ISS Cloud Security module (Beta) – Help Center

Cloud Security by SecurityScorecard combines traditional Cloud Security Posture Management (CSPM) with SecurityScorecard’s powerful scoring engine. It provides information about issues related to your cloud account assets, and a letter grade ranging from A to F. This grade is visible only to your organization, and it does not affect your overall Scorecard score.

Note: The Cloud Security module currently supports commonly used managed services within Amazon Web Services (AWS). Support for Google Cloud Platform (GCP) and Azure is in development for future releases.

How Cloud Security works

Cloud Security gathers the metadata about the resources currently deployed in your public cloud accounts at least once each day. It only touches high-level information about your cloud resources as provided by the cloud provider’s own public APIs.

Note: Cloud Security does not access or transfer any of your organization’s data.

Once Security Scorecard collects, the data, we process it through a set of policies we developed so that we can quantify and classify the security-relevant configurations of your resources against cloud-provider best practices and industry standards. Configurations that do not meet these standards are assigned high-, medium-, or low-severity values.

We then score the issues resulting from this classification process in a manner similar to other findings in the SecurityScorecard platform.

Set up Cloud Security

Step 1: Install Cloud Security
Step 2: Get the required AWS IDs
Step 3: Create an IAM role
Step 4: Add the role ARN to your Cloud Security configuration

Cloud Security requires access to your AWS Console or APIs and the ability to create IAM policies and roles. Before installing the Cloud Security module create an identity and access management (IAM) role in your AWS account that delegates read-only access to SecurityScorecard’s AWS account for your resources.

Step 1: Install Cloud Security

In SecurityScorecard, select Marketplace from the top menu.
On the Integrate360° Marketplace page, click the InternalSecurity Suite tab and then select Cloud Security to access the installation page.
View a description of the Cloud Security, and click Install.

Installation completes in seconds with no additional prompts or messages.

Step 2: Get the required AWS IDs

In your Scorecard header, click Internal Security Suite and then select Cloud Security.
Click Add and configure cloud accounts.
Note the following IDs, which you will use in the next step to create an AWS identity and access management (IAM) role.

Account ID is SecurityScorecard’s AWS account ID.
External ID is a unique string generated for each configuration of Cloud Security. Do not expose or share this ID. For more information, see How to use an external ID when granting access to your AWS resources to a third party.

Step 3: Create an IAM role

Using the account and external IDs values provided in SecurityScorecard, create an AWS IAM role in the AWS Console:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "",

            "Effect": "Allow",

            "Principal": {

                "AWS": "arn:aws:iam::ACCOUNT_ID:root"

            },

            "Action": "sts:AssumeRole",

            "Condition": {

                "StringEquals": {

                    "sts:ExternalId": "EXTERNAL_ID"

                }

            }

        }

    ]

}

Note: Replace the ACCOUNT_ID and EXTERNAL_ID placeholders with the values provided by the Cloud Security configuration UI.

When prompted for the permissions policy for this role, enter the SecurityAudit policy Amazon resource name (ARN):
```
arn:aws:iam::aws:policy/SecurityAudit
```
Review the permissions granted by the SecurityAudit IAM Policy. AWS uses this policy extensively when granting access to security-focused tools and services such as Cloud Security.
Create any name for the IAM role. The following step uses the name SSCCloudSecurityRole.

For more information about working with IAM roles, see Creating an IAM role.

Step 4: Add the role ARN to your Cloud Security configuration

Once you create the IAM role, copy the resulting Amazon resource name (ARN), such as the following, to your clipboard:
```
arn:aws:iam::XXXXXXXXXX:role/SSCCloudSecurityRole
```
In your Scorecard header, click Internal Security Suite and then select Cloud Security.
Click Add and configure cloud accounts.
Paste the role ARN into the appropriate text box. Add a description if desired. Then click Save Configuration.

Cloud Security collects and processes the resources metadata at least once daily. It begins to show data as of the next collection cycle, typically within 24 hours after you add the AWS account.

Tip: Configure additional AWS accounts anytime as desired.

View Cloud Security score and findings

In your Scorecard header, click Internal Security Suite and then select Cloud Security.

View the following overview information:

Cloud Security Score: A letter-grade rating of your cloud security posture that is visible only to your organization and unrelated to your overall Scorecard score.
Tally and breakdown of assets and events from which the issue types are derived:

Computing infrastructure includes servers, desktops, databases, and other endpoints deployed in your organization.
Password Policy involves mandated practices for password length, complexity, reuse, and more.
Queue includes processes such as patching and updates.
Storage includes devices used to store data.
User activity involves failed logins, document access, email access, and similar events.

Expand the severity categories to view issue types.

Tip: See descriptions of all issue types that Cloud Security finds.

Click any issue to view information about it, and scroll down the issue details page to view findings.