Cloud Security Posture Management (CSPM) continuously scans live cloud environments to detect misconfigurations, risky IAM permissions, and compliance gaps. Unlike IaC scanning, which catches issues before deployment, CSPM monitors what is actually running. Key checks include public S3 buckets, over-permissive IAM roles, network misconfigurations, and missing logging. Tools can be agentless (API-based) or agent-based, each with trade-offs. Open-source options like Prowler offer quick CLI-based audits, while commercial platforms add multi-cloud support, dashboards, and compliance reporting. A practical checklist covers scoping accounts, choosing a deployment model, running baseline scans, and integrating findings into triage workflows. CSPM has limitations: it finds misconfigurations but not all runtime attacks, so it works best combined with IaC scanning, runtime monitoring, and incident response.

7 min read. From aikido.dev
Table of contents

Why CSPM matters (and how it differs from IaC scanning)
What CSPM tools look for
Agent vs agentless: deployment models and trade-offs
Tools in the wild: open source and commercial options
From assets to action: visibility, search, and custom rules
Practical checklist: getting started with CSPM
Limitations and what CSPM won't do
Final thoughts
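To make the "key checks" in the summary concrete, here is a small, added example (not code from aikido.dev or from any CSPM product) of the policy-evaluation logic behind two of them: a public S3 bucket policy and an over-permissive IAM role. The policy documents are constructed samples; a real agentless CSPM tool would fetch them through the cloud provider's APIs instead.

```python
import json

# Constructed sample policies (not from any real account).
PUBLIC_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")
ADMIN_ROLE_POLICY = {"Version": "2012-10-17",
                     "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
TIGHT_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Sid": "ReadOneTable", "Effect": "Allow",
                               "Action": ["dynamodb:GetItem", "dynamodb:Query"],
                               "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"}]}

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    """True when the statement applies to anyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def find_policy_findings(policy: dict) -> list[str]:
    """Return findings for risky Allow statements in one policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; not a misconfiguration here
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        # A public principal is only reported when no Condition narrows it
        # (a VPC-endpoint or source-IP condition can keep the bucket private).
        if _is_public_principal(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"{sid}: grants access to a public principal (*)")
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"{sid}: wildcard action(s) {wild}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: applies to all resources (*)")
    return findings

if __name__ == "__main__":
    for name, pol in [("bucket", PUBLIC_BUCKET_POLICY), ("role", ADMIN_ROLE_POLICY),
                      ("tight", TIGHT_POLICY)]:
        print(name, find_policy_findings(pol) or ["no findings"])
```

Wildcard actions and wildcard resources are reported separately so a statement such as `s3:*` on one bucket is still surfaced, while a full `*`/`*` role produces both findings.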
