> For the complete documentation index, see [llms.txt](https://docs.opsmx.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.opsmx.com/code-to-cloud-security-and-scanners/cloud-security/cspm.md).

# CSPM

Cloud Security Posture Management (CSPM) continuously monitors and evaluates the security configuration of your cloud infrastructure — identifying misconfigurations, compliance violations, and exposure risks across AWS, Azure, and GCP environments before they are exploited.

OpsMx Delivery Shield integrates ScoutSuite with Cloud Custodian to perform comprehensive Cloud Security Posture Management. This enables security scanning of public cloud infrastructure, ensuring compliance and risk mitigation.

CSPM refers to the tools and practices designed to help organizations secure their cloud environments by managing and enhancing the security posture of cloud infrastructure, services, and configurations. The goal is to identify and remediate potential security risks, misconfigurations, and vulnerabilities in cloud environments. Activities include Identity and Access Management (IAM) analysis, continuous monitoring, and compliance management.

## How CSPM Works in OpsMx Delivery Shield

ScoutSuite integration with Cloud Custodian performs comprehensive cloud security posture scans across your public cloud infrastructure. Vulnerabilities identified through CSPM policies can be added to the exception list, preventing them from generating repeated alerts. [OpsMX](https://www.opsmx.com/blog/how-devsecops-ci-cd-pipeline-secures-the-software-supply-chain/)

The CSPM workflow in Delivery Shield:

```
Cloud Account Connected (AWS / Azure / GCP)
              ↓
ScoutSuite scans cloud resources and configurations
              ↓
Cloud Custodian evaluates findings against security policies
              ↓
Results appear in the CSPM Analysis page with:
  ├── Resource-level findings by severity
  ├── Context graphs showing affected services
  ├── Preset remediations per alert type
  └── Export-ready reports (CSV / JSON)
              ↓
Alerts routed to JIRA / Slack / Email for remediation tracking
              ↓
Exceptions managed within Delivery Shield — tracked & time-bound
```

## Supported Cloud Platforms

| Cloud Provider                  | Coverage                                                                |
| ------------------------------- | ----------------------------------------------------------------------- |
| **Amazon Web Services (AWS)**   | EC2, S3, RDS, IAM, VPC, CloudTrail, Lambda, EKS, ECS, and more          |
| **Microsoft Azure**             | Storage, Virtual Machines, IAM, Network Security Groups, Key Vault, AKS |
| **Google Cloud Platform (GCP)** | Compute Engine, GCS, IAM, GKE, Cloud SQL, BigQuery                      |

## Supported Tools

| Tool                | Role                                                                                                                                               |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| **ScoutSuite**      | Multi-cloud security auditing — scans cloud account configurations and generates structured findings across all major cloud providers              |
| **Cloud Custodian** | Policy-as-code enforcement engine — evaluates ScoutSuite findings against defined security policies and triggers actions (alert, block, remediate) |

## Setting Up CSPM in Delivery Shield

1. Navigate to **Setup → Integrations** in Delivery Shield
2. In the **Cloud Security** panel, select your cloud provider — **AWS**, **Azure**, or **GCP**
3. Connect the cloud account using read-access credentials (IAM role for AWS, Service Principal for Azure, Service Account for GCP)
4. Configure ScoutSuite with the connected account and set a **scan schedule** (daily, weekly, or on-demand)
5. Define Cloud Custodian **security policies** — use pre-packaged CIS/NIST rules or define custom rules
6. Enable **notifications** — route CSPM alerts to Slack, Email, or Jira
7. View results in the **CSPM Analysis page** and **Context Graph** within Delivery Shield
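The workflow diagram and the setup steps above describe one pipeline: scan output is evaluated against policies, findings that are on the exception list are held back only while the exception is still valid, and the rest are routed to Jira, Slack or Email and exported as CSV or JSON. The block below is an added illustration of that pipeline and is not OpsMx, ScoutSuite or Cloud Custodian code: the resource records are constructed, their field names are assumptions (not ScoutSuite's schema), the policy shape is only loosely modelled on Cloud Custodian's `resource`/`filters` YAML, the severity-to-channel mapping is assumed, and the ticket id is a placeholder.

```python
"""Toy CSPM pipeline: inventory -> policy evaluation -> time-bound exceptions
-> severity routing -> export. Added example for this page; not OpsMx,
ScoutSuite or Cloud Custodian code. All record shapes and field names below
are assumptions constructed for the illustration."""
import csv
import io
import json
from datetime import date

# Constructed inventory, in a flattened shape a scan might be normalised into.
RESOURCES = [
    {"id": "sg-0a1b", "type": "aws.security-group", "account": "111122223333",
     "region": "us-east-1",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "10.0.0.0/8"}]},
    {"id": "sg-0c2d", "type": "aws.security-group", "account": "111122223333",
     "region": "us-east-1",
     "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}, {"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "app-logs", "type": "aws.s3", "account": "111122223333",
     "region": "us-east-1", "public_access_block": False, "encryption": "AES256"},
    {"id": "app-data", "type": "aws.s3", "account": "111122223333",
     "region": "eu-west-1", "public_access_block": True, "encryption": None},
]

# Policies loosely modelled on Cloud Custodian's resource/filters layout and
# evaluated by the toy engine below. The "any" op applies nested filters per
# list element, so port 22 and 0.0.0.0/0 must sit on the SAME ingress rule:
# sg-0c2d (22 from a private range, 443 from the world) must not match.
POLICIES = [
    {"name": "sg-ssh-open-to-world", "resource": "aws.security-group", "severity": "HIGH",
     "filters": [{"key": "ingress", "op": "any", "value": [
         {"key": "port", "op": "eq", "value": 22},
         {"key": "cidr", "op": "eq", "value": "0.0.0.0/0"}]}]},
    {"name": "s3-public-access-block-missing", "resource": "aws.s3", "severity": "HIGH",
     "filters": [{"key": "public_access_block", "op": "eq", "value": False}]},
    {"name": "s3-no-default-encryption", "resource": "aws.s3", "severity": "MEDIUM",
     "filters": [{"key": "encryption", "op": "eq", "value": None}]},
]

# Constructed time-bound exception tied to a tracking ticket (placeholder id).
EXCEPTIONS = [
    {"policy": "s3-no-default-encryption", "resource_id": "app-data",
     "expires": "2030-01-31", "ticket": "TICKET-PLACEHOLDER"},
]

# Assumed severity-to-channel mapping over the channels the page lists.
ROUTES = {"HIGH": "jira", "MEDIUM": "slack", "LOW": "email"}


def _matches(record, flt):
    """Evaluate one filter. ops: eq, ne, any (some element satisfies all nested)."""
    val, op = record.get(flt["key"]), flt["op"]
    if op == "eq":
        return val == flt["value"]
    if op == "ne":
        return val != flt["value"]
    if op == "any":
        return any(all(_matches(e, f) for f in flt["value"]) for e in (val or []))
    raise ValueError(f"unsupported op {op!r}")


def evaluate(resources, policies):
    """One finding per (policy, resource) of the policy's type where all filters match."""
    findings = []
    for pol in policies:
        for res in resources:
            if res["type"] == pol["resource"] and all(_matches(res, f) for f in pol["filters"]):
                findings.append({"policy": pol["name"], "severity": pol["severity"],
                                 "resource_id": res["id"], "type": res["type"],
                                 "account": res["account"], "region": res["region"]})
    return findings


def apply_exceptions(findings, exceptions, today):
    """Split into (active, suppressed). An exception suppresses only while
    unexpired; once its date has passed the finding surfaces again."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    active, suppressed = [], []
    for f in findings:
        exc = next((e for e in exceptions
                    if e["policy"] == f["policy"] and e["resource_id"] == f["resource_id"]
                    and date.fromisoformat(e["expires"]) >= today), None)
        (suppressed if exc else active).append({**f, "exception": exc})
    return active, suppressed


def route(findings, routes=ROUTES):
    """Group active findings by notification channel according to severity."""
    out = {}
    for f in findings:
        out.setdefault(routes.get(f["severity"], "email"), []).append(f)
    return out


def export(findings, fmt):
    """Serialise findings as JSON or CSV, the two export formats on the page."""
    cols = ["policy", "severity", "resource_id", "type", "account", "region"]
    rows = [{k: f[k] for k in cols} for f in findings]
    if fmt == "json":
        return json.dumps(rows, indent=2)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    active, muted = apply_exceptions(evaluate(RESOURCES, POLICIES), EXCEPTIONS, date.today())
    for channel, items in route(active).items():
        print(channel, [f"{f['policy']}@{f['resource_id']}" for f in items])
    print(export(active, "csv"))
```

The point of the `any` op is the false-positive the naive approach produces: two independent "port is 22" and "CIDR is 0.0.0.0/0" filters would flag `sg-0c2d` even though its only world-open rule is 443. In a real deployment the policy lives in Cloud Custodian's YAML and the exception is tracked in Delivery Shield; what carries over is the expiry check, which makes a suppressed finding reappear automatically instead of being forgotten.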

## Viewing CSPM Results in Delivery Shield

CSPM findings are surfaced in the following locations within Delivery Shield:

* **CSPM Analysis page** — full findings list organized by severity, resource type, cloud account, and region; filterable and exportable in CSV or JSON
* **Cloud Security section** — entry point with direct redirect to the CSPM Analysis page
* **Context Graph** — visual mapping of affected cloud resources, their connections, and impact radius
* **View Open Security Issues page** — CSPM findings listed alongside application-level vulnerabilities for unified risk view
* **Artifact pages** — CSPM findings tied to specific deployed services and artifacts
