Reduce your attack surface and prevent the risk of cloud data security breaches by assessing the overall security posture of your entire cloud environment against best practices and compliance standards using our Cloud Security Posture Management (CSPM).
Cloud Security Posture Management (CSPM) is a cybersecurity approach that focuses on continuously monitoring and improving the security of cloud resources and configurations. CSPM tools automate the process of assessing cloud environments, verifying that cloud configurations follow security best practices and compliance standards such as the ISO, CIS AWS, SOC 2, PCI, and HIPAA frameworks. This gives organizations real-time visibility, proactive risk mitigation, and the ability to maintain a strong security posture across their cloud deployments. As companies increasingly move to the cloud, CSPM has become an essential source of security insight.
Our CSPM solution is based on an agent that runs in the customer’s cloud environment. The CSPM agent performs tests to assess the security posture – checking if the current cloud setting is aligned with the recommended best practice or not. The test results are then sent to Coralogix to be displayed in the Coralogix Security UI.
In order to set up CSPM, you will be required to take the following steps:
Below you can find a list of the services that we currently support.
Create roles to grant relevant permissions to scan resources necessary for the CSPM agent.
STEP 1. In each AWS account containing resources to scan, go to AWS IAM and create a role with these permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CSPM",
      "Effect": "Allow",
      "Action": [
        "access-analyzer:Get*",
        "access-analyzer:List*",
        "acm:Describe*",
        "apigateway:Get*",
        "application-autoscaling:Describe*",
        "autoscaling-plans:Describe*",
        "autoscaling-plans:GetScalingPlanResourceForecastData",
        "autoscaling:Describe*",
        "autoscaling:GetPredictiveScalingForecast",
        "cloudformation:BatchDescribeTypeConfigurations",
        "cloudformation:Describe*",
        "cloudformation:DetectStack*",
        "cloudformation:EstimateTemplateCost",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:ValidateTemplate",
        "cloudfront:DescribeFunction",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudtrail:Describe*",
        "cloudtrail:Get*",
        "cloudtrail:List*",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "dms:Describe*",
        "ec2:Describe*",
        "ec2:ExportClientVpn*",
        "ec2:Get*",
        "ec2:List*",
        "ec2:Search*",
        "ec2messages:Get*",
        "eks:Describe*",
        "eks:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:Get*",
        "elasticmapreduce:List*",
        "elasticmapreduce:ViewEventsFromAllClustersInConsole",
        "emr-containers:Describe*",
        "emr-containers:List*",
        "emr-serverless:Get*",
        "emr-serverless:List*",
        "es:Describe*",
        "es:Get*",
        "es:List*",
        "iam:Generate*",
        "iam:Get*",
        "iam:List*",
        "iam:Simulate*",
        "imagebuilder:Get*",
        "imagebuilder:List*",
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "lambda:Get*",
        "lambda:List*",
        "network-firewall:Describe*",
        "network-firewall:List*",
        "organizations:Describe*",
        "organizations:List*",
        "rds:Describe*",
        "redshift:Describe*",
        "redshift:List*",
        "redshift:ViewQueries*",
        "rolesanywhere:Get*",
        "rolesanywhere:list*",
        "route53:Get*",
        "route53:List*",
        "route53:TestDNSAnswer",
        "route53domains:CheckDomain*",
        "route53domains:Get*",
        "route53domains:List*",
        "route53domains:ViewBilling",
        "s3:Describe*",
        "s3:List*",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketPolicyStatus",
        "s3:GetEncryptionConfiguration",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketLogging",
        "s3:GetBucketVersioning",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "servicequotas:Get*",
        "servicequotas:List*",
        "ses:Describe*",
        "ses:Get*",
        "ses:List*",
        "sqs:Get*",
        "sqs:List*",
        "ssm:Describe*",
        "ssm:Get*",
        "ssm:List*",
        "sts:Get*",
        "tag:Get*",
        "waf-regional:Get*",
        "waf-regional:List*",
        "waf:Get*",
        "waf:List*",
        "wafv2:Describe*",
        "wafv2:Get*",
        "wafv2:List*",
        "elasticfilesystem:List*",
        "elasticfilesystem:Get*",
        "backup:List*",
        "backup:Get*",
        "redshift:Describe*",
        "redshift:ViewQueriesInConsole"
      ],
      "Resource": "*"
    }
  ]
}
```
STEP 2. If the CSPM agent will be deployed in a different AWS account than your resources, follow this step.
1. In the AWS account where the CSPM agent is deployed:
a. Go to AWS IAM and create a role with this permission. In the “Resource” field, specify the Role ARN of all roles created in STEP 1 above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CSPM",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::111222333444:role/MyRole1",
        "arn:aws:iam::111222333455:role/MyRole2"
      ]
    }
  ]
}
```
b. Copy the Role ARN to be used below.
2. In each of the AWS accounts where resources to scan exist (including the account where the CSPM agent will be deployed, if it contains resources to be scanned):
a. Go to AWS IAM and select the role created in STEP 1 above.
b. In the Trust Relationships tab, add this section while pasting the Role ARN copied from STEP 2.1.b above into the “AWS” field:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111222333444:role/MyRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
c. Copy the Role ARN of this role to be used in the CSPM agent configuration file below.
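The two policies above are the entire blast radius of the CSPM agent, so they deserve a least-privilege check before the role is handed over: the permission policy should contain only read-level actions, and each scan role's trust policy should admit only the single agent role ARN, not `*` and not a whole account. The linter below is an added example, not Coralogix code; it reads the policy JSON, accepts only actions whose names start with the read-only prefixes used on this page (Get, List, Describe, Lookup, Simulate and so on), and flags wildcards, write actions, and over-broad principals. The sample policies are constructed: a subset of the page's scan policy with one write action (`s3:PutBucketPolicy`) added to show it being caught, plus a good and a bad trust policy.

```python
"""Least-privilege lint for the CSPM scan role (added example, not Coralogix code).

Checks two things before the role is handed to the agent:
  1. the permission policy contains only read-level actions (no write or
     mutate actions and no service-wide wildcards), and
  2. the trust policy lets sts:AssumeRole be called only by the specific
     agent role ARN, never by '*' or by a whole account (':root').
"""
import json
import re

# Action-name prefixes accepted as read-only.  Every action in the scan-role
# policy on this page starts with one of these (Get*, List*, Describe*, ...).
READ_ONLY_PREFIXES = tuple(p.lower() for p in (
    "Get", "List", "Describe", "BatchDescribe", "Detect", "Estimate",
    "Validate", "Lookup", "Export", "Search", "View", "Generate",
    "Simulate", "Test", "Check",
))

ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9*]+)$")


def _as_list(value):
    """IAM allows a string or a list in Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_scanner_policy(policy):
    """Return findings for every allowed action that is not read-only (empty list = clean)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append("full wildcard action '*' grants every API")
                continue
            match = ACTION_RE.match(action)
            if not match:
                findings.append(f"unparseable action {action!r}")
                continue
            _service, name = match.groups()
            if name == "*":
                findings.append(f"service-wide wildcard {action!r} includes write actions")
            elif not name.lower().startswith(READ_ONLY_PREFIXES):  # IAM action names are case-insensitive
                findings.append(f"non-read-only action {action!r}")
    return findings


def lint_trust_policy(trust_policy, agent_role_arn):
    """Return findings for AssumeRole grants to anyone other than the agent role."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("Principal '*' lets any AWS identity assume the scan role")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*" or arn.endswith(":root"):
                findings.append(f"principal {arn!r} is broader than the single agent role")
            elif arn != agent_role_arn:
                findings.append(f"unexpected principal {arn!r}")
    return findings


# Constructed sample: a subset of the page's scan-role policy plus one
# write action (s3:PutBucketPolicy) slipped in to show it gets flagged.
SCANNER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "CSPM", "Effect": "Allow", "Resource": "*", "Action": [
    "access-analyzer:Get*", "cloudtrail:LookupEvents", "ec2:ExportClientVpn*",
    "iam:Generate*", "iam:Simulate*", "rolesanywhere:list*",
    "route53domains:CheckDomain*", "s3:GetBucketPolicy", "s3:PutBucketPolicy"
  ]}]
}""")

AGENT_ROLE_ARN = "arn:aws:iam::111222333444:role/MyRole"  # sample ARN as shown on the page

# Trust policy as the page shows it (good) and a constructed variant that
# trusts the whole agent account instead of the single role (bad).
TRUST_POLICY_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": AGENT_ROLE_ARN}, "Action": "sts:AssumeRole"}]}
TRUST_POLICY_BAD = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111222333444:root"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for finding in lint_scanner_policy(SCANNER_POLICY):
        print("scan policy:", finding)
    for finding in lint_trust_policy(TRUST_POLICY_BAD, AGENT_ROLE_ARN):
        print("trust policy:", finding)
```

Run it against the real policy documents exported from IAM (`aws iam get-role` / `get-role-policy` output) before attaching them; a clean run on the scan policy plus an empty result for each trust policy is the expected state. Note that `iam:Generate*` (credential reports) and `ec2:ExportClientVpn*` are accepted because they only produce reports of existing state, matching the page's policy.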
STEP 1. Create a service account with the following permissions in the Google organization, folder, or project in which you have resources to scan.
```text
apikeys.keys.list
bigquery.datasets.get
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.keyRings.list
cloudsql.instances.get
cloudsql.instances.list
compute.firewalls.list
compute.instances.list
compute.networks.list
compute.projects.get
compute.regions.get
compute.regions.list
compute.sslPolicies.get
compute.subnetworks.list
compute.targetHttpsProxies.list
container.clusters.list
dns.managedZones.get
dns.managedZones.list
iam.serviceAccountKeys.list
iam.serviceAccounts.list
logging.logMetrics.list
monitoring.alertPolicies.list
monitoring.notificationChannels.get
monitoring.notificationChannels.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
compute.zones.list
```
STEP 2. Copy the email addresses of the service accounts you created, to be used in the CSPM agent configuration file.
STEP 1. Define a user as the owner for all of the organizations you wish to scan, while following this procedure.
STEP 2. Create a personal access token (classic) for this user. Grant the following scopes to this new token:
`read:audit_log` `read:enterprise` `read:gpg_key` `read:org` `read:project` `read:public_key` `read:repo_hook` `read:ssh_signing_key` `read:user` `repo` `user:email`
The following are minimum hardware requirements:
STEP 1. Access a virtual machine (such as an AWS EC2 instance) sized according to the guidelines in the prerequisites. Obtain terminal access (for example via SSH).
STEP 2. Install Docker.
STEP 3. This step will vary depending on whether you are using AWS or GCP.
For AWS:
For GCP:
STEP 4. Save the default configuration file as local.yaml in a local directory on the EC2 instance.
STEP 5. Run the following command in a terminal from the folder in which the local.yaml file is located:

```bash
docker run -d -v ./local.yaml:/cxa/config/local.yaml -e RUST_LOG=info coralogixrepo/cspm-agent:latest
```
Notes:
local-myaccount.yaml, local-myaccount1.yaml, local-myaccount2.yaml, etc.

STEP 1. Install kubectl.
STEP 2. Save this file as cspm-agent.yaml in the current directory:
STEP 3. This step will vary depending on whether you are using AWS or GCP.
For AWS:
Attach the role to the cluster by following these steps.
For GCP:
Create a GKE node pool and attach the service account by following these steps.
STEP 4. Save the default configuration file as local.yaml in the same directory in which the cspm-agent.yaml file is saved. Configure the local.yaml file as follows:
STEP 5. Run the following commands from the directory where the cspm-agent.yaml and local.yaml files are saved:

```bash
kubectl create configmap cspm-config --from-file=./local.yaml
kubectl apply -f cspm-agent.yaml
```
STEP 6. To stay up to date with the latest agent version, use a script to automatically rerun these commands periodically. It will automatically update the running agent when a newer version is released.
Notes:
local-myaccount.yaml

A configuration file is used to define the scanning and environment settings essential for the CSPM agent. Download the default configuration file and save it locally as instructed above. The configuration varies depending on whether AWS, GCP, or GitHub is used. Once complete, configure the Coralogix section to send the scanning results to be displayed in your Coralogix dashboard.
Unmark the AWS section and configure the relevant keys:
```yaml
# AWS
aws:
  # Default region
  region: "eu-west-1"
  # Retries in case the AWS API fails
  retries: 100
  # Optional role to use for querying the data
  iam_role: "my-role"
  # Regions to include for testers
  include_regions: [ "sa-east-1", "us-east-2", "us-west-1", "us-west-2" ]
  # In cross account access settings, test results from this master account are going to be skipped
  master_account_id: 123456789012
```
Key | Description |
---|---|
region | Fill in the AWS region where the CSPM agent is deployed (even if the agent is not expected to scan the AWS account where it is deployed). |
retries | Select the number of scan retries in case of failure. |
iam_role | Optional: for scanning resources in a different AWS account, fill in the Role ARN copied in STEP 2.2.c in the Create Roles > AWS section above. |
include_regions | [Optional] List all AWS regions of resources to scan, in addition to the “region” specified above, if any. |
master_account_id | [Optional] For scanning resources in a different AWS account, fill in the AWS account ID where the CSPM agent is deployed. |
Unmark the GCP section and configure the relevant keys:
```yaml
# GCP
gcp:
  organization_configs:
    - organization_id: my-org-id
      organization_number: 123456789123
      client_email: "***"
  folder_configs:
    - folder_id: my-folder-id
      folder_number: 123456789123
      client_email: "***"
  project_configs:
    - project_id: my-project-id
      project_number: 123456789123
      client_email: "***"
  postgres_max_connections: "100"
  sql_server_user_connections: "100"
  # Your organization's email domain
  organization_email_domain: "coralogix.com"
  # Duration in seconds
  storage_bucket_retention_period: 86400
```
Key | Description |
---|---|
organization_id / folder_id / project_id | The ID of the organization, folder, or project to scan. |
organization_number / folder_number / project_number | The numeric identifier of the organization, folder, or project to scan. |
client_email | The email identifier of the service account. |
postgres_max_connections | For scanning Postgres DB resources, set the maximum number of connections that the CSPM agent will initiate to a Postgres DB in parallel. |
sql_server_user_connections | For scanning SQL Server resources, set the maximum number of connections that the CSPM agent will initiate to an SQL Server in parallel. |
organization_email_domain | Fill in the organization’s email domain. The CSPM tests use this to identify external users. |
storage_bucket_retention_period | Fill in the expected retention period in seconds for storage buckets. The CSPM tests verify that this retention period is enforced. |

Unmark the GitHub section and configure the relevant keys:
```yaml
# GitHub
github:
  # GitHub (classic) private access token. The required permissions are:
  # read:audit_log, read:enterprise, read:gpg_key, read:org, read:project, read:public_key, read:repo_hook, read:ssh_signing_key, read:user, repo, user:email
  token: "ghp_99eiK0RNNRgYwLK8UT34PZybr1nDZoR"
  # Which (GitHub) organizations to include in the testing. Note that the account has to have "owner" permissions for some testers.
  orgs: ["my-org"]
```
Key | Description |
---|---|
token | Fill in the token created in STEP 2 in the Create Roles > GitHub section above. |
orgs | Fill in all the organization names you wish to scan. |
Configure the Coralogix section to send the scanning results to be displayed in Coralogix:
```yaml
### CORALOGIX
# Coralogix connection configuration
###
coralogix:
  # gRPC endpoint of the Coralogix cluster. Check the docs <https://coralogix.com/docs/cloud-security-posture-cspm/>
  grpc_endpoint: https://ng-api-grpc.<coralogix-domain>
  # logs endpoint of the Coralogix cluster. Check the docs <https://coralogix.com/docs/coralogix-domain/>
  logs_endpoint: https://ingress.<coralogix-domain>
  # Your Coralogix private key
  api_key: 877E1EB0-EBE2-4EEF-9170-9B418F98F654
  # Meta data application name for Coralogix
  application_name: MyApplication
  # Meta data subsystem name for Coralogix
  subsystem_name: MySubsystem
  # If true doesn't actually send the data
  dry_run: true
```
Key | Description |
---|---|
grpc_endpoint | Update the <coralogix-domain> in the URL using your Coralogix domain. |
logs_endpoint | Update the <coralogix-domain> in the URL using your Coralogix domain. The CSPM agent sends the scanning results to this URL. |
api_key | Your Coralogix Send-Your-Data API key |
application_name / subsystem_name | Metadata fields that will be added to the results displayed in your Coralogix dashboard and will allow you to filter. |
dry_run | `false`: results are sent to Coralogix. `true`: debugging mode, scan the resources without sending the results to Coralogix. |
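Most "the dashboard is empty" tickets for an agent like this trace back to local.yaml rather than to the cloud side: a `<coralogix-domain>` placeholder left in an endpoint, `dry_run` still `true` from the default file, an empty API key, or a bare role name where the table above asks for a Role ARN. The pre-flight check below is an added example, not Coralogix code. It assumes the file has already been parsed with a YAML loader such as PyYAML's `yaml.safe_load()` and runs its checks on the resulting dict, so it has no third-party dependency; the "include_regions repeats region" check follows the table's wording that `include_regions` lists regions in addition to `region`. Both sample configs are constructed.

```python
"""Pre-flight checks for the CSPM agent's local.yaml (added example, not Coralogix code).

Assumes the file has already been parsed (e.g. yaml.safe_load(open("local.yaml")))
and checks the resulting dict for the mistakes that silently produce an empty
dashboard: placeholders left in the endpoints, dry_run still true, an empty
API key, a bare role name instead of a Role ARN, or no provider section at all.
"""

ROLE_ARN_PREFIX = "arn:aws:iam::"
DOMAIN_PLACEHOLDER = "<coralogix-domain>"


def preflight(config):
    """Return a list of findings; an empty list means the config is ready to deploy."""
    findings = []

    providers = [p for p in ("aws", "gcp", "github") if config.get(p)]
    if not providers:
        findings.append("no provider section (aws, gcp or github) is configured")

    aws = config.get("aws") or {}
    if aws:
        if not aws.get("region"):
            findings.append("aws.region is required (the region the agent runs in)")
        iam_role = aws.get("iam_role")
        if iam_role and not str(iam_role).startswith(ROLE_ARN_PREFIX):
            findings.append(f"aws.iam_role {iam_role!r} is not a Role ARN (expected arn:aws:iam::<account>:role/<name>)")
        if aws.get("region") in (aws.get("include_regions") or []):
            findings.append(f"aws.include_regions repeats aws.region {aws['region']!r}")

    github = config.get("github") or {}
    if github:
        if not github.get("orgs"):
            findings.append("github.orgs is empty; nothing would be scanned")
        if not str(github.get("token", "")).startswith("ghp_"):
            findings.append("github.token does not look like a classic personal access token (ghp_...)")

    cx = config.get("coralogix") or {}
    for key in ("grpc_endpoint", "logs_endpoint"):
        if DOMAIN_PLACEHOLDER in str(cx.get(key, "")):
            findings.append(f"coralogix.{key} still contains the {DOMAIN_PLACEHOLDER} placeholder")
    if not cx.get("api_key"):
        findings.append("coralogix.api_key is empty")
    if cx.get("dry_run") is True:
        findings.append("coralogix.dry_run is true: resources are scanned but no results are sent")

    return findings


# Constructed sample mirroring the page's default file with the AWS section
# unmarked and the Coralogix placeholders still in place.
DEFAULT_CONFIG = {
    "aws": {
        "region": "eu-west-1",
        "retries": 100,
        "iam_role": "my-role",
        "include_regions": ["eu-west-1", "us-east-2"],
        "master_account_id": 123456789012,
    },
    "coralogix": {
        "grpc_endpoint": "https://ng-api-grpc.<coralogix-domain>",
        "logs_endpoint": "https://ingress.<coralogix-domain>",
        "api_key": "",
        "application_name": "MyApplication",
        "subsystem_name": "MySubsystem",
        "dry_run": True,
    },
}

# The same config after the placeholders are filled in (all values constructed).
READY_CONFIG = {
    "aws": {
        "region": "eu-west-1",
        "retries": 100,
        "iam_role": "arn:aws:iam::111222333444:role/MyRole1",
        "include_regions": ["us-east-2"],
        "master_account_id": 123456789012,
    },
    "coralogix": {
        "grpc_endpoint": "https://ng-api-grpc.example-domain",
        "logs_endpoint": "https://ingress.example-domain",
        "api_key": "EXAMPLE-KEY-NOT-REAL",
        "application_name": "MyApplication",
        "subsystem_name": "MySubsystem",
        "dry_run": False,
    },
}

if __name__ == "__main__":
    for finding in preflight(DEFAULT_CONFIG):
        print("-", finding)
```

Wire `preflight()` in front of the `docker run` or `kubectl create configmap` step and refuse to deploy while it returns findings; the `dry_run` check in particular is worth keeping, because a `true` left in place produces a healthy-looking agent that never delivers a result.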
Coralogix triggers a scan, referred to as a run, by default every 24 hours. You can change this setting by navigating to Security in your Coralogix toolbar after logging into your Coralogix instance. Click on SCAN SETTINGS in the upper right-hand corner.
Documentation | Downloading Your Security Report |
Need help?
Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.
Feel free to reach out to us via our in-app chat or by sending us an email at [email protected].