Cloud Security Posture Management

CloudGuard Cloud Security Posture Management (CSPM) checks your cloud environments' compliance with industry standards and best practices or your organization's security policies. Its engine uses rules that you define or sets of rules (rulesets) developed by CloudGuard and available out-of-the-box. CloudGuard provides a comprehensive set of rulesets that cover many of these standards for cloud security, such as PCI-DSS and HIPAA, which you can run immediately on your environments. In addition, you can build and test new rules or change existing rules with an intuitive graphical rule builder, to tailor policies to your organization's specific needs and compliance goals.

Posture Management enables you to manage resources across multiple clouds, flows, and settings on one management platform. You can check your environments and receive notifications when Posture Management detects issues. Detailed results of tests and summary reports are available for your review.

Posture Management accesses your environments directly through cloud platform APIs and CloudGuard policies that you set up on these environments. It works with all cloud providers, and you can check compliance even when your cloud presence is distributed on multiple cloud platforms.


  • At-a-glance dashboard view of organizational compliance across the full cloud presence, on all cloud platforms

  • Check compliance with cloud security standards

  • Clear reports to indicate non-compliant issues

  • Easily build modified rules based on requirements with the graphical GSL builder

  • Preconfigured (built-in) rulesets developed by CloudGuard have a wide range of standards and best practices

Use Cases

  • Enforce environment compliance with standards - see Rules and Rulesets

  • Enforce compliance with organizational policies across the estate - see Configuring CloudGuard Policies

  • Review the security and compliance posture across the estate with a unified dashboard - see Dashboards

  • Analyze compliance of a proposed cloud design (CloudFormation Template) before actual deployment - see Onboarding AWS Environments

  • Customize the Posture Management dashboard based on your needs, to focus effort on the more sensitive and interesting environments

  • Review latest assessment results and apply remediation - see Automatic Remediation with CloudBots

  • Review assessments on a specific environment from a specific point in time - see Assessment History

  • Create customized compliance or organizational policy rules - see Rules and Rulesets

CloudGuard GSL (Governance Specification Language)

Rules used by Posture Management are defined with the CloudGuard Governance Specification Language (GSL). This is an intuitive user-readable language that describes the test. For example, the rule

S3Bucket should have logging.enabled=true

checks that logging is enabled for AWS S3 buckets.

See Governance Specification Language (GSL) for details and examples of the GSL syntax. See GSL Builder to learn how to build a rule with the graphical interface.

Cloud Entity Domain Model

CloudGuard Posture Management is based on Governance Specification Language (GSL), which defines the syntax for compliance rules. In addition, it includes cloud entities, which are the targets to which the rules apply. These entities represent the real entities in the supported cloud platforms, such as instances or S3 buckets.

Entities have attributes, some unique to specific entities. Some attributes are simple, for example, strings or numbers, while others are compound: usually sub-entities that are related to the entity, such as the VPC in which an instance is located. In addition, entities can have list attributes.

GSL includes entities for the cloud platforms that CloudGuard supports. Each platform lists its supported entities.
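
The following is an added example, not CloudGuard code and not part of the original page: a minimal Python evaluator for the single rule form shown above (S3Bucket should have logging.enabled=true), applied to entities with simple and compound attributes. The entity layout, the sample names, and the choice to treat a missing attribute as a failure are assumptions made for illustration.

```python
import re

# Constructed sample entities (not real CloudGuard output). Each has a type,
# simple attributes, and optionally compound attributes (nested dicts).
ENTITIES = [
    {"type": "S3Bucket", "name": "audit-logs", "logging": {"enabled": True}},
    {"type": "S3Bucket", "name": "public-assets", "logging": {"enabled": False}},
    {"type": "S3Bucket", "name": "legacy-backup"},  # compound attribute absent
    {"type": "Instance", "name": "web-1", "vpc": {"id": "vpc-example"}},
]

# Only the form '<Entity> should have <dotted.path>=<value>' is handled here.
RULE_RE = re.compile(r"^(\w+) should have ([\w.]+)=(\S+)$")
MISSING = object()  # sentinel: distinguishes "absent" from a stored None/False

def parse_rule(text):
    """Split a rule into (entity type, attribute path, expected value)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule form: {text!r}")
    entity_type, path, raw = m.groups()
    literals = {"true": True, "false": False}
    # Booleans are converted; anything else is compared as a string.
    value = literals.get(raw.lower(), raw.strip("'\""))
    return entity_type, path.split("."), value

def resolve(entity, path):
    """Walk a dotted path through compound attributes."""
    node = entity
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def assess(rule_text, entities):
    """Return {entity name: 'pass' | 'fail'} for the entities the rule targets."""
    entity_type, path, expected = parse_rule(rule_text)
    results = {}
    for e in entities:
        if e["type"] != entity_type:
            continue  # the rule does not apply to this entity type
        actual = resolve(e, path)
        # Assumption: a missing attribute is reported as a failure, not skipped.
        ok = actual is not MISSING and actual == expected
        results[e["name"]] = "pass" if ok else "fail"
    return results

if __name__ == "__main__":
    rule = "S3Bucket should have logging.enabled=true"
    for name, verdict in assess(rule, ENTITIES).items():
        print(f"{verdict.upper():4}  {name}")
```

The bucket with no logging attribute at all fails rather than being silently skipped, which is the case a posture check most needs to surface.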


Posture Management includes these pages:

  • Rulesets - Shows your rulesets and rules, preconfigured rulesets, and custom ones that you define.

  • Continuous Posture - Lists the policies that continuously assess your environments for compliance.

  • Remediation - Lists the environments where automatic remediation with CloudBots is enabled.

  • Exclusions - Lists the environments that have rule exclusions.

  • Assessment History - Shows a list of previously run assessments, with summary details for each. You can filter the view by account, rulesets, and time to show specific assessments of interest.

  • GSL Builder - Lets you build and test GSL rules.

  • Posture Overview - Presents a summary view of the compliance assessments run on your environments.