Overview
The Cloud Security Posture Management (CSPM) module in DeepTraQ helps identify security risks, misconfigurations, and compliance gaps across cloud environments.
What this scanner does
The CSPM scanner analyzes cloud configurations to detect:
- Misconfigured cloud resources (storage, networking, compute, databases)
- Excessive IAM permissions and insecure access policies
- Publicly exposed resources
- Compliance violations against security frameworks
- Configuration drift and risky changes
It continuously audits cloud environments and correlates findings with security best practices and threat intelligence.
When to use this scanner
Use the CSPM module when you want to monitor and secure cloud infrastructure configurations.
Common use cases include:
- Auditing cloud security posture
- Detecting misconfigurations in cloud services
- Monitoring IAM users, roles, and permissions
- Ensuring compliance with security frameworks
- Tracking configuration changes across cloud environments
What you get
After the scan completes, DeepTraQ provides:
- Detected cloud misconfigurations and risks
- IAM and access control security findings
- Public exposure detection
- Compliance assessment scores
- Risk prioritization and remediation guidance
These insights help security and DevOps teams maintain a secure and compliant cloud environment.
Supported Cloud Platforms
DeepTraQ CSPM supports security monitoring across major cloud providers.
| Cloud Platform |
|---|
| Amazon Web Services (AWS) |
| Microsoft Azure |
| Google Cloud Platform (GCP) |
| Oracle Cloud Infrastructure (OCI) |
Cloud Resources Analyzed
The scanner evaluates multiple cloud services and configurations across your environment.
For a detailed breakdown of supported services and coverage, refer to CSPM Coverage.
| Resource Type |
|---|
| Storage Buckets |
| Compute Instances |
| Databases |
| Virtual Networks |
| Security Groups |
| IAM Users |
| IAM Roles |
| IAM Policies |
| Cloud Services |
Supported Compliance Frameworks
| Cloud Provider | Supported Frameworks |
|---|---|
| AWS | AWS-Account-Security-Onboarding, AWS-Audit-Manager-Control-Tower, AWS-Foundational-Security-Best-Practices, AWS-Foundational-Technical-Review, AWS-Well-Architected-Framework-Security, C5-2025, CCC, CIS-1.4, CIS-1.5, CIS-2.0, CIS-3.0, CIS-4.0.1, CIS-5.0, CISA, ENS-RD2022, FFIEC, FedRAMP-20x-KSI-Low-25.05C, FedRAMP-Low-Revision-4, FedRAMP-Moderate-Revision-4, GDPR, GxP-21-CFR-Part-11, GxP-EU-Annex-11, HIPAA, ISO27001-2013, ISO27001-2022, KISA-ISMS-P-2023, KISA-ISMS-P-2023 (Korean), MITRE-ATTACK, NIS2, NIST-800-171-Revision-2, NIST-800-53-Revision-4, NIST-800-53-Revision-5, NIST-CSF-1.1, NIST-CSF-2.0, PCI-3.2.1, PCI-4.0, ProwlerThreatScore-1.0, RBI-Cyber-Security-Framework, SOC2 |
| GCP | C5-2025, CCC, CIS-2.0, CIS-3.0, CIS-4.0, ENS-RD2022, FedRAMP-20x-KSI-Low-25.05C, HIPAA, ISO27001-2022, MITRE-ATTACK, NIS2, PCI-4.0, ProwlerThreatScore-1.0, SOC2 |
| Azure | C5-2025, CCC, CIS-2.0, CIS-2.1, CIS-3.0, CIS-4.0, CIS-5.0, ENS-RD2022, FedRAMP-20x-KSI-Low-25.05C, ISO27001-2022, MITRE-ATTACK, NIS2, PCI-4.0, ProwlerThreatScore-1.0, RBI-Cyber-Security-Framework, SOC2 |
| Oracle | CIS-3.0 |
Limitations
| Limitation | Description |
|---|---|
| Cloud account access required | Cloud accounts must be connected through supported integrations |
| Read-only scanning | CSPM primarily analyzes configurations and does not modify resources directly |
| Provider coverage varies | Some cloud services may have limited coverage depending on provider APIs |
| Scan scope depends on permissions | Insufficient IAM permissions may limit visibility into certain resources |
| Real-time monitoring requires integration | Continuous monitoring works only after cloud account integration |
| Compliance coverage varies by provider | Compliance framework coverage is limited for Oracle and GCP, while Azure has partial coverage compared to AWS |