Sign in


Getting the right people involved during an incident is probably the most important factor in how fast the incident gets resolved. However, as cloud environments sprawl across multiple providers, accounts, subscriptions and as cloud providers add more services, tapping into the right resources can become a challenge.

The events from monitoring tools such as NewRelic, Datadog, etc. that enter PagerDuty, often have little or no structured data that would allow us to fully exploit all of the PagerDuty’s awesome features such as:

  • Filtering
  • Routing
  • Grouping
  • Escalating
  • Response Plays


Instead of sending events signals into PagerDuty directly, consider passing them through…


There is no shortage of cloud security compliance tools. Many, like Cloudaware, DivvyCloud, CloudHealth support all three leading cloud providers: AWS, GCE and Azure. These tools come shipped with compliance policies that will evaluate your cloud infrastructure against best practices laid out by the cloud providers themselves. Cloudaware supports CIS Benchmarks for AWS, Azure and GCE. AWS offers Trusted Advisor and Security Hub which also supports CIS benchmarks. Point is compliance checking should be a continuous, daily process. Not something you hire contractors to do annually.

Deploy Checks and Balances

Compliance program will not be successful without accountability and proper management structure. For example…

Increasing number of companies find themselves in the multi-cloud environment. Some get there intentionally by building cloud agnostic applications. Others, more frequently, simply inherit environments that are dispersed across multiple cloud providers such as AWS, GCP and Azure.

Below is a list of tools that simplify deployment and management tasks in multi-cloud environments.

Docker and Kubernetes

A docker container is a standard unit of software that packages up code and all its dependencies so the application runs predictably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an…

Managing large GCP deployments is a challenging task because all GCP management APIs are project specific. Cloudaware CMDB is a nifty multi-cloud management tool. It not only supports GCP but also AWS, Azure. As far as support for GCP, Cloudaware CMDB discovers all key GCP services like Compute, Big Query, Dataflow and others.

Single Pane Of Glass

Cloudaware CMDB presents unified view of all GCP infrastructure as if it were part of a single project.

API and CLI Access

Cloudaware CMDB provides both REST API and CMDB CLI to query data in CMDB.

1. They are great to start with.

CIS Foundation Benchmarks for Amazon Web Services, Microsoft Azure and Google Cloud Platform are indeed available for you to download. If you’re just getting started with cloud security and compliance CIS benchmarks are great way to start. They are comprehensive with 50–100 policies per cloud provider, covering not just basic services such as compute and storage but for example AWS VPC, Azure SQL Database, or GCP Kubernetes.

2. You can be up and running with security and compliance posture assessment in few hours.

Many vendors including Cloudaware offer support for CIS Benchmarks out of the box. Cloudaware offers customers ability to deploy all policies within a benchmark using a single click.

Cloudaware Compliance Engine

Once benchmark is deployed, compliance…

CloudTrail is undoubtably powerful source of audit data for all AWS user level and API level activities. However building any kind of security optics dashboard with CloudTrail is not easy for several reasons:

  1. Cannot differentiate read-only from destructive API calls.
  2. Over 800 different unique event names. Which ones are important?
  3. 50 or so different error codes
  4. Some API calls can be critical from security perspective but not from configuration impact angle and vice versa. How do we differentiate?

Cloudaware Conflux assesses each Cloudtrail Event and assigns 3 separate scores for each event:

  • ConfigImpactLevel [0–10] indicates potential configuration impact of a…

Discovery operates large scale AWS and Azure environments with over 100 AWS accounts and Azure Subscriptions. These accounts and subscriptions contain more than 1,000,000 configurable assets.

Discovery Cloud Security team developed an in-house solution similar to Scout2 and Cloud Custodian to perform AWS and Azure compliance check verifications. Discovery’s solution avoided mistakes of many other commonly in-house developed compliance solutions. It not only identified gaps in configuration and compliance but also actively routed, escalated and most importantly very well communicated policy violations to the stakeholders that were responsible for remediation. Stakeholder would receive their policy violations from a bot named…

Citrix operates large scale AWS and Azure environments with over 100 AWS accounts and Azure Subscriptions. These accounts and subscriptions contain more than 1,000,000 configurable assets.

Citrix Cloud Security team relied on several open source frameworks to perform AWS compliance verification. Namely Cloud Custodian and Scout2. For Azure, Citrix created their in-house tools. As the cloud compliance program was maturing, certain challenges began to emerge.

● Each product division wanted to customize policies slightly to fit their risk profile

● Lack of exception handling process

● Some tools caused API throttling issues for production application during scanning

● Developer who…


GuardDuty is not just a replacement for Snort or similar NIDS. GuardDuty analyzes network traffic via VPC Flow Logs but also digs deeper by inspecting AWS CloudTrail and Route53 logs as well.

GuardDuty has a very simple user interface that does not overwhelm even when dealing with tens of thousands of findings. However if you want to be able to see GuardDuty findings across multiple AWS accounts, you will need a platform like Cloudaware. Especially if you’re looking to make GuardDuty findings routable and actionable.

Ease of deployment and non-intrusiveness. Just like about everything else at AWS, GuardDuty is…

Nessus, Qualys, Rapid7 licenses are expensive and pricing rages from $2.50/host/month up to $18/host/month.

Most organizations scan their infrastructure on a weekly basis. Single host scan lasts under an hour. The remaining 23 hours in the day that scanning license does absolutely nothing. This idling actually costs a lot of money and is not necessary.

At 15,000 hosts, Citrix was dropping close $40,000 for vulnerability scanning licenses alone. Using Cloudaware scanning automation, they reduced the cost of scanning licenses to $4,000 per month. How? Short answer is floating licenses but if you want the long answer, keep reading.

Step 1. Cloudaware SPOT CMDB

Citrix uses…


The Most Complete Cloud Management Platform

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store