CSPM (Cloud Security Posture)
CSPM (Cloud Security Posture) is a self-serve, stateless cloud posture check. You provide an asset inventory as JSON, pick the cloud (AWS, Azure, or GCP), and the scan returns prioritized findings. It does not connect to your cloud accounts and does not store the inventory you submit.
Who this is for
Security and cloud engineers in a workspace who want a fast misconfiguration check on an exported cloud asset inventory without standing up a connected scanner. Available on Pro and Enterprise plans.
Role-based start here
- Cloud / platform engineer: export an asset inventory and run a scan to triage misconfigurations before a change goes out.
- Security reviewer: use the findings and severities to prioritize fixes and attach them to a ticket.
- Workspace admin: confirm the capability is enabled on your plan.
Before you start
- Confirm your plan includes CSPM (Pro or Enterprise).
- Have an asset inventory ready as a JSON array. Each asset needs an
id, aresource_type, and apropertiesobject. - Decide which cloud the inventory is for (AWS, Azure, or GCP).
Step-by-step
- Open CSPM (
#/cspm). - On the Assets tab, select the cloud and paste your asset inventory JSON.
- Click Run CSPM scan.
- Open the Findings tab to review each flagged resource, its rule, the message, and the severity.
Day-2 operations
- Re-run the scan after remediating, using an updated inventory export, to confirm findings clear.
- Keep the inventory export current so results reflect live posture.
- Track recurring findings as candidates for guardrails earlier in your pipeline.
Self-check playbook
- Paste the sample inventory (a public-read bucket and an open security group) and confirm you get two findings.
- Submit an inventory with only well-configured assets and confirm zero findings.
- Submit an invalid cloud value and confirm the scan reports
cloud_invalid.
What each button does
- Cloud selector: chooses which cloud rule packs to evaluate against.
- Assets JSON textarea: the inventory the scan evaluates.
- Run CSPM scan: submits the inventory and loads findings.
- Overview / Assets / Findings tabs: posture context, asset input, and the resulting control failures.
Troubleshooting
- "Invalid assets JSON": the textarea must contain a JSON array of assets.
cloud_invalid: the cloud must beaws,azure, orgcp.assets_required_list:assetsmust be a list, even if empty.- No findings on a misconfigured asset: confirm the
resource_typeandpropertiesmatch what the rule packs expect (see the sample).
API and automation
POST /api/cspm/scanwith{ "cloud": "aws|azure|gcp", "assets": [ ... ] }returns{ "cloud": "...", "findings": [ {resource, rule, message, severity} ] }.- Authenticated, licensed workspace access is required.
- The scan is stateless: nothing is stored and no cloud account is contacted.
API error quick reference
| Error | Meaning | What to do now |
|---|---|---|
401 Unauthorized | Session token is missing, expired, or invalid. | Sign out and back in, then retry once. |
403 Forbidden | Your role is authenticated but not allowed to run a posture scan, or your plan does not include CSPM. | Ask your workspace admin to grant access or upgrade the plan. |
404 Not Found | The route was not found in the current workspace context. | Confirm the /api/cspm/scan path and workspace context, then retry. |
429 Too Many Requests | Your rate limit or quota window was exceeded. | Wait for cooldown, then retry with backoff. |
500 Internal Server Error | The backend failed unexpectedly. | Retry after a short wait. If it repeats, escalate with the UTC time. |
Next best actions
- Wire the API into a pre-deploy check so an inventory export is scanned before changes ship.
- Route high-severity findings to TicketBridge for follow-up.
FAQ
- Does this connect to my AWS/Azure/GCP account? No. You provide the inventory; the scan is stateless and stores nothing.
- Which clouds are supported? AWS, Azure, and GCP rule packs.
- Is my inventory retained? No. It is evaluated and discarded.