IaaS Scanning via API
Also known as:
- Cloud Security Posture Management (CSPM)
- Cloud Infrastructure Entitlement Management (CIEM) – the identity- and permissions-focused subset of the same problem, often sold as a separate product or module
What problem does it target?
Cloud Service Providers (CSPs – AWS, Azure, GCP) host critical workloads and sensitive data.
CSP configuration surfaces are large and complex (identity, network, storage, logging, and per-service settings), leaving plenty of room for error.
Even simple configuration mistakes, such as a storage bucket left readable by anyone on the internet, have already caused expensive breaches.
What does this solution do?
Scans your Cloud Service Providers (AWS, Azure, GCP, etc.) for potential configuration issues using the providers' standard management APIs: the tool is granted read-only credentials, enumerates resources and their settings (buckets, identities, policies, network rules), and evaluates them against a rule set, typically aligned with benchmarks such as the CIS Foundations Benchmarks.
Sample issues include:
- Internet-facing storage buckets (e.g., a bucket policy that grants access to an anonymous principal)
- Lack of MFA on console users and on root/owner accounts
- Over-privileged identities (users, roles or service accounts with admin or wildcard permissions)
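The following is an added example (not code from the page or from any vendor's product) of the rule-evaluation half of such a scan. The inputs are constructed to mirror the shape of three AWS API responses: an S3 bucket policy document (GetBucketPolicy), the IAM credential report CSV (GetCredentialReport, columns reduced to a subset), and an IAM policy document (GetPolicyVersion). A real scanner would fetch these with read-only credentials via boto3; the account ID, bucket names and user names below are made up.

```python
"""Rule checks a CSPM applies to cloud API output (added example, constructed inputs)."""
import csv
import io
import json


def _as_list(value):
    """IAM policy fields (Statement, Action, Resource, Principal.AWS) may be a
    single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load(policy):
    """Accept either the JSON string the API returns or an already-parsed dict."""
    return json.loads(policy) if isinstance(policy, str) else policy


def bucket_is_internet_facing(policy):
    """True if an Allow statement grants access to an anonymous principal
    ("*" or {"AWS": "*"}) without a Condition narrowing it. A conditioned
    anonymous grant is left for a deeper check rather than flagged blindly."""
    for stmt in _as_list(_load(policy).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        )
        if anonymous and not stmt.get("Condition"):
            return True
    return False


def users_without_mfa(credential_report_csv):
    """Console users (password_enabled == true) whose mfa_active is false.
    Root shows password_enabled as not_supported in the real report, so it is
    handled by a separate root check, not this one."""
    rows = csv.DictReader(io.StringIO(credential_report_csv))
    return sorted(
        r["user"] for r in rows
        if r["password_enabled"] == "true" and r["mfa_active"] == "false"
    )


def policy_grants_admin(policy):
    """True if an Allow statement covers every action on every resource."""
    for stmt in _as_list(_load(policy).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


# --- constructed sample API output (not real account data) ---
BUCKET_POLICIES = {
    "public-assets": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-assets/*"}]}),
    "internal-data": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::internal-data/*"}]}),
    "vpce-only": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::vpce-only/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}),
}
CREDENTIAL_REPORT = (
    "user,arn,password_enabled,mfa_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,not_supported,true\n"
    "alice,arn:aws:iam::123456789012:user/alice,true,false\n"
    "bob,arn:aws:iam::123456789012:user/bob,true,true\n"
    "ci-bot,arn:aws:iam::123456789012:user/ci-bot,false,false\n"
)
IAM_POLICIES = {
    "LegacyAdmin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "AppReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::internal-data/*"}]},
}


def run_checks():
    """Evaluate every rule over the sample data and return human-readable findings."""
    findings = []
    for name, policy in BUCKET_POLICIES.items():
        if bucket_is_internet_facing(policy):
            findings.append(f"S3 bucket {name} is internet-facing")
    for user in users_without_mfa(CREDENTIAL_REPORT):
        findings.append(f"IAM user {user} has a console password but no MFA")
    for name, policy in IAM_POLICIES.items():
        if policy_grants_admin(policy):
            findings.append(f"IAM policy {name} grants full admin (*:*)")
    return findings


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

Each rule is deliberately conservative: the bucket check flags only unconditioned anonymous grants, so a bucket restricted by a VPC-endpoint condition is not reported as public, and the MFA check looks only at identities that actually have a console password. Real products run hundreds of such rules and also evaluate the conditions they skip here.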
Some tools (e.g., Orca, Wiz) add a “side-scanning” technique: using the same APIs, they snapshot the block storage volumes attached to virtual machines (e.g., the EBS volumes of EC2 instances) and analyze the snapshot out-of-band, without installing an agent on the instance. This allows the identification of vulnerable software packages and on-disk malware using signatures. The caveat is that a snapshot is a point-in-time view of the disk: it sees neither in-memory activity nor network behaviour, and the scanner's role needs permission to create and read snapshots.
Who is this for?
- Organizations that use the Cloud for critical workloads or sensitive data
- Organizations with a large, unmanageable Cloud footprint
- Multi-cloud organizations
Who might not benefit from this?
- Organizations with a small Cloud footprint that can be managed manually
- Teams that find built-in Cloud Service Provider tools sufficient
Pitfalls and remedies
| Pitfall | Remedy |
|---|---|
| Coverage – not all Cloud accounts, subscriptions or projects are scanned | Ensure all accounts are managed centrally (e.g., AWS Organizations, Azure management groups, a GCP organization). Integrate the scanner at the organization level, so new accounts are picked up automatically, rather than account by account. Stay in touch with IT and engineering departments from across the company to catch accounts created outside the central structure. |
| Permissions – scans are partially or completely non-functional due to missing permissions or deny policies (e.g., SCPs or regional restrictions that block the scanner's read-only role) | Treat a check that could not run as a finding, not as a pass. Periodically review and fix errors reported by the CSPM tool, and ensure its errors are automatically sent to your centralized monitoring functions. |
| Capacity/priority – issues are identified but remain unhandled | Triage by severity and exposure: critical, internet-reachable issues first. Route findings to the owning engineering teams and train them to fix issues directly (aka “shift left”) without waiting for a security person. |
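The permissions pitfall above is dangerous because a scanner that silently skips a check it was denied produces a report that looks clean. The following added example (not code from the page or from any product) shows a check runner that records such failures as ERROR results alongside PASS and FAIL. The AccessDenied exception, the collectors and their return shapes are simulated stand-ins; in a real scanner the collectors would be boto3 calls and the error a botocore ClientError.

```python
"""Fail-closed check runner: a denied API call is an ERROR finding, never a PASS
(added example; collectors and the AccessDenied error are simulated)."""
from dataclasses import dataclass


class AccessDenied(Exception):
    """Stand-in for the CSP's permission error (e.g., an SCP denying kms:ListKeys)."""


@dataclass
class Result:
    check: str
    status: str  # "PASS", "FAIL" or "ERROR"
    detail: str = ""


def run_check(name, collect, evaluate):
    """Run one check: collect() fetches API data, evaluate(data) returns a list of
    offending resource IDs. A collection failure is reported, not swallowed."""
    try:
        data = collect()
    except AccessDenied as exc:
        return Result(name, "ERROR", f"collector denied: {exc}")
    problems = evaluate(data)
    if problems:
        return Result(name, "FAIL", ", ".join(problems))
    return Result(name, "PASS")


# --- constructed collectors simulating a partially permissioned scanner role ---
def collect_security_groups():
    # Simplified shape: each group lists the CIDR:port pairs it admits.
    return [{"GroupId": "sg-0a1", "Open": ["0.0.0.0/0:22"]},
            {"GroupId": "sg-0b2", "Open": []}]


def eval_ssh_open_to_world(groups):
    return [g["GroupId"] for g in groups if "0.0.0.0/0:22" in g["Open"]]


def collect_kms_keys():
    # The scanner role lacks kms:ListKeys, so the rule cannot run at all.
    raise AccessDenied("kms:ListKeys")


def eval_key_rotation(keys):
    return [k["KeyId"] for k in keys if not k.get("RotationEnabled")]


def collect_root_summary():
    return {"AccountMFAEnabled": 1}


def eval_root_mfa(summary):
    return [] if summary.get("AccountMFAEnabled") == 1 else ["root"]


CHECKS = [
    ("ssh-open-to-world", collect_security_groups, eval_ssh_open_to_world),
    ("kms-key-rotation", collect_kms_keys, eval_key_rotation),
    ("root-mfa-enabled", collect_root_summary, eval_root_mfa),
]


def run_all(checks=CHECKS):
    return [run_check(name, collect, evaluate) for name, collect, evaluate in checks]


def summary(results):
    """Count results per status; a non-zero ERROR count means the report is incomplete."""
    counts = {"PASS": 0, "FAIL": 0, "ERROR": 0}
    for r in results:
        counts[r.status] += 1
    return counts


if __name__ == "__main__":
    results = run_all()
    for r in results:
        print(f"{r.status:5} {r.check} {r.detail}")
    print(summary(results))
```

Wiring the ERROR count into monitoring (an alert when it is above zero, or when it rises between scans) is what turns the "review errors periodically" remedy into something that actually happens.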
Sample products
- Wiz Cloud
- Orca
- Palo Alto Networks Prisma Cloud