CloudGuard
Cloud-native application protection across AWS, Azure, and GCP.
What is CloudGuard?
CloudGuard is a Cloud-Native Application Protection Platform (CNAPP) that continuously audits your cloud estate for misconfigurations, excessive entitlements, and exploitable attack paths. It is built for cloud and platform engineering teams that need unified posture visibility across AWS, Azure, and GCP without deploying agents inside workloads.
- Combines CSPM, CIEM, and attack-path analysis in a single read-only integration.
- Findings are mapped to CIS Benchmarks, SOC 2, PCI-DSS, and NIST 800-53 control frameworks.
- Attack-path graph highlights chains of misconfiguration that, together, allow lateral movement or privilege escalation.
Connect your cloud accounts
CloudGuard uses read-only IAM credentials — it never writes to your environment. Grant the least-privilege policy bundle for your cloud provider, then add the account in the Trust Portal under Settings → Cloud Accounts.
- AWS: create an IAM role with the CloudGuard read-only policy and paste the Role ARN.
- Azure: register an app in Entra ID and assign the Security Reader built-in role.
- GCP: create a service account and assign the Security Reviewer role at the org level.
- Multi-account / multi-project: repeat per account; CloudGuard consolidates findings automatically.
1. Create a read-only IAM role.
In your cloud provider console, create a role or service account using the least-privilege policy template available in the Trust Portal under Settings → Cloud Accounts → Policy Templates.
2. Add the account in the Trust Portal.
Navigate to Settings → Cloud Accounts → Add Account. Select your provider, paste the Role ARN or service-account key, and click Verify.
3. Wait for the first inventory pull.
CloudGuard queues an inventory sync within a few minutes of account registration. The Findings page populates as results arrive.
Key concepts
CloudGuard operates as a CNAPP — it combines posture management (CSPM), cloud infrastructure entitlement management (CIEM), and attack path analysis in a single pane.
- Checks: individual posture rules evaluated against your resource inventory (e.g. "S3 bucket is not public").
- Findings: a check violation tied to a specific resource, with severity and remediation guidance.
- Attack paths: chains of findings that, combined, could allow lateral movement or privilege escalation.
- CIEM: entitlement graph showing which identities can reach which resources — highlights over-provisioned roles.
- Connectors: each cloud account is a connector; inventory syncs on a configurable polling schedule.
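To make the attack-path concept concrete, here is an added illustration (not CloudGuard's own engine or data): a constructed inventory graph whose edges are relationships between resources and identities, some of them only traversable because of a finding, and a search that reports every chain of at least two findings leading from the internet to a crown-jewel resource. Node and check names are made up for the example.

```python
from collections import defaultdict

# Constructed sample inventory (not CloudGuard output). Each edge is
# (source, destination, finding): the finding is the check violation that
# makes the hop possible, or None for a legitimate relationship such as an
# instance profile attached to an instance.
EDGES = [
    ("internet", "web-ec2", "sg-allows-0.0.0.0/0-on-22"),
    ("web-ec2", "web-role", None),
    ("web-role", "admin-role", "iam-passrole-wildcard"),
    ("admin-role", "prod-db-snapshot", None),
    ("internet", "bastion-ec2", "sg-allows-0.0.0.0/0-on-22"),
    ("bastion-ec2", "bastion-role", None),
    ("bastion-role", "logs-bucket", None),
    ("dev-user", "admin-role", "iam-assume-role-no-mfa"),
]

def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, finding in edges:
        graph[src].append((dst, finding))
    return graph

def findings_in(path):
    """Findings used along a path of (node, finding) tuples."""
    return [finding for _, finding in path if finding]

def attack_paths(edges, entry, targets, min_findings=2):
    """Return every simple path from `entry` to a node in `targets` that
    traverses at least `min_findings` findings. A single finding is just a
    finding; two or more combined along one path form an attack path."""
    graph = build_graph(edges)
    found = []

    def walk(node, path, seen):
        if node in targets:
            if len(findings_in(path)) >= min_findings:
                found.append(path)
            return  # do not traverse through a crown-jewel node
        for nxt, finding in graph.get(node, []):
            if nxt not in seen:
                walk(nxt, path + [(nxt, finding)], seen | {nxt})

    walk(entry, [(entry, None)], {entry})
    return found

if __name__ == "__main__":
    for path in attack_paths(EDGES, "internet", {"prod-db-snapshot", "logs-bucket"}):
        print(" -> ".join(node for node, _ in path), "| via", findings_in(path))
```

Lowering `min_findings` to 1 also surfaces single-finding exposures, which is how a posture tool distinguishes a plain finding from a chain.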
Your first scan
After adding a cloud account, CloudGuard schedules an initial inventory pull within a few minutes. Navigate to CloudGuard → Findings to see the first results. Use the Severity filter to focus on Critical and High findings first.
- The attack-path graph renders under CloudGuard → Attack Paths once inventory is complete.
- Suppress false positives per resource using the "Mark as accepted risk" action — suppression is audited.
- Connect CloudGuard to Elm (SOAR) to auto-open cases for Critical findings.
Integrations
CloudGuard connects to cloud provider control planes and feeds findings to downstream detection and response tools within the Sandworm platform.
- Cloud providers: AWS (IAM, CloudTrail, Config, SecurityHub), Azure (Entra ID, Defender for Cloud, Resource Graph), GCP (Security Command Center, Asset Inventory).
- Elm (SOAR): auto-open cases for Critical and High findings; playbooks can trigger remediation scripts.
- Sandworm SIEM: forward CloudGuard finding events as OCSF-formatted log records for correlation.
- Sandworm BAS: reads the CloudGuard entitlement graph to simulate lateral-movement scenarios.
- Trust Portal: posture scores and compliance framework mappings surface on the public attestation index.
API and CLI
Interact with CloudGuard programmatically via the sandworm CLI or the platform REST API. All operations require a valid API token issued from the Trust Portal.
- `sandworm cloudguard findings list` — list current findings with optional `--severity` and `--account` filters.
- `sandworm cloudguard scan trigger` — request an on-demand inventory refresh for an account.
- `sandworm cloudguard attack-paths list` — enumerate active attack paths.
- REST API: see the OpenAPI spec at /api/cloudguard/openapi.json on your deployment.
Example: `sandworm cloudguard findings list --severity critical --format table` lists only Critical findings, rendered as a table.