPM with CWPP, CIEM, and often code security and vulnerability management. CSPM is one component of a CNAPP. Most vendors that sold standalone CSPM tools have expanded their products into CNAPPs - which is why you'll often see CSPM described as a feature within a larger platform.
Does CSPM replace a SOC 2 audit? #
No. CSPM provides continuous evidence that security controls are active and effective, which simplifies the audit process - but it doesn't replace the audit. A SOC 2 Type II audit still requires a certified auditor reviewing your processes and controls over a defined period. CSPM makes that process faster by continuously collecting the configuration evidence auditors need, rather than scrambling to gather it when an audit is scheduled.
How does CSPM help with HIPAA compliance? #
The HIPAA Security Rule requires technical safeguards protecting electronic protected health information (ePHI). CSPM contributes by continuously monitoring for HIPAA-relevant misconfigurations: unencrypted storage, databases without audit logging, publicly accessible servers in ePHI environments, or missing access controls. This monitoring generates the evidence needed for HIPAA risk assessments and simplifies audits from the HHS Office for Civil Rights.
What cloud providers does CSPM typically cover? #
Most enterprise CSPM tools support AWS, Microsoft Azure, and Google Cloud Platform. Many also cover Kubernetes (including EKS, AKS, GKE), and some extend to SaaS applications like Okta and GitHub. Coverage depth varies by vendor - verify that your specific services and regional clouds are fully supported before committing.
How often does a CSPM scan? #
Most CSPM platforms use a combination of API polling (typically every few minutes to hours) and cloud provider event streams (AWS CloudTrail, Azure Activity Log, GCP Audit Logs) for near-real-time detection. The goal is to minimize the window between when a misconfiguration is introduced and when it's detected. Event-driven detection can surface findings within minutes of a change.
Can CSPM detect insider threats? #
CSPM is not designed for insider threat detection - it monitors configurations, not behavior. If an authorized employee deliberately creates a misconfiguration (opens an S3 bucket, creates an overprivileged IAM role), CSPM will flag the resulting misconfiguration but won't attribute it to insider intent. For behavioral detection - unusual access patterns, privilege escalation attempts, suspicious data exfiltration - CIEM and cloud-native SIEM tools (AWS CloudTrail anomaly detection, Microsoft Sentinel, Splunk) are better suited. CSPM catches the outcome of insider misuse (the misconfiguration), while behavioral tools catch the activity leading to it.
What is attack path analysis in CSPM? #
Attack path analysis identifies chains of connected misconfigurations and excessive permissions that an attacker could exploit in sequence - even if no single finding in the chain would trigger an alert on its own. Modern CSPM tools model your cloud environment as a graph (resources, identities, and their relationships) and search for paths from external entry points to sensitive targets. This is how platforms like Wiz identify "toxic combinations" - a misconfigured internet-facing instance connected to an overprivileged IAM role connected to a sensitive S3 bucket - that individually generate low-severity findings but together represent a critical risk.
What is the difference between CSPM and DSPM? #
CSPM (Cloud Security Posture Management) monitors cloud infrastructure configurations - security groups, encryption settings, IAM policies, and other resource-level settings. DSPM (Data Security Posture Management) focuses specifically on where sensitive data lives, who has access to it, and whether that access is appropriately controlled. CSPM might tell you a storage bucket has public access; DSPM tells you that bucket contains PII. The two are complementary: CSPM gives you infrastructure visibility, DSPM gives you data-layer context. Many CNAPP platforms now bundle both capabilities.