Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Cloud Security Posture Management (CSPM)

Written by
Updated at February 11, 2026

Note

This feature is at the Preview stage.

Cloud Security Posture Management (CSPM) is a tool that monitors infrastructure security level based on security standards, such as Yandex Cloud's Cloud Infrastructure Security Standard.

In a given workspace, Cloud Security Posture Management (CSPM) checks the cloud infrastructure and applications deployed on the Yandex Cloud platform for compliance with comprehensive security requirements and best practices. The module's rules and exceptions help ensure compliance with security policies and protection against common threats and vulnerabilities in the cloud environment.

Standards

Currently, Cloud Security Posture Management (CSPM) supports infrastructure compliance checks for the following security standards:

  • Yandex Cloud Security Baseline: Minimum set of security requirements ensuring basic protection of cloud infrastructure and applications deployed on the Yandex Cloud platform.
  • Yandex Cloud Security Standard: Standard providing comprehensive security requirements and best practices for protection of the cloud infrastructure and applications deployed on the Yandex Cloud platform. These elements help ensure security policy compliance and protection against common threats and vulnerabilities in the cloud environment.

Rules

You can view the information about CSPM rules currently enforced in your workspace and compliance violations detected in the workspace infrastructure on the Security control rules page in the Configuration tab. This section lists rules that are part of security standards applied to the current workspace.

General information about rules

For each rule, the table displays the following information:

Tip

If required, you can modify the information columns displayed in the table. Do it by clicking in the row with the table column headers, selecting the info columns you need, and clicking Apply.

  • : Rule criticality level; this icon indicates how security-critical the rule is:

    • : Remark
    • : Low severity.
    • : Medium severity.
    • : High severity.

  • Control rule: Rule name and brief summary. To learn more about a rule, click the table row with its name.

  • Rule sets: Icon(s) complying with the safety standards that implement this rule. If the icon is colored, it means the rule is checked for the corresponding standard. If the icon is gray, it means it is not.

  • Rule type: Compliance check type for the controlled infrastructure in the workspace with this rule:

    • automatic: Rule is checked automatically once every eight hours.
    • manual: Rule has to be checked manually. Click the row with the rule to find a guide and details.

  • ID: Rule ID in Yandex Cloud.

  • Violations: Number of detected rule violations.

Detailed information about a rule

To learn more about a security control rule, click the table row with its name. You will see a window with rule details, which has the following tabs:

The Overview tab contains:

  • Rule ID.

  • Set of security requirements the rule applies to.

  • Date and time of the most recent security check.

  • Check method:

    • automatic: Rule is checked automatically once every eight hours.
    • manual: Rule has to be checked manually.

  • Details on the monitored features, their configurations, or actions performed with them.

The Violations tab lists control rule violations detected during the checks. Detected violations will not appear in this list if they satisfy the exception criteria specified for the rule.

The Exceptions tab lists all exceptions defined for the rule along with controls for exception management.

The Recommendations tab provides guides and solutions to assist you with rule compliance.

Exceptions to rules

Exceptions allow you to flexibly configure when and for which objects CSPM should ignore the results of a rule check. You can view the list of exceptions set for your workspace in the Security Deck interface under Control rules.

You can specify the following settings for an exception when creating it:

  • Exception type: Action which the exception will trigger:

    • Resource has been checked manually: If the exception conditions are met, the resource will only generate signals about rule compliance.
    • Do not scan resource: If the exception conditions are met, the resource will generate no signals at all, neither about compliance nor violation.

  • Scope of control: Resources you want to exclude when checking security rules:

    • All resources: To exclude all controlled resources in the workspace.
    • Selected resources: To exclude only the explicitly selected resources.

  • Excepted rules: CSPM rules for which the selected resources should not be checked:

    • All rules: To exclude all security rules from compliance checks for the selected resources.
    • Selected rules: To exclude explicitly indicated rules from compliance checks for the selected resources.

  • Reason for exclusion: Reason for the exception. Specify it as plain text in any form.

To cancel the limitations on rule compliance checks imposed by an exception, delete that exception.

See also

Previous
Cloud Infrastructure Entitlement Management (CIEM)
Next
Access Transparency