CSPM (Cloud Security Posture Management) is the category of tools that continuously scans cloud environments to detect insecure configurations, drift against benchmarks and risks derived from how the infrastructure is set up, not from the applications running on top. It covers AWS, Azure, GCP, Oracle Cloud, Alibaba and, in modern versions, also managed Kubernetes clusters (EKS, AKS, GKE). It's a mature category that emerged around 2018, consolidated between 2020 and 2022 and since 2023 has been absorbed by the broader CNAPP (Cloud Native Application Protection Platform) category.
This guide explains what a CSPM actually does, what problems it detects, the frameworks it maps to, the current vendor landscape, how it fits into a realistic cloud security program and where its limits lie.
A CSPM doesn't protect the application: it protects the configuration posture the application sits on top of. If your IAM, your network or your storage are misconfigured, no upper layer makes up for that failure.
Why the CSPM category appeared
The cloud changed three basic rules compared to the traditional datacenter, and that forced the invention of a product category that didn't exist before:
- Infrastructure became configuration. What used to be cabling, racks and physical firewalls is now a Terraform file, a CloudFormation template or a click in a console. Each resource is a configuration object with hundreds of parameters, and any one of those parameters set wrong leaves an asset exposed.
- Scale exploded. A medium-sized organisation in AWS can have dozens of accounts, thousands of S3 buckets, hundreds of Lambda functions and thousands of IAM roles. Auditing this manually once a year is not viable.
- Change is continuous. Every commit can create, modify or destroy infrastructure. A point-in-time audit is obsolete within hours. The only way to keep a real view of the state is to scan continuously.
Before CSPM, the answer was internal scripts, manual audits with printed CIS Benchmarks and one-off projects with external consultancies. It worked badly and was permanently out of date. The CSPM category was born to automate exactly that cycle: inventory everything, evaluate against known rules, prioritise the critical findings and alert when something changes.
What a CSPM typically detects
The catalogue of any serious CSPM covers the same groups of findings, with variations by hyperscaler:
- Exposed storage. S3 buckets with Block Public Access disabled, Azure Storage Containers with anonymous access, GCS without uniform bucket-level access, EBS snapshots or managed disks marked as public.
- IAM with excessive permissions. Policies with `*` in `Action` or `Resource`, roles with `AdministratorAccess` assumable from external accounts, IAM users with active access keys unrotated for more than 90 days, missing MFA on the root account and on privileged users.
- Open networks. Security Groups with `0.0.0.0/0` on SSH, RDP, databases or admin protocols. NSGs with `Internet` as source, GCP firewall rules far too broad.
- Encryption disabled. Databases without encryption at rest, EBS volumes unencrypted, KMS keys without automatic rotation, secrets stored in environment variables instead of Secrets Manager or Key Vault.
- Incomplete logging. CloudTrail not enabled in all regions, missing data events, Azure Activity Logs not shipped to Log Analytics, GCP Audit Logs without Data Access layer for sensitive services.
- Account configuration. Missing root MFA, security contacts not defined, support without an incident plan, organisation without Service Control Policies.
- Exposed snapshots, images and backups. Publicly shared AMIs, RDS snapshots with open permissions, Compute Engine images accessible from other projects.
- Poorly exposed services. Lambda functions invokable without auth, API Gateway with `NONE` as authorizer, Cloud Functions with `allUsers`.
The point of a CSPM is not detecting an isolated finding, it's doing it continuously, across all accounts and all services, and keeping the inventory updated as the team ships.
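To make the finding groups above concrete, here is a small rule engine, added as an example and not taken from any CSPM vendor, that evaluates four of them (S3 Block Public Access off, IAM `*` on `*`, admin ports open to `0.0.0.0/0`, active access keys older than 90 days) over a constructed AWS-shaped inventory; the resource names, key ids and dates are made up for the example.

```python
"""Rule evaluation over a constructed, AWS-shaped inventory (added example, not vendor code)."""
from datetime import datetime, timedelta, timezone

ADMIN_PORTS = {22, 3389}  # SSH and RDP, the admin protocols from the list above

def iam_star_on_star(policy):
    """True if any Allow statement grants '*' in both Action and Resource."""
    for s in policy.get("Statement", []):
        acts, res = s.get("Action", []), s.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts  # IAM accepts a string or a list
        res = [res] if isinstance(res, str) else res
        if s.get("Effect") == "Allow" and "*" in acts and "*" in res:
            return True
    return False

def admin_port_open_to_world(sg):
    """True if an inbound rule lets 0.0.0.0/0 reach SSH or RDP."""
    for r in sg.get("IpPermissions", []):
        lo, hi = r.get("FromPort", 0), r.get("ToPort", 65535)
        world = any(ip["CidrIp"] == "0.0.0.0/0" for ip in r.get("IpRanges", []))
        if world and any(lo <= p <= hi for p in ADMIN_PORTS):
            return True
    return False

def key_unrotated(key, now, max_age_days=90):
    """True for an Active access key created more than max_age_days ago."""
    age = now - datetime.fromisoformat(key["CreateDate"])
    return key["Status"] == "Active" and age > timedelta(days=max_age_days)

def assess(inv, now):
    """Run every rule over the inventory; one (rule, resource) tuple per failing resource."""
    f = [("s3-block-public-access", b["Name"]) for b in inv["buckets"] if not b["BlockPublicAccess"]]
    f += [("iam-star-on-star", p["Name"]) for p in inv["policies"] if iam_star_on_star(p["Document"])]
    f += [("sg-admin-open-to-world", s["GroupId"]) for s in inv["security_groups"] if admin_port_open_to_world(s)]
    f += [("iam-key-unrotated", k["AccessKeyId"]) for k in inv["access_keys"] if key_unrotated(k, now)]
    return f

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
INVENTORY = {  # constructed sample data, not from a real account
    "buckets": [{"Name": "app-logs", "BlockPublicAccess": True}, {"Name": "db-backups", "BlockPublicAccess": False}],
    "policies": [
        {"Name": "ReadLogs", "Document": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-logs/*"}]}},
        {"Name": "LegacyAdmin", "Document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
    "security_groups": [
        {"GroupId": "sg-web", "IpPermissions": [{"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-bastion", "IpPermissions": [{"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
    "access_keys": [
        {"AccessKeyId": "AKIA-OLD", "Status": "Active", "CreateDate": "2025-09-01T00:00:00+00:00"},
        {"AccessKeyId": "AKIA-NEW", "Status": "Active", "CreateDate": "2025-12-01T00:00:00+00:00"}],
}
```

Running `assess(INVENTORY, NOW)` flags only `db-backups`, `LegacyAdmin`, `sg-bastion` and `AKIA-OLD`; a real CSPM does the same thing across every account and re-runs it on every change.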
Frameworks a CSPM maps to
Any serious CSPM maps its rules against a standard set of frameworks. This serves two purposes: communicating findings in a language auditors and CISOs understand, and reusing the CSPM output as compliance evidence.
- CIS Benchmarks. The de facto standard. There are specific benchmarks for AWS, Azure, GCP, Kubernetes and specific services like EKS or GKE. Every CSPM ships these benchmarks out of the box.
- AWS Well-Architected Framework. In particular the security pillar. Some vendors (Wiz, Prisma, AWS Security Hub) offer automated reviews aligned with this framework.
- Azure Security Benchmark / Cloud Adoption Framework. The Microsoft equivalent, natively integrated in Defender for Cloud.
- Google Cloud Architecture Framework. The equivalent security chapter for GCP.
- NIST 800-53. Common mapping for clients with federal requirements or that extend NIST as a corporate baseline.
- PCI DSS v4.0. Rules that cover the controls applicable to cloud infrastructure (segmentation, encryption, logging, key management).
- ISO 27001:2022. Mapping to relevant Annex A controls for cloud, in particular A.5.23 (use of cloud services), A.8.9 (configuration management) and A.8.16 (monitoring activities).
- SOC 2. Mapping to the Trust Service Criteria, particularly CC6 (logical access) and CC7 (system operations).
- HIPAA, GDPR, NIS2. Mappings available from enterprise vendors for sector or regional regulations.
The real value of these mappings is not academic: the CSPM goes from being "another tool" to being the evidence source the auditor asks for.
CSPM vs CNAPP vs CIEM vs CWPP vs CDR
The cloud security ecosystem produces a new acronym every year. The five categories that matter today:
- CSPM (Cloud Security Posture Management). Detects insecure configurations at cloud infrastructure level. The focus of this article.
- CWPP (Cloud Workload Protection Platform). Protects the workload itself: VMs, containers, serverless. Includes package vulnerabilities, runtime protection, OS hardening. Classic examples: CrowdStrike, SentinelOne, Aqua.
- CIEM (Cloud Infrastructure Entitlement Management). Specialised in analysing cloud identities and effective permissions. Detects over-permissioning, unused access, escalation paths. Started as an independent category (Ermetic, Sonrai) and is being absorbed by CNAPPs.
- CNAPP (Cloud Native Application Protection Platform). The umbrella that joins CSPM + CWPP + CIEM + IaC scanning + container protection + sometimes application security. The direction the market is going since 2022. Wiz, Prisma Cloud, Orca and Lacework are CNAPPs.
- CDR (Cloud Detection and Response). Runtime detection and response layer over cloud events. Conceptually the "EDR for cloud control plane". Vendors like Sweet Security, Gem Security and modules inside Wiz Defend.
| Category | What it protects | Status in 2026 |
|---|---|---|
| CSPM | Cloud configuration | Mature, absorbed by CNAPP |
| CWPP | Workloads (VM, container, serverless) | Mature, absorbed by CNAPP |
| CIEM | Identities and effective permissions | Sub-category, inside CNAPP |
| CNAPP | Integrated platform (all of the above) | Dominant category |
| CDR | Cloud runtime detection and response | Emerging category |
The takeaway: buying "a pure CSPM" in 2026 is the exception. Most organisations end up with a CNAPP that includes CSPM as one of its modules.
Vendor landscape 2026
The market splits into three clear blocks:
Enterprise CNAPP (CSPM integrated)
- Wiz. Recent leader of the CNAPP quadrant. Agentless model based on snapshots, strong on attack path visualisation and prioritisation by toxic combinations.
- Palo Alto Prisma Cloud. Veteran, very complete platform (CSPM, CWPP, CIEM, IaC, WAF). More complex to operate.
- CrowdStrike Falcon Cloud Security. Combines the Falcon agent with a CSPM/CNAPP module. Attractive if Falcon is already deployed on endpoints and workloads.
- Lacework. Pioneer in behavior baselines. Acquired by Fortinet in 2024.
- Orca Security. Agentless with SideScanning. Direct competitor to Wiz.
- Tenable Cloud Security (formerly Ermetic). Particularly strong on CIEM.
Hyperscaler native
- Microsoft Defender for Cloud (Defender CSPM). Multicloud version (AWS, GCP, on-prem) integrated with M365 and Sentinel. The Defender CSPM premium plan adds attack path analysis, agentless scanning and data-aware posture.
- AWS Security Hub. Native AWS service to consolidate findings (Inspector, GuardDuty, Macie, partners). Includes CIS, AWS Foundational Best Practices and PCI DSS.
- Google Cloud Security Command Center. The GCP equivalent. Premium edition includes Security Health Analytics.
Open source
For teams with technical capacity and a tight budget:
- Prowler. Open source CSPM for AWS, Azure, GCP and Kubernetes. Covers CIS, NIST, PCI, HIPAA, GDPR. SaaS version since 2024 (Prowler Cloud).
- ScoutSuite. NCC Group. Multicloud, single snapshot.
- Cloudsplaining. Salesforce. IAM policy analysis in AWS.
- CloudQuery and Steampipe. Asset inventory queryable with SQL, flexible for custom detection.
- Trivy. Aqua. Image scanner with basic CSPM for AWS and K8s.
The realistic combination for a technical SME is usually Prowler + Trivy + manual CIS benchmarks from a pipeline. For enterprise, Wiz, Prisma or Defender CSPM solve the full cycle with less operational effort.
CSPM operational workflow
The typical operating cycle of a CSPM in production has five phases:
- Discovery. The CSPM connects to the accounts/subscriptions/projects (typically via IAM role, service principal or service account) and builds the full inventory of resources. In a medium multicloud environment this can be tens to hundreds of thousands of objects.
- Assess. Evaluates each resource against active rules (CIS benchmarks, custom rules, framework mappings). Generates a massive volume of findings, especially on first run.
- Prioritize. The phase that separates a useful CSPM from a useless one. Serious prioritisation combines technical severity, real exposure (is it public? is it encrypted?), asset criticality and, in modern CNAPPs, attack paths that lead from a minor finding to a critical compromise. Tools that stay at pure CVSS generate unmanageable alert fatigue.
- Remediate. This is where organisations get stuck. Effective remediation requires clear ownership (who owns this bucket? who approves the change?), ticketing integration (Jira, ServiceNow, Linear), guardrails to avoid breaking production and SLAs by severity.
- Continuous monitoring. The CSPM runs 24/7 and alerts on new drift. Ideally integrated with a SIEM (Sentinel, Splunk, Elastic) and backed by a periodic human review (typically weekly) to validate trends.
Honest limitations of CSPM
Three limitations any rational buyer should know before signing the contract:
- Brutal alert fatigue in the first month. A medium organisation can see thousands of findings the first time it connects a CSPM. Without a dedicated team and a clear triage process, the tool ends up ignored within 90 days.
- Lack of business context. The CSPM knows that a bucket is public; it doesn't know whether it contains marketing photos (irrelevant) or database backups with PII (critical). Rigorous tagging and CMDB integration are prerequisites for prioritisation to work.
- Limited coverage of runtime and exploit. The CSPM detects that something is misconfigured, not that it's being exploited. For active detection of malicious activity you need a CDR/CWPP layer on top. An integrated CNAPP covers this; a pure CSPM does not.
CSPM and compliance reporting
The most profitable use of a CSPM in most organisations is not "finding vulnerabilities" (although it does that too), it's generating auditable evidence for certifications and regulations:
- SOC 2 Type II. The CSPM evidences controls CC6 (logical access), CC7 (monitoring) and CC8 (change management) continuously and auditably. The CSPM report, exported periodically, is the evidence the auditor asks for.
- ISO 27001:2022. Covers technical evidence for control A.5.23 (cloud), A.8.9 (configuration), A.8.16 (monitoring) and A.8.32 (change management).
- GDPR. Allows documenting the technical and organisational measures of article 32, especially for cloud processors.
- NIS2 art. 21. Risk management measures require "policies and procedures to assess the effectiveness of measures". Continuous CSPM is exactly that assessment.
- DORA. For financial entities, evidence of continuous ICT risk management over cloud providers (ICT third party risk) relies on CSPM output.
The operational trick is configuring periodic exports and framework-specific dashboards from day one. When the auditor arrives, it's not a project: it's a PDF that already exists.
Realistic implementation in SME and mid-market
Five steps to deploy a CSPM without derailing the project:
- Pilot in a single account or subscription. Before connecting the whole organisation, test the CSPM in a bounded environment (ideally real production, but with a dedicated team). Measure volume of findings, noise and usefulness.
- Define ownership before enabling alerts. Each account/subscription must have an identified technical owner. Without that, findings drop into a shared mailbox and nobody touches them.
- Integrate ticketing from day one. Jira, ServiceNow or Linear. The finding that doesn't become a ticket doesn't get remediated.
- Define SLA by severity. Critical: 48 hours. High: 7 days. Medium: 30 days. Low: quarterly or formally accepted. Without SLA, everything stays "in backlog".
- Weekly human review. A 30 minute meeting of the cloud security team to review trends, new critical findings and approved exceptions. Keeps the tool alive.
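The prioritisation phase of the workflow and the ownership and SLA steps above, as an added example that is not any vendor's logic: findings are re-rated by exposure and asset criticality instead of raw severity, assigned to an account owner and given a due date from the SLA table (critical 48 hours, high 7 days, medium 30 days, low quarterly). The scoring weights, asset tiers, owner map and sample findings are assumptions constructed for the example.

```python
"""Prioritisation and SLA tracking for CSPM findings (added example, not any vendor's logic)."""
from datetime import datetime, timedelta, timezone

BASE = {"critical": 4, "high": 3, "medium": 2, "low": 1}     # severity as reported by the tool
TIER = {"tier0": 3, "tier1": 2, "tier2": 1}                  # asset criticality, assumed to come from tags/CMDB
OWNERS = {"111111111111": "platform-team", "222222222222": "data-team"}  # constructed account -> owner map
# SLA per priority as given in the steps above; "quarterly" for low is taken as 90 days.
SLA = {"critical": timedelta(hours=48), "high": timedelta(days=7),
       "medium": timedelta(days=30), "low": timedelta(days=90)}

def score(f):
    """Tool severity, raised by real exposure, scaled by asset criticality (not pure CVSS)."""
    s = BASE[f["severity"]]
    if f.get("public"):
        s += 2            # reachable from the internet outranks an internal-only misconfig
    if f.get("encrypted") is False:
        s += 1            # unencrypted data at rest raises the blast radius
    return s * TIER.get(f.get("tier"), 1)   # untagged assets get no uplift: tagging is a prerequisite

def priority(s):
    return "critical" if s >= 12 else "high" if s >= 7 else "medium" if s >= 4 else "low"

def triage(findings, now):
    """Return findings rated, assigned and dated, highest score first."""
    out = []
    for f in findings:
        s = score(f)
        p = priority(s)
        due = f["opened"] + SLA[p]
        out.append({**f, "score": s, "priority": p, "due": due,
                    "overdue": now > due,
                    "owner": OWNERS.get(f["account"], "unassigned")})  # no owner, no remediation
    return sorted(out, key=lambda x: x["score"], reverse=True)

def opened(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = opened(2026, 1, 15)
FINDINGS = [  # constructed sample findings
    {"id": "F1", "rule": "iam-key-unrotated", "severity": "medium", "tier": "tier2",
     "account": "111111111111", "opened": opened(2026, 1, 10)},
    {"id": "F2", "rule": "s3-block-public-access", "severity": "high", "public": True,
     "encrypted": False, "tier": "tier0", "account": "222222222222", "opened": opened(2026, 1, 1)},
    {"id": "F3", "rule": "sg-admin-open-to-world", "severity": "high", "public": True,
     "tier": "tier1", "account": "333333333333", "opened": opened(2026, 1, 12)},
]
```

With `triage(FINDINGS, NOW)` the public, unencrypted tier-0 bucket comes out critical and already overdue, the open SSH group is high but lands on an account with no owner, and the medium key-rotation finding on a tier-2 asset drops to low.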
Frequently asked questions about CSPM
Is hyperscaler-native CSPM enough?
To start, yes. AWS Security Hub, Defender for Cloud (free tier) and Security Command Center (Standard) cover obvious findings and CIS mappings. The difference with a commercial CNAPP is unified multicloud coverage, attack path analysis, smart prioritisation, CIEM and CWPP integration. If the organisation lives in a single hyperscaler with low volume, native is enough. With multicloud or compliance demands, a commercial CNAPP is needed.
Wiz, Prisma Cloud or Defender CSPM, which one to pick?
Depends on context. Wiz usually wins on user experience and attack path visualisation. Prisma covers more functional breadth but demands more operations. Defender CSPM is the natural choice if the organisation already lives in the Microsoft ecosystem (Entra ID, Sentinel, M365) and wants to consolidate licensing. The three are valid; context drives the choice, not technology.
CSPM with agent or agentless?
Most modern CSPMs are agentless (Wiz, Orca, Defender CSPM in agentless mode). They connect via API and, for deep analysis, take snapshots. Instant deployment, zero performance impact. For runtime protection (CWPP) an agent is needed, but pure CSPM works better without one.
Does a CNAPP fully replace CSPM?
Functionally yes: a CNAPP includes CSPM as one of its modules. Most RFPs in 2026 directly ask for CNAPP, not pure CSPM.
Does an SME with cloud need CSPM?
If the SME has productive infrastructure on AWS, Azure or GCP and handles personal or sensitive data, yes. The forgotten public bucket or the IAM role with `*` gets discovered after the incident, not before. Reasonable options: Defender CSPM per user, open source Prowler from an in-house pipeline, or Wiz with mid-market plans.
Is CSPM ROI measurable?
Yes, on three axes: reduction of the mean time to detection of insecure configurations (from months to hours), saving on manual audit hours prior to SOC 2/ISO 27001, and incidents avoided. The useful metric for leadership is usually number of critical findings closed per month and mean time to remediation.
Related resources
- Cloud penetration testing (AWS, Azure and GCP): the offensive audit that complements CSPM with human judgement and chained findings.
- Cloud misconfiguration errors in AWS and Azure: the catalogue of findings a CSPM detects over and over.
- Kubernetes pentesting and cluster security: the container layer that modern CSPMs include.
- Serverless pentesting on AWS Lambda: the serverless angle that also falls under CSPM scope.
- What is Zero Trust: architecture and implementation: the identity and access model that modern cloud posture leans on.
Cloud security posture with Secra
At Secra we integrate CSPM output (Wiz, Prisma, Defender CSPM, Prowler) with offensive cloud audits to deliver a cloud posture view that's actually actionable: the CSPM covers breadth and continuity, the pentest validates which findings are truly exploitable. If you want a posture review on your AWS accounts, Azure subscriptions or GCP projects, or help deploying and operating a CSPM in an SME or mid-market organisation, reach us through contact and we'll come back with a first assessment.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.