
Quickstart: Secure your cloud assets with cloud security posture management

Serverless

In this quickstart guide, you'll learn how to get started with Elastic Security for Cloud Security so you can monitor, detect, and investigate anomalous activity within cloud environments.

  • Access to an Elastic Security Serverless project. If you don't have one yet, refer to Create a Security project to learn how to create one.
  • An admin account for the cloud service provider (CSP) you want to use.

The Cloud Security Posture Management (CSPM) integration helps you identify and remediate configuration risks that could undermine the confidentiality, integrity, and availability of your data in the cloud.

To add the CSPM integration:

  1. On the Get Started home page, in the Ingest your data section, select the Cloud tab.
  2. Select Cloud Security Posture Management (CSPM), then click Add Cloud Security Posture Management (CSPM). The integration configuration page displays.
  3. For this guide, we'll be using AWS with a single account. Select these options in the integration configuration section.
  4. Give the integration a name and enter an optional description.
  5. Next, choose your deployment option. An agent-based deployment requires you to deploy and manage Elastic Agent in the cloud account you want to monitor, whereas an agentless deployment allows you to collect cloud posture data without having to manage the Elastic Agent deployment in your cloud. For simplicity, select Agentless.
  6. Next, in the Setup Access section, choose your preferred authentication method: direct access keys (recommended) or temporary keys. For this guide, we'll use direct access keys. Direct access keys are long-lived credentials, so grant them only the read-only permissions the integration needs and rotate them on a schedule.
  7. Expand the Steps to Generate AWS Account Credentials, and follow the instructions.
  8. Once you've generated an access key ID and secret access key and pasted the credentials, click Save and continue to complete deployment. Your data should start to appear within a few minutes.
Cloud Security Posture management integration
Note

Consider also adding the Cloud Native Vulnerability Management (CNVM) integration, which identifies vulnerabilities in your cloud workloads.

The Cloud Posture dashboard summarizes how your cloud infrastructure measures up against security guidelines defined by the Center for Internet Security (CIS). It shows configuration risk metrics for all of your monitored cloud accounts and Kubernetes clusters and groups them by specific parameters. The checks the integration evaluates are called benchmark rules; the result of each check against a resource is a finding, and findings are listed on the Findings page.

The dashboard also shows your overall compliance score, and your compliance score for each CIS section. Use these scores to determine how securely configured your overall cloud environment is. To learn more, refer to our documentation.

Cloud Security Posture dashboard

To access the Cloud Security Posture dashboard, go to Dashboards > Cloud Security Posture.

After you install the CSPM integration, it evaluates the configuration of resources in your environment every 24 hours. It lists the results and whether a given resource passed or failed evaluation against a specific security guideline on the Findings page, which you can access from the navigation menu. By default, the Findings page lists all findings without any grouping or filtering. However, we recommend filtering the data for failed findings. You can also customize the table to control which columns appear.

To remediate a failed finding, click the arrow to the left of a failed finding to open the findings flyout, then follow the steps under Remediation.

Findings flyout
Tip

On the Cloud Security Posture dashboard, click one of the "View all failed findings" links to display a filtered view.

To monitor your configuration more closely, we recommend creating detection rules that watch for specific failed findings and generate an alert when one occurs.

You can create a detection rule directly from the Findings page:

  1. Click the arrow to the left of a finding to open the findings flyout.
  2. Click Take action, then Create a detection rule. This creates a detection rule that generates an alert whenever the associated benchmark rule produces a failed finding.
  3. To review or customize the new rule, click View rule. For example, you may want to set up a rule action—like an email or Slack notification—when alerts are generated. To learn more about rule actions, refer to Create a detection rule > Set up rule actions (optional).
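The following Python script is an added example, not code from Elastic or from this page. It shows, offline, what the two procedures above do with findings data: the failed-only filter and per-section compliance score that the Findings page and dashboard present, and the query rule that the "Take action > Create a detection rule" action produces for one benchmark rule. The field names (result.evaluation, rule.name, rule.section, rule.benchmark.id, rule.benchmark.rule_number, resource.id), the data stream name, the Kibana endpoint POST /api/detection_engine/rules, and the sample findings are all assumptions made for the example, so check them against your own Findings documents before using the rule body.

```python
"""Added example (not Elastic's code): filter CSPM findings as the Findings
page does, score each CIS section as the dashboard does, and build the
Detection Engine rule that "Take action > Create a detection rule" creates.
Assumed (not stated on the page): the dotted fields result.evaluation,
rule.name, rule.section, rule.benchmark.id, rule.benchmark.rule_number and
resource.id; the data stream name below; and the Kibana endpoint
POST /api/detection_engine/rules with an ApiKey Authorization header."""
import json
import urllib.request

FINDINGS_INDEX = "logs-cloud_security_posture.findings-*"  # assumed stream name

SAMPLE_FINDINGS = [  # constructed, shaped like CSPM documents; not real data
    {"result": {"evaluation": "failed"}, "resource": {"id": "arn:aws:iam::111122223333:root"},
     "rule": {"name": "Ensure MFA is enabled for the 'root' user account",
              "section": "Identity and Access Management",
              "benchmark": {"id": "cis_aws", "rule_number": "1.5"}}},
    {"result": {"evaluation": "passed"}, "resource": {"id": "arn:aws:iam::111122223333:root"},
     "rule": {"name": "Ensure no 'root' user account access key exists",
              "section": "Identity and Access Management",
              "benchmark": {"id": "cis_aws", "rule_number": "1.4"}}},
    {"result": {"evaluation": "failed"},
     "resource": {"id": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"},
     "rule": {"name": "Ensure CloudTrail is enabled in all regions", "section": "Logging",
              "benchmark": {"id": "cis_aws", "rule_number": "3.1"}}},
]

def get_path(doc, path):
    """Read a dotted field ('rule.benchmark.id') from a nested dict, or None."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def failed_findings(findings):
    """The filter the page recommends on the Findings page: failed results only."""
    return [f for f in findings if get_path(f, "result.evaluation") == "failed"]

def score_by_section(findings):
    """Compliance score per CIS section: percentage of checks that passed."""
    tallies = {}
    for f in findings:
        section = get_path(f, "rule.section")
        evaluation = get_path(f, "result.evaluation")
        passed, failed = tallies.get(section, (0, 0))
        if evaluation == "passed":
            passed += 1
        elif evaluation == "failed":
            failed += 1
        tallies[section] = (passed, failed)
    return {s: round(100.0 * p / (p + f), 1) for s, (p, f) in tallies.items() if p + f}

def kql_literal(value):
    """Quote a value for KQL, escaping backslashes and double quotes, so a
    benchmark id or rule number taken from a document cannot alter the query."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def kql_for_benchmark_rule(benchmark_id, rule_number):
    """KQL matching every failed finding for one benchmark rule."""
    return ("result.evaluation : " + kql_literal("failed")
            + " and rule.benchmark.id : " + kql_literal(benchmark_id)
            + " and rule.benchmark.rule_number : " + kql_literal(rule_number))

def build_detection_rule(finding):
    """Detection Engine 'query' rule body that alerts when this finding's
    benchmark rule fails again. Findings are re-evaluated every 24 hours, so
    the rule runs daily with a two-hour overlap rather than every few minutes."""
    benchmark_id = get_path(finding, "rule.benchmark.id")
    rule_number = get_path(finding, "rule.benchmark.rule_number")
    return {
        "type": "query",
        "language": "kuery",
        "name": f"CSPM failed finding: {benchmark_id} {rule_number}",
        "description": get_path(finding, "rule.name"),
        "index": [FINDINGS_INDEX],
        "query": kql_for_benchmark_rule(benchmark_id, rule_number),
        "severity": "medium",
        "risk_score": 47,
        "interval": "24h",
        "from": "now-26h",
        "enabled": True,
    }

def post_rule(kibana_url, api_key, rule):
    """Create the rule through the assumed Kibana API (network call; not exercised here)."""
    req = urllib.request.Request(
        kibana_url.rstrip("/") + "/api/detection_engine/rules",
        data=json.dumps(rule).encode("utf-8"),
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": "ApiKey " + api_key},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `score_by_section(SAMPLE_FINDINGS)` to see the per-section percentages the dashboard reports, and `build_detection_rule(SAMPLE_FINDINGS[0])` to see the rule body; `post_rule` sends that body to Kibana and is the only function that needs a live deployment. The rule interval follows the 24-hour evaluation cycle described above; a rule that ran every few minutes over the same findings would simply re-alert on unchanged data.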

Now that you've configured CSPM, check out these other Cloud Security resources: