Posture management
Cloud Security Posture Management (CSPM) is a set of practices for keeping cloud environments secure and compliant. It involves continuously assessing and monitoring cloud workloads to find misconfigurations, vulnerabilities, and potential threats, and it provides actionable remediation steps for the risks it identifies, improving the overall security posture of the environment.
ThreatLockDown provides security and compliance monitoring for several cloud platforms, including Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure. The sections below describe how ThreatLockDown is used for CSPM on each of these platforms.
Google Cloud Platform
ThreatLockDown connects to GCP through Google Cloud Pub/Sub, the platform's publish/subscribe messaging service. Cloud Logging routes log entries from a GCP workload to a Pub/Sub topic through a log sink, and the ThreatLockDown instance pulls those messages from a subscription on that topic. The image below shows the integration between GCP and ThreatLockDown.
You can configure your ThreatLockDown instance to receive GCP logs through the Pub/Sub service. Once configured, you can enable the Google Cloud Platform module in the ThreatLockDown dashboard to view the logs related to your GCP services. We provide detailed guidelines on configuring ThreatLockDown to receive GCP logs using the Pub/Sub service in our using ThreatLockDown to monitor GCP services documentation.
The image below shows an example log received from a monitored GCP instance on the ThreatLockDown dashboard.
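The following is an added example (not ThreatLockDown code and not part of the original page) of what a consumer on the receiving end of the Pub/Sub integration does with a delivered message: decode the base64 `data` field of a Pub/Sub envelope, parse the Cloud Audit Log entry inside it, and flag administrative actions that usually merit an alert. The push-style envelope, the project name, the principal and the list of sensitive method names are all constructed for the example.

```python
"""Decode a GCP Pub/Sub message carrying a Cloud Audit Log entry and flag
sensitive administrative actions. Added example, not ThreatLockDown code."""
import base64
import json

# Constructed sample: the envelope follows the shape of a Pub/Sub push
# delivery (data is base64-encoded JSON) and the payload mirrors a Cloud
# Audit Log entry for an IAM policy change. Project, principal and IP are
# placeholders.
AUDIT_ENTRY = {
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"},
    },
    "resource": {"type": "project", "labels": {"project_id": "example-project"}},
    "severity": "NOTICE",
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "timestamp": "2024-05-01T12:00:00Z",
}
SAMPLE_PUSH = {
    "message": {
        "data": base64.b64encode(json.dumps(AUDIT_ENTRY).encode()).decode(),
        "messageId": "1234567890",
        "attributes": {"logging.googleapis.com/timestamp": "2024-05-01T12:00:00Z"},
    },
    "subscription": "projects/example-project/subscriptions/example-sub",
}

# Audit-log method names that usually deserve a high-priority alert.
# This mapping is an illustrative assumption, not a ThreatLockDown ruleset.
SENSITIVE_METHODS = {
    "SetIamPolicy": "IAM policy modified",
    "v1.compute.firewalls.insert": "firewall rule created",
    "v1.compute.firewalls.patch": "firewall rule modified",
    "google.iam.admin.v1.CreateServiceAccountKey": "service account key created",
}


def decode_push(push: dict) -> dict:
    """Return the log entry embedded in a Pub/Sub push envelope."""
    raw = base64.b64decode(push["message"]["data"])
    return json.loads(raw)


def summarize(entry: dict) -> dict:
    """Extract the fields an analyst looks at first from a Cloud Audit Log entry."""
    payload = entry.get("protoPayload", {})
    return {
        "method": payload.get("methodName"),
        "service": payload.get("serviceName"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "project": entry.get("resource", {}).get("labels", {}).get("project_id"),
        "severity": entry.get("severity"),
        "timestamp": entry.get("timestamp"),
    }


def triage(push: dict) -> dict:
    """Decode the message and attach an alert reason when the action is sensitive."""
    summary = summarize(decode_push(push))
    summary["alert"] = SENSITIVE_METHODS.get(summary["method"])
    return summary


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PUSH), indent=2))
```

The same decode step applies whether messages arrive by push or are pulled from a subscription; only the envelope around the `data` field differs.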
Amazon Web Services
ThreatLockDown provides CSPM for your AWS workloads by monitoring AWS services and instances. This means collecting and analyzing log data about your AWS infrastructure with the ThreatLockDown module for AWS.
You can enable the Amazon AWS module in your ThreatLockDown dashboard to view the logs related to your AWS services.
Follow the AWS prerequisite documentation to set up your ThreatLockDown instance for AWS log collection. That documentation lists the AWS services that ThreatLockDown can monitor. The image below shows an Amazon Security Hub finding received through the CloudWatch service.
The finding shown corresponds to a Security Hub control that assesses the security configuration of S3 buckets by verifying that user permissions are not granted through access control lists (ACLs). AWS recommends managing user permissions with AWS Identity and Access Management (IAM) policies rather than S3 bucket ACLs.
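To make the logic of that control concrete, here is an added example (not ThreatLockDown code and not part of the original page) that evaluates a bucket ACL the way the control does: any grant to a grantee other than the bucket owner means access is being managed through the ACL instead of IAM. The two ACL documents follow the shape of an `s3:GetBucketAcl` response; the canonical IDs and display names are placeholders.

```python
"""Check whether an S3 bucket ACL grants permissions to anyone other than the
bucket owner. Added example, not ThreatLockDown code."""

# Constructed samples in the shape of an s3:GetBucketAcl response.
# Canonical user IDs are placeholders.
OWNER_ID = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2"
OTHER_ID = "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

BAD_ACL = {
    "Owner": {"DisplayName": "bucket-owner", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": OTHER_ID}, "Permission": "WRITE"},
    ],
}
GOOD_ACL = {
    "Owner": {"DisplayName": "bucket-owner", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
    ],
}


def grantee_label(grantee: dict) -> str:
    """Human-readable name for a grantee (predefined group URI or canonical user)."""
    if grantee.get("Type") == "Group":
        return grantee.get("URI", "unknown-group").rsplit("/", 1)[-1]
    return "CanonicalUser:" + grantee.get("ID", "unknown")[:12]


def acl_violations(acl: dict) -> list[dict]:
    """Return every grant that goes to someone other than the bucket owner.

    Grants to the predefined AllUsers / AuthenticatedUsers groups expose the
    bucket publicly, so they are marked CRITICAL; any other non-owner grant
    is HIGH because it bypasses IAM entirely.
    """
    owner = acl["Owner"]["ID"]
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == owner:
            continue
        public = grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS)
        findings.append({
            "permission": grant["Permission"],
            "grantee": grantee_label(grantee),
            "severity": "CRITICAL" if public else "HIGH",
        })
    return findings


def compliance_status(acl: dict) -> str:
    """Mirror the pass/fail outcome of the control: any non-owner grant fails."""
    return "FAILED" if acl_violations(acl) else "PASSED"


if __name__ == "__main__":
    for name, acl in ("BAD_ACL", BAD_ACL), ("GOOD_ACL", GOOD_ACL):
        print(name, compliance_status(acl), acl_violations(acl))
```

The remediation the control implies is to remove the extra grants (for example with `put-bucket-acl --acl private`) and express the intended access as an IAM or bucket policy instead.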
Microsoft Azure
ThreatLockDown integrates with Azure through a Log Analytics workspace. A Log Analytics workspace is the Azure service that stores log data from Azure Monitor and other Azure services, such as Microsoft Defender for Cloud. ThreatLockDown provides a native Azure integration module that queries the workspace and retrieves those logs.
We provide detailed guidelines on configuring ThreatLockDown to receive Azure logs from a Log Analytics workspace in our Azure Log Analytics documentation. Once configured, you can set up your ThreatLockDown deployment to retrieve the Recommendations, Security alerts, and Regulatory compliance logs for your Azure cloud infrastructure.
The image below shows Azure security posture management logs received on ThreatLockDown.
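As an added example (not ThreatLockDown code and not part of the original page), the block below shows the shape in which Log Analytics returns query results and how a consumer turns them into the per-recommendation records a posture dashboard needs. The Log Analytics query API answers with a `tables` array of `columns` and `rows`; the column names used here (`RecommendationName`, `RecommendationState`, `RecommendationSeverity`, `AssessedResourceId`) are assumed from the Defender for Cloud recommendation export schema and should be verified against your own workspace. The subscription ID and resource names are placeholders.

```python
"""Flatten a Log Analytics query response into records and pick out the
unhealthy Defender for Cloud recommendations. Added example, not
ThreatLockDown code."""

# Constructed sample in the shape of a Log Analytics Query API response.
# Column names are assumed from the SecurityRecommendation table schema.
SAMPLE_RESPONSE = {
    "tables": [
        {
            "name": "PrimaryResult",
            "columns": [
                {"name": "TimeGenerated", "type": "datetime"},
                {"name": "RecommendationName", "type": "string"},
                {"name": "RecommendationState", "type": "string"},
                {"name": "RecommendationSeverity", "type": "string"},
                {"name": "AssessedResourceId", "type": "string"},
            ],
            "rows": [
                ["2024-05-01T12:00:00Z",
                 "Storage accounts should restrict network access",
                 "Unhealthy", "High",
                 "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                 "/providers/Microsoft.Storage/storageAccounts/stdemo"],
                ["2024-05-01T12:00:00Z",
                 "MFA should be enabled on accounts with owner permissions",
                 "Healthy", "High",
                 "/subscriptions/00000000-0000-0000-0000-000000000000"],
                ["2024-05-01T12:00:00Z",
                 "Diagnostic logs in Key Vault should be enabled",
                 "Unhealthy", "Medium",
                 "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                 "/providers/Microsoft.KeyVault/vaults/kv-demo"],
            ],
        }
    ]
}

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}


def rows_to_records(response: dict, table: str = "PrimaryResult") -> list[dict]:
    """Zip each row of the named table with its column names."""
    for tbl in response.get("tables", []):
        if tbl.get("name") == table:
            names = [col["name"] for col in tbl["columns"]]
            return [dict(zip(names, row)) for row in tbl.get("rows", [])]
    return []


def unhealthy_recommendations(records: list[dict], min_severity: str = "Low") -> list[dict]:
    """Keep Unhealthy recommendations at or above min_severity, highest first."""
    floor = SEVERITY_RANK[min_severity]
    hits = [
        r for r in records
        if r.get("RecommendationState") == "Unhealthy"
        and SEVERITY_RANK.get(r.get("RecommendationSeverity"), -1) >= floor
    ]
    return sorted(hits, key=lambda r: SEVERITY_RANK[r["RecommendationSeverity"]], reverse=True)


if __name__ == "__main__":
    for rec in unhealthy_recommendations(rows_to_records(SAMPLE_RESPONSE)):
        print(rec["RecommendationSeverity"], rec["RecommendationName"], rec["AssessedResourceId"])
```

Filtering on `RecommendationState` rather than on the recommendation name keeps the logic stable when Microsoft renames or adds recommendations, and sorting by severity gives the same ordering the dashboard view presents.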