Vulnerability Management · 🟡 Intermediate

Implementing Cloud Vulnerability Posture Management

Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite for multi-cloud vulnerability detection.

3 min read · 5 code examples

Prerequisites

  • AWS CLI configured with the SecurityAudit managed policy (read-only; enabling Security Hub or standards additionally needs `securityhub:EnableSecurityHub` / `securityhub:BatchEnableStandards`)
  • Azure CLI with the Security Reader role (Security Admin is needed to enable Defender plans)
  • Python 3.9+ with `boto3`, `azure-identity`, `azure-mgmt-security`
  • Prowler (https://github.com/prowler-cloud/prowler)
  • ScoutSuite (https://github.com/nccgroup/ScoutSuite)

Overview

Cloud Security Posture Management (CSPM) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks. Unlike traditional vulnerability scanning, CSPM focuses on cloud-native risks: IAM over-permissions, exposed storage buckets, unencrypted data, missing network controls, and service misconfigurations. This guide covers multi-cloud CSPM using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite.

AWS Security Hub

Enable Security Hub

# Enable AWS Security Hub with default standards
aws securityhub enable-security-hub \
  --enable-default-standards \
  --region us-east-1

# Enable specific standards
aws securityhub batch-enable-standards \
  --standards-subscription-requests \
    '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}' \
    '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"}'

# Get findings summary
aws securityhub get-findings \
  --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
  --max-items 10
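The `get-findings` filter above returns raw ASFF records; what a practitioner actually needs is the subset that still requires action (ACTIVE, FAILED, not suppressed or resolved), grouped by control. The following is an added example, not code from the original page: it triages a constructed list of ASFF-shaped findings offline, reports per-control pass/fail counts, and builds the same filter object programmatically so it can be handed to boto3. The six sample findings, account ID and resource ARNs are made up; field names (`RecordState`, `Workflow.Status`, `Compliance.Status`, `Compliance.SecurityControlId`, `Severity.Label`) follow the ASFF schema.

```python
"""Triage AWS Security Hub findings (ASFF) offline."""
import json
from collections import defaultdict

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}
OPEN_WORKFLOW = {"NEW", "NOTIFIED"}   # RESOLVED and SUPPRESSED need no action


def _asff(control, title, severity, status, workflow, record, resource):
    """Build a constructed ASFF finding (sample data, not from a real account)."""
    return {
        "AwsAccountId": "111122223333",
        "Title": title,
        "Severity": {"Label": severity},
        "Compliance": {"Status": status, "SecurityControlId": control},
        "Workflow": {"Status": workflow},
        "RecordState": record,
        "Resources": [{"Type": resource[0], "Id": resource[1]}],
    }


SAMPLE_FINDINGS = [
    _asff("S3.2", "S3 buckets should block public read access", "CRITICAL",
          "FAILED", "NEW", "ACTIVE", ("AwsS3Bucket", "arn:aws:s3:::example-public-assets")),
    _asff("S3.2", "S3 buckets should block public read access", "CRITICAL",
          "FAILED", "NOTIFIED", "ACTIVE", ("AwsS3Bucket", "arn:aws:s3:::example-logs-archive")),
    _asff("IAM.4", "IAM root user access key should not exist", "CRITICAL",
          "FAILED", "NEW", "ACTIVE", ("AwsAccount", "AWS::::Account:111122223333")),
    # Accepted risk: suppressed in Security Hub, so it must not appear in triage.
    _asff("EC2.19", "Security groups should not allow unrestricted access to high-risk ports",
          "HIGH", "FAILED", "SUPPRESSED", "ACTIVE", ("AwsEc2SecurityGroup", "sg-0123456789abcdef0")),
    # Passing control: Security Hub sets Workflow.Status to RESOLVED automatically.
    _asff("CloudTrail.1", "CloudTrail should be enabled with a multi-Region trail", "HIGH",
          "PASSED", "RESOLVED", "ACTIVE", ("AwsAccount", "AWS::::Account:111122223333")),
    # Resource was deleted: the record is ARCHIVED and must be ignored.
    _asff("S3.2", "S3 buckets should block public read access", "CRITICAL",
          "FAILED", "NEW", "ARCHIVED", ("AwsS3Bucket", "arn:aws:s3:::example-deleted")),
]


def _control_id(f):
    # Consolidated control findings carry SecurityControlId; fall back to GeneratorId.
    return f.get("Compliance", {}).get("SecurityControlId") or f.get("GeneratorId", "unknown")


def _workflow_open(f):
    return f.get("Workflow", {}).get("Status", "NEW") in OPEN_WORKFLOW


def is_actionable(f):
    """ACTIVE, FAILED, and nobody has suppressed or resolved it."""
    return (f.get("RecordState") == "ACTIVE"
            and f.get("Compliance", {}).get("Status") == "FAILED"
            and _workflow_open(f))


def triage(findings):
    """Group actionable findings by control; worst severity, then most resources, first."""
    grouped = defaultdict(lambda: {"severity": "INFORMATIONAL", "resources": []})
    for f in findings:
        if not is_actionable(f):
            continue
        entry = grouped[_control_id(f)]
        sev = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        if SEVERITY_RANK.get(sev, 5) < SEVERITY_RANK.get(entry["severity"], 5):
            entry["severity"] = sev
        entry["resources"].extend(r["Id"] for r in f.get("Resources", []))
    rows = [{"control": cid, **entry} for cid, entry in grouped.items()]
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 5),
                             -len(r["resources"]), r["control"]))
    return rows


def control_pass_rate(findings):
    """Per control: (passed, failed) over ACTIVE records; suppressed failures are excluded."""
    tally = defaultdict(lambda: [0, 0])
    for f in findings:
        if f.get("RecordState") != "ACTIVE":
            continue
        status = f.get("Compliance", {}).get("Status")
        if status == "PASSED":
            tally[_control_id(f)][0] += 1
        elif status == "FAILED" and _workflow_open(f):
            tally[_control_id(f)][1] += 1
    return {cid: tuple(v) for cid, v in tally.items()}


def build_filters(severities=("CRITICAL", "HIGH")):
    """Server-side get-findings filter that mirrors is_actionable()."""
    eq = lambda values: [{"Value": v, "Comparison": "EQUALS"} for v in values]
    return {
        "SeverityLabel": eq(severities),
        "RecordState": eq(["ACTIVE"]),
        "ComplianceStatus": eq(["FAILED"]),
        "WorkflowStatus": eq(sorted(OPEN_WORKFLOW)),
    }


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(f"{row['severity']:<9} {row['control']:<14} {len(row['resources'])} resource(s)")
    print(json.dumps(build_filters(), indent=2))
```

Against a live account, replace `SAMPLE_FINDINGS` with the concatenated `Findings` lists from `boto3.client("securityhub").get_paginator("get_findings").paginate(Filters=build_filters())`; pushing the workflow and compliance filters to the server keeps the result set small enough to page through.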

Security Hub Standards

Standard                                  | Description
------------------------------------------|----------------------------------
AWS Foundational Security Best Practices  | AWS-recommended baseline controls
CIS AWS Foundations Benchmark v1.4.0      | CIS hardening requirements
PCI DSS v3.2.1                            | Payment card industry controls
NIST SP 800-53 Rev. 5                     | Federal security controls

Azure Defender for Cloud

Enable Defender CSPM

# Enable the Defender CSPM plan ("standard" is the paid tier; "--tier free" reverts to foundational CSPM)
az security pricing create \
  --name CloudPosture \
  --tier standard

# Check secure score (the command group is plural: secure-scores)
az security secure-scores list \
  --query "[].{Name:displayName,Score:current,Max:max}" \
  --output table

# Get security recommendations
az security assessment list \
  --query "[?status.code=='Unhealthy'].{Name:displayName,Severity:metadata.severity,Resource:resourceDetails.id}" \
  --output table

# Get alerts
az security alert list \
  --query "[?status=='Active'].{Name:alertDisplayName,Severity:severity,Time:timeGeneratedUtc}" \
  --output table

Open-Source: Prowler

Installation and Execution

# Install Prowler
pip install prowler

# Run full AWS scan (output formats are space-separated)
prowler aws --output-formats json-ocsf csv html

# Run specific checks (list valid check IDs with: prowler aws --list-checks)
prowler aws --checks s3_bucket_public_access iam_root_mfa_enabled ec2_securitygroup_allow_ingress_from_internet_to_any_port

# Run against specific AWS profile and region
prowler aws --profile production --region us-east-1 --output-formats json-ocsf

# Run CIS Benchmark compliance check
prowler aws --compliance cis_1.5_aws

# Run PCI DSS compliance
prowler aws --compliance pci_3.2.1_aws

# Scan Azure environment (an auth method is required; --az-cli-auth reuses the az login session)
prowler azure --az-cli-auth --subscription-ids "sub-id-here"

# Scan GCP environment
prowler gcp --project-ids "project-id-here"

Prowler Check Categories

Category   | Examples
-----------|------------------------------------------------------
IAM        | Root MFA, password policy, access key rotation
S3         | Public access, encryption, versioning
EC2        | Security groups, EBS encryption, metadata service
RDS        | Public access, encryption, backup retention
CloudTrail | Enabled, encrypted, log validation
VPC        | Flow logs, default SG restrictions
Lambda     | Public access, runtime versions
EKS        | Public endpoint, secrets encryption

Open-Source: ScoutSuite

# Install ScoutSuite
pip install scoutsuite

# Run AWS assessment
scout aws --profile production

# Run Azure assessment
scout azure --cli

# Run GCP assessment (an auth method is required; --user-account uses gcloud application-default credentials)
scout gcp --user-account --project-id my-project

# Results are written to the scoutsuite-report/ directory as an interactive HTML report
# (one HTML file per assessment); open it in a browser

Multi-Cloud Aggregation

import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

def run_prowler_scan(provider, output_dir, compliance=None):
    """Run a Prowler scan for one provider and write JSON-OCSF output.

    Prowler exits with code 3 whenever any check FAILs; --ignore-exit-code-3
    makes a non-zero return mean the scan itself broke, not "findings exist".
    """
    cmd = ["prowler", provider, "--ignore-exit-code-3",
           "--output-formats", "json-ocsf",
           "--output-directory", output_dir]
    if compliance:
        cmd.extend(["--compliance", compliance])
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=3600)
    return result.returncode == 0

def load_ocsf_file(path):
    """Load one Prowler JSON-OCSF file.

    Prowler writes a single JSON array; one-object-per-line output is accepted too.
    """
    text = Path(path).read_text(encoding="utf-8").strip()
    if text.startswith("["):
        return json.loads(text)
    findings = []
    for line in text.splitlines():
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return findings

def aggregate_findings(prowler_dirs, failed_only=True):
    """Aggregate findings from multiple Prowler scans, most severe first."""
    all_findings = []
    for scan_dir in prowler_dirs:
        for jf in Path(scan_dir).glob("*.json"):
            for finding in load_ocsf_file(jf):
                # OCSF status_code is PASS / FAIL / MANUAL; PASS rows are noise for posture work
                if failed_only and finding.get("status_code") != "FAIL":
                    continue
                all_findings.append(finding)
    # OCSF severity is a capitalised label ("Critical", "High", ...), hence lower()
    severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
    all_findings.sort(key=lambda f: severity_order.get(
        str(f.get("severity", "informational")).lower(), 5
    ))
    return all_findings

def generate_posture_report(findings, output_path):
    """Generate cloud security posture report (counts by severity, provider, service)."""
    report = {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "total_findings": len(findings),
        "by_severity": {},
        "by_provider": {},
        "by_service": {},
    }
    for f in findings:
        sev = str(f.get("severity", "unknown")).lower()
        # Provider and service are nested OCSF objects, not top-level keys
        provider = f.get("cloud", {}).get("provider", "unknown")
        resources = f.get("resources") or [{}]
        service = resources[0].get("group", {}).get("name", "unknown")
        report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
        report["by_provider"][provider] = report["by_provider"].get(provider, 0) + 1
        report["by_service"][service] = report["by_service"].get(service, 0) + 1

    with open(output_path, "w") as out:
        json.dump(report, out, indent=2)
    return report
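Counting findings per provider answers "how bad is it"; the question a posture programme has to answer every run is "what changed since last time". The following is an added example (not code from the page or from Prowler): it normalises Prowler JSON-OCSF records from AWS, Azure and GCP into one key per (provider, account, check, resource), diffs a baseline scan against the current one into new, resolved and persisting failures, and exposes a CI gate that fails on new findings at or above a chosen severity. The two scans are constructed inline; the OCSF field paths (`status_code`, `severity`, `cloud.provider`, `cloud.account.uid`, `metadata.event_code`, `resources[].uid`, `resources[].group.name`) are assumed to match Prowler v4 output, and the check IDs, account IDs and resource paths are illustrative rather than real scan data.

```python
"""Normalise Prowler JSON-OCSF output from several providers and diff two scans."""
import json
from pathlib import Path

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
AZ_STORE = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-example"
            "/providers/Microsoft.Storage/storageAccounts/examplestore")


def _ocsf(provider, account, check, service, resource, severity, status):
    """Constructed record in the Prowler v4 OCSF Detection Finding shape (sample data)."""
    return {
        "metadata": {"event_code": check, "product": {"name": "Prowler"}},
        "severity": severity,
        "status_code": status,
        "cloud": {"provider": provider, "account": {"uid": account}},
        "resources": [{"uid": resource, "group": {"name": service}}],
    }


# Two scans of the same estate (constructed). Check IDs are illustrative only.
BASELINE = [
    _ocsf("aws", "111122223333", "s3_bucket_public_access", "s3",
          "arn:aws:s3:::example-public-assets", "High", "FAIL"),
    _ocsf("aws", "111122223333", "iam_root_mfa_enabled", "iam",
          "arn:aws:iam::111122223333:root", "Critical", "FAIL"),
    _ocsf("azure", "00000000-0000-0000-0000-000000000001",
          "storage_ensure_minimum_tls_version_12", "storage", AZ_STORE, "Medium", "FAIL"),
    _ocsf("gcp", "example-project", "compute_instance_public_ip", "compute",
          "projects/example-project/zones/us-central1-a/instances/web-1", "High", "PASS"),
]
CURRENT = [
    _ocsf("aws", "111122223333", "s3_bucket_public_access", "s3",
          "arn:aws:s3:::example-public-assets", "High", "PASS"),        # remediated
    _ocsf("aws", "111122223333", "iam_root_mfa_enabled", "iam",
          "arn:aws:iam::111122223333:root", "Critical", "FAIL"),        # still open
    _ocsf("azure", "00000000-0000-0000-0000-000000000001",
          "storage_ensure_minimum_tls_version_12", "storage", AZ_STORE, "Medium", "FAIL"),
    _ocsf("gcp", "example-project", "compute_instance_public_ip", "compute",
          "projects/example-project/zones/us-central1-a/instances/web-1", "High", "FAIL"),  # regression
]
# Prowler writes a JSON array; the JSONL variant shows the parser accepts both shapes.
BASELINE_TEXT = json.dumps(BASELINE)
CURRENT_TEXT = "\n".join(json.dumps(f) for f in CURRENT)


def parse_ocsf(text):
    """Parse a JSON array or one-object-per-line text into a list of findings."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def load_ocsf(path):
    return parse_ocsf(Path(path).read_text(encoding="utf-8"))


def normalize(f):
    """Flatten the nested OCSF objects into the handful of fields posture tracking needs."""
    res = (f.get("resources") or [{}])[0]
    cloud = f.get("cloud", {})
    return {
        "provider": cloud.get("provider", "unknown"),
        "account": cloud.get("account", {}).get("uid", "unknown"),
        "check": f.get("metadata", {}).get("event_code", "unknown"),
        "service": res.get("group", {}).get("name", "unknown"),
        "resource": res.get("uid", "unknown"),
        "severity": str(f.get("severity", "informational")).lower(),
        "status": f.get("status_code", "UNKNOWN"),
    }


def failing(findings):
    """Map a stable key (provider:account:check:resource) to each FAIL record."""
    out = {}
    for f in findings:
        n = normalize(f)
        if n["status"] == "FAIL":
            out[f"{n['provider']}:{n['account']}:{n['check']}:{n['resource']}"] = n
    return out


def drift(baseline, current):
    """Split current failures into new / resolved / persisting, most severe first."""
    before, after = failing(baseline), failing(current)
    order = lambda r: (SEVERITY_RANK.get(r["severity"], 5), r["key"])
    rows = lambda table, keys: sorted([{"key": k, **table[k]} for k in keys], key=order)
    return {
        "new": rows(after, after.keys() - before.keys()),
        "resolved": rows(before, before.keys() - after.keys()),
        "persisting": rows(after, after.keys() & before.keys()),
    }


def gate(report, block_at="high"):
    """CI gate: False when any *new* failure is at or above block_at severity."""
    limit = SEVERITY_RANK[block_at]
    return not any(SEVERITY_RANK.get(r["severity"], 5) <= limit for r in report["new"])


if __name__ == "__main__":
    report = drift(parse_ocsf(BASELINE_TEXT), parse_ocsf(CURRENT_TEXT))
    for bucket in ("new", "resolved", "persisting"):
        print(bucket, [(r["severity"], r["key"]) for r in report[bucket]])
    print("gate(high) passes:", gate(report, "high"))
```

Keying on resource identity rather than on the finding UID is deliberate: Prowler regenerates UIDs per run, so a UID-based diff would report everything as new. Persisting findings are ranked by severity so the same IAM root finding does not sink under a pile of low-severity noise, and the gate only looks at new failures so a long-standing accepted risk does not block every pipeline run.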

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied (read-only roles for scanning; admin rights used only where a plan or standard was enabled)
  • [ ] Security Hub standards and Defender plans report as enabled, and the Prowler and ScoutSuite runs completed without errors
  • [ ] Output is in the expected format (ASFF, JSON-OCSF, HTML) and covers every in-scope account, subscription and project
  • [ ] Every critical and high finding is triaged: remediated, or suppressed with an owner, justification and expiry date
  • [ ] Results are documented and evidence (scan output, posture report, suppression records) is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC7.1 (Monitoring), CC8.1 (Change Management)
  • ISO 27001: A.12.6 (Technical Vulnerability Management)
  • NIST 800-53: RA-5 (Vulnerability Scanning), SI-2 (Flaw Remediation), CM-6 (Configuration Settings)
  • NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add implementing-cloud-vulnerability-posture-management

# Or load dynamically via MCP
grc.load_skill("implementing-cloud-vulnerability-posture-management")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

References

  • AWS Security Hub
  • Azure Defender for Cloud
  • Prowler
  • ScoutSuite
  • CIS Benchmarks

Tags

cspm · cloud-security · aws-security-hub · azure-defender · prowler · scoutsuite · misconfiguration · cnapp
