# Cloud Security

Cloud Security in OpsMx Delivery Shield protects the applications, workloads, and infrastructure deployed across cloud environments — ensuring that what was built and tested securely is also **deployed and operated securely** in AWS, Azure, and GCP.

Modern cloud environments are highly dynamic — resources are provisioned on demand, configurations change frequently, and multiple services interact across platforms and regions. This introduces a constantly shifting risk landscape where misconfigurations, over-permissioned identities, exposed services, and insecure network paths can emerge at any moment.

{% hint style="info" %}
Cloud Security in OpsMx acts as the environment-level control layer — continuously assessing cloud posture, enforcing configuration standards, and ensuring compliance as cloud environments evolve.
{% endhint %}

## Why Cloud Security Is Used in OpsMx

Cloud misconfiguration is among the most common causes of cloud security breaches. Unlike an application vulnerability, which needs an exploit, a misconfiguration is usually reachable with nothing more than ordinary API calls: a public S3 bucket, a security group open to 0.0.0.0/0, an IAM role with wildcard permissions. OpsMx uses Cloud Security in Delivery Shield to:

* **Continuously assess cloud posture** — not just at deployment, but as configurations drift over time
* **Surface misconfigurations before exploitation** — detecting risks like exposed storage, overly permissive IAM, and missing encryption
* **Enforce compliance standards** automatically — CIS Benchmarks, NIST 800-53, PCI DSS, and HIPAA for cloud resources
* **Provide context-aware risk assessment** — context graphs show how a misconfigured resource connects to other services, data stores, and users
* **Unify cloud risk with application risk** — CSPM findings appear alongside SAST, SCA, and DAST results in the same Delivery Shield dashboard

## Cloud Security Posture Management (CSPM)

Delivery Shield integrates **ScoutSuite** (multi-cloud configuration auditing) and **Cloud Custodian** (policy-as-code rules and remediation) to perform CSPM across AWS, Azure, and GCP from a single integration.

| Capability                     | Description                                                      |
| ------------------------------ | ---------------------------------------------------------------- |
| **Multi-Cloud Scanning**       | Single integration covers AWS, Azure, and GCP                    |
| **Misconfiguration Detection** | IAM, storage, network, database, and logging gaps                |
| **Context Graphs**             | Visualize blast radius of each misconfigured resource            |
| **Preset Remediations**        | Pre-mapped fix steps for every CSPM alert type                   |
| **Policy-as-Code**             | Cloud Custodian rules defined in code, version-controlled in Git |
| **Continuous Monitoring**      | Recurring scheduled scans — not point-in-time audits             |
| **Exception Management**       | Time-bound exceptions tracked with expiry alerts                 |
| **Bulk Export**                | CSV and JSON export of all findings with UI filters propagated   |

**Supported Cloud Platforms:** AWS · Azure · GCP
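The misconfigurations named above (a public bucket, a security group open to the Internet, an IAM wildcard, missing encryption) reduce to simple checks over the resource descriptions the cloud APIs return. The following Python is an added illustration of that kind of posture check, written for this page; it is not OpsMx, ScoutSuite or Cloud Custodian code, and the account it scans is constructed inline. The resource shapes follow the AWS API responses (IAM policy documents, EC2 `IpPermissions`, S3 ACL grants, Public Access Block and default-encryption settings); the set of sensitive ports is an assumption.

```python
"""Posture checks over constructed AWS resource descriptions.

Added example for this page; not OpsMx, ScoutSuite or Cloud Custodian code.
Resource shapes follow the AWS API responses, but every value is constructed.
"""
import ipaddress

# Assumption: ports whose exposure to the whole Internet is reported as a finding.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
PUBLIC_GRANTEES = ("AllUsers", "AuthenticatedUsers")
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_iam_policy(name, doc):
    """Flag Allow statements that grant wildcard actions, worst case first."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        service_wide = sorted(a for a in actions if a.endswith(":*"))
        if "*" in actions:
            findings.append(f"IAM {name}: Action '*' allowed (full admin)")
        elif service_wide and "*" in resources:
            findings.append(f"IAM {name}: service-wide actions {service_wide} on Resource '*'")
    return findings


def check_security_group(sg):
    """Flag ingress rules reachable from any address (a /0 prefix, v4 or v6)."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]
        if not world:
            continue
        if perm.get("IpProtocol") == "-1":  # all protocols, all ports
            findings.append(f"SG {sg['GroupId']}: all traffic open from {world}")
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"SG {sg['GroupId']}: ports {exposed} open from {world}")
    return findings


def check_s3_bucket(bucket):
    """Flag public ACL grants, missing default encryption and a non-enforced Public Access Block."""
    name, findings = bucket["Name"], []
    for grant in bucket.get("Acl", {}).get("Grants", []):
        grantee = grant.get("Grantee", {}).get("URI", "").rsplit("/", 1)[-1]
        if grantee in PUBLIC_GRANTEES:
            findings.append(f"S3 {name}: ACL grants {grant['Permission']} to {grantee}")
    if not bucket.get("ServerSideEncryptionConfiguration"):
        findings.append(f"S3 {name}: no default server-side encryption")
    pab = bucket.get("PublicAccessBlock") or {}
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.append(f"S3 {name}: Public Access Block not fully enabled")
    return findings


def assess(account):
    """Run every check; return {resource_id: [findings]} for resources with findings."""
    results = {}
    for name, doc in account.get("iam_policies", {}).items():
        results[f"iam:{name}"] = check_iam_policy(name, doc)
    for sg in account.get("security_groups", []):
        results[f"sg:{sg['GroupId']}"] = check_security_group(sg)
    for bucket in account.get("s3_buckets", []):
        results[f"s3:{bucket['Name']}"] = check_s3_bucket(bucket)
    return {rid: f for rid, f in results.items() if f}


# Constructed sample account: one clean and one misconfigured resource of each type.
SAMPLE_ACCOUNT = {
    "iam_policies": {
        "AdminEverything": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "LogReader": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                     "Resource": "arn:aws:s3:::app-logs/*"}]},
    },
    "security_groups": [
        {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-9f8e7d6c", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    ],
    "s3_buckets": [
        {"Name": "app-logs", "PublicAccessBlock": {}, "ServerSideEncryptionConfiguration": None,
         "Acl": {"Grants": [{"Grantee": {"Type": "Group",
                                          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                             "Permission": "READ"}]}},
        {"Name": "app-backups", "Acl": {"Grants": []},
         "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True),
         "ServerSideEncryptionConfiguration": {"Rules": [
             {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    ],
}

if __name__ == "__main__":
    for resource, findings in assess(SAMPLE_ACCOUNT).items():
        for finding in findings:
            print(resource, "->", finding)
```

Run as a script it reports the admin policy, port 22 open to the world on `sg-0a1b2c3d` (443 is deliberately not flagged), and three findings on `app-logs`, while `LogReader`, `sg-9f8e7d6c` and `app-backups` stay silent. Running `assess` on a schedule against fresh API output, rather than once at deployment, is what turns these checks into the drift detection the table above describes.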

***

## Kubernetes Security

Kubernetes Security in OpsMx Delivery Shield secures the clusters, workloads, and orchestration layer that manages containerized applications — addressing the unique and complex security challenges introduced by Kubernetes at scale.

A Kubernetes environment spans multiple components — API servers, etcd, nodes, pods, and networking layers — all of which must be secured. Misconfigurations such as overly permissive RBAC roles, exposed dashboards, insecure pod configurations, and lack of network segmentation create significant vulnerabilities that are often invisible without continuous scanning.

### **Why Kubernetes Security Is Used in OpsMx**

OpsMx uses Kubernetes Security in Delivery Shield — powered by **Kubescape** — to:

* **Scan Kubernetes manifests, Helm charts, and live clusters** for security misconfigurations and policy violations
* **Evaluate clusters against CIS Benchmarks, the NSA-CISA Kubernetes Hardening Guidance, and MITRE ATT\&CK-mapped controls** across all clusters
* **Block deployments to insecure clusters** via Deployment Firewall integration — Kubescape results are a direct gate on deployment
* **Monitor continuously** — detecting changes in cluster configuration in real time and evaluating each change against security policies
* **Enforce RBAC least privilege** — ensuring no service account, role, or user has more access than required

### **Key Focus Areas**

| Area                      | What Gets Secured                                     |
| ------------------------- | ----------------------------------------------------- |
| **Cluster Configuration** | Secure API access, etcd encryption, audit logging     |
| **RBAC & Identity**       | Least privilege enforcement, service account controls |
| **Workload Security**     | Secure pod configurations, no privileged containers   |
| **Network Policies**      | East-west traffic controls between services           |
| **Admission Controls**    | Policy enforcement preventing insecure deployments    |
| **Helm Chart Security**   | Scanning both templates and packaged charts           |
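To make the workload and RBAC focus areas above concrete, here is an added Python illustration written for this page (not OpsMx or Kubescape code): it walks already-parsed Kubernetes objects, reports findings with a severity, and turns them into the allow/block decision a deployment gate would make. The manifests are constructed inline as Python dictionaries (in practice they would come from YAML files or the API server), and the severities and the blocking rule are this example's own choices, not Kubescape control IDs or the Deployment Firewall's policy.

```python
"""Workload and RBAC misconfiguration checks over parsed Kubernetes objects.

Added example for this page; not OpsMx or Kubescape code. Severities and the
gate rule are this example's own. Objects are constructed inline as dicts.
"""

WORKLOAD_KINDS = ("Pod", "Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob")
HOST_NAMESPACES = ("hostNetwork", "hostPID", "hostIPC")


def _pod_spec(obj):
    """Return the pod spec embedded in a workload object, or None for other kinds."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind in WORKLOAD_KINDS:
        return obj["spec"]["template"]["spec"]
    return None


def check_workload(obj):
    """Findings as (resource, severity, message) for pod-level and container-level risks."""
    spec = _pod_spec(obj)
    if spec is None:
        return []
    name = f"{obj['kind']}/{obj['metadata']['name']}"
    findings = []
    shared = [ns for ns in HOST_NAMESPACES if spec.get(ns)]
    if shared:
        findings.append((name, "high", f"shares host namespaces {shared}"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        cname = f"{name}:{c['name']}"
        if sc.get("privileged"):
            findings.append((cname, "high", "privileged container"))
        if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
            findings.append((cname, "high", "adds CAP_SYS_ADMIN"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append((cname, "medium", "allowPrivilegeEscalation not set to false"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append((cname, "medium", "runAsNonRoot not set; may run as root"))
        if not c.get("resources", {}).get("limits"):
            findings.append((cname, "low", "no resource limits"))
    return findings


def check_rbac(obj):
    """Findings for Role/ClusterRole rules that are broader than least privilege."""
    if obj.get("kind") not in ("Role", "ClusterRole"):
        return []
    name = f"{obj['kind']}/{obj['metadata']['name']}"
    findings = []
    for rule in obj.get("rules", []):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            findings.append((name, "high", "wildcard verbs on wildcard resources"))
        elif "*" in verbs or "*" in resources:
            findings.append((name, "medium", "wildcard verb or resource"))
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            findings.append((name, "medium", "read access to Secrets"))
    return findings


def scan(objects):
    findings = []
    for obj in objects:
        findings += check_workload(obj) + check_rbac(obj)
    return findings


def gate(objects, block_on=("high",)):
    """Gate decision: block the deployment when any finding has a blocking severity."""
    findings = scan(objects)
    blocking = [f for f in findings if f[1] in block_on]
    return {"allowed": not blocking, "blocking": blocking, "total": len(findings)}


def _deployment(name, container):
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": name},
            "spec": {"template": {"spec": {"containers": [container]}}}}


# Constructed manifests: one risky workload, one hardened one, two RBAC objects.
BAD_DEPLOYMENT = _deployment("payments-api", {"name": "api", "image": "payments:1.4",
                                              "securityContext": {"privileged": True}})
BAD_DEPLOYMENT["spec"]["template"]["spec"]["hostPID"] = True
GOOD_DEPLOYMENT = _deployment("web", {
    "name": "nginx", "image": "nginx:1.27",
    "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"]}},
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}})
WILDCARD_CLUSTER_ROLE = {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
                         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
SECRET_READER_ROLE = {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "default"},
                      "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets"],
                                 "verbs": ["get", "list"]}]}
SAMPLE_OBJECTS = [BAD_DEPLOYMENT, GOOD_DEPLOYMENT, WILDCARD_CLUSTER_ROLE, SECRET_READER_ROLE]

if __name__ == "__main__":
    decision = gate(SAMPLE_OBJECTS)
    print("allowed:", decision["allowed"], "findings:", decision["total"])
    for resource, severity, message in decision["blocking"]:
        print(f"  BLOCK [{severity}] {resource}: {message}")
```

On the sample set the gate blocks on three high findings (the shared host PID namespace, the privileged container, and the `*`/`*` ClusterRole) while recording seven in total; the hardened `web` Deployment produces none, and the Role that reads Secrets is reported but, at the default threshold, does not block. Which severities block is the policy decision a team makes when wiring a scanner's output into a deployment gate.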

### **Security Frameworks Supported**

CIS Kubernetes Benchmarks · NSA-CISA Kubernetes Hardening · MITRE ATT\&CK · ARMO Best Practices · SOC 2 · NIST 800-53

### **Benefits for the User**

* Every new deployment is automatically evaluated against cluster security policies before proceeding
* Framework-aligned findings provide ready-made audit evidence for CIS and NSA compliance
* Kubescape integrates natively — no separate cluster scanner installation required

