# Cloud Security Posture Management

AquilaX CSPM extends the AquilaX platform from code and IaC into your live cloud accounts. It continuously audits AWS, Azure, GCP, and Kubernetes against industry benchmarks, detects drift between your IaC and what's actually deployed, surfaces real attack paths through identity, and streams runtime threats — all correlated into the same finding model and dashboard you already use for code.

This document covers what the module does, how it works under the hood, what you need to set up, and how it integrates with the rest of the AquilaX platform.

> **Availability.** CSPM is an additional service available exclusively on the **Ultimate** plan. It is **not** included in the base Ultimate subscription and is licensed separately under a dedicated CSPM License Model. It is not available on Free or Premium plans. Enterprise customers receive CSPM through their custom contract terms.

***

### 1. What problem this solves

AquilaX has always scanned your code, dependencies, containers, and IaC before they reach production. That covers a lot — but it doesn't see what's actually running in your cloud account once it's deployed.

Three concrete gaps:

1. **Drift.** Someone clicks in the AWS console and opens a security group. Your Terraform still shows it closed. AquilaX IaC scans don't catch this.
2. **Identity risk.** A Lambda role accumulates permissions over six months. No single change is flagged, but the cumulative blast radius is now severe.
3. **Runtime threats.** A container starts a reverse shell, an EC2 instance begins cryptomining, a service principal logs in from a new geography. Static scanners can't see any of this.

CSPM closes those gaps. AquilaX CSPM does it without you running six separate tools, six separate dashboards, and six separate severity models.

***

### 2. What's covered

| Surface             | Provider                             | Coverage                                                       |
| ------------------- | ------------------------------------ | -------------------------------------------------------------- |
| Cloud config audit  | AWS, Azure, GCP                      | CIS, NIST 800-53, PCI DSS, ISO 27001, HIPAA, SOC 2 controls    |
| Asset inventory     | AWS, Azure, GCP, Kubernetes          | Full resource graph, queryable                                 |
| Drift detection     | All four                             | Field-level diff between IaC source and live state             |
| IAM least-privilege | AWS (Azure, GCP in beta)             | Privilege escalation paths, unused permissions, risky policies |
| Kubernetes posture  | EKS, AKS, GKE, self-hosted           | NSA/CISA hardening, MITRE ATT&CK mapping, RBAC analysis        |
| Runtime threats     | Containers, K8s, cloud control plane | eBPF kernel events, CloudTrail/Activity Log/Audit Log streams  |
| Auto-remediation    | AWS, Azure, GCP                      | Policy-driven, opt-in, fully audited                           |

***

### 3. Architecture

AquilaX CSPM is built on a wrapper-and-correlate model. We don't reinvent scanners that already work; we run best-in-class open-source engines, normalize their output into the AquilaX finding schema, and pass everything through Securitron AI for false-positive elimination — the same pipeline your code findings already use.

#### 3.1 The engines under the hood

| Engine              | What it does in AquilaX                            | Why we picked it                                                          |
| ------------------- | -------------------------------------------------- | ------------------------------------------------------------------------- |
| **Prowler**         | Live cloud config audit across AWS/Azure/GCP/K8s   | Broadest control coverage in OSS, native compliance framework mapping     |
| **Steampipe**       | Asset inventory and drift queries                  | SQL-over-cloud-APIs is the cleanest model for ad-hoc and scheduled checks |
| **Cloud Custodian** | Policy-as-code enforcement and remediation actions | Mature, multi-cloud, runs serverless, real production track record        |
| **Falco**           | Runtime threat detection                           | CNCF graduated, eBPF-based, plugin model covers cloud audit logs too      |
| **Cloudsplaining**  | AWS IAM policy analysis                            | Identifies least-privilege violations with concrete CWE mapping           |
| **Kubescape**       | Kubernetes posture management                      | NSA/CISA + MITRE control coverage, in-cluster operator                    |

You don't interact with any of these directly. They're implementation detail. You see findings, scores, and graphs in the AquilaX dashboard.

#### 3.2 The correlation model

Every cloud finding lands in the same resource graph as your code and IaC findings.

```
            ┌──────────────────┐
            │   IaCDefinition  │  (your Terraform / Helm / CFN)
            └────────┬─────────┘
                     │ defined_by
                     ▼
┌─────────┐    ┌──────────┐     ┌──────────────┐
│Identity │───▶│ Resource │◀────│ RuntimeEvent │
└─────────┘    └────┬─────┘     └──────────────┘
  can_assume       │ has_finding
                   ▼
              ┌─────────┐
              │ Finding │  (from any source: IaC, Prowler, Falco, etc.)
              └─────────┘
```

Concretely, this means:

* An IaC finding from a PR scan and a Prowler finding on the same live S3 bucket merge into **one finding** with `sources: [iac, prowler]` — not two duplicate alerts.
* A Falco runtime alert on a pod links back to the Helm chart that defined the pod and to the Kubescape posture findings on the same workload.
* A Cloudsplaining IAM finding combines with a Prowler "publicly exposed RDS" finding to produce an attack path: `compromised_role → assume_admin → access_db`.

Resources are matched in this order: cloud-native ID (ARN, resourceId, self-link) → AquilaX tag → name+region+account fallback.
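To make the matching order and the merge behaviour concrete, here is an added example (not AquilaX's own code; the `Resource` and `Finding` shapes and the sample bucket are assumptions). It resolves each observed resource to one graph node using the documented order (cloud-native ID, then AquilaX tag, then name+region+account) and collapses findings from different engines on the same node into one record with a `sources` list:

```python
"""Resource identity resolution and finding de-duplication, following the match
order the page gives: cloud-native ID, then AquilaX tag, then name+region+account.
Added example, not AquilaX's own code; the Resource/Finding shapes are assumed."""
from dataclasses import dataclass
from typing import Optional

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


@dataclass
class Resource:
    native_id: Optional[str] = None    # ARN, Azure resourceId, or GCP self-link
    aquilax_tag: Optional[str] = None  # value of the aquilax:resource-id tag
    name: Optional[str] = None
    region: Optional[str] = None
    account: Optional[str] = None


@dataclass
class Finding:
    rule: str        # e.g. "s3-bucket-public"
    severity: str
    source: str      # "iac", "prowler", "falco", ...
    resource: Resource


class ResourceGraph:
    """Maps every observed Resource to one node id, so findings from different
    engines on the same cloud object land on the same node."""

    def __init__(self):
        self.by_native: dict[str, int] = {}
        self.by_tag: dict[str, int] = {}
        self.by_fallback: dict[tuple, int] = {}
        self.node_count = 0

    def resolve(self, r: Resource) -> int:
        fallback = (r.name, r.region, r.account) if r.name and r.region and r.account else None
        # 1. cloud-native ID   2. AquilaX tag   3. name+region+account
        if r.native_id and r.native_id in self.by_native:
            node = self.by_native[r.native_id]
        elif r.aquilax_tag and r.aquilax_tag in self.by_tag:
            node = self.by_tag[r.aquilax_tag]
        elif fallback and fallback in self.by_fallback:
            node = self.by_fallback[fallback]
        else:
            self.node_count += 1
            node = self.node_count
        # Index every identifier this observation carries, so a later sighting that
        # only knows the ARN still matches a node first created from an IaC scan.
        if r.native_id:
            self.by_native[r.native_id] = node
        if r.aquilax_tag:
            self.by_tag[r.aquilax_tag] = node
        if fallback:
            self.by_fallback[fallback] = node
        return node


def merge_findings(graph: ResourceGraph, findings: list) -> list:
    """One record per (rule, resource node); sources accumulate, severity is the max."""
    merged: dict[tuple, dict] = {}
    for f in findings:
        key = (f.rule, graph.resolve(f.resource))
        entry = merged.setdefault(key, {"rule": f.rule, "node": key[1],
                                        "severity": f.severity, "sources": []})
        if f.source not in entry["sources"]:
            entry["sources"].append(f.source)
        if SEVERITY_ORDER.index(f.severity) > SEVERITY_ORDER.index(entry["severity"]):
            entry["severity"] = f.severity
    return list(merged.values())


# Constructed sample: the same S3 bucket seen by the IaC scanner (knows the tag and
# name, no ARN yet) and by Prowler (knows the ARN and name, no tag).
SAMPLE_FINDINGS = [
    Finding("s3-bucket-public", "high", "iac",
            Resource(aquilax_tag="web-logs", name="web-logs",
                     region="eu-west-1", account="123456789012")),
    Finding("s3-bucket-public", "critical", "prowler",
            Resource(native_id="arn:aws:s3:::web-logs", name="web-logs",
                     region="eu-west-1", account="123456789012")),
]

if __name__ == "__main__":
    g = ResourceGraph()
    for rec in merge_findings(g, SAMPLE_FINDINGS):
        print(rec)
```

The two sample observations share no native ID and no tag, so they meet only at the name+region+account fallback; after the merge the node also carries the ARN, which is why a later runtime event that knows nothing but the ARN still lands on the same node.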

#### 3.3 False positive elimination

Cloud findings go through Securitron AI before they reach your dashboard, exactly like code findings. Two reasons this matters:

1. **Cross-finding context.** Prowler may flag an internet-facing load balancer as critical. If Securitron sees that the upstream service has no sensitive data, no privileged IAM, and is documented as a public endpoint, it deprioritizes. Standalone Prowler can't do this.
2. **Per-tenant learning.** Findings you mark as accepted-risk teach the model. Over weeks, your noise floor drops without you writing a single suppression rule.

Industry-standard CSPMs typically generate large volumes of findings; AquilaX's review layer cuts that aggressively, in line with the ~93.5% false-positive elimination rate Securitron achieves on code.

***

### 4. The four sub-views

The Cloud section in the AquilaX dashboard has four tabs.

#### 4.1 Posture

Score per cloud account, broken down by compliance framework. Pick CIS AWS 1.5.0, ISO 27001:2022, SOC 2, NIST 800-53, PCI DSS, DORA, NIS2 — same framework picker as the rest of the platform.

For each control, you see pass/fail, affected resources, and a one-click drill-down into the underlying findings. Posture data updates after every scheduled scan (default 24h, configurable down to 1h).

#### 4.2 Resources

Full live inventory of everything in your connected accounts. Search by type, region, tag, or property. Click any resource to see:

* Findings on it (from any source, deduplicated)
* The IaC definition that created it (if any) — clickable through to your repo
* Identities that can act on it
* Recent runtime events

This view is built on Steampipe's queryable cloud data, but you don't write SQL — the platform does.

#### 4.3 Attack Paths

Graph visualization of identity-and-exposure chains. The engine looks for paths like:

```
external_user
  → (compromise)
  → assume role with iam:PassRole
  → pass to lambda with admin policy
  → access internet-exposed RDS with PII
```

The top 10 paths per account are ranked by length × max severity. You fix the *node* that breaks the most paths first — the UI tells you which one.
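The ranking and the "which node to fix first" question can be shown on a small graph. This is an added example, not the AquilaX engine: the graph, the node severities and the scoring rule (length × max severity, taken literally from the text above) are assumptions, and the cut-node choice is simply the intermediate node that appears on the most paths:

```python
"""Attack-path ranking over an identity/exposure graph. Added example, not AquilaX's
engine: the graph, node severities and the scoring rule (length x max severity, as the
page states it) are assumptions used to show how a top-N list and the "node that breaks
the most paths" are derived."""
from collections import Counter

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed graph: an edge u -> v means "u can reach or act on v" (assume role,
# iam:PassRole, network exposure). Targets are the data stores we care about.
GRAPH = {
    "external_user": ["role_a", "role_b"],
    "role_a": ["lambda_admin", "s3_backup"],
    "role_b": ["lambda_admin"],
    "lambda_admin": ["rds_pii", "secrets_vault"],
}
TARGETS = {"rds_pii", "s3_backup", "secrets_vault"}
NODE_SEVERITY = {"rds_pii": "critical", "secrets_vault": "critical",
                 "s3_backup": "high", "lambda_admin": "high"}


def enumerate_paths(graph, start, targets, max_depth=8):
    """All simple paths from start that end at a target (the search stops at a target)."""
    found = []

    def walk(node, path):
        if node in targets:
            found.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for nxt in graph.get(node, ()):
            if nxt not in path:          # simple paths only: never revisit a node
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(start, [start])
    return found


def path_score(path, node_severity):
    """The page's ranking rule: path length times the highest severity on the path."""
    return len(path) * max(SEVERITY[node_severity.get(n, "low")] for n in path)


def top_paths(graph, start, targets, node_severity, n=10):
    """Ranked list of (score, path), highest score first, truncated to n."""
    scored = [(path_score(p, node_severity), p)
              for p in enumerate_paths(graph, start, targets)]
    scored.sort(key=lambda sp: (-sp[0], sp[1]))
    return scored[:n]


def best_cut_node(paths, start, targets):
    """Intermediate node present on the most paths: remediating it breaks the most chains."""
    counts = Counter(n for p in paths for n in p if n != start and n not in targets)
    node, hits = counts.most_common(1)[0]
    return node, hits


if __name__ == "__main__":
    ranked = top_paths(GRAPH, "external_user", TARGETS, NODE_SEVERITY)
    for score, path in ranked:
        print(score, " -> ".join(path))
    print("fix first:", best_cut_node([p for _, p in ranked], "external_user", TARGETS))
```

On the constructed graph there are five paths; `lambda_admin` sits on four of them, while each of the two entry roles sits on at most three, so removing the admin policy from the Lambda role is the single change that closes the most chains.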

#### 4.4 Runtime

Live stream of Falco events from your clusters and cloud control planes. Filterable by severity, namespace, account, rule. Each event links to the resource node in the graph and to any pre-deployment findings on that workload.

For cloud-only customers (no K8s), this view shows CloudTrail/Activity Log/Audit Log threat detections via Falco's plugin system — anomalous IAM changes, console logins from new geos, suspicious API call patterns.

***

### 5. Licensing and availability

CSPM is **not** part of the standard AquilaX scanner suite. It is a separately licensed add-on, governed by its own License Model, and only available to customers on the Ultimate plan or above.

#### 5.1 Plan eligibility

| Plan         | CSPM access                                                 |
| ------------ | ----------------------------------------------------------- |
| Free         | Not available                                               |
| Premium      | Not available                                               |
| **Ultimate** | **Available as a paid add-on** under the CSPM License Model |
| Enterprise   | Included or negotiated under custom contract terms          |

Existing AquilaX scanners (SAST, SCA, Secrets, IaC, Container, DAST, API, PII, Malware, Vibe Code, Compliance) continue to work on every plan as before. CSPM is purely additive — it does not change the entitlements of your base subscription.

#### 5.2 The CSPM License Model

CSPM is sold under a **dedicated license** distinct from your AquilaX seat-based subscription. Key terms:

* **Unit of licensing.** Per connected cloud account (AWS account, Azure subscription, GCP project) and per Kubernetes cluster.
* **Tiering.** Volume tiers apply once you connect more than 5, 25, or 100 accounts/clusters. Multi-cloud organizations get a blended rate.
* **Term.** Annual commitment, monthly or quarterly billing. No month-to-month option for CSPM.
* **Runtime add-on.** Falco-based runtime detection is licensed separately within the CSPM License Model — you can take the posture-only tier and add runtime later.
* **Auto-remediation.** Included in all CSPM tiers; no additional cost for the Cloud Custodian-driven action engine.
* **On-premises.** Same License Model applies; on-prem deployments receive the CSPM container images via the same private registry as the rest of the platform.

The license is governed by a separate Order Form referencing the AquilaX Master Subscription Agreement. The CSPM-specific addendum covers data handling for cloud telemetry, runtime event retention, and the elevated-privilege scenarios required for auto-remediation.

#### 5.3 How to activate

1. Confirm you are on Ultimate (or above). If not, upgrade first.
2. Contact your AquilaX account manager or `sales@aquilax.ai` to scope the number of accounts/clusters and select posture-only vs. posture+runtime.
3. Sign the CSPM Order Form.
4. The Cloud section appears in your dashboard within one business day of activation.
5. Proceed to setup (Section 6).

Trial licenses are available for evaluation — typically 30 days, scoped to up to 3 cloud accounts. Trial activations skip the Order Form step.

***

### 6. Setup

CSPM is enabled per tenant once the license is active. The base Ultimate subscription does not provision the Cloud section; only a valid CSPM license entitlement does.

#### 6.1 Connecting a cloud account

Each cloud needs read-only access. AquilaX never gets write access unless you explicitly opt into auto-remediation.

**AWS.** Cross-account IAM role. AquilaX provides a CloudFormation template; you deploy it in each account you want scanned. The role grants the AWS-managed `SecurityAudit` and `ViewOnlyAccess` policies plus a small set of additional read permissions Prowler needs.

**Azure.** Service principal with `Reader` and `Security Reader` at the management group or subscription level. AquilaX provides a Terraform module and a manual portal walkthrough.

**GCP.** Service account with `roles/iam.securityReviewer` and `roles/viewer`, granted at the organization or project level. Workload Identity Federation supported — no static keys needed.

**Kubernetes.** A read-only `ClusterRole` plus the AquilaX scanner manifest. For runtime detection, Falco is deployed as a DaemonSet via the AquilaX Helm chart. Both are bundled in a single `aquilax-cspm` chart you install once per cluster.

Connection takes about 5 minutes per cloud. First scan completes within 15 minutes for typical accounts.

Note: each connected account/cluster counts against your CSPM license entitlement. If you exceed your contracted volume, additional accounts move into a read-only "license pending" state until your Order Form is updated — they are not silently scanned and billed.
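Before deploying a vendor-supplied cross-account role, most teams want to verify for themselves that it really is read-only. The following is an added example, not AquilaX's CloudFormation template: the template dict, the principal account `111111111111`, the ExternalId placeholder and the inline action list are constructed, and the read-verb prefix list is a conservative assumption (anything it does not recognise is flagged for a human to look at):

```python
"""Pre-deployment check of a scanner-role CloudFormation template: managed policies must
come from a read-only allowlist, the trust policy must name the expected account and
require sts:ExternalId, and inline policies must contain only read-style actions.
Added example; the template and principal below are constructed placeholders."""
import copy

READ_ONLY_POLICIES = {
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
}
# Conservative: an action whose verb does not start with one of these is reported.
READ_VERBS = ("Describe", "Get", "List", "Lookup", "Search", "View")
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"   # placeholder vendor account


def is_read_only_action(action: str) -> bool:
    if action == "*" or action.endswith(":*"):
        return False
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_VERBS)


def check_scanner_role_template(template: dict, expected_principal: str) -> list:
    """Return a list of human-readable problems; an empty list means the role passed."""
    problems = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        for arn in props.get("ManagedPolicyArns", []):
            if arn not in READ_ONLY_POLICIES:
                problems.append(f"{name}: managed policy outside read-only allowlist: {arn}")
        for stmt in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal", {}).get("AWS")
            if principal != expected_principal:
                problems.append(f"{name}: trust principal {principal!r} != {expected_principal!r}")
            if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
                problems.append(f"{name}: trust policy has no sts:ExternalId condition")
        for pol in props.get("Policies", []):
            for stmt in pol.get("PolicyDocument", {}).get("Statement", []):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = stmt.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                for action in actions:
                    if not is_read_only_action(action):
                        problems.append(f"{name}/{pol.get('PolicyName')}: non-read action {action}")
    return problems


# Constructed template in the shape a scanner-role CloudFormation template takes.
SCANNER_ROLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"AquilaXScannerRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": EXPECTED_PRINCIPAL},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
            }]},
            "ManagedPolicyArns": sorted(READ_ONLY_POLICIES),
            "Policies": [{"PolicyName": "ExtraReadPermissions",
                          "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                              "Effect": "Allow",
                              "Action": ["account:Get*", "ec2:GetEbsEncryptionByDefault",
                                         "s3:GetAccountPublicAccessBlock"],
                              "Resource": "*"}]}}],
        },
    }},
}


def example_violations() -> list:
    """Break a copy of the template the two ways a reviewer most needs to catch:
    a write action slipped into the inline policy, and a trust policy without ExternalId."""
    bad = copy.deepcopy(SCANNER_ROLE_TEMPLATE)
    props = bad["Resources"]["AquilaXScannerRole"]["Properties"]
    props["Policies"][0]["PolicyDocument"]["Statement"][0]["Action"].append("s3:PutBucketPolicy")
    del props["AssumeRolePolicyDocument"]["Statement"][0]["Condition"]
    return check_scanner_role_template(bad, EXPECTED_PRINCIPAL)
```

Run it against the template you were actually given (parsed from JSON or YAML into the same dict shape) and treat any non-empty result as a reason to ask the vendor before deploying; the ExternalId check matters because it is what stops a third party who knows your role ARN from asking the vendor's account to assume it on their behalf.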

#### 6.2 Linking IaC repos

If you already use AquilaX for code scanning, your IaC scans are automatically correlated with cloud findings — nothing extra to configure. The matching uses ARN/resourceId/self-link from Terraform state outputs, with tag-based fallback.
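Once an IaC resource and its live counterpart are matched, drift detection is a field-level diff between the two records. The following is an added example, not AquilaX's drift engine: the declared and live security-group records are constructed (modelled on the console-click scenario from Section 1), list fields are compared as unordered sets because rule order is not meaningful, and the severity heuristic is an assumption:

```python
"""Field-level drift between an IaC-declared resource and its live state.
Added example; the two security-group records and the severity heuristic are constructed."""
import json


def _canon(value):
    """Order-independent key for list items (security group rules are unordered)."""
    return json.dumps(value, sort_keys=True)


def diff_fields(declared, live, path=""):
    """Recursively compare nested dicts/lists; return [{field, declared, live}, ...].
    A None on one side means the field or list item exists only on the other side."""
    drift = []
    if isinstance(declared, dict) and isinstance(live, dict):
        for key in sorted(set(declared) | set(live)):
            sub = f"{path}.{key}" if path else key
            if key not in declared:
                drift.append({"field": sub, "declared": None, "live": live[key]})
            elif key not in live:
                drift.append({"field": sub, "declared": declared[key], "live": None})
            else:
                drift.extend(diff_fields(declared[key], live[key], sub))
    elif isinstance(declared, list) and isinstance(live, list):
        declared_items = {_canon(i): i for i in declared}
        live_items = {_canon(i): i for i in live}
        for k in sorted(declared_items.keys() - live_items.keys()):
            drift.append({"field": path, "declared": declared_items[k], "live": None})
        for k in sorted(live_items.keys() - declared_items.keys()):
            drift.append({"field": path, "declared": None, "live": live_items[k]})
    elif declared != live:
        drift.append({"field": path, "declared": declared, "live": live})
    return drift


WORLD = {"0.0.0.0/0", "::/0"}


def rate_drift(entry) -> str:
    """Exposure added outside IaC is high; tag-only drift is informational; else medium."""
    live = entry["live"]
    if entry["declared"] is None and isinstance(live, dict) and live.get("cidr") in WORLD:
        return "high"
    if entry["field"].startswith("tags"):
        return "info"
    return "medium"


# Constructed records: what Terraform declares versus what the cloud API reports
# after someone opened SSH to the world in the console and added a tag by hand.
DECLARED_SG = {
    "name": "web-sg",
    "ingress": [{"port": 443, "proto": "tcp", "cidr": "10.0.0.0/8"}],
    "tags": {"env": "prod"},
}
LIVE_SG = {
    "name": "web-sg",
    "ingress": [{"port": 443, "proto": "tcp", "cidr": "10.0.0.0/8"},
                {"port": 22, "proto": "tcp", "cidr": "0.0.0.0/0"}],
    "tags": {"env": "prod", "owner": "alice"},
}

if __name__ == "__main__":
    for entry in diff_fields(DECLARED_SG, LIVE_SG):
        print(rate_drift(entry), entry)
```

The diff reports the world-open port 22 rule as live-only (rated high) and the hand-added `owner` tag as informational; the 443 rule, present on both sides, produces nothing, which is the behaviour you want so that benign re-ordering of rules never shows up as drift.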

If you use IaC tools we don't directly scan (Pulumi in some languages, CDK), enable the optional `aquilax:resource-id` tag pattern in your code. The setup guide in your dashboard generates the snippet.

#### 6.3 Auto-remediation (optional)

Off by default. To enable:

1. Pick which finding types are eligible (e.g., "public S3 buckets", "security groups open to 0.0.0.0/0").
2. Pick the action policy — alert-only, auto-tag, auto-remediate after N hours, or auto-remediate immediately.
3. Approve the elevated IAM role grant. AquilaX uses a separate, narrower role for remediation than for scanning, scoped to the specific actions you authorized.

Every remediation action is logged with full context: which finding triggered it, what the policy was, what changed, who in your org enabled the rule. Exportable to your SIEM.
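The three steps above reduce to a decision function that is opt-in per finding type, honours the chosen action policy, refuses to run anything outside the actions the remediation role was authorised for, and writes an audit record for every decision. This is an added example, not AquilaX's Cloud Custodian integration: the finding types, the policy names, the grace-period logic, the per-type authorised action lists and the sample findings are all constructed:

```python
"""Opt-in, policy-driven remediation decision with an audit record for every outcome.
Added example, not AquilaX's Cloud Custodian integration: finding types, policy names,
grace-period logic, authorized action lists and sample findings are constructed."""
from datetime import datetime, timedelta, timezone

# Step 1: the finding types you opted in, each with the only cloud actions the
# remediation role is allowed to perform for it (step 3's narrow scope).
AUTHORIZED_ACTIONS = {
    "s3-bucket-public": {"s3:PutBucketPublicAccessBlock"},
    "sg-open-to-world": {"ec2:RevokeSecurityGroupIngress"},
}
# What the remediation rule would call per finding type (constructed). The SG plan
# deliberately wants one action the role was never granted.
REMEDIATION_PLAN = {
    "s3-bucket-public": ["s3:PutBucketPublicAccessBlock"],
    "sg-open-to-world": ["ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress"],
}
POLICIES = {"alert-only", "auto-tag", "auto-remediate-after", "auto-remediate-now"}


def decide(finding: dict, policy: str, enabled_by: str, grace_hours: int = 0, now=None) -> dict:
    """Return the audit record for one finding: what was decided, under which policy,
    which API calls (if any) will run, and who enabled the rule."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    now = now or datetime.now(timezone.utc)
    ftype = finding["type"]
    if ftype not in AUTHORIZED_ACTIONS:
        action = "none"                      # not opted in: nothing happens, not even a tag
    elif policy == "alert-only":
        action = "alert"
    elif policy == "auto-tag":
        action = "tag"
    elif policy == "auto-remediate-after":
        age = now - finding["first_seen"]    # step 2: wait N hours before acting
        action = "remediate" if age >= timedelta(hours=grace_hours) else "wait"
    else:
        action = "remediate"
    calls = []
    if action == "remediate":
        calls = list(REMEDIATION_PLAN[ftype])
        if not set(calls) <= AUTHORIZED_ACTIONS[ftype]:
            action, calls = "blocked", []    # plan exceeds the role's authorized scope
    return {
        "finding_id": finding["id"], "finding_type": ftype, "resource": finding["resource"],
        "policy": policy, "grace_hours": grace_hours, "action": action, "api_calls": calls,
        "enabled_by": enabled_by, "decided_at": now.isoformat(),
    }


# Constructed sample findings and a fixed clock so the outcomes are reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = {
    "bucket": {"id": "F-1", "type": "s3-bucket-public",
               "resource": "arn:aws:s3:::web-logs", "first_seen": SAMPLE_NOW - timedelta(hours=2)},
    "sg": {"id": "F-2", "type": "sg-open-to-world",
           "resource": "sg-0123456789abcdef0", "first_seen": SAMPLE_NOW},
    "key": {"id": "F-3", "type": "iam-unused-key",
            "resource": "AKIA-EXAMPLE-PLACEHOLDER", "first_seen": SAMPLE_NOW},
}

if __name__ == "__main__":
    print(decide(SAMPLE_FINDINGS["bucket"], "auto-remediate-after", "alice", 4, SAMPLE_NOW))
    print(decide(SAMPLE_FINDINGS["sg"], "auto-remediate-now", "alice", now=SAMPLE_NOW))
```

The "blocked" outcome is the point of step 3: a rule whose plan reaches beyond the actions you approved never runs, and the audit record shows exactly why, rather than the role silently having been granted more than it needed.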

***

### 7. How findings are delivered

Same channels as the rest of AquilaX:

* Dashboard — primary view, with filters, severity, status workflow
* Pull request comments — for IaC-rooted findings, AquilaX opens AI-generated fix PRs against the source repo
* SARIF, JSON, CSV, PDF export — same formats as code findings
* SIEM and ticketing — webhook-based, with mapping to the standard finding schema
* Slack / Teams / email — configurable per severity threshold

Severity uses the existing AquilaX scale (Critical/High/Medium/Low/Info) with CVSS where applicable. Compliance framework mapping (CIS control ID, NIST control number, etc.) is on every finding.

***

### 8. What's *not* in CSPM

Worth being explicit about. CSPM in AquilaX covers configuration, identity, and runtime threats. It does **not** cover:

* **Data classification** (DSPM) — what's in your S3 buckets, what's PII, what's regulated. This is a separate AquilaX module on the roadmap.
* **Agent-based workload scanning** — we use snapshot and runtime telemetry, not agents inside VMs. If you need deep in-VM CVE scanning, pair AquilaX CSPM with your existing endpoint tooling.
* **SaaS posture** (SSPM) — Okta, Google Workspace, M365 config. Not in scope.
* **Network traffic analysis** — we read VPC Flow Log misconfigurations but don't do behavioral network anomaly detection.

We'd rather do a smaller scope well than a larger scope poorly. These boundaries will move in future releases.

***

### 9. Deployment options

CSPM is available in all three AquilaX deployment modes:

* **Cloud SaaS (multi-tenant)** — easiest to start; AquilaX hosts everything except the Falco DaemonSet (which runs in your cluster) and the Cloud Connector roles (which live in your cloud accounts).
* **Dedicated Cloud (single-tenant)** — fully isolated AquilaX instance, useful for regulated industries.
* **On-premises** — full self-hosted via Docker Compose or Kubernetes Helm. CSPM containers ship via the AquilaX private registry once your CSPM license is active. No data leaves your environment.

In all modes, the underlying OSS engines (Prowler, Steampipe, Cloud Custodian, Falco, Cloudsplaining, Kubescape) are bundled and version-pinned by AquilaX. You don't install or update them yourself.

***

### 10. Compliance reporting

The CSPM module produces audit-ready reports for:

* CIS Benchmarks (AWS, Azure, GCP, Kubernetes)
* NIST 800-53 Rev 5
* ISO 27001:2022
* SOC 2 Type II
* PCI DSS 4.0
* HIPAA Security Rule
* DORA, NIS2 (EU)
* GDPR (control-mapped)

Reports are exportable as PDF and CSV, with control-by-control evidence. The same compliance reporting framework that exists for code findings extends to cloud findings — one report covers both.

***

### 11. Frequently asked questions

**Does AquilaX get write access to my cloud account?** No, unless you explicitly enable auto-remediation, in which case a separate, narrower role is granted, scoped only to the actions you authorized. The default scan role is read-only.

**How often does CSPM scan?** Default 24h for full audits, 1h for inventory refresh, real-time for runtime events. All configurable.

**Will CSPM findings flood my dashboard?** Securitron AI filters before findings reach you. In practice, customers see 10–50 cloud findings per account after filtering, not the thousands raw Prowler output produces.

**Can I write custom rules?** Yes — custom Steampipe queries and Cloud Custodian policies are supported via your AquilaX dashboard. Custom Falco rules are on the roadmap.

**What if I already use Wiz / Orca / Defender CSPM?** You probably don't need both. The case for AquilaX CSPM specifically is when you also want code-to-cloud correlation in one platform — AquilaX shows the IaC line that caused the live misconfiguration, the AI fix PR, and the runtime evidence in one finding. Standalone CSPMs don't do that side.

**Where do I see the underlying tools?** Each finding shows its source engine in the metadata (`source_tool: prowler`, etc.). If you want raw output for a specific scan, the JSON is exportable per scan run.

***

### 12. Getting started

1. Confirm you are on the Ultimate plan and have an active CSPM license (Section 5).
2. Open the AquilaX dashboard, navigate to **Cloud** in the left nav. The section is only visible once your CSPM license is active.
3. Click **Connect a cloud account**, pick your provider, follow the setup wizard.
4. Wait for the first scan (≈15 min).
5. Review findings, set up your notification channels, decide on auto-remediation policy.

Full per-cloud setup guides live in the AquilaX docs portal. The platform's standard SLA and support tiers apply to the CSPM module from day one of license activation.
