I built a multi-cloud CSPM workflow that audits AWS and Azure against CIS benchmarks with Prowler and ScoutSuite, then remediates drift with Terraform. The first audit surfaced 47 misconfigurations and closed every public S3 bucket exposure within one hour.

Context & Standards Alignment

Cloud misconfiguration, not exploitation, drives most cloud breaches. This lab continuously measures posture against CIS AWS Foundations and CIS Azure benchmarks and enforces guardrails with policy-as-code.

  • T1530 Data from Cloud Storage Object – detection of public buckets/blobs.
  • T1078.004 Cloud Accounts – IAM privilege-escalation path scanning.

Environment & Prerequisites

  • AWS account with read-only SecurityAudit role; Azure subscription with Reader + Security Reader.
  • Prowler 3.x, ScoutSuite, Terraform 1.7, Azure CLI, AWS CLI v2.
  • CI runner with scheduled scans; findings stored for trend analysis.

Step-by-Step Execution

1. Run a Prowler CIS audit against AWS

prowler aws --compliance cis_2.0_aws -M csv json -o ./out
FAIL s3_bucket_public_access: 3 buckets public
FAIL iam_root_mfa_enabled: root MFA disabled
PASS cloudtrail_multi_region_enabled

2. Audit Azure with ScoutSuite

scout azure --cli --report-dir ./azure-out

3. Remediate a public bucket with Terraform

terraform apply -target=aws_s3_bucket_public_access_block.fix -auto-approve
aws_s3_bucket_public_access_block.fix: Creation complete
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Validation & Testing

Re-run Prowler scoped to the S3 checks and confirm the previously failing controls now PASS. The posture dashboard should reflect the improved CIS compliance percentage (alt text: before/after CIS compliance bar chart showing 92% post-remediation).

Advanced: Troubleshooting
  • Prowler AccessDenied: attach the managed SecurityAudit + ViewOnlyAccess policies.
  • ScoutSuite throttling: add --max-rate and run per-service.
  • Terraform drift returns: enforce the guardrail with an SCP or Azure Policy denyAssignment.

Key Results

  • Identified 47 misconfigurations across AWS and Azure in the first audit.
  • Remediated 100% of public S3 bucket exposures within 1 hour.
  • Achieved 92% compliance against CIS benchmarks after remediation.
  • Scheduled recurring scans giving continuous drift detection on both clouds.