Armor Anywhere with cloud security posture management (CSPM) enables users to monitor the security posture of their public cloud infrastructure and helps them remain compliant against major mandates such as PCI, HIPAA and CIS Benchmarks. Users can quickly identify and get direction to remediate accidental risks through the Armor Management Portal.
CSPM currently supports three public cloud environments: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
Ease of Use
Immediate setup with no workload interference
CSPM can be set up in minutes and does not require an Armor Anywhere agent. CSPM uses cloud connectors to establish a connection to a user's public cloud account. Cloud connectors use the provider's APIs to aggregate data from the user's account without interfering with their public cloud service. The connector builds an inventory of the cloud account with detailed metadata and relationship mapping, which is used for subsequent analysis.
Comprehensive workload visibility
Armor Anywhere with CSPM delivers a single-pane-of-glass view across all deployments from the Armor Management Portal. CSPM discovers and aggregates a user’s assets and resources from one or multiple cloud providers.
Mandate-based assessments
Users can view the compliance posture of their environment against selected compliance mandate(s). Example report views include HIPAA and PCI.
Supported report generation of policies and mandates aligns with the supported cloud providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
Remediation and Resources
Each report pulled contains both resources and remediation steps for each control group. Compliance status of the assessment can be viewed for each resource.
Pricing is on a per connector basis. You are billed for each connector that was active during the month.
Compliance In AMP
In the Armor Management Portal (AMP), clicking the COMPLIANCE section link in the left-hand navigation will take you to Compliance > Cloud-Posture. From here, CSPM provides a series of dashboards visible under three tabs: Overview, Connectors and Policies.
The Overview screen displays a list of reports configured for the various enterprise cloud environments. Users can view results and details for a report by clicking a report link in the list provided. Each report is associated with a particular cloud connection. Multiple reports can be configured per connection. The New Report button is used for configuring new reports.
Duplicate reports cannot be configured for a connector.
The Export link allows the full or filtered list of reports to be exported to a CSV file. The CSV file will contain all the columns, regardless of the column settings set for the page.
Newly created reports without finished pass/fail data will display a grey pass/fail bar. Once the run is complete, the bar will appear using green and red for pass and fail, respectively.
Hovering over the Pass/Fail bar displays the current percentages.
By default, the Name, Pass/Fail, Last Run On and Mandate columns for each report are displayed. In the Filters and Settings menu Pass/Fail, Mandate or Last Run On can be removed if desired.
Users can also filter by provider type if a connector has been configured for that particular provider.
The Connectors tab is where you configure the connection to your cloud (AWS, Azure or GCP) environment. Each type works a little differently and the modal will guide you on setting up a new connector. Here you can see all the connectors you have created, the type, when they were last refreshed and their current status. You also have the option of refreshing the connector state, viewing the details or deleting the connector.
There are four columns on the page that show the name of the connector, the type (AWS, Azure, or GCP), when it was last refreshed and the current state.
The connector can be in one of three states.
Online - The connector is working.
Pending - The connector was just created and we are waiting for a status update.
Offline - The connection is not working. This could be because the permission was removed on the cloud environment side or because of a service interruption.
The policies page displays the various policies that exist and what controls those policies contain. Mandates may include one or more policies and thus the controls in each of those policies. Policies are not editable and there is no configuration done on this page.
Creating a report for PCI DSS using the API
Example workflow for setting up a report to do PCI scanning for an AWS cloud environment via the API. Example calls are available in the API docs.
- Create the ARN role for AWS that allows for doing a security audit on the environment.
- Armor’s AWS account number and an external id will be needed. Both are used in creating the ARN Role. Hit the following endpoint to get the account number and external id
- The external id and Role ARN will be needed for the next step as well.
- POST Create a connector - /cspm/connector
- GET List connectors - /cspm/connector
- Validate that the connector shows in the list and was successfully added.
- Ensure the connector is Online (this may take a few minutes after creation).
- Get the connector id or ids for use in the next step.
- POST Create report configuration - Create the desired report for the cloud environment.
- GET Report details - Get the report data (results)
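The workflow above, written as an added Python example that is not part of the Armor documentation or the Armor API itself. Only the `POST /cspm/connector` and `GET /cspm/connector` paths and the Online/Pending/Offline states come from the page; the base URL, the bearer-token header, the request body field names, the report endpoint paths and the response shapes are assumptions to be replaced from the API docs. The part worth copying is `wait_for_online`, which polls the connector list with a deadline and stops early on Offline instead of creating a report against a connector whose permissions were never granted.

```python
"""Hypothetical client for the Armor CSPM report workflow (example, not Armor's code)."""
import json
import os
import time
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# A sender takes (method, path, json_body) and returns the decoded JSON response.
Sender = Callable[[str, str, Optional[Dict[str, Any]]], Any]

ONLINE, PENDING, OFFLINE = "Online", "Pending", "Offline"  # states named on the page


class ConnectorNotOnline(Exception):
    """Raised when a connector goes Offline, disappears, or stays Pending past the deadline."""


def make_http_sender(base_url: str, api_key: str) -> Sender:
    """Build a sender that issues JSON requests with urllib.
    Base URL and the bearer-token Authorization header are assumptions, not from the page."""
    def send(method: str, path: str, body: Optional[Dict[str, Any]]) -> Any:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {api_key}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


class CspmClient:
    def __init__(self, send: Sender, sleep=time.sleep, clock=time.monotonic):
        # sleep/clock are injectable so the polling loop can be exercised offline.
        self._send, self._sleep, self._clock = send, sleep, clock

    def create_aws_connector(self, name: str, role_arn: str, external_id: str) -> Dict[str, Any]:
        # POST /cspm/connector is on the page; the body field names are assumed.
        body = {"name": name, "provider": "AWS", "roleArn": role_arn, "externalId": external_id}
        return self._send("POST", "/cspm/connector", body)

    def list_connectors(self) -> List[Dict[str, Any]]:
        return self._send("GET", "/cspm/connector", None)  # GET /cspm/connector is on the page

    def wait_for_online(self, connector_id: str, timeout_s: float = 600.0,
                        interval_s: float = 15.0) -> Dict[str, Any]:
        """Poll the connector list until the connector is Online.
        Offline is terminal (permissions missing on the cloud side or an outage), so fail fast."""
        deadline = self._clock() + timeout_s
        while True:
            found = next((c for c in self.list_connectors() if c.get("id") == connector_id), None)
            if found is None:
                raise ConnectorNotOnline(f"connector {connector_id} is not listed")
            state = found.get("status")
            if state == ONLINE:
                return found
            if state == OFFLINE:
                raise ConnectorNotOnline(f"connector {connector_id} is Offline; check the role permissions")
            if self._clock() >= deadline:
                raise ConnectorNotOnline(f"connector {connector_id} still {state} after {timeout_s}s")
            self._sleep(interval_s)

    def create_report(self, connector_id: str, mandate: str) -> Dict[str, Any]:
        # Path and body are assumptions; the page only says "Create report configuration".
        return self._send("POST", "/cspm/report", {"connectorId": connector_id, "mandate": mandate})

    def get_report(self, report_id: str) -> Dict[str, Any]:
        return self._send("GET", f"/cspm/report/{report_id}", None)  # path assumed


def run_pci_workflow(client: CspmClient, name: str, role_arn: str, external_id: str) -> Dict[str, Any]:
    """Create the connector, wait for it to come Online, then create and fetch a PCI DSS report."""
    connector = client.create_aws_connector(name, role_arn, external_id)
    client.wait_for_online(connector["id"])
    report = client.create_report(connector["id"], "PCI DSS")
    return client.get_report(report["id"])


if __name__ == "__main__":
    # Environment variable names are assumptions for this example.
    sender = make_http_sender(os.environ["ARMOR_API_URL"], os.environ["ARMOR_API_KEY"])
    result = run_pci_workflow(CspmClient(sender), "prod-aws", os.environ["ROLE_ARN"], os.environ["EXTERNAL_ID"])
    print(json.dumps(result, indent=2))
```

Because the HTTP transport is injected, the same `run_pci_workflow` can be driven by a fake sender in a test, which is how the polling and Offline handling are verified without touching a live account.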