Security Posture Management
Comparison of CSPM tools: AWS Security Hub, Microsoft Defender for Cloud, GCP Security Command Center, and OCI Cloud Guard with compliance frameworks, auto-remediation, and multi-cloud strategies.
Prerequisites
- Understanding of cloud security fundamentals
- Familiarity with compliance frameworks (CIS, NIST, PCI DSS)
Cloud Security Posture Management Across Providers
Cloud Security Posture Management (CSPM) tools continuously monitor your cloud environments for misconfigurations, compliance violations, and security risks. Every major cloud provider offers a native CSPM service: AWS Security Hub, Microsoft Defender for Cloud, Google Security Command Center (SCC), and OCI Cloud Guard. These services aggregate findings from multiple security sources, benchmark against frameworks like CIS and NIST, and provide remediation guidance.
This guide compares the native security posture management services across all four major cloud providers. We cover feature sets, pricing models, compliance framework support, automated remediation capabilities, and integration options. For organizations operating in multi-cloud environments, we also discuss third-party CSPM solutions and strategies for unified security visibility across providers.
Understanding your cloud provider's native security tools is essential even if you use a third-party CSPM product, because native tools often have deeper integration, lower latency for detection, and no additional data egress costs.
Service Comparison Overview
| Feature | AWS Security Hub | Microsoft Defender | GCP SCC | OCI Cloud Guard |
|---|---|---|---|---|
| Free Tier | 30-day trial | Free (basic), CSPM Free | Standard tier free | Free (included) |
| Premium Cost | $0.0010/check/account/region | ~$15/server/month (Defender for Servers) | Premium: custom pricing | Free |
| Multi-Cloud Support | Limited (via 3rd party) | Yes (AWS + GCP connectors) | Limited | No |
| Auto-Remediation | Yes (via custom actions) | Yes (built-in remediations) | Yes (via Cloud Functions) | Yes (responder recipes) |
| Compliance Frameworks | CIS, PCI DSS, NIST, SOC 2, HIPAA | CIS, PCI DSS, NIST, ISO, SOC, HIPAA | CIS, PCI DSS, NIST, ISO, HIPAA | CIS, PCI DSS, NIST |
| Vulnerability Scanning | Inspector (separate) | Built-in (Qualys or MDVM) | Web Security Scanner | VSS (Vulnerability Scanning) |
| Threat Detection | GuardDuty (separate) | Built-in threat detection | Event Threat Detection | Threat Detector |
OCI Cloud Guard is Free
OCI Cloud Guard is the only fully free native CSPM among the four providers. It includes detector recipes, responder recipes, automated remediation, and compliance monitoring at no additional cost. AWS Security Hub charges per compliance check, Microsoft Defender for Cloud charges per protected resource for premium features, and GCP SCC Premium requires custom pricing for advanced capabilities.
AWS Security Hub
AWS Security Hub aggregates security findings from multiple AWS services (GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager) and third-party tools into a single dashboard. It runs automated compliance checks against security standards and provides a security score for each standard.
# Enable Security Hub
aws securityhub enable-security-hub \
--enable-default-standards
# Enable specific compliance standards
aws securityhub batch-enable-standards --standards-subscription-requests '[
{"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/3.0.0"},
{"StandardsArn": "arn:aws:securityhub:us-east-1::standards/nist-800-53/v/5.0.0"},
{"StandardsArn": "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"}
]'
# View findings summary
aws securityhub get-findings \
--filters '{"SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}]}' \
--max-items 10 \
--query 'Findings[].{Title:Title,Resource:Resources[0].Id,Severity:Severity.Label}' \
--output table
# Get compliance status
aws securityhub get-insight-results \
--insight-arn "arn:aws:securityhub:::insight/securityhub/default/1"
# Enable GuardDuty for threat detection
aws guardduty create-detector --enable
# Enable Inspector for vulnerability scanning
aws inspector2 enable --resource-types EC2 ECR LAMBDA
# Create an automated action (remediate public S3 buckets)
aws securityhub create-action-target \
--name "RemediatePublicS3" \
--description "Block public access on S3 buckets" \
--id "RemediatePublicS3"Microsoft Defender for Cloud
Microsoft Defender for Cloud is the most comprehensive native CSPM, offering built-in multi-cloud support with connectors for AWS and GCP environments. It combines CSPM (configuration assessment) with CWPP (Cloud Workload Protection Platform) for runtime threat detection on VMs, containers, databases, and storage.
# Check Defender for Cloud status
az security pricing list --output table
# Enable Defender for specific resource types
az security pricing create --name VirtualMachines --tier Standard
az security pricing create --name SqlServers --tier Standard
az security pricing create --name Containers --tier Standard
az security pricing create --name StorageAccounts --tier Standard
# View secure score
az security secure-score list --output table
# List security recommendations
az security assessment list \
--output table \
--query "[?status.code=='Unhealthy'].{Name:displayName,Status:status.code,Severity:metadata.severity}"
# View compliance assessment
az security regulatory-compliance-standards list \
--output table
# Get details for a specific standard
az security regulatory-compliance-controls list \
--standard-name "CIS-Microsoft-Azure-Foundations-Benchmark-v2.0.0" \
--output table \
--query "[?state=='Failed'].{Control:id,Description:description}"
# Enable multi-cloud connector for AWS
az security connector create \
--name aws-connector \
--resource-group security-rg \
--environment-name AWS \
--hierarchy-identifier AWS_ACCOUNT_ID \
--offerings "[{offeringType:CspmMonitorAws}]"
# List security alerts
az security alert list \
--output table \
--query "[].{Name:alertDisplayName,Severity:severity,Status:status}"Defender CSPM Free Tier
Microsoft Defender for Cloud includes a free CSPM tier (Foundational CSPM) that provides security recommendations, secure score, and basic compliance assessment at no cost. The paid Defender CSPM plan adds attack path analysis, agentless scanning, governance rules, and advanced compliance dashboards. For many organizations, the free tier provides sufficient visibility. The paid workload protection plans (Defender for Servers, Containers, etc.) are where costs add up.
Google Security Command Center
Google SCC provides a centralized dashboard for security findings across your GCP organization. The Standard tier (free) includes Security Health Analytics for misconfiguration detection, Web Security Scanner for web application vulnerabilities, and anomaly detection. The Premium tier adds Event Threat Detection, Container Threat Detection, and Virtual Machine Threat Detection.
# Enable Security Command Center API
gcloud services enable securitycenter.googleapis.com
# List active findings (high severity)
gcloud scc findings list organizations/ORG_ID \
--filter='severity="HIGH" AND state="ACTIVE"' \
--format="table(finding.category,finding.severity,finding.resourceName,finding.description)" \
--limit=20
# List misconfiguration findings
gcloud scc findings list organizations/ORG_ID \
--source=organizations/ORG_ID/sources/SECURITY_HEALTH_ANALYTICS_SOURCE_ID \
--filter='state="ACTIVE"' \
--format="table(finding.category,finding.severity,finding.resourceName)"
# Mute a finding (known false positive)
gcloud scc findings set-mute \
organizations/ORG_ID/sources/SOURCE_ID/findings/FINDING_ID \
--mute=MUTED
# Create a mute rule (suppress known patterns)
gcloud scc muteconfigs create \
--organization=ORG_ID \
--mute-config-id=mute-dev-findings \
--filter='resource.projectDisplayName="dev-project"' \
--description="Suppress findings from dev project"
# Export findings to BigQuery for analysis
gcloud scc findings list organizations/ORG_ID \
--filter='state="ACTIVE"' \
--format=json > scc-findings.json
# Enable Event Threat Detection (Premium)
# Detects: cryptomining, malware, brute force, data exfiltration
# Set up notifications via Pub/Sub
gcloud scc notifications create scc-critical-alerts \
--organization=ORG_ID \
--pubsub-topic=projects/MY_PROJECT/topics/scc-alerts \
--filter='severity="CRITICAL" AND state="ACTIVE"'OCI Cloud Guard
OCI Cloud Guard monitors your tenancy for security misconfigurations and suspicious activities using detector recipes (rules that identify problems) and responder recipes (automated actions to fix them). Cloud Guard is free and enabled at the tenancy level.
# Enable Cloud Guard
oci cloud-guard cloud-guard-configuration update \
--reporting-region us-ashburn-1 \
--status ENABLED
# Create a target (scope of monitoring)
oci cloud-guard target create \
--compartment-id TENANCY_OCID \
--display-name "production-guard" \
--target-resource-id COMPARTMENT_OCID \
--target-resource-type COMPARTMENT \
--description "Monitor production compartment"
# List active problems
oci cloud-guard problem list \
--compartment-id TENANCY_OCID \
--lifecycle-state ACTIVE \
--risk-level CRITICAL \
--output table \
--query "data[].{Name:"detector-rule-id",Resource:"resource-name",Risk:"risk-level"}"
# List detector recipes (built-in detection rules)
oci cloud-guard detector-recipe list \
--compartment-id TENANCY_OCID \
--output table
# Create a responder recipe for auto-remediation
oci cloud-guard responder-recipe list \
--compartment-id TENANCY_OCID \
--output table
# Resolve a problem
oci cloud-guard problem update-problem \
--problem-id PROBLEM_OCID \
--lifecycle-detail RESOLVED \
--comment "Fixed: disabled public access on bucket"Multi-Cloud CSPM Strategy
For organizations running workloads across multiple clouds, relying solely on native CSPM tools creates visibility silos. You need a strategy that combines native tools (for deep integration and speed) with a unified view across all environments.
Approaches to Multi-Cloud Security
| Approach | Pros | Cons | Best For |
|---|---|---|---|
| Native tools only | Free/cheap, deepest integration | Siloed views, different UIs | Single-cloud or cloud-dominant orgs |
| Defender for Cloud (multi-cloud) | Unified view, no extra vendor | Azure-centric, limited depth for AWS/GCP | Azure-primary with AWS/GCP workloads |
| Third-party CSPM | Unified, cloud-agnostic, advanced features | Additional cost, data egress | True multi-cloud organizations |
| Hybrid (native + aggregation) | Best depth + unified view | More complex to manage | Enterprise with mature security |
Third-Party CSPM Options
| Tool | Clouds Supported | Key Strength | Pricing Model |
|---|---|---|---|
| Wiz | AWS, Azure, GCP, OCI, Ali | Agentless scanning, attack paths | Per-cloud resource |
| Prisma Cloud | AWS, Azure, GCP, OCI, Ali | CSPM + CWPP + CNAPP | Credits-based |
| Orca Security | AWS, Azure, GCP, Ali | Agentless, side-scanning | Per-asset |
| Lacework | AWS, Azure, GCP | Anomaly detection, polygraph | Per-resource |
| Prowler (OSS) | AWS, Azure, GCP | Free, CLI-based, CIS checks | Free (open source) |
# Prowler: Open-source security assessment across clouds
# Install Prowler
pip install prowler
# Run AWS security assessment
prowler aws --compliance cis_2.0_aws
# Run Azure security assessment
prowler azure --compliance cis_2.1_azure
# Run GCP security assessment
prowler gcp --compliance cis_2.0_gcp
# Generate HTML report
prowler aws --output-formats html --output-directory ./reports/
# Run specific checks only
prowler aws --checks s3_bucket_public_access iam_root_mfa_enabled \
ec2_security_group_default_restrict_trafficCompliance is Not Security
Passing all CIS benchmark checks does not mean your environment is secure. CSPM compliance checks verify configuration against known best practices, but they cannot detect zero-day vulnerabilities, insider threats, or sophisticated attack chains. Use CSPM as one layer of your security program alongside runtime threat detection, vulnerability management, incident response planning, and security training.
Key Takeaways
- 1OCI Cloud Guard is the only fully free native CSPM; all others charge for premium features.
- 2Microsoft Defender for Cloud has the best native multi-cloud support with connectors for AWS and GCP.
- 3All four providers support CIS, PCI DSS, and NIST compliance frameworks with automated compliance checks.
- 4Auto-remediation is available on all platforms: custom actions (AWS), built-in remediations (Azure), Cloud Functions (GCP), responder recipes (OCI).
- 5For true multi-cloud visibility, combine native tools with a third-party CSPM like Wiz, Prisma Cloud, or Prowler (OSS).
- 6Compliance passing does not equal security; CSPM is one layer alongside runtime protection and incident response.
Frequently Asked Questions
Do I need a third-party CSPM if I use native tools?
How much does CSPM cost?
What is the difference between CSPM and CWPP?
Written by CloudToolStack Team
Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.
Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.