Cloud Security Posture Management (CSPM)

Secure your AWS, GCP, and Azure environments with automated scanning and one-click remediation.

Overview

CVSEEYOU's CSPM module provides continuous security monitoring for your cloud infrastructure. It automatically detects misconfigurations, compliance violations, and security risks across multiple cloud providers.

Multi-Cloud
AWS, Google Cloud, and Azure support
SOC 2 Mapped
Findings linked directly to SOC 2 controls
Auto-Remediation
Fix issues with a single click

Connecting Cloud Accounts

Amazon Web Services (AWS)

We use a cross-account IAM role to securely scan your AWS environment. This ensures we have read-only access without needing long-term access keys.

  1. Create a new IAM Role in your AWS account.
  2. Attach the SecurityAudit managed policy.
  3. Attach the ViewOnlyAccess managed policy.
  4. Configure the trust relationship to allow our scanner account.
  5. Enter the Role ARN and External ID in CVSEEYOU.

Google Cloud Platform (GCP)

Connection is established via a Service Account with specific viewer roles.

  1. Create a Service Account in your GCP project.
  2. Grant the Viewer and Security Reviewer roles.
  3. Generate and download a JSON key for the service account.
  4. Paste the JSON content into the CVSEEYOU connection form.

Microsoft Azure

We connect using an App Registration (Service Principal) with Reader access.

  1. Register a new App in Azure Active Directory.
  2. Assign the Reader role to the app on your Subscription.
  3. Create a Client Secret for the app.
  4. Provide the Subscription ID, Tenant ID, Client ID, and Client Secret.

Automated Remediation

CVSEEYOU includes a powerful "One-Click Fix" capability powered by Cloud Custodian. When a finding is detected that has a safe, automated fix available, you will see a One-Click Fix button.

Supported Remediations

  • Enable S3 Bucket Encryption
  • Block S3 Public Access
  • Enable CloudTrail Logging
  • Remove Open SSH (0.0.0.0/0)
  • Remove Open RDP (0.0.0.0/0)
  • Enable RDS Storage Encryption

Note: Remediation actions make real changes to your cloud environment. While designed to be safe (e.g., enabling encryption), always review the action before confirming.

SOC 2 Compliance Mapping

Every finding is automatically mapped to relevant SOC 2 Trust Services Criteria. This helps auditors understand how your technical controls satisfy compliance requirements.

Control Description Example Checks
CC6.1 Logical Access MFA on Root, Access Keys Rotated, Strong Password Policy
CC6.6 Boundary Protection Security Groups (SSH/RDP), WAF Enabled, Public S3 Buckets
CC6.8 Change Detection CloudTrail Enabled, Config Recording, Log File Validation
CC7.1 Detection Systems GuardDuty Enabled, Vulnerability Scanning