
Cloud Security

Cloud Security in OpsMx Delivery Shield protects the applications, workloads, and infrastructure deployed across cloud environments — ensuring that what was built and tested securely is also deployed and operated securely in AWS, Azure, and GCP.

Modern cloud environments are highly dynamic — resources are provisioned on demand, configurations change frequently, and multiple services interact across platforms and regions. This introduces a constantly shifting risk landscape where misconfigurations, over-permissioned identities, exposed services, and insecure network paths can emerge at any moment.

Cloud Security in OpsMx acts as the environment-level control layer — continuously assessing cloud posture, enforcing configuration standards, and ensuring compliance as cloud environments evolve.

Why Cloud Security Is Used in OpsMx

Cloud misconfiguration is consistently among the leading causes of cloud security breaches. Unlike application vulnerabilities, which usually require an exploit, misconfigurations are often directly reachable with no exploit at all: a public S3 bucket, a security group open to 0.0.0.0/0, an IAM role with wildcard permissions. OpsMx uses Cloud Security in Delivery Shield to:

  • Continuously assess cloud posture — not just at deployment, but as configurations drift over time

  • Surface misconfigurations before exploitation — detecting risks like exposed storage, overly permissive IAM, and missing encryption

  • Enforce compliance standards automatically — CIS Benchmarks, NIST 800-53, PCI DSS, and HIPAA for cloud resources

  • Provide context-aware risk assessment — context graphs show how a misconfigured resource connects to other services, data stores, and users

  • Unify cloud risk with application risk — CSPM findings appear alongside SAST, SCA, and DAST results in the same Delivery Shield dashboard
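The three misconfigurations named above are the kind of thing a CSPM scanner checks for directly, without any exploit. The following is an added example written for this page, not OpsMx, ScoutSuite or Cloud Custodian code: it runs posture checks over a hand-constructed AWS inventory (the resource shapes, check IDs and severities are illustrative). It also handles the edge case that trips up naive "public bucket" checks: a bucket policy with `Principal: "*"` is only world-readable when the statement carries no `Condition`.

```python
"""CSPM-style misconfiguration checks over a constructed AWS inventory.

Added example, not OpsMx, ScoutSuite or Cloud Custodian code. The inventory is a
hand-built snapshot shaped loosely like AWS API responses; check IDs and
severities are illustrative.
"""
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never expected to be reachable from 0.0.0.0/0

# Constructed sample inventory, not data from a real account.
INVENTORY = {
    "iam_policies": [
        {"name": "AdminEverything", "document": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
        {"name": "ReadAssets", "document": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::app-assets/*"}]}},
    ],
    "s3_buckets": [
        {"name": "app-assets", "encryption": "AES256", "policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::app-assets/*"}]}},
        {"name": "billing-exports", "encryption": None, "policy": {"Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::billing-exports/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}]}},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"from": 22, "to": 22, "cidr": "0.0.0.0/0"},
                                         {"from": 3389, "to": 3389, "cidr": "10.0.0.0/8"}]},
    ],
}

def _as_list(value):
    """IAM allows scalars or lists for Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _finding(check, resource, severity, detail):
    return {"check": check, "resource": resource, "severity": severity, "detail": detail}

def check_iam(policies):
    """Flag Allow statements whose Action is '*' or 'service:*'."""
    findings = []
    for pol in policies:
        for stmt in pol["document"].get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action"))
            resources = _as_list(stmt.get("Resource"))
            if any(a == "*" or a.endswith(":*") for a in actions):
                # Wildcard action on wildcard resource is full admin; on a scoped resource it is still broad.
                sev = "HIGH" if "*" in resources else "MEDIUM"
                findings.append(_finding("iam-wildcard-action", pol["name"], sev,
                                         f"Allow {actions} on {resources}"))
    return findings

def _principal_is_anyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def check_s3(buckets):
    findings = []
    for b in buckets:
        for stmt in (b.get("policy") or {}).get("Statement", []):
            # Principal '*' is only world-readable when unconditional; a Condition such as
            # aws:SourceVpce restricts who can actually use the statement.
            if (stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                findings.append(_finding("s3-public-policy", b["name"], "HIGH",
                                         f"unconditional Allow to Principal * for {stmt.get('Action')}"))
        if not b.get("encryption"):
            findings.append(_finding("s3-no-default-encryption", b["name"], "MEDIUM",
                                     "no default server-side encryption configured"))
    return findings

def check_security_groups(groups):
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            exposed = sorted(p for p in ADMIN_PORTS if rule["from"] <= p <= rule["to"])
            # A /0 prefix covers both 0.0.0.0/0 and ::/0.
            if exposed and ipaddress.ip_network(rule["cidr"], strict=False).prefixlen == 0:
                findings.append(_finding("sg-admin-port-world-open", sg["id"], "HIGH",
                                         f"ports {exposed} open to {rule['cidr']}"))
    return findings

def scan(inventory):
    return (check_iam(inventory["iam_policies"])
            + check_s3(inventory["s3_buckets"])
            + check_security_groups(inventory["security_groups"]))

if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f['severity']:<6} {f['check']:<26} {f['resource']:<16} {f['detail']}")
```

Running it reports four findings: the wildcard admin policy, the unconditionally public `app-assets` bucket, the unencrypted `billing-exports` bucket, and SSH open to the world on `sg-bastion`. The `billing-exports` policy is not reported as public because its VPC-endpoint condition scopes the grant, and HTTPS open to the world on `sg-web` is left alone because it is the expected posture for a web tier.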

Cloud Security Posture Management (CSPM)

Delivery Shield integrates ScoutSuite (multi-cloud configuration auditing) and Cloud Custodian (a policy-as-code rules engine) to perform CSPM across AWS, Azure, and GCP from a single integration.

| Capability | Description |
|---|---|
| Multi-Cloud Scanning | Single integration covers AWS, Azure, and GCP |
| Misconfiguration Detection | IAM, storage, network, database, and logging gaps |
| Context Graphs | Visualize the blast radius of each misconfigured resource |
| Preset Remediations | Pre-mapped fix steps for every CSPM alert type |
| Policy-as-Code | Cloud Custodian rules defined in code and version-controlled in Git |
| Continuous Monitoring | Recurring scheduled scans rather than point-in-time audits |
| Exception Management | Time-bound exceptions tracked with expiry alerts |
| Bulk Export | CSV and JSON export of all findings, honoring the filters active in the UI |

Supported Cloud Platforms: AWS · Azure · GCP
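Two rows of the table above, Continuous Monitoring and Exception Management, interact: a recurring scan is only useful if each run is compared with the last, and an accepted risk must stop being suppressed when its exception expires. The following is an added example, not OpsMx code, showing that logic. The two scan snapshots, the exception records and the scan time are constructed; findings are `(check, resource)` pairs such as a CSPM scanner might emit.

```python
"""Continuous posture monitoring with time-bound exceptions.

Added example, not OpsMx code. Findings are (check, resource) pairs as a CSPM
scanner might emit; the two scan snapshots, the exception records and the scan
time are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed: findings from the previous and the current scheduled scan.
PREVIOUS_SCAN = {
    ("sg-admin-port-world-open", "sg-bastion"),
    ("s3-no-default-encryption", "billing-exports"),
    ("iam-wildcard-action", "AdminEverything"),
}
CURRENT_SCAN = {
    ("sg-admin-port-world-open", "sg-bastion"),
    ("iam-wildcard-action", "AdminEverything"),
    ("s3-public-policy", "app-assets"),  # appeared since the last run: configuration drift
}

# Constructed: accepted-risk exceptions. Each has an owner, a reason and a hard expiry,
# so an acceptance cannot silently outlive the circumstances that justified it.
EXCEPTIONS = [
    {"check": "sg-admin-port-world-open", "resource": "sg-bastion", "owner": "platform-team",
     "expires": "2025-06-30T00:00:00+00:00", "reason": "bastion behind MFA; move to SSM ticketed"},
    {"check": "iam-wildcard-action", "resource": "AdminEverything", "owner": "sec-team",
     "expires": "2025-01-15T00:00:00+00:00", "reason": "break-glass role"},
]

AS_OF = datetime(2025, 6, 25, tzinfo=timezone.utc)  # constructed time of the current scan
EXPIRY_WARNING = timedelta(days=7)  # alert this long before an exception lapses

def evaluate(previous, current, exceptions, now):
    """Classify this run's findings against the last run and the exception list."""
    report = {"new": [], "resolved": sorted(previous - current), "open": [],
              "suppressed": [], "expiring_soon": [], "expired": []}
    exc_by_key = {(e["check"], e["resource"]): e for e in exceptions}
    for key in sorted(current):
        if key not in previous:
            report["new"].append(key)
        exc = exc_by_key.get(key)
        if exc is None:
            report["open"].append(key)
            continue
        expires = datetime.fromisoformat(exc["expires"])
        if expires <= now:
            # The exception lapsed: the finding resurfaces as open and the owner is alerted.
            report["expired"].append(key)
            report["open"].append(key)
        else:
            report["suppressed"].append(key)
            if expires - now <= EXPIRY_WARNING:
                report["expiring_soon"].append(key)  # early warning before the risk reappears
    return report

def run_example():
    return evaluate(PREVIOUS_SCAN, CURRENT_SCAN, EXCEPTIONS, AS_OF)

if __name__ == "__main__":
    for bucket, keys in run_example().items():
        print(f"{bucket:<14}", ", ".join(f"{c}@{r}" for c, r in keys) or "-")
```

With the constructed data, the newly public `app-assets` bucket is reported as new and open, the bastion's SSH exposure stays suppressed but is flagged as expiring within the week, the break-glass exception has already lapsed so the wildcard IAM policy is open again, and the encryption finding from the previous run is marked resolved. Keying the exception on both check and resource matters: an exception for one bucket must not silently cover the same check on another.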


Kubernetes Security

Kubernetes Security in OpsMx Delivery Shield secures the clusters, workloads, and orchestration layer that manages containerized applications — addressing the unique and complex security challenges introduced by Kubernetes at scale.

A Kubernetes environment spans multiple components — API servers, etcd, nodes, pods, and networking layers — all of which must be secured. Misconfigurations such as overly permissive RBAC roles, exposed dashboards, insecure pod configurations, and lack of network segmentation create significant vulnerabilities that are often invisible without continuous scanning.

Why Kubernetes Security Is Used in OpsMx

OpsMx uses Kubernetes Security in Delivery Shield — powered by Kubescape — to:

  • Scan Kubernetes manifests, Helm charts, and live clusters for security misconfigurations and policy violations

  • Check clusters against the CIS Kubernetes Benchmark and the NSA-CISA Kubernetes Hardening Guidance, and map each finding to the MITRE ATT&CK techniques it enables, across all clusters

  • Block deployments to insecure clusters via Deployment Firewall integration — Kubescape results are a direct gate on deployment

  • Monitor continuously — detecting changes in cluster configuration in real time and evaluating each change against security policies

  • Enforce RBAC least privilege — ensuring no service account, role, or user has more access than required
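The list above names three things a manifest-level scan has to do: find insecure pod settings, find over-permissive RBAC, and turn the result into a deploy or block decision. The following is an added example written for this page, not Kubescape or OpsMx code, that does all three over a constructed set of Kubernetes objects. The manifests are Python dicts equivalent to the YAML a Helm chart would render; the control names, severities and the HIGH threshold are illustrative.

```python
"""Manifest-level Kubernetes checks with a deploy/no-deploy gate.

Added example, not Kubescape or OpsMx code. Control IDs, severities and the
gate threshold are illustrative; the manifests are constructed dicts
equivalent to the YAML objects kubectl would apply.
"""

# Constructed manifests: one badly configured workload with cluster-admin-equivalent
# RBAC, one hardened workload, and the RBAC objects that bind them.
MANIFESTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "payments", "namespace": "prod"},
     "spec": {"template": {"spec": {
         "hostNetwork": True,
         "serviceAccountName": "payments-sa",
         "containers": [
             {"name": "app", "image": "registry.local/payments:1.4.2",
              "securityContext": {"privileged": True}},
             {"name": "sidecar", "image": "registry.local/proxy:latest"},
         ]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "frontend", "namespace": "prod"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "web", "image": "registry.local/web:2.0.0",
          "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                              "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
          "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "payments-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "payments-admin-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "payments-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "payments-sa", "namespace": "prod"}]},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def _finding(control, obj, severity, detail):
    meta = obj["metadata"]
    ref = f"{obj['kind']}/{meta.get('namespace', '-')}/{meta['name']}"
    return {"control": control, "object": ref, "severity": severity, "detail": detail}

def check_workload(obj):
    """Pod-level and container-level hardening checks on a workload's pod template."""
    findings = []
    pod = obj.get("spec", {}).get("template", {}).get("spec", {})
    if pod.get("hostNetwork"):
        findings.append(_finding("host-network", obj, "HIGH", "pod shares the node network namespace"))
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(_finding("privileged-container", obj, "CRITICAL", f"{c['name']} runs privileged"))
        if not sc.get("runAsNonRoot"):
            findings.append(_finding("run-as-root", obj, "MEDIUM", f"{c['name']} does not set runAsNonRoot"))
        if sc.get("allowPrivilegeEscalation", True):  # the Kubernetes default is true
            findings.append(_finding("privilege-escalation", obj, "MEDIUM", f"{c['name']} allows privilege escalation"))
        # Look only at the last path segment so a registry port (registry:5000/app) is not mistaken for a tag.
        if c["image"].endswith(":latest") or ":" not in c["image"].rsplit("/", 1)[-1]:
            findings.append(_finding("unpinned-image", obj, "LOW", f"{c['name']} uses an unpinned image tag"))
        if "limits" not in c.get("resources", {}):
            findings.append(_finding("no-resource-limits", obj, "LOW", f"{c['name']} has no resource limits"))
    return findings

def check_rbac(objects):
    """Flag wildcard ClusterRoles and any ServiceAccount bound to one."""
    findings, wildcard_roles = [], set()
    for obj in objects:
        if obj["kind"] == "ClusterRole":
            for rule in obj.get("rules", []):
                if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
                    wildcard_roles.add(obj["metadata"]["name"])
                    findings.append(_finding("rbac-wildcard-role", obj, "HIGH", "verbs=* on resources=*"))
    for obj in objects:
        if obj["kind"] == "ClusterRoleBinding" and obj["roleRef"]["name"] in wildcard_roles:
            for s in obj.get("subjects", []):
                if s.get("kind") == "ServiceAccount":
                    findings.append(_finding("sa-bound-to-wildcard-role", obj, "HIGH",
                                             f"ServiceAccount {s['namespace']}/{s['name']} gets cluster-admin-equivalent access"))
    return findings

def scan(objects):
    findings = []
    for obj in objects:
        if obj["kind"] in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
            findings.extend(check_workload(obj))
    findings.extend(check_rbac(objects))
    return findings

def gate(findings, block_at="HIGH"):
    """Deployment-firewall style decision: True means allow, False means block."""
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    return worst < SEVERITY_RANK[block_at]

if __name__ == "__main__":
    results = scan(MANIFESTS)
    for f in results:
        print(f"{f['severity']:<8} {f['control']:<26} {f['object']:<44} {f['detail']}")
    print("deploy allowed:", gate(results))
```

Scanning the whole set blocks the deployment: the `payments` workload runs a privileged container on the host network, and its service account is bound to a wildcard ClusterRole, which is the RBAC least-privilege violation the last bullet above is about. Scanning only the hardened `frontend` Deployment produces no findings and passes the gate. The RBAC check deliberately links the role to its bindings, because a wildcard role that nothing is bound to is far less urgent than one handed to a workload's service account.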

Key Focus Areas

| Area | What Gets Secured |
|---|---|
| Cluster Configuration | Secure API server access, encryption of Secrets at rest in etcd, audit logging |
| RBAC & Identity | Least-privilege enforcement, service account controls |
| Workload Security | Secure pod configurations, no privileged containers |
| Network Policies | East-west traffic controls between services |
| Admission Controls | Policy enforcement that prevents insecure deployments |
| Helm Chart Security | Scanning both templates and packaged charts |

Security Frameworks Supported

CIS Kubernetes Benchmarks · NSA-CISA Kubernetes Hardening · MITRE ATT&CK · ARMO Best Practices · SOC 2 · NIST 800-53

Benefits for the User

  • Every new deployment is automatically evaluated against cluster security policies before proceeding

  • Framework-aligned findings provide ready-made audit evidence for CIS Benchmark and NSA-CISA hardening compliance

  • Kubescape integrates natively — no separate cluster scanner installation required
