Cloud Posture
Plexicus provides cloud security capabilities to assess and monitor your cloud infrastructure on AWS, Azure, and GCP. This guide covers Cloud Security Posture Management (CSPM), Cloud Infrastructure Entitlement Management (CIEM), and Cloud Workload Protection (CWPP).
Prerequisites
- Scale plan or above (cloud posture features are Scale+ features).
- Connected cloud account credentials (AWS IAM role, Azure credentials, or GCP service account).
Cloud Security Posture Management (CSPM)
plexicus-cloud scans your AWS, Azure, and GCP accounts for misconfigurations in:
- IAM policies — overly permissive roles, unused service accounts, public access
- Storage — unencrypted S3 buckets, misconfigured blob storage, exposed Cloud Storage
- Networking — exposed security groups, public databases, firewall rules
- Compute — missing encryption, insecure Kubernetes configurations
- Compliance — CIS benchmarks, best practices
Connecting a Cloud Account
AWS
- Go to Settings → Cloud Integrations (or Connectors).
- Click Add Cloud or select AWS.
- Choose an authentication method:
  - IAM Role (Recommended) — create a cross-account IAM role in your AWS account that Plexicus assumes. This is the most secure method.
  - Access Key — provide an AWS Access Key and Secret Access Key (less secure; credentials stored in Plexicus).
- Follow the prompts to complete the connection.
- Once connected, Plexicus queues a cloud scan automatically.
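The IAM Role option above relies on the trust policy of the cross-account role being as narrow as possible. The following is an added example (not Plexicus code, and not the exact policy the connection wizard generates): it builds a trust policy that only the scanner account can assume, and only with an agreed ExternalId, then checks an existing trust policy for the two mistakes that make such roles over-exposed. The account id, ExternalId, and the choice of the AWS-managed SecurityAudit read-only policy are assumptions; take the real values from the wizard.

```python
"""Build and sanity-check a cross-account IAM trust policy for a scanner role.

Added example; not Plexicus code. SCANNER_ACCOUNT_ID and EXTERNAL_ID are
placeholders (assumption: the connection wizard shows the real values).
"""
import json

SCANNER_ACCOUNT_ID = "111111111111"                      # placeholder account id
EXTERNAL_ID = "replace-with-wizard-external-id"          # placeholder
READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"  # AWS-managed read-only audit policy (assumed choice)


def build_trust_policy(scanner_account_id: str, external_id: str) -> dict:
    """Trust policy: only the scanner account may assume the role, and only
    when it presents the agreed ExternalId (limits confused-deputy abuse)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def build_role_definition() -> dict:
    """Complete role description: trust policy plus the read-only permissions policy."""
    return {
        "AssumeRolePolicyDocument": build_trust_policy(SCANNER_ACCOUNT_ID, EXTERNAL_ID),
        "ManagedPolicyArns": [READ_ONLY_POLICY_ARN],
    }


def trust_policy_issues(policy: dict) -> list:
    """Return problems that make the role assumable more broadly than intended."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the string "*", a dict {"AWS": ...}, or a list of ARNs
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws_principal if isinstance(aws_principal, list) else [aws_principal]
        if "*" in principals:
            issues.append("Principal '*' allows any AWS account to assume the role")
        cond = stmt.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            issues.append("missing sts:ExternalId condition (confused-deputy risk)")
    return issues


if __name__ == "__main__":
    role = build_role_definition()
    print(json.dumps(role, indent=2))
    print("issues:", trust_policy_issues(role["AssumeRolePolicyDocument"]))
```

Run `trust_policy_issues` against the trust policy of any existing role before reusing it for the connection; an empty list means the role is restricted to the single scanner account with an ExternalId.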
Azure
- Go to Settings → Cloud Integrations.
- Click Add Cloud or select Azure.
- Provide your Azure subscription ID and tenant ID.
- Authenticate using Azure CLI or provide credentials.
- Plexicus queues a cloud scan automatically.
GCP
- Go to Settings → Cloud Integrations.
- Click Add Cloud or select GCP.
- Upload a GCP service account JSON key file (or paste the key).
- Confirm the project ID.
- Plexicus queues a cloud scan automatically.
Running a Cloud Posture Scan
Once you've connected a cloud account:
- The platform queues an automatic scan immediately after connection.
- You can trigger additional scans from Assets by selecting the cloud account and clicking Scan Now.
- Scans run asynchronously and can take several minutes depending on account size.
- When complete, findings appear on the Findings dashboard, filtered by "Cloud" source.
Interpreting Cloud Posture Findings
Each finding shows:
- Resource — the AWS resource (e.g., S3 bucket name), Azure resource (storage account), or GCP resource.
- Severity — critical, high, medium, low, or info.
- Policy — the specific check that failed (e.g., "S3 bucket is public").
- Remediation — step-by-step fix instructions.
You can filter findings by cloud provider, severity, policy category, or resource type.
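To make the finding fields concrete, here is an added example (not Plexicus code, and not the checks plexicus-cloud actually runs) that evaluates a few constructed AWS resources the way a CSPM check does: a public S3 bucket policy, a bucket without default encryption, and security groups open to the internet on admin or database ports. Each result carries the same four fields the Findings dashboard shows, and a minimum-severity filter mirrors the Severity parameter in the next section. Resource names, policy names and remediation text are constructed for illustration.

```python
"""Toy CSPM-style evaluation of constructed cloud resource configurations.

Added example; not Plexicus code. The inventory, policy names and remediation
strings are constructed; the finding fields mirror the Findings dashboard.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
ADMIN_PORTS = (22, 3389)
DB_PORTS = (3306, 5432, 1433, 27017)


@dataclass
class Finding:
    resource: str
    severity: str
    policy: str
    remediation: str


def check_s3_bucket(bucket: dict) -> list:
    """Public access (ACL flag or Principal '*' policy) and missing default encryption."""
    findings = []
    name = bucket["name"]
    statements = bucket.get("policy", {}).get("Statement", [])
    public_policy = any(
        s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})
        for s in statements
    )
    if bucket.get("public_read") or public_policy:
        findings.append(Finding(name, "critical", "S3 bucket is public",
                                "Enable Block Public Access and remove Principal '*' from the bucket policy"))
    if not bucket.get("sse_enabled", False):
        findings.append(Finding(name, "medium", "S3 bucket lacks default encryption",
                                "Enable default server-side encryption (SSE-S3 or SSE-KMS)"))
    return findings


def check_security_group(sg: dict) -> list:
    """Ingress rules that expose admin or database ports to 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in sg.get("ingress", []):
        open_world = rule.get("cidr") in ("0.0.0.0/0", "::/0")
        if open_world and rule.get("port") in ADMIN_PORTS:
            findings.append(Finding(sg["id"], "high",
                                    f"Security group allows port {rule['port']} from the internet",
                                    "Restrict the source CIDR to trusted ranges or use a bastion / session manager"))
        elif open_world and rule.get("port") in DB_PORTS:
            findings.append(Finding(sg["id"], "critical",
                                    f"Database port {rule['port']} exposed to the internet",
                                    "Remove the 0.0.0.0/0 rule; allow only application subnets"))
    return findings


def filter_by_min_severity(findings: list, minimum: str) -> list:
    """Keep findings at or above the minimum severity (the CSPM 'Severity' parameter)."""
    return [f for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[minimum]]


# Constructed sample inventory
SAMPLE_BUCKETS = [
    {"name": "public-assets", "sse_enabled": True,
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
    {"name": "private-logs", "sse_enabled": False, "policy": {"Statement": []}},
]
SAMPLE_SGS = [
    {"id": "sg-example-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-example-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
]


def scan_inventory(buckets=SAMPLE_BUCKETS, sgs=SAMPLE_SGS) -> list:
    """Run every check over the inventory and return the combined findings."""
    findings = []
    for bucket in buckets:
        findings.extend(check_s3_bucket(bucket))
    for sg in sgs:
        findings.extend(check_security_group(sg))
    return findings


if __name__ == "__main__":
    for f in filter_by_min_severity(scan_inventory(), "medium"):
        print(f"[{f.severity:8}] {f.resource}: {f.policy} -> {f.remediation}")
```

With the constructed inventory the scan yields four findings; raising the minimum severity to high drops the encryption finding, which is the same effect the Severity parameter has on what the platform reports.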
CSPM Parameters
When you configure plexicus-cloud, you can tune:
- Severity — minimum severity to report (info, low, medium, high, critical).
- Compliance frameworks — select which frameworks to audit against (CIS AWS, CIS Azure, CIS GCP, PCI DSS, etc.).
Cloud Infrastructure Entitlement Management (CIEM)
CIEM is in early access. Capabilities and UI are subject to change. This section documents current functionality.
CIEM (Cloud Infrastructure Entitlement Management) analyzes your cloud infrastructure's entitlements and permissions. The page shows:
- Effective Permissions — what each identity (user, role, service account) can actually do (considering role assumptions, inheritance, etc.).
- Risky Permissions — overly broad grants (e.g., "admin" roles assigned to developers).
- Unused Entitlements — identities that haven't been used in 90 days but still have broad permissions.
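The three CIEM views above all derive from one graph: identities, the actions attached to them, and the roles they are allowed to assume. The following added example (not Plexicus code) shows that analysis on a constructed inventory: effective permissions are computed by walking assume-role edges transitively, a grant is flagged as risky when it reaches admin-level `*`, and an entitlement is flagged as unused when its last use is older than the 90-day threshold the page states. Principal names, actions and last-used dates are constructed.

```python
"""Toy CIEM analysis: effective permissions through assume-role chains, risky
grants, and unused entitlements.

Added example; not Plexicus code. Inventory below is constructed. "Risky" here
means an admin-level '*' action is reachable; "unused" follows the 90-day rule.
"""
from collections import deque
from datetime import date, timedelta

UNUSED_DAYS = 90

# Constructed inventory: direct actions, roles the principal may assume, last activity
PRINCIPALS = {
    "user:alice":       {"actions": {"s3:GetObject"},        "can_assume": {"role:deploy"}, "last_used": date(2025, 1, 5)},
    "role:deploy":      {"actions": {"ec2:*"},               "can_assume": {"role:admin"},  "last_used": date(2024, 12, 20)},
    "role:admin":       {"actions": {"*"},                   "can_assume": set(),           "last_used": date(2024, 9, 1)},
    "sa:legacy-backup": {"actions": {"s3:*", "kms:Decrypt"}, "can_assume": set(),           "last_used": date(2024, 5, 1)},
    "user:bob":         {"actions": {"s3:ListBucket"},       "can_assume": set(),           "last_used": date(2025, 1, 10)},
}


def effective_permissions(principal: str, inventory=PRINCIPALS) -> set:
    """Union of actions reachable by following assume-role edges transitively (cycle-safe)."""
    seen, stack, actions = set(), [principal], set()
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        actions |= inventory[p]["actions"]
        stack.extend(inventory[p]["can_assume"])
    return actions


def assumption_path(principal: str, target: str, inventory=PRINCIPALS):
    """Shortest chain of role assumptions from principal to target, or None."""
    queue, seen = deque([[principal]]), {principal}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(inventory[path[-1]]["can_assume"]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def is_risky(principal: str, inventory=PRINCIPALS) -> bool:
    """Admin-level access is reachable, directly or through a chain."""
    return "*" in effective_permissions(principal, inventory)


def risky_principals(inventory=PRINCIPALS) -> list:
    return sorted(p for p in inventory if is_risky(p, inventory))


def unused_entitlements(today: date, inventory=PRINCIPALS) -> list:
    """Principals idle for more than UNUSED_DAYS that still hold a wildcard grant."""
    cutoff = today - timedelta(days=UNUSED_DAYS)
    return sorted(
        p for p, e in inventory.items()
        if e["last_used"] < cutoff and any(a.endswith("*") for a in e["actions"])
    )


if __name__ == "__main__":
    today = date(2025, 1, 15)
    for p in PRINCIPALS:
        print(p, sorted(effective_permissions(p)), "RISKY" if is_risky(p) else "")
    print("path alice -> admin:", assumption_path("user:alice", "role:admin"))
    print("unused broad entitlements:", unused_entitlements(today))
```

Note that `user:alice` holds only `s3:GetObject` directly yet is risky, because `role:deploy` can assume `role:admin`; this is the transitive analysis the roadmap item on permission path analysis refers to, shown here in its simplest form.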
CIEM Page Features (Current)
On Assets → CIEM, you can:
- View a summary of your cloud entitlements by provider.
- Browse permissions by principal (user, service account, role).
- Filter by cloud provider (AWS, Azure, GCP).
- Identify risky entitlements and unused access.
CIEM findings are recommendations, not enforcement — you control remediation via cloud provider consoles.
Future CIEM Capabilities
The roadmap includes:
- Deeper permission path analysis (transitive permissions via role assumption chains).
- Just-in-Time (JIT) access recommendations.
- Entitlement lifecycle management (automatic revocation of unused access).
Cloud Workload Protection (CWPP)
CWPP is in early access. Capabilities and UI are subject to change. This section documents current functionality.
CWPP (Cloud Workload Protection Platform) monitors your cloud workloads (EC2 instances, App Service VMs, Compute Engine VMs) for runtime threats.
CWPP Page Features (Current)
On Assets → CWPP, you can:
- View a summary of protected workloads by cloud provider.
- Monitor workload compliance against CIS benchmarks.
- Track vulnerability trends in running instances.
CWPP findings correlate instance metadata (OS, packages, processes) with CVE databases to surface vulnerabilities.
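As an added example of that correlation (not Plexicus code, and not how the platform's matcher is implemented), the block below compares a constructed instance package inventory against a constructed vulnerability feed using version ranges, and marks a match as in use when the package name also appears among the running processes. The CVE ids are placeholders, not real advisories, and the version parser is deliberately naive: distribution backports can fix a CVE without bumping the upstream version, which a production matcher must account for.

```python
"""Toy CWPP-style correlation of an instance package inventory with a vulnerability feed.

Added example; not Plexicus code. Inventory and feed are constructed; the CVE
ids are placeholders (CVE-EXAMPLE-000x), not real advisories.
"""
import re

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(v: str) -> tuple:
    """Split '3.0.2-0ubuntu1' into a comparable tuple (3, 0, 2, 0, 1).
    Naive on purpose: distro backports (fixes without a version bump) are not modelled."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


# Constructed feed: affected range is [introduced, fixed)
VULN_FEED = [
    {"package": "openssl", "introduced": "3.0.0", "fixed": "3.0.8", "id": "CVE-EXAMPLE-0001", "severity": "high"},
    {"package": "curl",    "introduced": "7.0.0", "fixed": "8.4.0", "id": "CVE-EXAMPLE-0002", "severity": "medium"},
    {"package": "sudo",    "introduced": "1.8.0", "fixed": "1.9.5", "id": "CVE-EXAMPLE-0003", "severity": "critical"},
]

# Constructed instance metadata of the kind CWPP collects (OS, packages, processes)
INSTANCE = {
    "id": "i-example-web-01",
    "os": "ubuntu-22.04",
    "packages": {"openssl": "3.0.2-0ubuntu1", "curl": "8.5.0", "sudo": "1.9.4", "nginx": "1.24.0"},
    "processes": ["nginx", "sshd", "sudo"],
}


def is_affected(version: str, entry: dict) -> bool:
    v = parse_version(version)
    return parse_version(entry["introduced"]) <= v < parse_version(entry["fixed"])


def correlate(instance: dict, feed=VULN_FEED) -> list:
    """Return vulnerability findings for the instance, most severe first."""
    findings = []
    for entry in feed:
        installed = instance["packages"].get(entry["package"])
        if installed is None or not is_affected(installed, entry):
            continue
        findings.append({
            "resource": instance["id"],
            "package": entry["package"],
            "installed": installed,
            "fixed_in": entry["fixed"],
            "id": entry["id"],
            "severity": entry["severity"],
            # a vulnerable package with a live process is a higher-priority fix
            "in_use": entry["package"] in instance["processes"],
        })
    findings.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in correlate(INSTANCE):
        flag = " (running)" if f["in_use"] else ""
        print(f"[{f['severity']}] {f['resource']} {f['package']} {f['installed']} "
              f"-> {f['id']}, fixed in {f['fixed_in']}{flag}")
```

On the constructed instance, curl and nginx produce nothing, openssl matches the high entry, and sudo matches the critical one and is also running, which is why it sorts first.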
Future CWPP Capabilities
The roadmap includes:
- Real-time anomaly detection (unusual process behavior, privilege escalation attempts).
- Automated incident response (isolate compromised workloads).
- Integration with cloud provider security services (AWS Security Hub, Azure Defender, GCP Security Command Center).
Compliance Frameworks
Cloud posture findings can be mapped to compliance frameworks. See Compliance for how to view findings by framework (CIS, PCI DSS, ISO 27001, etc.).
See Also
- Compliance — map cloud findings to compliance controls
- Finding Triage — manage cloud security findings
- Cloud Integrations, Azure, GCP — detailed setup guides for each cloud provider