You cannot click through every account and region. Scan your whole cloud against CIS Benchmarks with Prowler, shift the same checks into CI against your Terraform, and prioritize what to fix first.
You need an objective standard for "secure enough," and the CIS Benchmarks provide one: hundreds of specific, checkable settings per cloud (IAM, logging, storage, network). Scanning against a benchmark converts "is our cloud secure?" into a concrete score with a list of failing controls — measurable, trackable, and defensible to auditors.
Instead of vibes, measure against a published baseline:
CIS AWS Foundations Benchmark — e.g.:
1.x IAM: MFA on root, no root access keys, key rotation
3.x logging: CloudTrail on in all regions, log file validation
4.x monitoring: alarms on root use, policy changes
5.x network: no 0.0.0.0/0 to 22/3389, default SG restricts all
A CSPM scan = "which of these hundreds of controls are we failing,
in which account/region, right now?" That's your remediation backlog.Prowler is an open-source CSPM tool that runs hundreds of checks across your cloud account and maps them to CIS and other frameworks. Run it (read-only) across every region and account to get a prioritized findings report. ScoutSuite and the cloud-native tools (Security Hub, Defender for Cloud) fill the same role — the point is automated, continuous, account-wide checking.
Read-only required — Run posture scanners with a read-only audit role. They only need to read configuration, never modify it.# scan an AWS account against CIS, output a report
prowler aws --compliance cis_2.0_aws
# focus on the scariest categories first
prowler aws --services s3 iam ec2 --severity critical high
# other engines, same job:
# scout suite aws # ScoutSuite, HTML report
# AWS Security Hub / Azure Defender for Cloud / GCP SCC (native, continuous)
# run it scheduled (daily) from a read-only audit role -> feed findings
# into your tracker. Posture is continuous, not a one-off audit.Finding a misconfiguration in production is late; catching it in the pull request that introduces it is early and cheap. IaC scanners (Checkov, tfsec, Trivy config) read your Terraform/CloudFormation and fail the build on the same misconfigurations a CSPM would later flag — a public bucket, an open security group, an unencrypted volume. This is the cloud half of the DevSecOps Pipeline.
# scan Terraform for misconfigurations before it's ever applied
checkov -d ./infra --compact --hard-fail-on HIGH
trivy config ./infra --severity HIGH,CRITICAL
# example finding it blocks at PR time:
# CKV_AWS_20: "S3 Bucket has an ACL defined which allows public access"
# CKV_AWS_24: "Security group allows ingress from 0.0.0.0/0 to port 22"
# same rule, two places: IaC scan (prevent) + CSPM (detect drift).
# Prevention in CI is cheaper than detection in prod.A scan of a real account returns hundreds of findings; fixing them in listed order is a trap. Prioritize by exploitability: anything public and sensitive first, then over-broad identity, then everything reachable from those. A medium-severity finding on an internet-facing resource beats a high-severity one on an isolated internal system.
Triage order for CSPM findings (not by raw severity alone):
1. PUBLIC + SENSITIVE public bucket/db/snapshot with real data -> now
2. IDENTITY BLAST Action:"*" roles, root keys, no-MFA admins -> now
3. INTERNET-REACHABLE 0.0.0.0/0 to admin ports, exposed services
4. DEFENSE-IN-DEPTH missing encryption, logging gaps on internal stuff
Ask "could an external attacker reach and use this today?" Yes -> top.
Fix in the IaC so it stays fixed, then re-scan to confirm.