Cloud Security — CSPM

Cloud Security Posture Management in the style of Cortex and Defender for Cloud. Evaluate your cloud resource configuration against CIS-style checks, or import an existing Prowler scan — and watch the posture score.

Best-of: Palo Alto Cortex · Microsoft Defender for Cloud
Module: nexus_secops/cloud.py
Edition: Pro/Enterprise (advanced-rules gate)
API: /api/v1/cloud/scan · /cloud/findings · /cloud/posture

What it does

Cloud evaluates resource configuration against CIS-derived checks and turns failures into the same alerts and incidents as the rest of the platform. It ties cloud risk to endpoint risk in one place — the core idea behind "cloud security" in Cortex XDR and Defender for Cloud.

How to use it

1. Evaluate a config

Feed resource configuration (from your inventory or a collector) and get findings + a posture score.

    POST /api/v1/cloud/scan
    {
      "provider": "aws", "account": "123456789012",
      "resources": [
        { "type": "s3_bucket", "id": "public-bucket", "public": true },
        { "type": "iam_user", "id": "root", "mfa": false }
      ]
    }

2. Or import Prowler

Already run Prowler (the desktop Cloud Config Checker wraps it)? Import its output directly.

    POST /api/v1/cloud/scan   { "prowler": <prowler-json> }

3. Track posture

    GET /api/v1/cloud/posture     # 0-100, overall + per provider
    GET /api/v1/cloud/findings

CIS-style checks

  • Public storage — a bucket reachable by the world; buckets that are unencrypted or have no access logging are flagged too.
  • Open security group — ingress from 0.0.0.0/0 on all ports or admin ports (22/3389).
  • Identity — root without MFA, root access keys, IAM wildcard *:*.
  • Database — publicly accessible or unencrypted RDS.
  • Compute / account — unencrypted volumes, audit logging (CloudTrail) disabled.

High/critical findings emit a cloud_finding event → alert NEXUS-CLOUD-001 with the CIS reference and a remediation.

How it feeds the pipeline

Cloud findings join the same alert stream, so a misconfiguration sits next to endpoint and network risk. The AI includes them when it triages, and SOAR's PB-CLOUD-NOTIFY alerts the cloud team on the serious ones.

Tips

  • Re-scan after every infrastructure change to watch the posture score recover.
  • Findings are de-duplicated per (provider, account, check, resource) — no noise on repeat scans.
  • Only high/critical findings alert by default; everything is still listed in /cloud/findings.

Your config, your checks. CSPM evaluates the configuration you provide (from inventory or Prowler). The checks are real CIS-derived rules — nothing is assumed or invented.