CoursesAdvanced cloud securityPosture, compliance & workloads

CSPM & continuous compliance

Config rules, CIS benchmarks, and drift as a security signal.

Advanced30 min · lesson 13 of 15

A cloud estate is a moving target: thousands of resources changing every day, any one of which can drift into a misconfiguration that opens a hole. A point-in-time audit tells you the posture on the day of the audit and nothing about the 364 other days. Cloud security posture management makes the assessment continuous, so a public bucket or an open security group is caught minutes after it appears, not at the next review.

Posture management, continuously

CSPM continuously evaluates live configuration against a library of rules — provider best practices, CIS benchmarks, and your own organizational policy — and raises a finding the moment a resource violates one. The same rules can run earlier, as IaC scanning in the pipeline, so the misconfiguration is blocked in review before it ever reaches the cloud. Shift-left plus continuous runtime evaluation gives you two chances to catch the same class of mistake.

the same rule, in the pipeline and at runtime
# Pipeline (pre-deploy): a policy check fails the build on a public bucket.
package terraform.s3
deny[msg] {
r := input.resource_changes[_]
r.type == "aws_s3_bucket_public_access_block"
not r.change.after.block_public_acls
msg := sprintf("bucket %v does not block public ACLs", [r.address])
}
# Runtime (continuous): an AWS Config managed rule flags any bucket that
# becomes public after deploy, and can auto-remediate.
aws configservice put-config-rule --config-rule '{
"ConfigRuleName": "s3-no-public-access",
"Source": { "Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED" }
}'

Drift is a security signal

When live configuration diverges from the approved, version-controlled baseline, that drift is meaningful: it is either a mistake that weakened a control or an attacker quietly loosening one. Treat an out-of-band change to a security-relevant resource — a security group opened, logging disabled, a policy widened — as an event to investigate, not just a compliance number. Baseline the desired state, alert on divergence, and reconcile deliberately.

Continuous posture loop
1live resources
changing constantly
2continuous evaluation
against benchmarks + policy
3finding on violation
minutes after it appears
4remediate or alert
auto-fix or route to owners
The gap between a misconfiguration appearing and being caught shrinks from months (next audit) to minutes (next evaluation).
A yearly audit is not a control
Compliance snapshots prove posture on one day; attackers operate on the other 364. Without continuous evaluation, every misconfiguration between audits is invisible. Make the benchmark run all the time, and make its findings actionable — a passing audit with silent daily drift is a false sense of security.