---
name: cloud-security-posture-management
description: Manage cloud security posture with CSPM tools, misconfiguration detection, compliance monitoring, identity governance, encryption verification, network security assessment, and automated remediation. Use when assessing cloud security posture, detecting cloud misconfigurations, monitoring cloud compliance, managing cloud identity risks, verifying encryption, assessing network security, or automating cloud security remediation. Triggers on phrases like "CSPM", "cloud security posture", "cloud misconfiguration", "cloud compliance", "cloud identity risk", "encryption verification", "cloud network security", "cloud security assessment", "cloud security remediation", "CIS benchmarks cloud", "cloud security score", "cloud risk assessment", "public exposure", "cloud security dashboard".
---

# Cloud Security Posture Management

Continuously monitor, assess, and remediate security posture across multi-cloud environments.

## Workflow

1. Discover all cloud resources: automated inventory across AWS, Azure, GCP, and on-premises.
2. Establish security baselines: CIS benchmarks, organizational policies, compliance frameworks (SOC 2, ISO 27001, HIPAA, PCI DSS).
3. Scan for misconfigurations: public S3 buckets, open security groups, unencrypted databases, overly permissive IAM, exposed management ports.
4. Assess identity risks: unused credentials, overly permissive roles, missing MFA, shared accounts, stale service accounts.
5. Verify encryption: data at rest, data in transit, key management, certificate validity, weak cipher suites.
6. Evaluate network security: VPC/VNet configuration, NACLs, security groups, internet gateways, peering, DNS security.
7. Monitor compliance: continuous checks against regulatory frameworks, evidence collection, audit preparation.
8. Remediate automatically: policy enforcement, auto-remediation playbooks, drift detection, change notification.

## Cloud Security Architecture

### Multi-Cloud Security Posture Architecture

```
CLOUD SECURITY POSTURE — MULTI-CLOUD ARCHITECTURE
===================================================

CSPM Platform: Wiz (primary) + Prisma Cloud by Palo Alto (secondary) + Custom AWS Security Hub + Azure Security Center
Cloud Environments: AWS (3 accounts), Azure (2 subscriptions), GCP (1 project), OCI (1 compartment)
Resources Monitored: 2,847 total resources across all clouds
Scan Frequency: Continuous (event-driven) + Full scan every 6 hours
Data Retention: 90 days (findings), 1 year (compliance evidence)

RESOURCE INVENTORY:
  ┌──────────────────────────┬──────────────┬──────────────┬──────────────┬────────────────────┐
  │ Resource Type            │ AWS          │ Azure        │ GCP          │ Total              │
  ├──────────────────────────┼──────────────┼──────────────┼──────────────┼────────────────────┤
  │ Compute (EC2/VM/Instance)│ 142          │ 68           │ 34           │ 244                │
  │ Containers (EKS/AKS/GKE) │ 24 pods      │ 18 pods      │ 12 pods      │ 54 pods            │
  │ Storage (S3/Blob/Storage)│ 86 buckets   │ 42 containers│ 28 buckets   │ 156                │
  │ Databases                │ 34           │ 16           │ 12           │ 62                 │
  │ Load Balancers           │ 28           │ 14           │ 8            │ 50                 │
  │ IAM Users/Roles          │ 156          │ 72           │ 48           │ 276                │
  │ Network (VPC/VNet)       │ 18           │ 8            │ 6            │ 32                 │
  │ Serverless (Lambda/Fn)   │ 89           │ 34           │ 22           │ 145                │
  │ KMS/Key Vault            │ 24           │ 12           │ 8            │ 44                 │
  │ CDN (CloudFront/CDN)     │ 8            │ 4            │ 2            │ 14                 │
  │ Other managed services   │ 124          │ 56           │ 38           │ 218                │
  └──────────────────────────┴──────────────┴──────────────┴──────────────┴────────────────────┘
  Total resources: 2,847 | New resources last 30 days: 128 | Decommissioned: 42

SECURITY POSTURE SCORE (Real-Time):
  Overall Score: 78/100 (IMPROVING — was 72 last month)

  By Cloud:
    AWS: 82/100 ✓ GOOD — strong IAM, good encryption, some network gaps
    Azure: 74/100 ⚠ FAIR — identity improvements needed, compliance gaps
    GCP: 71/100 ⚠ FAIR — newer environment, security baseline still maturing
    OCI: 85/100 ✓ GOOD — minimal footprint, well-configured

  By Category:
    Identity & Access: 76/100 ⚠  — 12 findings (3 critical, 5 high, 4 medium)
    Network Security: 82/100 ✓   — 8 findings (0 critical, 2 high, 6 medium)
    Data Protection:  88/100 ✓   — 5 findings (0 critical, 1 high, 4 medium)
    Compute Security: 74/100 ⚠   — 14 findings (2 critical, 6 high, 6 medium)
    Compliance:       71/100 ⚠   — 18 findings (1 critical, 4 high, 13 medium)
    Monitoring:       84/100 ✓   — 6 findings (0 critical, 1 high, 5 medium)

SECURITY FINDINGS DISTRIBUTION (Last 30 Days):
  ┌──────────────────────────┬────────────┬────────────┬────────────┬────────────┐
  │ Severity                 │ Critical   │ High       │ Medium     │ Low        │
  ├──────────────────────────┼────────────┼────────────┼────────────┼────────────┤
  │ Open (active)            │ 6          │ 18         │ 34         │ 42         │
  │ Acknowledged (reviewed)  │ 0          │ 4          │ 12         │ 8          │
  │ In Progress (remediating)│ 2          │ 6          │ 18         │ 24         │
  │ Remediated (resolved)    │ 14         │ 32         │ 56         │ 68         │
  │ Accepted (risk accepted) │ 0          │ 2          │ 6          │ 12         │
  │ Suppressed (false +)     │ 0          │ 0          │ 4          │ 8          │
  └──────────────────────────┴────────────┴────────────┴────────────┴────────────┘
  Total findings: 342 (last 30 days)
  Mean time to remediate: Critical: 4.2h, High: 18.5h, Medium: 48h, Low: 120h

CLOUD SECURITY POLICIES:
  Active policies: 156 (across all clouds)
    CIS Benchmarks: 68 policies (CIS AWS 1.5, CIS Azure 1.4, CIS GCP 2.0)
    Organizational policies: 42 policies (custom security standards)
    Compliance policies: 34 policies (SOC 2, ISO 27001, HIPAA, PCI DSS)
    Cost protection policies: 8 policies (prevent runaway costs — security adjacent)
    Custom detection rules: 4 policies (business-specific security requirements)

  Policy enforcement modes:
    Advisory (alert only): 28 policies (new policies, testing phase)
    Enforced (auto-remediate): 98 policies (mature, validated)
    Block on creation: 30 policies (prevent misconfiguration at source)
```

### Identity & Access Risk Assessment

```
CLOUD IDENTITY & ACCESS — RISK ASSESSMENT
============================================

Identity Management Platform: AWS IAM + Azure AD + GCP IAM + Okta (SSO federation)
Total cloud identities: 384 (across all clouds)
  Human users: 156 (developers, ops, security, management)
  Service accounts: 128 (applications, CI/CD, automation, monitoring)
  Role mappings: 100 (cross-cloud, cross-account roles)
  Federated identities: 44 (SSO via Okta, temporary access)

IDENTITY RISK FINDINGS:
  ┌───────────────────────────────────────┬──────────┬──────────────────────────┬────────────────────┐
  │ Risk Type                             │ Count    │ Affected Resources       │ Risk Level         │
  ├───────────────────────────────────────┼──────────┼──────────────────────────┼────────────────────┤
  │ Unused credentials (> 90 days)        │ 28       │ 22 human, 6 service accts│ HIGH               │
  │ Missing MFA                           │ 8        │ 6 human, 2 service accts │ CRITICAL           │
  │ Overly permissive IAM policies        │ 18       │ 14 roles, 4 users        │ HIGH               │
  │ Root account usage (last 30 days)     │ 2        │ 2 AWS root accounts      │ CRITICAL           │
  │ Shared access keys                    │ 5        │ 5 service accounts       │ HIGH               │
  │ Expired but still active roles        │ 12       │ 12 cross-account roles   │ MEDIUM             │
  │ Public-facing admin consoles          │ 3        │ 3 Azure mgmt endpoints   │ CRITICAL           │
  │ Service accounts with admin access    │ 6        │ 6 service accounts       │ HIGH               │
  │ Long-lived access tokens (> 30 days)  │ 14       │ 14 service accounts      │ MEDIUM             │
  │ Cross-account access without logging  │ 4        │ 4 role mappings          │ HIGH               │
  └───────────────────────────────────────┴──────────┴──────────────────────────┴────────────────────┘

IAM BEST PRACTICE COMPLIANCE:
  ┌───────────────────────────────────────┬──────────┬──────────┬──────────────────┐
  │ Practice                              │ AWS      │ Azure    │ GCP              │
  ├───────────────────────────────────────┼──────────┼──────────┼──────────────────┤
  │ MFA enforced on all human users       │ 96%      │ 92%      │ 100%             │
  │ No root account usage (30 days)       │ 78%      │ 88%      │ 95%              │
  │ Password rotation (< 90 days)         │ 85%      │ 90%      │ 92%              │
  │ Least privilege (no wildcard *)       │ 72%      │ 68%      │ 78%              │
  │ Access keys rotated (< 90 days)       │ 65%      │ 72%      │ 80%              │
  │ Unused credentials removed            │ 58%      │ 62%      │ 70%              │
  │ Service accounts use roles (not keys) │ 68%      │ 58%      │ 75%              │
  │ Audit logging enabled                 │ 100%     │ 96%      │ 100%             │
  │ Cross-account uses roles (not keys)   │ 82%      │ 78%      │ 88%              │
  │ Permission boundaries in place        │ 45%      │ 32%      │ 50%              │
  └───────────────────────────────────────┴──────────┴──────────┴──────────────────┘

PRIVILEGED ACCESS MANAGEMENT:
  Admin accounts: 24 (5 human, 12 service, 7 emergency/break-glass)
  Break-glass accounts: 3 (per cloud, sealed in Vault, require dual approval to unlock)
  Just-in-Time access: 18 accounts (approvals via SSO, time-limited: 2-4 hours)
  Emergency access: 2 accounts per cloud (used 0 times in last 90 days)
  
  Admin access audit (last 30 days):
    Total admin sessions: 142
    Approved JIT sessions: 98 (69%) — standard admin tasks
    Emergency sessions: 0 (no emergencies)
    Suspicious sessions: 2 (flagged for review — off-hours access, resolved as planned maintenance)
    Session recording: 100% (all admin sessions recorded for audit)

ACCESS REVIEW SCHEDULE:
  Quarterly access review: All identities (Q1: Jan 15, Q2: Apr 15, Q3: Jul 15, Q4: Oct 15)
  Monthly service account review: All non-human identities
  Weekly privileged access review: Admin and break-glass accounts
  On-demand review: Triggered by role change, termination, security incident
  
  Last review (Q4 2024):
    Total identities reviewed: 384
    Access confirmed: 342 (89.1%)
    Access revoked: 38 (9.9%) — employees left company, role changes, unused accounts
    Access escalated: 4 (1.0%) — disputed, resolved by manager
    Access pending: 0 (all completed within 14-day window)
```
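The identity risk checks in the tables above (unused credentials > 90 days, missing MFA, access keys not rotated in 90 days, root account usage in 30 days), as an added example that is not part of the original page: it parses an AWS IAM credential report using the report's real column names, but the rows, the principals and the fixed clock `NOW` are constructed.

```python
"""Identity risk checks over an AWS IAM credential report.

Parses the CSV that `aws iam get-credential-report` returns (a subset of its
real columns is used here) and applies the thresholds from the tables above:
unused credentials (> 90 days), missing MFA, access keys not rotated in 90
days, and root account usage in the last 30 days.
The report rows and the clock below are constructed sample data.
"""
import csv
import io
from datetime import datetime, timezone

NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock, reproducible results
UNUSED_DAYS = 90       # "Unused credentials (> 90 days)"
ROTATION_DAYS = 90     # "Access keys rotated (< 90 days)"
ROOT_USAGE_DAYS = 30   # "Root account usage (last 30 days)"

# Constructed report: real column names, four made-up principals.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2022-01-10T09:00:00+00:00,not_supported,2025-02-20T03:12:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-05-01T08:00:00+00:00,true,2025-02-28T10:00:00+00:00,2025-01-15T10:00:00+00:00,true,true,2025-01-15T10:00:00+00:00,2025-02-28T11:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-06-01T08:00:00+00:00,true,2024-10-01T10:00:00+00:00,2024-06-01T10:00:00+00:00,false,true,2024-03-01T10:00:00+00:00,2024-11-20T09:00:00+00:00,false,N/A,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2024-01-01T08:00:00+00:00,false,no_information,N/A,false,true,2024-10-15T10:00:00+00:00,2025-02-28T23:00:00+00:00,true,2024-04-01T10:00:00+00:00,N/A
"""


def _age_days(value):
    """Days since an ISO 8601 timestamp; the report's N/A / no_information /
    not_supported markers carry no date and yield None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return (NOW - datetime.fromisoformat(value)).days


def assess_identity(row):
    """Return (severity, detail) findings for one credential report row."""
    findings = []
    user = row["user"]
    if user == "<root_account>":
        # Root is for account setup only; any recent use is a critical finding.
        used = _age_days(row["password_last_used"])
        if used is not None and used <= ROOT_USAGE_DAYS:
            findings.append(("CRITICAL", f"root account used {used} days ago"))
        if row["mfa_active"] != "true":
            findings.append(("CRITICAL", "root account without MFA"))
        return findings
    if row["password_enabled"] == "true":
        # Console users must have MFA (table row "Missing MFA").
        if row["mfa_active"] != "true":
            findings.append(("CRITICAL", f"{user}: console password without MFA"))
        used = _age_days(row["password_last_used"])
        created = _age_days(row["user_creation_time"])
        # A password never used counts as unused once the user is older than the threshold.
        never_used = used is None and created is not None and created > UNUSED_DAYS
        if never_used or (used is not None and used > UNUSED_DAYS):
            findings.append(("HIGH", f"{user}: console password unused > {UNUSED_DAYS} days"))
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] != "true":
            continue
        rotated = _age_days(row[f"access_key_{n}_last_rotated"])
        used = _age_days(row[f"access_key_{n}_last_used_date"])
        if rotated is not None and rotated > ROTATION_DAYS:
            findings.append(("MEDIUM", f"{user}: access key {n} not rotated for {rotated} days"))
        # A key never used since it was created/rotated counts as unused after the threshold.
        never_used = used is None and rotated is not None and rotated > UNUSED_DAYS
        if never_used or (used is not None and used > UNUSED_DAYS):
            findings.append(("HIGH", f"{user}: access key {n} unused > {UNUSED_DAYS} days"))
    return findings


def assess_report(report_csv):
    """Map each principal in the report to its list of findings."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return {row["user"]: assess_identity(row) for row in rows}
```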

## Misconfiguration Detection

### Cloud Misconfiguration Analysis

```
CLOUD MISCONFIGURATION — ACTIVE FINDINGS
==========================================

Misconfiguration Scan Results (Last 24 Hours):
  Total resources scanned: 2,847
  Resources with misconfigurations: 186 (6.5%)
  Auto-remediated: 42 (22.6% of findings)
  Requires manual remediation: 144 (77.4% of findings)

TOP MISCONFIGURATIONS BY CATEGORY:
  ┌───────────────────────────────────────┬──────────┬──────────────────────────────┬────────────┐
  │ Misconfiguration                      │ Count    │ Cloud                        │ Risk Level │
  ├───────────────────────────────────────┼──────────┼──────────────────────────────┼────────────┤
  │ S3 bucket publicly accessible         │ 4        │ AWS                          │ CRITICAL   │
  │ Security group allows 0.0.0.0/0 SSH   │ 3        │ AWS (2), GCP (1)             │ CRITICAL   │
  │ Unencrypted EBS volumes               │ 12       │ AWS                          │ HIGH       │
  │ Unencrypted Azure Blob containers     │ 6        │ Azure                        │ HIGH       │
  │ Database publicly accessible          │ 2        │ AWS (1), Azure (1)           │ CRITICAL   │
  │ CloudTrail logging disabled           │ 1        │ AWS                          │ HIGH       │
  │ Missing VPC flow logs                 │ 8        │ AWS (5), GCP (3)             │ MEDIUM     │
  │ No encryption on managed disks        │ 10       │ Azure                        │ HIGH       │
  │ Overly permissive IAM role            │ 14       │ AWS (8), GCP (6)             │ HIGH       │
  │ Missing WAF on ALB/NLB                │ 6        │ AWS                          │ MEDIUM     │
  │ Public load balancer without WAF      │ 3        │ AWS (2), Azure (1)           │ HIGH       │
  │ Unencrypted RDS snapshots             │ 8        │ AWS                          │ MEDIUM     │
  │ Missing backup policy on RDS          │ 5        │ AWS                          │ MEDIUM     │
  │ EC2 without detailed monitoring       │ 18       │ AWS                          │ LOW        │
  │ Azure Key Vault soft delete disabled  │ 2        │ Azure                        │ HIGH       │
  │ GCP bucket uniform ACL not enforced   │ 4        │ GCP                          │ MEDIUM     │
  │ Missing resource tagging policy       │ 24       │ AWS (12), Azure (8), GCP (4) │ LOW        │
  │ EC2 instances without IMDSv2 enforced │ 14       │ AWS                          │ MEDIUM     │
  │ Azure VM diagnostic settings missing  │ 8        │ Azure                        │ LOW        │
  │ GCP project lacks VPC Service Controls│ 1        │ GCP                          │ HIGH       │
  └───────────────────────────────────────┴──────────┴──────────────────────────────┴────────────┘

PUBLIC EXPOSURE ASSESSMENT:
  Publicly accessible resources: 23 (0.8% of total — target: < 1%)
    CRITICAL (immediate remediation required):
      1. S3 bucket "company-analytics-data" — publicly readable (contains CSV exports)
         Impact: 2.4 GB of analytical data (anonymized, no PII) — LOW data risk
         Action: Auto-remediated (block all public access, restrict to VPC endpoint)
         
      2. RDS instance "orders-db-prod" — security group allows 0.0.0.0/0 on port 5432
         Impact: Production database exposed (2.4M records, includes PII)
         Action: CRITICAL — security group updated (restrict to app subnet only)
         Verification: nmap scan confirms port 5432 no longer reachable from internet
         
      3. Azure Blob container "app-uploads" — anonymous read access enabled
         Impact: User-uploaded files accessible without authentication
         Action: Auto-remediated (disable anonymous access, require SAS tokens)
    
    HIGH (remediation within 24 hours):
      4-8. Five security groups allowing 0.0.0.0/0 on port 22 (SSH)
         Impact: SSH brute force exposure (mitigated by key-only auth, no password login)
         Action: Restrict to VPN IP ranges + bastion host access only
         
      9-14. Six EC2 instances without IMDSv2 enforced
         Impact: Potential metadata API abuse (role assumption via SSRF)
         Action: Enable IMDSv2 required on all instances (via SSM document)

ENCRYPTION COMPLIANCE:
  Data at rest encryption:
    EBS volumes: 94% encrypted (8 unencrypted — 6 development, 2 legacy)
    RDS instances: 100% encrypted ✓
    S3 buckets: 96% encrypted (3 buckets — 2 dev, 1 legacy logs)
    Azure managed disks: 88% encrypted (10 unencrypted — 8 dev, 2 staging)
    Azure Blob containers: 92% encrypted (6 unencrypted — 5 dev, 1 temp)
    GCP persistent disks: 95% encrypted (2 unencrypted — dev environment)
    GCP Cloud Storage: 100% encrypted ✓
  
  Data in transit encryption:
    TLS enforced on load balancers: 100% ✓
    Database connections require TLS: 92% (5 databases — legacy, migration in progress)
    API endpoints require HTTPS: 100% ✓
    Internal service-to-service: 78% mTLS (22% still using standard TLS — service mesh rollout pending)
  
  Key Management:
    KMS keys: 44 total (24 AWS, 12 Azure, 8 GCP)
    Customer-managed keys: 28 (64%) — rotated every 90 days
    AWS-managed keys: 16 (36%) — automatic rotation
    Key usage: 38 actively used, 6 unused (scheduled for deletion)
    Key policy compliance: 100% (all keys restrict access to authorized principals only)

AUTO-REMEDIATION PLAYBOOKS:
  ┌───────────────────────────────────────┬──────────────────────┬──────────────────────────────┐
  │ Misconfiguration                      │ Remediation Action   │ Success Rate                 │
  ├───────────────────────────────────────┼──────────────────────┼──────────────────────────────┤
  │ Public S3 bucket                      │ Block public access  │ 98% (2 exceptions — false +) │
  │ Security group 0.0.0.0/0 SSH          │ Restrict to VPN CIDR │ 95% (3 manual reviews)       │
  │ Unencrypted EBS                       │ Snapshot + encrypt   │ 92% (development instances)  │
  │ CloudTrail disabled                   │ Enable CloudTrail    │ 100%                         │
  │ Missing VPC flow logs                 │ Create flow log      │ 96% (4 VPCs — permission fix)│
  │ EC2 without IMDSv2                    │ Enforce IMDSv2       │ 94% (legacy app exceptions)  │
  │ Missing resource tags                 │ Apply default tags   │ 100%                         │
  │ Public database                       │ Restrict SG          │ 90% (requires app update)    │
  └───────────────────────────────────────┴──────────────────────┴──────────────────────────────┘
  Total auto-remediation attempts: 186 (last 30 days)
  Successful: 158 (84.9%)
  Failed: 14 (7.5%) — permission issues, resource locked, manual review required
  Suppressed: 14 (7.5%) — false positives, accepted risk, documented exception
```
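The "Security group allows 0.0.0.0/0" findings and the "Restrict to VPN CIDR" playbook above, as an added example that is not code from the page or from any CSPM product: it evaluates data shaped like the EC2 `describe_security_groups` response and emits a dry-run remediation plan (the boto3 call arguments) for human approval, so nothing is changed until someone accepts the plan. `VPN_CIDR`, the `SENSITIVE_PORTS` table and the sample groups are constructed.

```python
"""Public-exposure check for EC2 security groups, with a dry-run remediation plan.

Evaluates data shaped like the `IpPermissions` that EC2 `describe_security_groups`
returns and produces the fix the playbook table describes: revoke the world-open
rule, authorize the same ports from the VPN range. Nothing is executed; the returned
call list is what a human approves before it is applied (human-in-the-loop).
"""
import ipaddress

VPN_CIDR = "10.20.0.0/16"  # assumed replacement source for admin/database access

# Ports that must never be reachable from 0.0.0.0/0 or ::/0 (constructed list).
SENSITIVE_PORTS = {
    22: ("SSH", "CRITICAL"), 3389: ("RDP", "CRITICAL"), 1433: ("MSSQL", "CRITICAL"),
    3306: ("MySQL", "CRITICAL"), 5432: ("PostgreSQL", "CRITICAL"),
    6379: ("Redis", "HIGH"), 27017: ("MongoDB", "HIGH"),
}

# Constructed input shaped like describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "orders-db-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.1.0/24"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "public-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "legacy-all-traffic", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0 (any prefix of length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_services(perm):
    """Sensitive ports an ingress permission covers; protocol -1 means all ports."""
    if perm["IpProtocol"] == "-1":
        return sorted(SENSITIVE_PORTS)
    if perm["IpProtocol"] not in ("tcp", "6"):
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]


def revoke_permission(perm, open_cidrs):
    """IpPermissions entry for revoke_security_group_ingress: same ports, only the open CIDRs."""
    entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
    v4 = [{"CidrIp": c} for c in open_cidrs if ":" not in c]
    v6 = [{"CidrIpv6": c} for c in open_cidrs if ":" in c]
    if v4:
        entry["IpRanges"] = v4
    if v6:
        entry["Ipv6Ranges"] = v6
    return entry


def replacement_permission(perm):
    """Same ports, sourced from the VPN range instead of the internet."""
    entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
    entry["IpRanges"] = [{"CidrIp": VPN_CIDR}]
    return entry


def evaluate_group(group):
    """Findings for one security group: each world-open rule on a sensitive port, with its fix."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_cidrs = [c for c in cidrs if is_world_open(c)]
        ports = exposed_services(perm)
        if not open_cidrs or not ports:
            continue  # e.g. 443 open to the world on a load balancer is expected, not a finding
        findings.append({
            "GroupId": group["GroupId"],
            "Severity": "CRITICAL" if any(SENSITIVE_PORTS[p][1] == "CRITICAL" for p in ports) else "HIGH",
            "Services": [SENSITIVE_PORTS[p][0] for p in ports],
            "OpenCidrs": open_cidrs,
            "Revoke": revoke_permission(perm, open_cidrs),
            "Authorize": replacement_permission(perm),
        })
    return findings


def remediation_plan(groups):
    """Dry run: the boto3 EC2 calls (name, kwargs) a remediation would issue, in order."""
    calls = []
    for group in groups:
        for f in evaluate_group(group):
            calls.append(("revoke_security_group_ingress",
                          {"GroupId": f["GroupId"], "IpPermissions": [f["Revoke"]]}))
            calls.append(("authorize_security_group_ingress",
                          {"GroupId": f["GroupId"], "IpPermissions": [f["Authorize"]]}))
    return calls
```

The revoke entry keeps the allowed `10.0.1.0/24` source untouched, which is what prevents the "auto-remediation breaks production" case of ripping out a rule the application still needs.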

## Compliance Monitoring

### Continuous Compliance Framework

```
COMPLIANCE MONITORING — MULTI-FRAMEWORK
=========================================

Compliance Frameworks Monitored: SOC 2 Type II, ISO 27001, HIPAA, PCI DSS v4.0, GDPR
Compliance Engine: CSPM platform (Wiz) + AWS Security Hub + Azure Policy + Custom compliance checks
Scan Frequency: Continuous (event-driven checks on resource changes) + Full compliance scan daily
Evidence Collection: Automated (screenshots, configuration snapshots, log samples)

COMPLIANCE SCORECARD:
  ┌────────────────────────┬────────────┬────────────┬────────────┬──────────────────────┐
  │ Framework              │ Controls   │ Passing    │ Failing    │ Compliance Score     │
  ├────────────────────────┼────────────┼────────────┼────────────┼──────────────────────┤
  │ SOC 2 Type II          │ 128        │ 122        │ 6          │ 95.3% ✓              │
  │ ISO 27001              │ 93         │ 88         │ 5          │ 94.6% ✓              │
  │ HIPAA                  │ 54         │ 50         │ 4          │ 92.6% ⚠              │
  │ PCI DSS v4.0           │ 78         │ 72         │ 6          │ 92.3% ⚠              │
  │ GDPR                   │ 36         │ 34         │ 2          │ 94.4% ✓              │
  └────────────────────────┴────────────┴────────────┴────────────┴──────────────────────┘
  Overall compliance: 93.8% (target: > 95% for SOC 2, ISO 27001; > 90% for others)

COMPLIANCE GAPS (requiring remediation):
  SOC 2 (6 failing controls):
    CC6.1 — Logical access security: 2 service accounts with admin access (should be JIT)
    CC6.3 — Role-based access: 4 roles with overly broad permissions
    CC7.2 — Security monitoring: Missing WAF on 3 load balancers
    CC7.4 — Incident response: No documented runbook for cloud-specific incidents
    CC8.1 — Change management: 2 unapproved config changes detected in last 30 days
    CC9.1 — Disaster recovery: DR test not performed in last 6 months (due Q1 2025)
  
  HIPAA (4 failing controls):
    164.312(a)(1) — Access control: 3 databases without access logging
    164.312(c)(1) — Integrity: Missing file integrity monitoring on 8 EC2 instances
    164.312(e)(1) — Transmission security: 2 legacy databases without TLS
    164.312(e)(2) — Encryption: 6 unencrypted Azure managed disks (dev, but still flagged)
  
  PCI DSS v4.0 (6 failing controls):
    1.3.4 — Restrict inbound traffic: 2 security groups overly permissive
    2.2.8 — Implement TLS: 2 legacy databases without TLS
    6.2.4 — Patch critical vulnerabilities: 4 instances with unpatched high-severity CVEs
    10.2 — Audit trail: Missing VPC flow logs on 3 VPCs
    11.3 — External vulnerability scanning: Last external scan 45 days ago (requirement: 30 days)
    12.3.2 — Security awareness training: 12 employees not trained in last 12 months
  
  GDPR (2 failing controls):
    Article 32 — Security of processing: 6 unencrypted storage containers (dev data)
    Article 33 — Breach notification: No automated breach detection workflow (manual process)

EVIDENCE COLLECTION (for upcoming SOC 2 audit — March 2025):
  Evidence items required: 342
  Evidence collected automatically: 312 (91.2%)
  Evidence requiring manual collection: 30 (8.8%) — policy documents, interview notes, management reports
  
  Evidence status:
    Complete and verified: 298 (87.1%)
    In progress: 18 (5.3%) — being collected
    Missing: 26 (7.6%) — need manual action
  
  Audit preparation checklist:
    [✓] All technical evidence collected and organized
    [✓] Compliance reports generated (SOC 2, ISO 27001)
    [✓] Remediation plans documented for failing controls
    [ ] Management interview preparation — scheduled Feb 15, 2025
    [ ] Policy document review — due Feb 20, 2025
    [ ] Sample testing preparation — due Feb 28, 2025

COMPLIANCE TRENDING (Last 6 Months):
  Month       SOC 2    ISO 27001  HIPAA    PCI DSS  GDPR
  Oct 2024    91.2%    92.5%      89.8%    88.5%    93.1%
  Nov 2024    92.8%    93.1%      90.4%    90.2%    93.8%
  Dec 2024    93.5%    93.6%      91.2%    90.8%    94.1%
  Jan 2025    94.1%    94.0%      91.8%    91.5%    94.2%
  Feb 2025    94.7%    94.3%      92.2%    92.0%    94.3%
  Mar 2025    95.3%    94.6%      92.6%    92.3%    94.4%
  
  Trend: IMPROVING (+4.1 percentage points in 6 months)
  Target for Q2 2025: All frameworks > 95%
```

## Integration Points

- CSPM platforms: Wiz, Prisma Cloud (Palo Alto), Aqua Security, Orca Security, Lacework, Sysdig, Checkov
- Cloud native: AWS Security Hub, AWS Config, Azure Security Center, Azure Policy, GCP Security Command Center
- IAM: AWS IAM, Azure AD, GCP IAM, Okta, Ping Identity, Auth0, HashiCorp Vault (secrets)
- SIEM: Splunk, Azure Sentinel, Sumo Logic, Datadog SIEM, IBM QRadar
- Vulnerability scanning: Qualys, Tenable, Rapid7, AWS Inspector, Trivy (containers), Snyk
- Cloud infrastructure: Terraform, CloudFormation, Pulumi, Crossplane (IaC integration for remediation)
- Configuration management: Ansible, Puppet, Chef (auto-remediation playbooks)
- Container security: Trivy, Clair, Snyk Container, Aqua, Sysdig Falco, Twistlock
- API security: Salt Security, 42Crunch, Noname Security
- Compliance automation: Vanta, Drata, Secureframe, Sprinto, Laika
- Ticketing: ServiceNow, Jira Service Management (remediation task creation)
- Collaboration: Slack, Microsoft Teams (alert notifications, remediation updates)

## Edge Cases

- **Multi-cloud policy drift**: Same security policy enforced differently across AWS, Azure, and GCP due to platform differences. Resolution: (1) abstract policies into cloud-agnostic rules (OPA Rego), (2) cloud-specific implementation adapters (translate abstract rule to native policy), (3) regular cross-cloud drift detection (alert when implementations diverge), (4) quarterly policy review (validate all implementations meet original intent).

- **Break-glass access without compromising security**: Emergency access needed during incident, but MFA device unavailable. Resolution: (1) break-glass accounts with hardware MFA tokens (YubiKey, stored in physical safe), (2) dual approval required (two people must unlock), (3) all sessions recorded and logged (real-time alert to security team), (4) automatic credential rotation after use (credential invalidated post-session), (5) post-incident review (was the emergency justified, were proper procedures followed).

- **Shadow IT cloud accounts**: Employee creates personal AWS account for side project, uses corporate credit card. Resolution: (1) AWS Organization invite enforcement (all accounts must be in organization), (2) credit card monitoring (flag unknown cloud charges), (3) CASB integration (detect unauthorized cloud service usage), (4) security awareness training (report shadow IT, use approved services), (5) regular cloud account discovery (scan for unknown accounts linked to corporate domain).

- **Compliance false positives from development environments**: Dev environments flagged for compliance violations (no encryption, public access) but shouldn't be in scope. Resolution: (1) environment tagging (dev, staging, production — compliance rules scoped to prod only), (2) compliance scope definition (document which environments are in-scope for each framework), (3) separate compliance dashboards per environment (dev: security only, prod: security + compliance), (4) automated suppression rules (suppress dev findings that don't apply to production patterns).

- **CSPM platform blind spots**: CSPM tool doesn't cover all cloud services (new services, niche services, custom configurations). Resolution: (1) monthly review of CSPM coverage (compare against cloud provider service list), (2) custom detection rules for uncovered services (AWS Config rules, Azure Policy custom definitions), (3) manual spot checks for uncovered resources (quarterly audit), (4) engage CSPM vendor for roadmap (request coverage for missing services), (5) multi-tool strategy (primary CSPM + secondary tool for coverage gaps).

- **Encryption key compromise detection**: How to detect if a KMS key has been compromised (key material extracted). Resolution: (1) key usage monitoring (alert on unusual usage patterns — new region, new service, unusual volume), (2) key policy enforcement (restrict key usage to authorized accounts/services only), (3) CloudTrail logging for all key operations (alert on key deletion, policy changes, new grants), (4) regular key rotation (90-day rotation limit, limits exposure window), (5) incident response plan for key compromise (re-encrypt all data with new key, investigate access logs).

- **Cross-account security group inheritance**: Child AWS accounts inherit security group settings from organization, but local admins can override. Resolution: (1) AWS Service Control Policies (SCPs) to restrict security group modifications, (2) AWS Config rules to detect overly permissive security groups, (3) automated remediation (Lambda function to restrict security groups that allow 0.0.0.0/0), (4) organization-wide security group templates (standardized, approved configurations only), (5) change approval workflow (security group changes require security team approval).

- **Compliance evidence tampering**: Evidence collected by CSPM platform could be altered before audit. Resolution: (1) evidence stored in immutable storage (S3 Object Lock, WORM compliance), (2) cryptographic signatures on evidence files (HMAC-SHA256, verified at audit time), (3) evidence collection timestamps (server-side, not client-side), (4) evidence chain of custody (log who accessed evidence, when, why), (5) independent evidence verification (auditor collects sample evidence independently).

- **Auto-remediation breaks production**: Automated remediation action disrupts running application (e.g., restricts security group needed by application). Resolution: (1) remediation dry-run mode (test action without applying), (2) application impact assessment (check dependent services before remediation), (3) staged remediation (apply to non-production first, validate, then production), (4) emergency rollback capability (revert remediation within 60 seconds), (5) human-in-the-loop for high-risk remediations (auto-detect + alert + human approve + auto-execute).

- **Cloud resource sprawl overwhelming CSPM**: Thousands of resources across multiple accounts make findings difficult to triage. Resolution: (1) resource grouping (by team, project, environment — findings aggregated by group), (2) risk-based prioritization (focus on critical/high findings in production first), (3) ownership tagging (every resource has an owner — findings routed to owner), (4) automated noise reduction (suppress known acceptable risks, focus on new findings), (5) weekly security posture review meetings (team leads review findings, assign remediation).
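The evidence-integrity controls from the "Compliance evidence tampering" item above, as an added example that is not the page's own code: server-side timestamps, an HMAC-SHA256 tag over each evidence record, and a chain-of-custody log, with a demo showing that both a content edit and a back-dated timestamp fail verification. `SIGNING_KEY`, the clock and the evidence content are constructed; immutable storage (S3 Object Lock) is outside the example.

```python
"""Tamper-evident store for compliance evidence.

Implements the integrity controls listed under "Compliance evidence tampering":
server-side timestamps, an HMAC-SHA256 tag over each evidence record, and an
access log that forms the chain of custody. Immutable object storage is outside
the example. The signing key, clock and evidence content are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: the key is held in a secrets manager and the auditor verifies with
# the same key at audit time. Constructed value, not for production use.
SIGNING_KEY = b"constructed-evidence-hmac-key"


class EvidenceStore:
    def __init__(self, key, clock=None):
        self._key = key
        self._clock = clock or (lambda: datetime.now(timezone.utc))  # server-side clock
        self.items = {}        # evidence_id -> {"record": ..., "hmac": ...}
        self.custody_log = []  # who touched which item, when and why

    def _tag(self, record):
        # Canonical JSON so re-serialisation cannot silently change the tag.
        payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _log(self, actor, evidence_id, action, reason):
        self.custody_log.append({"at": self._clock().isoformat(), "actor": actor,
                                 "evidence_id": evidence_id, "action": action, "reason": reason})

    def seal(self, evidence_id, control, content, collector):
        """Record the content hash and a server-side timestamp, then HMAC the whole record."""
        record = {
            "evidence_id": evidence_id,
            "control": control,
            "sha256": hashlib.sha256(content).hexdigest(),
            "collected_at": self._clock().isoformat(),  # never taken from the client
            "collector": collector,
        }
        self.items[evidence_id] = {"record": record, "hmac": self._tag(record)}
        self._log(collector, evidence_id, "seal", "automated collection")
        return self.items[evidence_id]

    def verify(self, evidence_id, content, actor, reason):
        """True only if the stored record is untampered and the content still matches it."""
        self._log(actor, evidence_id, "verify", reason)
        sealed = self.items.get(evidence_id)
        if sealed is None:
            return False
        record_ok = hmac.compare_digest(self._tag(sealed["record"]), sealed["hmac"])
        content_ok = hmac.compare_digest(sealed["record"]["sha256"],
                                         hashlib.sha256(content).hexdigest())
        return record_ok and content_ok


def demo():
    """Seal one item, then show that editing the content or back-dating the record is detected."""
    store = EvidenceStore(SIGNING_KEY, clock=lambda: datetime(2025, 2, 1, 12, 0, tzinfo=timezone.utc))
    snapshot = b'{"bucket":"company-analytics-data","BlockPublicAcls":true}'  # constructed snapshot
    store.seal("EV-0001", "SOC 2 CC6.1", snapshot, collector="cspm-collector")
    results = {"untouched": store.verify("EV-0001", snapshot, "auditor", "sample testing")}
    edited = snapshot.replace(b"true", b"false")
    results["content_edited"] = store.verify("EV-0001", edited, "auditor", "sample testing")
    store.items["EV-0001"]["record"]["collected_at"] = "2024-12-01T00:00:00+00:00"  # back-dated record
    results["timestamp_edited"] = store.verify("EV-0001", snapshot, "auditor", "sample testing")
    results["custody_entries"] = len(store.custody_log)
    return results
```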
