Cloud Security Posture Management
AquilaX Cloud Security Posture Management (CSPM)
AquilaX CSPM extends the AquilaX platform from code and IaC into your live cloud accounts. It continuously audits AWS, Azure, GCP, and Kubernetes against industry benchmarks, detects drift between your IaC and what's actually deployed, surfaces real attack paths through identity, and streams runtime threats — all correlated into the same finding model and dashboard you already use for code.
This document covers what the module does, how it works under the hood, what you need to set up, and how it integrates with the rest of the AquilaX platform.
Availability. CSPM is an additional service available exclusively on the Ultimate plan. It is not included in the base Ultimate subscription and is licensed separately under a dedicated CSPM License Model. It is not available on the Free or Premium plans. Enterprise customers receive CSPM through their custom contract terms.
1. What problem this solves
AquilaX has always scanned your code, dependencies, containers, and IaC before they reach production. That covers a lot — but it doesn't see what's actually running in your cloud account once it's deployed.
Three concrete gaps:
Drift. Someone clicks in the AWS console and opens a security group. Your Terraform still shows it closed. AquilaX IaC scans don't catch this.
Identity risk. A Lambda role accumulates permissions over six months. No single change is flagged, but the cumulative blast radius is now severe.
Runtime threats. A container starts a reverse shell, an EC2 instance begins cryptomining, a service principal logs in from a new geography. Static scanners can't see any of this.
AquilaX CSPM closes those gaps without you running six separate tools, six separate dashboards, and six separate severity models.
2. What's covered
Capability | Clouds | Details
Cloud config audit | AWS, Azure, GCP | CIS, NIST 800-53, PCI DSS, ISO 27001, HIPAA, SOC 2 controls
Asset inventory | AWS, Azure, GCP, Kubernetes | Full resource graph, queryable
Drift detection | AWS, Azure, GCP, Kubernetes | Field-level diff between IaC source and live state
IAM least-privilege | AWS (Azure, GCP in beta) | Privilege escalation paths, unused permissions, risky policies
Kubernetes posture | EKS, AKS, GKE, self-hosted | NSA/CISA hardening, MITRE ATT&CK mapping, RBAC analysis
Runtime threats | Containers, K8s, cloud control plane | eBPF kernel events, CloudTrail/Activity Log/Audit Log streams
Auto-remediation | AWS, Azure, GCP | Policy-driven, opt-in, fully audited
3. Architecture
AquilaX CSPM is built on a wrapper-and-correlate model. We don't reinvent scanners that already work; we run best-in-class open-source engines, normalize their output into the AquilaX finding schema, and pass everything through Securitron AI for false-positive elimination — the same pipeline your code findings already use.
3.1 The engines under the hood
Engine | Role in AquilaX CSPM | Why this engine
Prowler | Live cloud config audit across AWS/Azure/GCP/K8s | Broadest control coverage in OSS, native compliance framework mapping
Steampipe | Asset inventory and drift queries | SQL-over-cloud-APIs is the cleanest model for ad-hoc and scheduled checks
Cloud Custodian | Policy-as-code enforcement and remediation actions | Mature, multi-cloud, runs serverless, real production track record
Falco | Runtime threat detection | CNCF graduated, eBPF-based, plugin model covers cloud audit logs too
Cloudsplaining | AWS IAM policy analysis | Identifies least-privilege violations with concrete CWE mapping
Kubescape | Kubernetes posture management | NSA/CISA + MITRE control coverage, in-cluster operator
You don't interact with any of these directly. They're implementation detail. You see findings, scores, and graphs in the AquilaX dashboard.
3.2 The correlation model
Every cloud finding lands in the same resource graph as your code and IaC findings.
Concretely, this means:
An IaC finding from a PR scan and a Prowler finding on the same live S3 bucket merge into one finding with sources: [iac, prowler], not two duplicate alerts.
A Falco runtime alert on a pod links back to the Helm chart that defined the pod and to the Kubescape posture findings on the same workload.
A Cloudsplaining IAM finding combines with a Prowler "publicly exposed RDS" finding to produce an attack path:
compromised_role → assume_admin → access_db.
Resources are matched in this order: cloud-native ID (ARN, resourceId, self-link) → AquilaX tag → name+region+account fallback.
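The matching order and merge behaviour above, as an added example (not AquilaX code): a resolver that indexes every identifier a resource exposes, so an IaC finding that only knows a bucket's ARN and a Prowler finding that knows the ARN plus account, region and name land on one node, and a tag-only IaC resource still matches its live counterpart. The tag key aquilax:resource-id, the field names and the sample findings are assumptions.

```python
"""Resource matching and finding correlation.

Added example, not AquilaX code. It implements the precedence the text
describes (cloud-native ID, then AquilaX tag, then name+region+account) and
merges findings from different engines that land on the same resource node.
The tag key, field names and sample findings below are assumptions.
"""
from __future__ import annotations

TAG_KEY = "aquilax:resource-id"          # assumed tag key (see section 6.2)
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def identity_candidates(res: dict) -> list[tuple[str, str]]:
    """All identifiers a resource can be matched on, strongest first."""
    cands = []
    for field in ("arn", "resource_id", "self_link"):   # AWS / Azure / GCP
        if res.get(field):
            cands.append(("native", res[field]))
    tag = (res.get("tags") or {}).get(TAG_KEY)
    if tag:
        cands.append(("tag", tag))
    # Weakest match: all three parts are required so that two resources that
    # merely share a name in different accounts never collapse into one node.
    if all(res.get(k) for k in ("account", "region", "name")):
        cands.append(("fallback", f"{res['account']}:{res['region']}:{res['name']}"))
    return cands


class ResourceResolver:
    """Maps resources seen by different engines onto shared graph nodes.

    An IaC scan may only know a security group's tag while Prowler knows its
    ID and tag; both resolve to one node because every identifier of a node
    is indexed, not just the strongest one.
    """

    def __init__(self) -> None:
        self._index: dict[tuple[str, str], int] = {}
        self.nodes: list[set[tuple[str, str]]] = []

    def resolve(self, res: dict) -> int:
        cands = identity_candidates(res)
        if not cands:
            raise ValueError(f"resource has no usable identifier: {res!r}")
        for cand in cands:                 # checked in precedence order
            if cand in self._index:
                node_id = self._index[cand]
                break
        else:
            node_id = len(self.nodes)
            self.nodes.append(set())
        for cand in cands:
            # First writer wins: a weaker identifier seen later never
            # re-points an identifier that is already bound to another node.
            self._index.setdefault(cand, node_id)
        self.nodes[node_id].update(cands)
        return node_id


def merge_findings(findings: list[dict]) -> list[dict]:
    """One finding per (resource node, rule), listing every contributing source."""
    resolver = ResourceResolver()
    merged: dict[tuple[int, str], dict] = {}
    for f in findings:
        key = (resolver.resolve(f["resource"]), f["rule"])
        m = merged.setdefault(key, {"node": key[0], "rule": f["rule"],
                                    "severity": f["severity"], "sources": []})
        if f["source"] not in m["sources"]:
            m["sources"].append(f["source"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[m["severity"]]:
            m["severity"] = f["severity"]  # keep the highest severity seen
    return list(merged.values())


# Constructed sample: the IaC scanner knows the bucket ARN from Terraform state
# but only the tag for a security group; Prowler sees live ARNs/IDs and tags.
SAMPLE_FINDINGS = [
    {"source": "iac", "rule": "s3-public-read", "severity": "high",
     "resource": {"arn": "arn:aws:s3:::acme-logs"}},
    {"source": "prowler", "rule": "s3-public-read", "severity": "critical",
     "resource": {"arn": "arn:aws:s3:::acme-logs", "name": "acme-logs",
                  "region": "us-east-1", "account": "111111111111"}},
    {"source": "iac", "rule": "sg-open-to-world", "severity": "high",
     "resource": {"name": "api-sg", "tags": {TAG_KEY: "api-sg"}}},
    {"source": "prowler", "rule": "sg-open-to-world", "severity": "high",
     "resource": {"resource_id": "sg-0a1b2c3d", "tags": {TAG_KEY: "api-sg"},
                  "name": "api-sg", "region": "us-east-1", "account": "111111111111"}},
    {"source": "prowler", "rule": "rds-publicly-accessible", "severity": "critical",
     "resource": {"arn": "arn:aws:rds:us-east-1:111111111111:db:customers"}},
]

if __name__ == "__main__":
    for m in merge_findings(SAMPLE_FINDINGS):
        print(m["rule"], m["severity"], m["sources"])
```

The fallback key deliberately requires all of account, region and name; a resolver that matches on name alone would merge unrelated resources across accounts, which is worse than a duplicate alert.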
3.3 False positive elimination
Cloud findings go through Securitron AI before they reach your dashboard, exactly like code findings. Two reasons this matters:
Cross-finding context. Prowler may flag an internet-facing load balancer as critical. If Securitron sees that the upstream service has no sensitive data, no privileged IAM, and is documented as a public endpoint, it deprioritizes. Standalone Prowler can't do this.
Per-tenant learning. Findings you mark as accepted-risk teach the model. Over weeks, your noise floor drops without you writing a single suppression rule.
Industry-standard CSPMs typically generate large volumes of findings; AquilaX's review layer cuts that aggressively, in line with the ~93.5% false-positive elimination rate Securitron achieves on code.
4. The four sub-views
The Cloud section in the AquilaX dashboard has four tabs.
4.1 Posture
Score per cloud account, broken down by compliance framework. Pick CIS AWS 1.5.0, ISO 27001:2022, SOC 2, NIST 800-53, PCI DSS, DORA, NIS2 — same framework picker as the rest of the platform.
For each control, you see pass/fail, affected resources, and a one-click drill-down into the underlying findings. Posture data updates after every scheduled scan (default 24h, configurable down to 1h).
4.2 Resources
Full live inventory of everything in your connected accounts. Search by type, region, tag, or property. Click any resource to see:
Findings on it (from any source, deduplicated)
The IaC definition that created it (if any) — clickable through to your repo
Identities that can act on it
Recent runtime events
This view is built on Steampipe's queryable cloud data, but you don't write SQL — the platform does.
4.3 Attack Paths
Graph visualization of identity-and-exposure chains. The engine looks for chains such as the compromised_role → assume_admin → access_db example in Section 3.2.
The top 10 paths per account are ranked by length × max severity. Fix the node that breaks the most paths first; the UI tells you which one.
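An added example of the path search and ranking described above, not AquilaX code. It enumerates simple paths from entry points to sensitive targets over a constructed graph whose edges are the relations the engines' findings establish, ranks them (max severity first, then fewest hops, which is an assumed reading of "length × max severity"), and picks the intermediate node that lies on the most ranked paths as the one to fix first. Graph, severities and node names are assumptions.

```python
"""Attack path enumeration and ranking over the resource graph.

Added example, not AquilaX code. The graph, node severities and scoring are
assumptions: edges are relations established by findings (an exposed load
balancer runs as a role, a role can assume another role, a role can reach a
database), node severity is the worst open finding on that node, and paths
are ranked by max severity first, then by fewest hops.
"""
from collections import Counter

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}

# Constructed sample graph. "internet" is the external entry point; lambda_role
# and ci_role are identities assumed compromisable (entry points too).
GRAPH = {
    "internet":      [("exposes", "alb")],
    "alb":           [("runs_as", "app_role")],
    "app_role":      [("can_assume", "admin_role"), ("reads", "config_bucket")],
    "admin_role":    [("accesses", "customer_db")],
    "lambda_role":   [("can_assume", "admin_role")],
    "ci_role":       [("can_assume", "admin_role")],
    "config_bucket": [("holds_creds_for", "customer_db")],
    "customer_db":   [],
}
NODE_SEVERITY = {               # worst finding currently open on each node
    "alb": "high",              # internet-facing (Prowler)
    "app_role": "medium",       # over-broad policy (Cloudsplaining)
    "admin_role": "critical",   # privilege escalation target (Cloudsplaining)
    "config_bucket": "high",
    "lambda_role": "low",
    "ci_role": "medium",
}
ENTRY_POINTS = {"internet", "lambda_role", "ci_role"}
TARGETS = {"customer_db"}


def find_paths(graph, entry_points, targets, max_nodes=6):
    """Enumerate simple paths (no repeated node) from entry points to targets."""
    paths = []

    def walk(node, path):
        if node in targets and len(path) > 1:
            paths.append(list(path))      # stop at the first target reached
            return
        if len(path) >= max_nodes:        # bound the search on large graphs
            return
        for _relation, nxt in graph.get(node, []):
            if nxt not in path:           # simple paths only, no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for entry in sorted(entry_points):
        walk(entry, [entry])
    return paths


def worst_severity(path, node_severity):
    """Numeric rank of the most severe finding on any node of the path."""
    return max(SEVERITY_RANK[node_severity.get(n, "info")] for n in path)


def rank_paths(paths, node_severity, top_n=10):
    """Top-N paths: highest max severity first, then fewest hops."""
    ranked = sorted(paths, key=lambda p: (-worst_severity(p, node_severity),
                                          len(p) - 1, p))   # p: deterministic ties
    return [{"path": p, "hops": len(p) - 1,
             "max_severity": RANK_SEVERITY[worst_severity(p, node_severity)]}
            for p in ranked[:top_n]]


def choke_point(ranked):
    """The intermediate node on the most ranked paths: the one to fix first."""
    counts = Counter(n for r in ranked for n in r["path"][1:-1])
    node, n = counts.most_common(1)[0]
    return node, n


if __name__ == "__main__":
    top = rank_paths(find_paths(GRAPH, ENTRY_POINTS, TARGETS), NODE_SEVERITY)
    for r in top:
        print(r["max_severity"], r["hops"], " -> ".join(r["path"]))
    print("fix first:", choke_point(top))
```

On the constructed graph the choke point is admin_role: three of the four paths pass through it, so removing the sts:AssumeRole edges into it closes more exposure than hardening the load balancer, which only sits on the two paths from the internet.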
4.4 Runtime
Live stream of Falco events from your clusters and cloud control planes. Filterable by severity, namespace, account, rule. Each event links to the resource node in the graph and to any pre-deployment findings on that workload.
For cloud-only customers (no K8s), this view shows CloudTrail/Activity Log/Audit Log threat detections via Falco's plugin system — anomalous IAM changes, console logins from new geos, suspicious API call patterns.
5. Licensing and availability
CSPM is not part of the standard AquilaX scanner suite. It is a separately licensed add-on, governed by its own License Model, and only available to customers on the Ultimate plan or above.
5.1 Plan eligibility
Plan | CSPM availability
Free | Not available
Premium | Not available
Ultimate | Available as a paid add-on under the CSPM License Model
Enterprise | Included or negotiated under custom contract terms
Existing AquilaX scanners (SAST, SCA, Secrets, IaC, Container, DAST, API, PII, Malware, Vibe Code, Compliance) continue to work on every plan as before. CSPM is purely additive — it does not change the entitlements of your base subscription.
5.2 The CSPM License Model
CSPM is sold under a dedicated license distinct from your AquilaX seat-based subscription. Key terms:
Unit of licensing. Per connected cloud account (AWS account, Azure subscription, GCP project) and per Kubernetes cluster.
Tiering. Volume tiers apply once you connect more than 5, 25, or 100 accounts/clusters. Multi-cloud organizations get a blended rate.
Term. Annual commitment, monthly or quarterly billing. No month-to-month option for CSPM.
Runtime add-on. Falco-based runtime detection is licensed separately within the CSPM License Model — you can take the posture-only tier and add runtime later.
Auto-remediation. Included in all CSPM tiers; no additional cost for the Cloud Custodian-driven action engine.
On-premises. Same License Model applies; on-prem deployments receive the CSPM container images via the same private registry as the rest of the platform.
The license is governed by a separate Order Form referencing the AquilaX Master Subscription Agreement. The CSPM-specific addendum covers data handling for cloud telemetry, runtime event retention, and the elevated-privilege scenarios required for auto-remediation.
5.3 How to activate
Confirm you are on Ultimate (or above). If not, upgrade first.
Contact your AquilaX account manager or [email protected] to scope the number of accounts/clusters and to choose posture-only vs. posture+runtime.
Sign the CSPM Order Form.
The Cloud section appears in your dashboard within one business day of activation.
Proceed to setup (Section 6).
Trial licenses are available for evaluation — typically 30 days, scoped to up to 3 cloud accounts. Trial activations skip the Order Form step.
6. Setup
CSPM is enabled per tenant once the license is active. The base Ultimate subscription does not provision the Cloud section; only a valid CSPM license entitlement does.
6.1 Connecting a cloud account
Each cloud needs read-only access. AquilaX never gets write access unless you explicitly opt into auto-remediation.
AWS. Cross-account IAM role. AquilaX provides a CloudFormation template; you deploy it in each account you want scanned. The role grants the AWS-managed SecurityAudit and ViewOnlyAccess policies plus a small set of additional read permissions Prowler needs.
Azure. Service principal with Reader and Security Reader at the management group or subscription level. AquilaX provides a Terraform module and a manual portal walkthrough.
GCP. Service account with roles/iam.securityReviewer and roles/viewer, granted at the organization or project level. Workload Identity Federation supported — no static keys needed.
Kubernetes. A read-only ClusterRole plus the AquilaX scanner manifest. For runtime detection, Falco is deployed as a DaemonSet via the AquilaX Helm chart. Both are bundled in a single aquilax-cspm chart you install once per cluster.
Connection takes about 5 minutes per cloud. First scan completes within 15 minutes for typical accounts.
Note: each connected account/cluster counts against your CSPM license entitlement. If you exceed your contracted volume, additional accounts move into a read-only "license pending" state until your Order Form is updated — they are not silently scanned and billed.
6.2 Linking IaC repos
If you already use AquilaX for code scanning, your IaC scans are automatically correlated with cloud findings — nothing extra to configure. The matching uses ARN/resourceId/self-link from Terraform state outputs, with tag-based fallback.
If you use IaC tools we don't directly scan (Pulumi in some languages, CDK), enable the optional aquilax:resource-id tag pattern in your code. The setup guide in your dashboard generates the snippet.
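An added example of the field-level drift diff described in this section and in Section 2, not AquilaX code. It reads the resources[].instances[].attributes layout of a Terraform state file and the SecurityGroups list of an EC2 DescribeSecurityGroups response, normalises both into one shape, joins them on ARN and reports per-field differences; the constructed data reproduces the console-opened security group scenario from Section 1. Only IPv4 CIDR ingress rules are compared; IPv6, security-group-referencing and egress rules are left out.

```python
"""Field-level drift between Terraform state and the live cloud.

Added example, not AquilaX code. Reads the resources[].instances[].attributes
layout of a Terraform state file and the SecurityGroups layout of an EC2
DescribeSecurityGroups response, normalises both, matches on ARN and reports
per-field differences. The state and live data are constructed; the drift
they contain is the console-opened security group scenario from section 1.
Only IPv4 CIDR ingress rules are compared (no Ipv6Ranges, UserIdGroupPairs
or egress), to keep the normalisation short.
"""

# Constructed excerpt of a Terraform state file (one aws_security_group).
TF_STATE = {
    "version": 4,
    "resources": [{
        "type": "aws_security_group", "name": "api",
        "instances": [{"attributes": {
            "arn": "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0123456789abcdef0",
            "id": "sg-0123456789abcdef0",
            "name": "api-sg",
            "description": "API tier",
            "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443,
                         "cidr_blocks": ["10.0.0.0/8"]}],
        }}],
    }],
}

# Constructed DescribeSecurityGroups output: port 22 was opened in the console,
# and a second group was created there that is not in Terraform at all.
LIVE_SGS = [
    {"OwnerId": "111111111111", "GroupId": "sg-0123456789abcdef0",
     "GroupName": "api-sg", "Description": "API tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     ]},
    {"OwnerId": "111111111111", "GroupId": "sg-0fedcba9876543210",
     "GroupName": "debug-sg", "Description": "temp", "IpPermissions": []},
]


def normalize_iac_sg(attrs):
    """Terraform attributes -> {name, description, ingress: frozenset of rules}."""
    rules = {(r["protocol"], r["from_port"], r["to_port"], cidr)
             for r in attrs.get("ingress", []) for cidr in r.get("cidr_blocks", [])}
    return {"name": attrs["name"], "description": attrs.get("description"),
            "ingress": frozenset(rules)}


def normalize_live_sg(sg):
    """EC2 API shape -> the same shape as normalize_iac_sg (ports -1 = all)."""
    rules = {(p["IpProtocol"], p.get("FromPort", -1), p.get("ToPort", -1), r["CidrIp"])
             for p in sg.get("IpPermissions", []) for r in p.get("IpRanges", [])}
    return {"name": sg["GroupName"], "description": sg.get("Description"),
            "ingress": frozenset(rules)}


def live_sg_arn(sg, region):
    """DescribeSecurityGroups returns no ARN; rebuild it from owner and ID."""
    return f"arn:aws:ec2:{region}:{sg['OwnerId']}:security-group/{sg['GroupId']}"


def diff_fields(iac, live):
    """Per-field diff; set-valued fields report what was added/removed in the cloud."""
    diffs = {}
    for field in sorted(set(iac) | set(live)):
        a, b = iac.get(field), live.get(field)
        if a == b:
            continue
        if isinstance(a, frozenset) and isinstance(b, frozenset):
            diffs[field] = {"added_in_cloud": sorted(b - a), "missing_in_cloud": sorted(a - b)}
        else:
            diffs[field] = {"iac": a, "live": b}
    return diffs


def detect_drift(state, live_groups, region):
    iac = {inst["attributes"]["arn"]: normalize_iac_sg(inst["attributes"])
           for res in state["resources"] if res["type"] == "aws_security_group"
           for inst in res["instances"]}
    live = {live_sg_arn(sg, region): normalize_live_sg(sg) for sg in live_groups}
    drifted = {arn: d for arn in iac.keys() & live.keys()
               if (d := diff_fields(iac[arn], live[arn]))}
    return {"drifted": drifted,
            "unmanaged": sorted(live.keys() - iac.keys()),   # exists only in the cloud
            "missing": sorted(iac.keys() - live.keys())}      # in IaC, gone from the cloud


def world_open_rules(report):
    """Ingress rules opened in the cloud to 0.0.0.0/0: escalate these first."""
    return [(arn, rule) for arn, d in report["drifted"].items()
            for rule in d.get("ingress", {}).get("added_in_cloud", [])
            if rule[3] == "0.0.0.0/0"]


if __name__ == "__main__":
    report = detect_drift(TF_STATE, LIVE_SGS, region="us-east-1")
    print(report)
    print("world-open:", world_open_rules(report))
```

Normalising both sides into one shape before diffing is the part that matters: a naive JSON diff of Terraform attributes against the API response reports every resource as drifted because the two schemas share no field names.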
6.3 Auto-remediation (optional)
Off by default. To enable:
Pick which finding types are eligible (e.g., "public S3 buckets", "security groups open to 0.0.0.0/0").
Pick the action policy — alert-only, auto-tag, auto-remediate after N hours, or auto-remediate immediately.
Approve the elevated IAM role grant. AquilaX uses a separate, narrower role for remediation than for scanning, scoped to the specific actions you authorized.
Every remediation action is logged with full context: which finding triggered it, what the policy was, what changed, who in your org enabled the rule. Exportable to your SIEM.
7. How findings are delivered
Same channels as the rest of AquilaX:
Dashboard — primary view, with filters, severity, status workflow
Pull request comments — for IaC-rooted findings, AquilaX opens AI-generated fix PRs against the source repo
SARIF, JSON, CSV, PDF export — same formats as code findings
SIEM and ticketing — webhook-based, with mapping to the standard finding schema
Slack / Teams / email — configurable per severity threshold
Severity uses the existing AquilaX scale (Critical/High/Medium/Low/Info) with CVSS where applicable. Compliance framework mapping (CIS control ID, NIST control number, etc.) is on every finding.
8. What's not in CSPM
Worth being explicit about. CSPM in AquilaX covers configuration, identity, and runtime threats. It does not cover:
Data classification (DSPM) — what's in your S3 buckets, what's PII, what's regulated. This is a separate AquilaX module on the roadmap.
Agent-based workload scanning — we use snapshot and runtime telemetry, not agents inside VMs. If you need deep in-VM CVE scanning, pair AquilaX CSPM with your existing endpoint tooling.
SaaS posture (SSPM) — Okta, Google Workspace, M365 config. Not in scope.
Network traffic analysis — we check VPC Flow Log configuration (for example, whether logging is enabled) but don't do behavioral anomaly detection on the traffic itself.
We'd rather do a smaller scope well than a larger scope poorly. These boundaries will move in future releases.
9. Deployment options
CSPM is available in all three AquilaX deployment modes:
Cloud SaaS (multi-tenant) — easiest to start; AquilaX hosts everything except the Falco DaemonSet (which runs in your cluster) and the Cloud Connector roles (which live in your cloud accounts).
Dedicated Cloud (single-tenant) — fully isolated AquilaX instance, useful for regulated industries.
On-premises — full self-hosted via Docker Compose or Kubernetes Helm. CSPM containers ship via the AquilaX private registry once your CSPM license is active. No data leaves your environment.
In all modes, the underlying OSS engines (Prowler, Steampipe, Cloud Custodian, Falco, Cloudsplaining, Kubescape) are bundled and version-pinned by AquilaX. You don't install or update them yourself.
10. Compliance reporting
The CSPM module produces audit-ready reports for:
CIS Benchmarks (AWS, Azure, GCP, Kubernetes)
NIST 800-53 Rev 5
ISO 27001:2022
SOC 2 Type II
PCI DSS 4.0
HIPAA Security Rule
DORA, NIS2 (EU)
GDPR (control-mapped)
Reports are exportable as PDF and CSV, with control-by-control evidence. The same compliance reporting framework that exists for code findings extends to cloud findings — one report covers both.
11. Frequently asked questions
Does AquilaX get write access to my cloud account? No, unless you explicitly enable auto-remediation, in which case a separate, narrower role is granted, scoped only to the actions you authorized. The default scan role is read-only.
How often does CSPM scan? Default 24h for full audits, 1h for inventory refresh, real-time for runtime events. All configurable.
Will CSPM findings flood my dashboard? Securitron AI filters before findings reach you. In practice, customers see 10–50 cloud findings per account after filtering, not the thousands raw Prowler output produces.
Can I write custom rules? Yes — custom Steampipe queries and Cloud Custodian policies are supported via your AquilaX dashboard. Custom Falco rules are on the roadmap.
What if I already use Wiz / Orca / Defender CSPM? You probably don't need both. The case for AquilaX CSPM specifically is when you also want code-to-cloud correlation in one platform — AquilaX shows the IaC line that caused the live misconfiguration, the AI fix PR, and the runtime evidence in one finding. Standalone CSPMs don't cover the code side.
Where do I see the underlying tools? Each finding shows its source engine in the metadata (source_tool: prowler, etc.). If you want raw output for a specific scan, the JSON is exportable per scan run.
12. Getting started
Confirm you are on the Ultimate plan and have an active CSPM license (Section 5).
Open the AquilaX dashboard, navigate to Cloud in the left nav. The section is only visible once your CSPM license is active.
Click Connect a cloud account, pick your provider, follow the setup wizard.
Wait for the first scan (≈15 min).
Review findings, set up your notification channels, decide on auto-remediation policy.
Full per-cloud setup guides live in the AquilaX docs portal. The platform's standard SLA and support tiers apply to the CSPM module from day one of license activation.