Reduce your attack surface and prevent risk of cloud data security breaches by assessing the overall security posture of your entire cloud environment against best practices and compliance standards using our CloudSecurity Posture Management (CSMP).
What is CSPM?
Cloud Security Posture Management (CSPM) is a cybersecurity approach that focuses on continuously monitoring and improving the security of cloud resources and configurations. CSPM tools automate the process of assessing cloud environments, verifying that cloud configurations follow security best practices and compliance standards such as ISO, CIS AWS, SOC 2, PCI, and HIPAA frameworks. This provides organizations with real-time visibility, proactive risk mitigation, and the ability to maintain a strong security posture across their cloud deployments. As companies increasingly move to the cloud, CSPM has become a necessary aspect of security insights.
How It Works
Our CSPM solution is based on an agent that runs in the customer’s cloud environment. The CSPM agent performs tests to assess the security posture – checking if the current cloud setting is aligned with the recommended best practice or not. The test results are then sent to Coralogix to be displayed in the Coralogix Security UI.
In order to set up CSPM, you will be required to take the following steps:
Configure settings, including scanning and environment settings, as well as those designed to send scanning results to Coralogix for visualization in your dashboard.
Supported Services
Below you can find a list of the services that we currently support.
2. In each of the AWS accounts where resources to scan exist (including the account where the CSPM agent will be deployed, if it contains resources to be scanned):
a. Go to AWS IAM and select the role created in STEP 1 above.
b. In the Trust Relationships tab, add this section while pasting the Role ARN copied from STEP 2.1.b above into the “AWS” field:
4 GiB RAM (To scan large cloud environments with 1000+ resources, use 8 GiB RAM or more.)
2+ CPU cores
Installation
STEP 1. Access a virtual machine (such as an AWS EC2 instance) sized according to the guidelines in the prerequisites. Obtain terminal access (for example via SSH).
STEP 3. This step will vary depending on whether you are using AWS or GCP.
For AWS:
Select the EC2 instance. Click Actions > Security > Modify IAM role.
To scan resources in the same account as the EC2 instance, select the role created in STEP 1 in Create Roles > AWS section above.
To only scan resources in an account other than where the EC2 instance is deployed, select the role created in STEP 2.2 in the Create Roles > AWS section above.
STEP 5. Run the following command in a terminal from the folder within which the local.yaml file is located:
docker run -d -v ./local.yaml:/cxa/config/local.yaml -e RUST_LOG=info coralogixrepo/cspm-agent:latest
Notes:
For AWS, if the same CSPM agent is used for scanning resources in multiple AWS accounts, repeat STEP 4 and STEP 5 for each AWS account you wish to scan.
Use a different name for the configuration file for each AWS account (e.g. local-myaccount.yaml, local-myaccount1.yaml, local-myaccount2.yaml, etc.)
STEP 3. This step will vary depending on whether you are using AWS or GCP.
ForAWS:
Attach the role to the cluster by following these steps.
Open the Amazon EKS console and select your cluster.
Select Configuration in the left-hand navigation pane.
Select Security in the cluster details page.
Under Service account settings, select Add or remove IAM roles from service accounts.
Select the relevant namespace and service account.
Choose Add IAM role and select this role:
To scan resources in the same account as the cluster, select the role created in STEP 1 in the Create Roles > AWS section above.
To only scan resources in an account other than where the cluster is deployed, select the role created in STEP 2.2 in the Create Roles > AWS section above.
Save the changes.
For GCP:
Create a GKE node pool and attach the service account by following these steps.
Configure other settings for the node pool as per your requirements.
Click Create to create the node pool.
STEP 4. Save the default configuration file as local.yaml in the same directory in which the cspm-agent.yaml file is saved. Configure the local.yaml file as follows:
Configure the relevant sections for the resources you wish to scan:
STEP 6. To stay up to date with the latest agent version, use a script to automatically rerun these commands periodically. It will automatically update the running agent when a newer version is released.
We recommend verifying each new version in a staging environment before updating it in production.
Run the above script daily as a cron job or use your favorite CI/CD platform to only update minor versions.
For AWS, if the same CSPM agent is used for scanning resources in multiple AWS accounts, repeat STEP 4 and STEP 5 for each AWS account you wish to scan.
Use a different name for the configuration file for each AWS account (e.g. local-myaccount.yaml).
Configuration
A configuration file is used to define scanning and environment settings essential for the CSPM agent. Download the default configuration file and save it locally as instructed above. The configuration will vary depending on whether AWS, GCP, or GitHub is used. Once complete, configure the Coralogix section to send the scanning results to be displayed in your Coralogix dashboard.
AWS Configuration
Unmark the AWS section and configure the relevant keys:
# AWS
aws:
# Default region
region: "eu-west-1"
# Retries in case the AWS API fails
retries: 100
# Optional role to use for querying the data
iam_role: "my-role"
# Regions to include for testers
include_regions: [ "sa-east-1", "us-east-2", "us-west-1", "us-west-2" ]
# In cross account access settings, test results from this master account are going to be skipped
master_account_id: 123456789012
Key
Description
region
Fill in the AWS region where the CSPM agent is deployed (even if the agent is not expected to scan the AWS account where it is deployed)
retries
Select the number of scan retries in case of failure.
iam_role
Optional: for scanning resources in a different AWS account, fill in the Role ARN copied in [STEP 2.2.c in the Create Roles > AWS section above].
include_regions
[Optional] List all AWS regions of resources to scan, in addition to the “region” specified above, if any.
master_account_id
[Optional] For scanning resources in a different AWS account, fill in the AWS account ID where the CSPM agent is deployed.
GCP Configuration
Unmark the GCP section and configure the relevant keys:
For each service account created in Create Roles > GCP section above, fill in the relevant section according to the level where the service account was created (Google organization, folder or project):
client_email : the email identifier of the service account
For multiple service accounts in the same level (Google organization, folder or project), duplicate the section starting with “-”. Make sure to keep the same structure and spaces.
Remove the redundant sections with no service accounts in that level.
postgres_max_connections : For scanning Postgres DB resource, set the maximum number of connections that the CSPM agent would initiate to a Postgres DB in parallel.
sql_server_user_connections : For scanning SQL Server resource, set the maximum number of connections that the CSPM agent would initiate to an SQL Server in parallel.
organization_email_domain : Fill in the organization’s email domain. The CSPM tests will use this to identify external users.
storage_bucket_retention_period : Fill in the expected retention period in seconds for storage buckets. The CSPM tests will verify that this retention period is enforced.
GitHub Configuration
Unmark the GitHub section and configure the relevant keys:
# GitHub
github:
# GitHub (classic) private access token. The required permissions are:
# read:audit_log, read:enterprise, read:gpg_key, read:org, read:project, read:public_key, read:repo_hook, read:ssh_signing_key, read:user, repo, user:email
token: "ghp_99eiK0RNNRgYwLK8UT34PZybr1nDZoR"
# Which (GitHub) organizations to include in the testing. Note that the account has to have "owner" permissions for some testers.
orgs: ["my-org"]
Fill in all the organization names you wish to scan.
Coralogix Configuration
Configure the Coralogix section to send the scanning results to be displayed in Coralogix:
### CORALOGIX
# Coralogix connection configuration
###
coralogix:
# gRPC endpoint of the Coralogix cluster. Check the docs <https://coralogix.com/docs/cloud-security-posture-cspm/>
grpc_endpoint: https://ng-api-grpc.<coralogix-domain>
# logs endpoint of the Coralogix cluster. Check the docs <https://coralogix.com/docs/coralogix-domain/>
logs_endpoint: https://ingress.<coralogix-domain>
# Your Coralogix private key
api_key: 877E1EB0-EBE2-4EEF-9170-9B418F98F654
# Meta data application name for Coralogix
application_name: MyApplication
# Meta data subsystem name for Coralogix
subsystem_name: MySubsystem
# If true doesn't actually send the data
dry_run: true
Key
Description
grpc_endpoint
Update the <coralogix-domain> in the URL using your Coralogix domain.
logs_endpoint
Update the <coralogix-domain> in the URL using your Coralogix domain. The CSPM agent sends the scanning results to this URL.
Metadata fields that will be added to the results displayed in your Coralogix dashboard and will allow you to filter.
dry_run
false: Results sent to Coralogix true: For debugging mode, scan the resources without sending the logs to Coralogix.
Scanning
Coralogix triggers a scan, referred to as a run, by default every 24 hours. You can change this setting by navigating to Security in your Coralogix toobar, after logging into your Coralogix instance. Click on SCAN SETTINGS in the upper right-hand corner.
Oh no!We didn’t find anything for “”,
