---
copyright:
lastupdated: "2026-06-18"
keywords:
subcollection: workload-protection
---
{{site.data.keyword.attribute-definition-list}}

# Enabling CSPM for {{site.data.keyword.cloud_notm}}
{: #cspm-implement}

Enable cloud security posture management (CSPM) in {{site.data.keyword.sysdigsecure_short}} to scan your {{site.data.keyword.cloud_notm}} resources for compliance with security and regulatory frameworks. With CSPM enabled, {{site.data.keyword.sysdigsecure_short}} continuously evaluates your cloud resources against predefined policies, helping you identify and resolve misconfigurations before they become security risks.
{: shortdesc}

This topic covers enabling CSPM for {{site.data.keyword.cloud_notm}}. To enable CSPM for another cloud provider, such as AWS, Azure, GCP, or OCI, see Connect cloud accounts{: external}.
{: tip}
To learn more about CSPM and how it works, go to About {{site.data.keyword.sysdigsecure_short}}. To see an example workflow, go to Analyzing compliance postures from detection to remediation.
CSPM for {{site.data.keyword.sysdigsecure_short}} depends on {{site.data.keyword.appconfig_short}}, which collects configuration details from your {{site.data.keyword.cloud_notm}} resources. The configuration aggregator feature in {{site.data.keyword.appconfig_short}} is included at no charge as part of the Lite plan. The integration uses an IAM trusted profile, scoped to your {{site.data.keyword.sysdigsecure_short}} instance, so that {{site.data.keyword.sysdigsecure_short}} can read the aggregated configuration without a long-lived API key.
You can enable CSPM for individual {{site.data.keyword.cloud_notm}} accounts or for your entire enterprise. For enterprise-level compliance scanning, see Enabling cloud compliance for enterprises.
CSPM is enabled by default when you create an instance of {{site.data.keyword.sysdigsecure_short}}. If you disable it, you can enable it again at any time by completing the following steps. For more information about creating an instance of {{site.data.keyword.sysdigsecure_short}} with CSPM enabled, see Getting started.
{: tip}

## Before you begin
{: #cspm-implement-prereqs-ui}

Before you get started, make sure that you have the following:

- An existing {{site.data.keyword.appconfig_short}} instance. For more information, see Creating an instance.
    - Manager role or greater on the {{site.data.keyword.appconfig_short}} service.
- An existing {{site.data.keyword.sysdigsecure_short}} instance with CSPM disabled. For more information, see Set up {{site.data.keyword.sysdigsecure_short}}.
    - Editor role or greater on the {{site.data.keyword.sysdigsecure_short}} service.
- Permissions to create and manage trusted profiles.
- The CRNs for your {{site.data.keyword.sysdigsecure_short}} and {{site.data.keyword.appconfig_short}} instances. If you don't already have them, you can find the CRNs by completing the following steps:
    1. In the {{site.data.keyword.cloud_notm}} console, click the Navigation Menu icon > Resource list and search for the service, either {{site.data.keyword.sysdigsecure_short}} or {{site.data.keyword.appconfig_short}}.
    2. Open your instance of {{site.data.keyword.appconfig_short}}, click Details, and copy the CRN.
    3. Open your instance of {{site.data.keyword.sysdigsecure_short}} and copy the CRN from the Details panel.
If context-based restrictions are enabled for resources in your account, you must create a rule that allows {{site.data.keyword.appconfig_short}} to reach those resources and collect configuration data; otherwise the aggregator is blocked and no compliance results appear. When you create the rule, select {{site.data.keyword.appconfig_short}} as the reference service in the network zone.
{: important}
## Creating a trusted profile
{: #tp-create}

Create a trusted profile that grants your instance of {{site.data.keyword.sysdigsecure_short}} access to the {{site.data.keyword.appconfig_short}} service. Complete the following steps:

1. Go to Manage > Access (IAM) > Trusted profiles and click Create.
2. Enter a name for the trusted profile, then establish trust by selecting {{site.data.keyword.cloud_notm}} services as the trusted entity type and entering the CRN for your {{site.data.keyword.sysdigsecure_short}} instance. Trusting the instance CRN, rather than the service as a whole, limits who can assume the profile to that one instance.
3. Add the following access policies to the trusted profile:
    - Viewer and Usage Report Viewer roles on the Enterprise service.
    - Configuration Aggregator Reader and Manager roles on the {{site.data.keyword.appconfig_short}} service.
4. After you create the trusted profile, copy the profile ID and save it for the next step.
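The trusted-profile step above, driven from the IBM Cloud CLI instead of the console, as an added example that is not part of this page or of the {{site.data.keyword.sysdigsecure_short}} product. Before it creates anything it checks the two CRNs that the prerequisites ask you to collect: that each belongs to the expected service and that both live in the same account, since a CRN pasted from the wrong instance is the most common reason the later "Add account" step fails. Assumptions not stated on the page: the IAM service names are `sysdig-secure` for {{site.data.keyword.sysdigsecure_short}}, `apprapp` for {{site.data.keyword.appconfig_short}} and `enterprise` for the Enterprise service; the `ibmcloud iam trusted-profile*` subcommands accept the flags used here; and the sample CRNs are constructed with fake account and instance IDs. The trust relationship to the {{site.data.keyword.sysdigsecure_short}} CRN (trusted entity type {{site.data.keyword.cloud_notm}} services) is still established in the console as described in step 2.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud docs page. Preflight checks on the
# Workload Protection and App Configuration CRNs, then the CLI calls that
# create the trusted profile and the access policies listed on the page.
# ASSUMED (not on the page): service names sysdig-secure / apprapp / enterprise,
# and the ibmcloud trusted-profile subcommand flags used below.

# CRN layout: crn:v1:bluemix:public:SERVICE:REGION:a/ACCOUNT:INSTANCE:TYPE:RESOURCE
crn_field() {                     # crn_field CRN N -> colon-separated field N
  printf '%s\n' "$1" | cut -d: -f"$2"
}
crn_service() { crn_field "$1" 5; }
crn_account() { crn_field "$1" 7 | sed 's#^a/##'; }
crn_instance() { crn_field "$1" 8; }

# Succeeds only if CRN is a public IBM Cloud CRN for the expected service
# and carries an account scope.
crn_check() {                     # crn_check CRN EXPECTED_SERVICE
  case "$1" in
    crn:v1:bluemix:public:*) ;;
    *) echo "not a public IBM Cloud CRN: $1" >&2; return 1 ;;
  esac
  [ "$(crn_service "$1")" = "$2" ] || {
    echo "expected a $2 CRN, got service '$(crn_service "$1")'" >&2; return 1; }
  [ -n "$(crn_account "$1")" ] || { echo "CRN has no account scope: $1" >&2; return 1; }
}

# Both CRNs must be in the same account: the aggregator only sees the account
# it runs in, and the trusted profile is account-scoped.
crn_check_pair() {                # crn_check_pair WP_CRN APPCONFIG_CRN
  crn_check "$1" sysdig-secure && crn_check "$2" apprapp || return 1
  [ "$(crn_account "$1")" = "$(crn_account "$2")" ] || {
    echo "CRNs belong to different accounts" >&2; return 1; }
}

# Creates the profile and the policies from the page. The App Configuration
# policy is scoped to the one instance (least privilege); the Enterprise
# policy has no instance to scope to. Requires `ibmcloud login` beforehand.
create_cspm_profile() {           # create_cspm_profile NAME WP_CRN APPCONFIG_CRN
  crn_check_pair "$2" "$3" || return 1
  ibmcloud iam trusted-profile-create "$1" \
    --description "CSPM: Workload Protection $(crn_instance "$2") reads config via App Configuration"
  ibmcloud iam trusted-profile-policy-create "$1" \
    --roles "Viewer,Usage Report Viewer" --service-name enterprise
  ibmcloud iam trusted-profile-policy-create "$1" \
    --roles "Configuration Aggregator Reader,Manager" \
    --service-name apprapp --service-instance "$(crn_instance "$3")"
  # Print the profile ID that the "Add account" step asks for (assumed command).
  ibmcloud iam trusted-profile "$1" --output json \
    | sed -n 's/.*"id": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample CRNs (fake IDs) so the preflight runs stand-alone.
WP_CRN='crn:v1:bluemix:public:sysdig-secure:us-south:a/0123456789abcdef0123456789abcdef:11111111-2222-3333-4444-555555555555::'
APPCONFIG_CRN='crn:v1:bluemix:public:apprapp:us-south:a/0123456789abcdef0123456789abcdef:66666666-7777-8888-9999-000000000000::'

if [ "${1:-}" = "apply" ]; then
  create_cspm_profile "${2:-wp-cspm-profile}" "$WP_CRN" "$APPCONFIG_CRN"
else
  crn_check_pair "$WP_CRN" "$APPCONFIG_CRN" && echo "preflight ok: CRNs are consistent"
fi
```

Run it with no arguments to validate the CRNs only; run `sh script.sh apply my-profile-name` after `ibmcloud login` to create the profile. Replace the sample CRNs with the ones you copied from the Details panels.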
## Connecting your {{site.data.keyword.cloud_notm}} account to {{site.data.keyword.sysdigsecure_short}}
{: #cspm-implement-ui}
To start scanning your {{site.data.keyword.cloud_notm}} account for compliance, add it to your existing {{site.data.keyword.sysdigsecure_short}} instance. By doing so, you enable CSPM for your {{site.data.keyword.cloud_notm}} account.
1. In the {{site.data.keyword.cloud_notm}} console, click the Navigation Menu icon > Security > Compliance, then click the name of your instance of {{site.data.keyword.sysdigsecure_short}}.
2. Click Sources, then select the {{site.data.keyword.cloud_notm}} Account tab.
3. Click Add and enter the ID of the trusted profile that you created, along with the CRN for your instance of {{site.data.keyword.appconfig_short}}.
4. Click Add to save your changes.
## Enabling the configuration aggregator
{: #cspm-implement-ui-ca}

Your instance of {{site.data.keyword.sysdigsecure_short}} is now connected to your instance of {{site.data.keyword.appconfig_short}}. However, the configuration aggregator in {{site.data.keyword.appconfig_short}} must be enabled before it gathers information from your {{site.data.keyword.cloud_notm}} account and resources. Complete the following steps:

1. In the {{site.data.keyword.cloud_notm}} console, click the Navigation Menu icon > Resource list and search for App Configuration.
2. Click the name of the {{site.data.keyword.appconfig_short}} instance to open it.
3. Click Configuration aggregator > Define an aggregation.
4. Select All regions to gather data from all regions, and click Save.
5. Enable Recording to begin collecting configuration data.

Compliance scan results appear within 5-10 minutes after provisioning, depending on the number of resources in your account. If no results appear after that, confirm that recording is enabled, that the trusted profile has the access policies listed earlier, and that any context-based restriction rules allow {{site.data.keyword.appconfig_short}} to reach your resources.
## Disabling CSPM
{: #cspm-implement-ui-disable}

To stop scanning your {{site.data.keyword.cloud_notm}} account for compliance, disable CSPM by removing the account from {{site.data.keyword.sysdigsecure_short}}.

1. In the {{site.data.keyword.cloud_notm}} console, click the Navigation Menu icon > Security > Compliance, then click the name of your instance of {{site.data.keyword.sysdigsecure_short}}.
2. Click Sources, then select the {{site.data.keyword.cloud_notm}} Account tab.
3. Click the actions menu for the account that you want to remove, then click Remove.

Compliance scanning stops for the selected account. Removing the account does not delete the trusted profile or turn off recording in {{site.data.keyword.appconfig_short}}; if you no longer need them, remove the profile and disable recording separately so that no unused access path remains.