© 2025 Direct Cursus Technology L.L.C.

Cloud Security Posture Management (CSPM)

Written by Yandex Cloud
Updated at November 10, 2025

Note

This feature is in the Preview stage. To get access, contact tech support or your account manager.

Cloud Security Posture Management (CSPM) is a tool that monitors the security level of your infrastructure against security standards, such as Yandex Cloud's Cloud Infrastructure Security Standard.

In a given workspace, Cloud Security Posture Management (CSPM) checks the cloud infrastructure and applications deployed on the Yandex Cloud platform for compliance with comprehensive security requirements and best practices. The module's rules and exceptions help ensure compliance with security policies and protection against common threats and vulnerabilities in the cloud environment.

Standards

Currently, Cloud Security Posture Management (CSPM) supports infrastructure compliance checks for the following security standards:

  • Yandex Cloud basic security rules: Minimum set of security requirements ensuring basic protection of cloud infrastructure and applications deployed on the Yandex Cloud platform.
  • Yandex Cloud cloud infrastructure protection standard: Standard providing comprehensive security requirements and best practices for protection of the cloud infrastructure and applications deployed on the Yandex Cloud platform. These elements help ensure security policy compliance and protection against common threats and vulnerabilities in the cloud environment.

Rules

The Security control rules page in the Configuration tab shows the CSPM rules currently enforced in your workspace and the compliance violations detected in the workspace infrastructure. This section lists rules that are part of security standards applied to the current workspace.

General information about rules

For each rule, the table displays the following information:

Tip

If you need to, you can change the info columns displayed in the table. To do so, click the icon in the row with the table column headers, select the info columns you need, and click Apply.

  • Rule criticality level: An icon that indicates how security-critical the rule is:

    • Remark
    • Low severity
    • Medium severity
    • High severity
  • Control rule: Rule name and brief summary. To learn more about a rule, click the table row with its name.

  • Rule sets: Icon(s) for the security standards that use this rule. A colored icon means the rule is checked for the corresponding standard; a gray icon means it is not.

  • Verification method: How the infrastructure controlled in the workspace is checked for compliance with this rule:

    • automatic: Rule is checked automatically once every eight hours.
    • manual: Manual check of rule compliance is required. Click the row with the rule to find a guide and details.
  • ID: Rule ID in Yandex Cloud.

  • Violations: Number of rule violations detected.

Detailed information about a rule

To learn more about a security control rule, click the table row with its name. The detailed info window that opens includes the following tabs:

  • Overview
  • Violations
  • Exceptions
  • Recommendations

In addition to the data shown in the general rule info table, the Overview tab contains:

  • Date and time of the most recent security check.
  • Details on the monitored features, their configurations, or actions performed with them.

The Violations tab lists security violations detected during checks. Detected violations will not appear in this list if they satisfy the exception criteria specified for the rule.

The Exceptions tab lists all exceptions defined for the rule along with controls for exception management.

The Recommendations tab provides guides and solutions to help you perform the actions required by the rule.

Exceptions to rules

Exceptions allow you to flexibly configure when and for which objects CSPM should ignore the results of a rule check. You can view the list of exceptions set for your workspace in the Security Deck interface under Control rules.

You can specify the following settings for an exception when creating it:

  • Exception type: Action which the exception will trigger:

    • Resource has been checked manually: If the exception conditions are met, the resource will only generate signals about rule compliance.
    • Do not scan resource: If the exception conditions are met, the resource will generate no signals at all, neither about compliance nor violation.
  • Scope of control: Resources you want to exclude when checking security rules:

    • All resources: To exclude all controlled resources in the workspace.
    • Selected resources: To exclude only the explicitly selected resources.
  • Excepted rules: CSPM rules for which the selected resources should not be checked:

    • All rules: To exclude all security rules from compliance checks for the selected resources.
    • Selected rules: To exclude explicitly indicated rules from compliance checks for the selected resources.
  • Reason for exclusion: Reason for the exception. Specify it as plain text in any form.

To cancel the limitations on rule compliance checks imposed by an exception, delete that exception.
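The exception settings above can be modelled offline to see which signals survive a given set of exceptions and to spot exceptions that cover every resource and every rule. This is an added example, not Yandex Cloud code or an export format: the class, field names, status strings and sample IDs are constructed, "Resource has been checked manually" is modelled as reporting the resource as compliant, and "Do not scan resource" is assumed to take precedence when both types match.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class RuleException:
    kind: str                            # "checked_manually" or "do_not_scan"
    resources: Optional[FrozenSet[str]]  # None models "All resources"
    rules: Optional[FrozenSet[str]]      # None models "All rules"
    reason: str                          # free-text "Reason for exclusion"

    def matches(self, resource: str, rule: str) -> bool:
        return ((self.resources is None or resource in self.resources)
                and (self.rules is None or rule in self.rules))

def apply_exceptions(findings, exceptions):
    """Return the (resource, rule, status) signals left after exceptions."""
    signals = []
    for resource, rule, status in findings:
        kinds = {e.kind for e in exceptions if e.matches(resource, rule)}
        if "do_not_scan" in kinds:
            continue  # no signal at all (assumed to win over the other type)
        if "checked_manually" in kinds:
            status = "compliant"  # only compliance signals are generated
        signals.append((resource, rule, status))
    return signals

def blanket_exceptions(exceptions):
    """Exceptions that cover every resource and every rule in the workspace."""
    return [e for e in exceptions if e.resources is None and e.rules is None]

# Constructed sample data (not real resource or rule IDs).
FINDINGS = [
    ("vm-a", "rule-1", "violation"),
    ("vm-b", "rule-1", "violation"),
    ("bucket-c", "rule-2", "violation"),
    ("vm-a", "rule-2", "compliant"),
]
EXCEPTIONS = [
    RuleException("checked_manually", frozenset({"vm-a"}),
                  frozenset({"rule-1"}), "reviewed by the security team"),
    RuleException("do_not_scan", frozenset({"bucket-c"}), None, "sandbox"),
]

if __name__ == "__main__":
    for signal in apply_exceptions(FINDINGS, EXCEPTIONS):
        print(signal)
    print("blanket exceptions:", blanket_exceptions(EXCEPTIONS))
```

An exception that sets both scopes to "All" hides every violation in the workspace, so `blanket_exceptions` is the list to review first.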

See also

  • Security Deck workspaces
  • Viewing CSPM security control rules and related violations
  • Managing exceptions to the CSPM module's security control rules
