Overview

Cloud Security Posture Management (CSPM) is the process of securing multi-cloud environments through enhanced visibility, risk and misconfiguration identification, posture assessment, and compliance protocols. CodeAnt AI continuously monitors cloud infrastructure, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), for gaps in security policy enforcement.

Key Features

  • Multi-Cloud Support: Currently supports AWS, GCP and Azure.
  • Seamless Integration: Connect seamlessly with any cloud provider and continuously monitor for security vulnerabilities, misconfigurations, and compliance issues.

How It Works

  1. Copy your External ID:
    • In CodeAnt AI, go to Settings -> Cloud Security -> AWS.
    • Copy the External ID shown at the top of the form — it’s a per-tenant value used to prevent cross-account confused-deputy attacks. You’ll paste it into your IAM trust policy in step 2.
  2. Create an IAM role in your AWS account:
    • Create an IAM role and attach the trust policy below, replacing <EXTERNAL_ID> with the value you copied above:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::785132296666:role/service-role/codeantcibackend-role-u7zwirub"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": { "sts:ExternalId": "<EXTERNAL_ID>" }
            }
          }
        ]
      }
      
    • Attach the AWS managed ReadOnlyAccess policy. That is the only permission CodeAnt AI needs — it only reads, never writes, creates, or deletes.
    • Copy the Role ARN (e.g. arn:aws:iam::123456789012:role/CodeAntCSPM).
    Need tighter, least-privilege access? You can grant CodeAnt AI extremely fine-grained, view-only access instead — see Fine-grained permissions at the bottom of this page.
  3. Save in Settings:
    • Back in Settings -> Cloud Security -> AWS, paste the Role ARN and your region, then save.
    • Click Validate Permissions to confirm CodeAnt AI can assume the role and that ReadOnlyAccess (or a valid fine-grained set) is attached.
  4. Start a Scan:
    • Go to Cloud Security -> Infrastructure Scan and click Start New Scan, then pick your AWS connection.
    • The scan typically completes in 5-20 minutes depending on account size, and results appear under Overview, Findings, Services, and Compliance.
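Before you save the role in step 3, it is worth checking the trust policy you are about to attach, because the two mistakes that matter most (leaving the `<EXTERNAL_ID>` placeholder in place, or dropping the `sts:ExternalId` condition altogether) both pass AWS's own JSON validation. The following linter is an added example and not CodeAnt AI's tooling: `CODEANT_PRINCIPAL` is the role ARN from the trust policy above, while every external ID value in it is constructed for illustration.

```python
"""Lint an IAM role trust policy before attaching it for a third-party CSPM
integration such as the one described above.

Added example, not CodeAnt AI's tooling. CODEANT_PRINCIPAL is the role ARN
shown in the trust policy on this page; every external ID value used below
is constructed for illustration.
"""
import json

CODEANT_PRINCIPAL = (
    "arn:aws:iam::785132296666:role/service-role/codeantcibackend-role-u7zwirub"
)
PLACEHOLDER = "<EXTERNAL_ID>"  # the token the page tells you to replace


def render_trust_policy(external_id: str, principal: str = CODEANT_PRINCIPAL) -> dict:
    """Fill the page's trust-policy template with the External ID copied from Settings."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, expected_principal: str, expected_external_id: str) -> list:
    """Return human-readable problems; an empty list means the policy is safe to attach."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    statements = _as_list(policy.get("Statement"))
    if not statements:
        problems.append("policy has no statements")
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        extra = [a for a in _as_list(stmt.get("Action")) if a != "sts:AssumeRole"]
        if extra:
            problems.append(f"{where}: unexpected actions {extra}")
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        for p in principals:
            if p == "*":
                problems.append(f"{where}: wildcard principal lets any AWS account assume the role")
            elif p != expected_principal:
                problems.append(f"{where}: principal {p!r} is not the CodeAnt AI role")
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext = string_equals.get("sts:ExternalId")
        if ext is None:
            problems.append(f"{where}: missing sts:ExternalId condition (confused-deputy protection)")
        elif ext == PLACEHOLDER:
            problems.append(f"{where}: {PLACEHOLDER} placeholder was never replaced")
        elif ext != expected_external_id:
            problems.append(f"{where}: external ID does not match the value shown in CodeAnt AI settings")
    return problems


if __name__ == "__main__":
    ext_id = "codeant-example-external-id"  # constructed value
    good = render_trust_policy(ext_id)
    print("good:", check_trust_policy(good, CODEANT_PRINCIPAL, ext_id))
    unfilled = render_trust_policy(PLACEHOLDER)
    print("unfilled:", check_trust_policy(unfilled, CODEANT_PRINCIPAL, ext_id))
    no_condition = json.loads(json.dumps(good))
    del no_condition["Statement"][0]["Condition"]
    print("no condition:", check_trust_policy(no_condition, CODEANT_PRINCIPAL, ext_id))
```

Run it against the JSON you are about to paste into the IAM console (`json.load` the file and pass it to `check_trust_policy` with the External ID from Settings). The checker deliberately treats any principal other than the exact CodeAnt AI role ARN as a problem; a bare account-root principal would still be constrained by the external ID, but it is broader than the page's template and should be a conscious choice.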

Benefits

  • Enhanced Visibility: Gain complete visibility into your cloud infrastructure’s security posture.
  • Risk and Misconfiguration Identification: Continuously identify and address risks and misconfigurations.
  • Compliance Assurance: Ensure your cloud infrastructure complies with industry standards and protocols.

Demo

For a detailed use case and step-by-step guide on how to utilize the cloud security feature, check out our demo. The demo provides a comprehensive walkthrough, showing you how to configure settings, start a scan, and interpret the results effectively.

Fine-grained permissions

We recommend ReadOnlyAccess for most teams: it’s the simplest setup and covers every feature. If your security program calls for tighter, least-privilege access, you can grant CodeAnt AI extremely fine-grained, view-only access instead. The required setup has two parts (steps 3 and 4 below are optional add-ons):
  1. Attach AWS’s managed security policies: SecurityAudit and ViewOnlyAccess. These are standard AWS managed policies, maintained by AWS, so you don’t author or maintain their contents. They grant read access to security configuration and metadata only (no object, message, or log contents), comparable to how Vanta requests access, and cover the full posture scan, GuardDuty findings, and compliance.
  2. Add this one custom policy. It’s the only thing you configure yourself: a small set of read-only actions the two managed policies above don’t include.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMoreReadOnly",
      "Effect": "Allow",
      "Action": [
        "account:Get*",
        "appstream:Describe*",
        "appstream:List*",
        "backup:List*",
        "backup:Get*",
        "bedrock:List*",
        "bedrock:Get*",
        "cloudtrail:GetInsightSelectors",
        "codeartifact:List*",
        "codebuild:BatchGet*",
        "codebuild:ListReportGroups",
        "codepipeline:ListTagsForResource",
        "cognito-idp:GetUserPoolMfaConfig",
        "dlm:Get*",
        "drs:Describe*",
        "ds:Get*",
        "ds:Describe*",
        "ds:List*",
        "dynamodb:GetResourcePolicy",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:GetSnapshotBlockPublicAccessState",
        "ec2:GetInstanceMetadataDefaults",
        "ecr:Describe*",
        "ecr:GetRegistryScanningConfiguration",
        "elasticfilesystem:DescribeBackupPolicy",
        "glue:GetConnections",
        "glue:GetSecurityConfiguration*",
        "glue:SearchTables",
        "glue:GetMLTransforms",
        "lambda:GetFunction*",
        "logs:FilterLogEvents",
        "lightsail:GetRelationalDatabases",
        "macie2:GetMacieSession",
        "macie2:GetAutomatedDiscoveryConfiguration",
        "s3:GetAccountPublicAccessBlock",
        "shield:DescribeProtection",
        "shield:GetSubscriptionState",
        "securityhub:GetFindings",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "ssm:GetDocument",
        "ssm-incidents:List*",
        "states:ListTagsForResource",
        "support:Describe*",
        "tag:GetTagKeys",
        "wafv2:ListIPSets",
        "wafv2:GetIPSet",
        "wafv2:ListWebACLs",
        "wafv2:GetWebACL",
        "wafv2:GetWebACLForResource",
        "wafv2:ListResourcesForWebACL",
        "wafv2:GetLoggingConfiguration",
        "wellarchitected:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAPIGatewayReadOnly",
      "Effect": "Allow",
      "Action": ["apigateway:GET"],
      "Resource": [
        "arn:*:apigateway:*::/restapis/*",
        "arn:*:apigateway:*::/apis/*"
      ]
    }
  ]
}
  3. (Optional) Enable API-abuse / WAF-log detection by attaching CloudWatchLogsReadOnlyAccess. The view-only set above does not read log contents, so the API Abuse tab stays empty. To enable it, also attach the AWS managed policy CloudWatchLogsReadOnlyAccess; this lets CodeAnt AI analyze your WAF and API Gateway logs to flag suspicious client IPs. It reads edge-log content (client IPs and request bodies), so it’s fully opt-in.
    • Strict-minimal alternative to CloudWatchLogsReadOnlyAccess: a custom policy granting only logs:DescribeLogGroups, logs:StartQuery, and logs:GetQueryResults on Resource: "*".
  4. (Optional) Enable container scanning by attaching AmazonEC2ContainerRegistryReadOnly. Container scanning reads and scans your ECR images, which requires pulling image layers; the view-only policies above can only list repositories, not download images. To enable it, also attach the AWS managed policy AmazonEC2ContainerRegistryReadOnly. It grants read-only access to your ECR registry (ecr:DescribeRepositories, ecr:DescribeImages, ecr:GetAuthorizationToken, ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, and related read actions) so CodeAnt AI can pull and scan images for vulnerabilities and secrets.
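The custom policy in step 2 and the strict-minimal CloudWatch Logs alternative in step 3 are both meant to stay view-only, and a policy that is edited over time can quietly pick up write actions. The following audit is an added example and not CodeAnt AI's product code: it sorts every action in a policy's Allow statements into read-only or violation by its verb prefix, with an explicit exception list for the two actions on this page that are read-only but do not follow the naming convention (`apigateway:GET` and `logs:StartQuery`). `FINE_GRAINED_EXCERPT` is a subset of the custom policy above, `LOGS_MINIMAL` is the step-3 alternative, and `DRIFTED` is a constructed policy that has gained write access, included to show a failing result.

```python
"""Audit an IAM permissions policy for read-only intent before attaching it.

Added example, not CodeAnt AI's product code. FINE_GRAINED_EXCERPT is a
subset of the custom policy shown above, LOGS_MINIMAL is the strict-minimal
CloudWatch Logs alternative from step 3, and DRIFTED is a constructed copy
that has picked up write access, to show what a failing audit looks like.
"""
import json

# Action verbs that only read configuration or metadata.
READ_VERBS = ("Get", "List", "Describe", "BatchGet", "Search", "Filter")
# Read-only actions whose names do not start with a read verb; both appear on this page.
READ_ONLY_EXCEPTIONS = {"apigateway:GET", "logs:StartQuery"}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only_action(action: str) -> bool:
    """Judge an action string, wildcards included, by its literal prefix:
    'ds:Get*' is read-only; 'iam:*' and a bare '*' are not."""
    if action in READ_ONLY_EXCEPTIONS:
        return True
    if ":" not in action:
        return False  # a bare "*" grants every action in every service
    _service, verb = action.split(":", 1)
    return verb.startswith(READ_VERBS)


def audit_policy(policy: dict) -> dict:
    """Sort every action in every Allow statement into read_only or violations.
    NotAction is reported as a violation because it grants everything not listed."""
    result = {"read_only": [], "violations": []}
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        sid = stmt.get("Sid", f"Statement[{i}]")
        if "NotAction" in stmt:
            result["violations"].append(f"{sid}: NotAction")
        for action in _as_list(stmt.get("Action")):
            key = "read_only" if is_read_only_action(action) else "violations"
            result[key].append(action)
    return result


# Subset of the page's custom policy (Sids AllowMoreReadOnly and AllowAPIGatewayReadOnly).
FINE_GRAINED_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowMoreReadOnly",
            "Effect": "Allow",
            "Action": [
                "account:Get*", "backup:List*", "cloudtrail:GetInsightSelectors",
                "codebuild:BatchGet*", "glue:SearchTables", "logs:FilterLogEvents",
                "ec2:GetEbsEncryptionByDefault", "securityhub:GetFindings",
            ],
            "Resource": "*",
        },
        {
            "Sid": "AllowAPIGatewayReadOnly",
            "Effect": "Allow",
            "Action": ["apigateway:GET"],
            "Resource": ["arn:*:apigateway:*::/restapis/*", "arn:*:apigateway:*::/apis/*"],
        },
    ],
}

# Strict-minimal CloudWatch Logs alternative from step 3.
LOGS_MINIMAL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:DescribeLogGroups", "logs:StartQuery", "logs:GetQueryResults"],
        "Resource": "*",
    }],
}

# Constructed: a policy that drifted to include write and wildcard grants.
DRIFTED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Drifted",
        "Effect": "Allow",
        "Action": ["ecr:BatchGetImage", "s3:PutObject", "iam:*", "*"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for name, pol in [("fine-grained", FINE_GRAINED_EXCERPT), ("logs-minimal", LOGS_MINIMAL), ("drifted", DRIFTED)]:
        report = audit_policy(pol)
        verdict = "OK" if not report["violations"] else "REJECT"
        print(f"{name}: {verdict} {json.dumps(report['violations'])}")
```

The verb-prefix rule is a heuristic, which is why the exception set is explicit and small: anything not covered is rejected rather than waved through, and a reviewer extends the set only after reading the action's documentation. Run the audit as a pre-commit or CI step on the policy file you keep under version control, so a later edit that adds a write action is caught before it reaches the role.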