Overview

Cloud Security Posture Management (CSPM) is the process of securing multi-cloud environments through enhanced visibility, risk and misconfiguration identification, posture assessment, and compliance protocols. CodeAnt AI continuously monitor cloud infrastructure—such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)—for gaps in security policy enforcement.

Key Features

  • Multi-Cloud Support: Currently supports AWS, GCP and Azure.
  • Seamless Integration: Connect seamlessly with any cloud provider and continuously monitor for security vulnerabilities, misconfigurations, and compliance issues.

Setup

  1. Permissions
    1. Create a dedicated service account in each project 
      PROJECT_ID=<your-project-id>
SA=codeant-cspm
gcloud iam service-accounts create $SA --project $PROJECT_ID \
  --description="CodeAnt AI CSPM scanner" \
  --display-name="CodeAnt CSPM"
    2. Grant the minimum roles
      1. Viewer — lets the scanner read basic project metadata 
        gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SA}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/viewer"
      2. Cloud Asset Viewer — needed for asset inventory reads 
        gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SA}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/cloudasset.viewer"
      3. Service-agent prep — grab the project-number and service-agent address 
        PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
SERVICE_AGENT="service-${PROJECT_NUMBER}@gcp-sa-cloudasset.iam.gserviceaccount.com"
      4. Service Networking Service Agent — lets the Cloud Asset service do its job 
        gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SERVICE_AGENT}" \
  --role="roles/servicenetworking.serviceAgent"
      5. Storage Object Admin (for the Cloud Asset service agent) — so exported dumps can land in GCS 
        gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SERVICE_AGENT}" \
  --role="roles/storage.objectAdmin"
      6. Storage Admin (for your CSPM service account) — needed to create / clean up buckets 
        gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SA}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/storage.admin"
      7. Service Usage Consumer — allows the scanner to call enabled APIs 
        gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SA}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/serviceusage.serviceUsageConsumer"
      Collectively, these roles satisfy the cloudasset.assets.exportResource and cloudasset.assets.exportIamPolicy permissions the scanner needs.
    3. Enable the Cloud Asset Inventory API 
      gcloud services enable cloudasset.googleapis.com --project $PROJECT_ID
    4. Generate & download a JSON key 
      gcloud iam service-accounts keys create ./codeant-cspm.json \
  --iam-account="${SA}@${PROJECT_ID}.iam.gserviceaccount.com"
  2. Settings
    • In the CodeAnt UI navigate to Settings -> Cloud Security Settings -> GCP.
    • Write project id, paste the JSON key and hit save.
    • Credentials
  3. Start a Scan
    • Go to Cloud Security -> Start a New Scan and pick your GCP connection.
    • Within 15-20 minutes, the scan will be completed, and you will see the results.

Demo

For a detailed use case and step-by-step guide on how to utilize the cloud security feature, check out our demo. The demo provides a comprehensive walkthrough, showing you how to configure settings, start a scan, and interpret the results effectively.