implementing-cloud-vulnerability-posture-management

# Implementing Cloud Vulnerability Posture Management

## Overview

Cloud Security Posture Management (CSPM) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks. Unlike traditional vulnerability scanning, CSPM focuses on cloud-native risks: IAM over-permissions, exposed storage buckets, unencrypted data, missing network controls, and service misconfigurations. This skill covers multi-cloud CSPM using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite.


## When to Use

- When deploying or configuring implementing cloud vulnerability posture management capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation

## Prerequisites

- AWS CLI configured with SecurityAudit IAM policy
- Azure CLI with Security Reader role
- Python 3.9+ with `boto3`, `azure-identity`, `azure-mgmt-security`
- Prowler (https://github.com/prowler-cloud/prowler)
- ScoutSuite (https://github.com/nccgroup/ScoutSuite)

## AWS Security Hub

### Enable Security Hub
```bash
# Enable AWS Security Hub with default standards
aws securityhub enable-security-hub \
  --enable-default-standards \
  --region us-east-1

# Enable specific standards
aws securityhub batch-enable-standards \
  --standards-subscription-requests \
    '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}' \
    '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"}'

# Get findings summary
aws securityhub get-findings \
  --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
  --max-items 10
```

### Security Hub Standards
| Standard | Description |
|----------|------------|
| AWS Foundational Security Best Practices | AWS-recommended baseline controls |
| CIS AWS Foundations Benchmark 1.4 | CIS hardening requirements |
| PCI DSS v3.2.1 | Payment card industry controls |
| NIST SP 800-53 Rev 5 | Federal security controls |

## Azure Defender for Cloud

### Enable Defender CSPM
```bash
# Enable Defender for Cloud free tier
az security pricing create \
  --name CloudPosture \
  --tier standard

# Check secure score
az security secure-score list \
  --query "[].{Name:displayName,Score:current,Max:max}" \
  --output table

# Get security recommendations
az security assessment list \
  --query "[?status.code=='Unhealthy'].{Name:displayName,Severity:metadata.severity,Resource:resourceDetails.id}" \
  --output table

# Get alerts
az security alert list \
  --query "[?status=='Active'].{Name:alertDisplayName,Severity:severity,Time:timeGeneratedUtc}" \
  --output table
```

## Open-Source: Prowler

### Installation and Execution
```bash
# Install Prowler
pip install prowler

# Run full AWS scan
prowler aws --output-formats json-ocsf,csv,html

# Run specific checks
prowler aws --checks s3_bucket_public_access iam_root_mfa_enabled ec2_sg_open_to_internet

# Run against specific AWS profile and region
prowler aws --profile production --region us-east-1 --output-formats json-ocsf

# Run CIS Benchmark compliance check
prowler aws --compliance cis_1.5_aws

# Run PCI DSS compliance
prowler aws --compliance pci_3.2.1_aws

# Scan Azure environment
prowler azure --subscription-ids "sub-id-here"

# Scan GCP environment
prowler gcp --project-ids "project-id-here"
```

### Prowler Check Categories
| Category | Examples |
|----------|---------|
| IAM | Root MFA, password policy, access key rotation |
| S3 | Public access, encryption, versioning |
| EC2 | Security groups, EBS encryption, metadata service |
| RDS | Public access, encryption, backup retention |
| CloudTrail | Enabled, encrypted, log validation |
| VPC | Flow logs, default SG restrictions |
| Lambda | Public access, runtime versions |
| EKS | Public endpoint, secrets encryption |

## Open-Source: ScoutSuite

```bash
# Install ScoutSuite
pip install scoutsuite

# Run AWS assessment
scout aws --profile production

# Run Azure assessment
scout azure --cli

# Run GCP assessment
scout gcp --project-id my-project

# Results available as interactive HTML report
# Open scout-report/report.html in browser
```

## Multi-Cloud Aggregation

```python
import json
import subprocess
from datetime import datetime, timezone

def run_prowler_scan(provider, output_dir, compliance=None):
    """Run Prowler scan for a cloud provider."""
    cmd = ["prowler", provider, "--output-formats", "json-ocsf",
           "--output-directory", output_dir]
    if compliance:
        cmd.extend(["--compliance", compliance])
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=3600)
    return result.returncode == 0

def aggregate_findings(prowler_dirs):
    """Aggregate findings from multiple Prowler scans."""
    all_findings = []
    for scan_dir in prowler_dirs:
        json_files = list(Path(scan_dir).glob("*.json"))
        for jf in json_files:
            with open(jf, "r") as f:
                for line in f:
                    try:
                        finding = json.loads(line.strip())
                        all_findings.append(finding)
                    except json.JSONDecodeError:
                        continue
    # Sort by severity
    severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
    all_findings.sort(key=lambda f: severity_order.get(
        f.get("severity", "informational").lower(), 5
    ))
    return all_findings

def generate_posture_report(findings, output_path):
    """Generate cloud security posture report."""
    report = {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "total_findings": len(findings),
        "by_severity": {},
        "by_provider": {},
        "by_service": {},
    }
    for f in findings:
        sev = f.get("severity", "unknown")
        provider = f.get("cloud_provider", "unknown")
        service = f.get("service_name", "unknown")
        report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
        report["by_provider"][provider] = report["by_provider"].get(provider, 0) + 1
        report["by_service"][service] = report["by_service"].get(service, 0) + 1

    with open(output_path, "w") as f:
        json.dump(report, f, indent=2)
    return report
```

## References

- [AWS Security Hub](https://aws.amazon.com/security-hub/)
- [Azure Defender for Cloud](https://learn.microsoft.com/en-us/azure/defender-for-cloud/)
- [Prowler](https://github.com/prowler-cloud/prowler)
- [ScoutSuite](https://github.com/nccgroup/ScoutSuite)
- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks)