# Sola for Cloud Security
Cloud environments are dynamic and complex, making continuous visibility essential.
Sola helps you monitor configurations, detect misconfigurations, and ensure alignment with cloud security best practices across [AWS](/integrations/data-sources/aws.md), [Azure](/integrations/data-sources/azure.md), and [GCP](/integrations/data-sources/gcp.md).
This page explains the key concepts behind **Cloud Security Posture Management (CSPM)**, what it is, why it matters, and how Sola helps you analyze it. It also includes [prompt examples](#prompt-examples) you can use directly in [Sola AI](/getting-started/sola-ai.md).
{% hint style="info" %}
 **Start with Sola AI**
Expand the prompts below to get started, then [explore more prompt examples](#prompt-examples) further down the page.
{% endhint %}
Ask: Show me my cloud security risks
Copy this prompt into [Sola AI](https://app.sola.security/) to get started:
{% code overflow="wrap" %}
```
I want to understand the most critical security risks in my cloud environment. Guide me to identify which cloud provider I should connect first - such as AWS, Azure, or GCP - to quickly discover high-impact misconfigurations like public exposure, overprivileged identities, IAM posture, or missing encryption. If I already have a data source connected, ask me which one I should use. Guide me to the best next step to quickly experience Sola's value. Do this as an interactive conversation, guide me one step at a time, avoid long explanations upfront, and pause for my response.
```
{% endcode %}
Build: Build cloud security monitoring
Copy this prompt into [Sola AI](https://app.sola.security/) to get started:
{% code overflow="wrap" %}
```
I want to build an app that continuously monitors my cloud security posture. Guide me to identify which cloud provider I should connect first - such as AWS, Azure, or GCP - or if I already have one connected, ask me which to use. Then help me build queries to detect critical misconfigurations like public exposure, overprivileged identities, IAM posture, or missing encryption, create canvases to visualize risks over time, and set up alerts for new issues. Guide me to the best next step to quickly experience Sola's value. Do this as an interactive conversation, guide me one step at a time, avoid long explanations upfront, and pause for my response.
```
{% endcode %}
## What is Cloud Security Posture Management (CSPM)?
CSPM is the practice of continuously monitoring and assessing your cloud infrastructure to detect risks, misconfigurations, and policy violations. Ensuring that your cloud accounts, services, and resources comply with security benchmarks like CIS, ISO, or SOC2.
In simple terms, CSPM helps answer the question:\
\&#xNAN;***βIs my cloud configured securely right now?β***
Insights are generated from your [connected data sources](/integrations/data-sources.md) to identify and remediate risks such as:
* Publicly exposed storage buckets or databases.
* Unencrypted or misconfigured resources.
* Excessive permissions or inactive identities.
* Missing or incomplete logging coverage.
* Non-compliance with established security policies.
## Why is CSPM important
Cloud misconfigurations are among the most common causes of data exposure.
Without continuous monitoring, even minor configuration errors can expose sensitive data, weaken access controls, or impact compliance.
CSPM ensures visibility, enforces security best practices, and reduces the risk of accidental exposure or policy drift across cloud environments.
## CSPM with Sola
Sola isnβt about replacing traditional CSPM solutions, it enables you to build one that fits your organization.
With Sola, you can build a tailored solution to:
* **Monitor** configuration drift, public exposure, and encryption status across AWS, GCP, and Azure.
* **Enforce** security and compliance standards such as CIS, ISO, and SOC2 through automated checks and alerts.
* **Visualize** posture changes and risk trends with dashboards and reports.
* **Automate** remediation workflows to handle recurring or critical misconfigurations.
Each of these components can be queried, visualized, and automated within your Sola apps, giving you full visibility and control over your cloud security posture.
Download the app for the complete experience
***
## Prompt examples
Explore the security risks and misconfigurations covered by CSPM for [AWS](/integrations/data-sources/aws.md).
1. [Identity and access management (IAM)](#id-1.-identity-and-access-management-iam)
2. [Network Security](#id-2.-network-security)
3. [Data protection (S3, RDS, EBS, EFS)](#id-3.-data-protection-s3-rds-ebs-efs)
4. [Compute and container security](#id-4.-compute-and-container-security)
5. [Logging, monitoring and governance](#id-5.-logging-monitoring-and-governance)
6. [Resilience and availability](#id-6.-resilience-and-availability)
{% hint style="info" %}
*Copy any prompt into* [*Sola AI*](https://app.sola.security/) *to get started.*
{% endhint %}
π΄ Critical π High π‘ Medium
### 1. Identity and access management (IAM)
Prevent misuse of privileges and unauthorized access.
π΄ Detect publicly accessible EC2 instances with admin roles
{% code title="PROMPT" overflow="wrap" %}
```
Find all EC2 instances with a public IP address that are attached to IAM roles with admin-level permissions.
```
{% endcode %}
| What it checks:
Detects EC2 instances with public IPs and admin-level roles
| Why it matters:
A compromised instance could grant full account access
|
| ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- |
π΄ Identify Lambda functions with privileged execution roles
{% code title="PROMPT" overflow="wrap" %}
```
List all Lambda functions where the execution role has administrator or wildcard (β*β) permissions.
```
{% endcode %}
| |
|---|
What it checks:
Finds functions using excessive permissions | Why it matters:
Reduces the blast radius of potential compromise |
π Ensure EC2 instances use IAM roles instead of static keys
{% code title="PROMPT" overflow="wrap" %}
```
Show EC2 instances not configured with an IAM role or still using hardcoded access keys.
```
{% endcode %}
| |
|---|
What it checks:
Ensures instances are using IAM roles instead of static access keys | Why it matters:
Prevents credential leakage |
π‘ Verify IAM Access Analyzer is enabled in all active region
{% code title="PROMPT" overflow="wrap" %}
```
Check whether IAM Access Analyzer is enabled in all active AWS regions.
```
{% endcode %}
| |
|---|
What it checks:
Validates that exposure detection is active | Why it matters:
Identifies unintended cross-account access |
### 2. Network Security
Limit public exposure and enforce segmentation.
π΄ Detect subnets that automatically assign public IPs
{% code title="PROMPT" overflow="wrap" %}
```
Find EC2 subnets that are configured to automatically assign public IP addresses to instances.
```
{% endcode %}
| What it checks:
Flags subnets that expose instances to the internet
| Why it matters:
Reduces attack surface
|
| -------------------------------------------------------------------------------------- | --------------------------------------------------------- |
π΄ Identify security groups with unrestricted inbound access
{% code title="PROMPT" overflow="wrap" %}
```
List all security groups with rules allowing inbound traffic from 0.0.0.0/0 or ::/0, and show which ports are exposed.
```
{% endcode %}
| |
|---|
What it checks:
Detects overly broad rules (e.g., 0.0.0.0/0) | Why it matters:
Prevents unauthorized inbound connections |
π΄ Find resources with open administrative ports
{% code title="PROMPT" overflow="wrap" %}
```
Show all resources with SSH (port 22), RDP (port 3389), or other management ports open to the internet.
```
{% endcode %}
| |
|---|
What it checks:
Scans for open management ports | Why it matters:
Avoids brute-force and RCE attempts |
π Verify default VPC security groups restrict all traffic
{% code title="PROMPT" overflow="wrap" %}
```
Check whether the default security group in each VPC blocks all inbound and outbound traffic.
```
{% endcode %}
| |
|---|
What it checks:
Ensures default networks are locked down | Why it matters:
Reduces accidental exposure |
#### 3. Data protection (S3, RDS, EBS, EFS)
π΄ Identify S3 buckets without Block Public Access enabled
{% code title="PROMPT" overflow="wrap" %}
```
List all S3 buckets that do not have Block Public Access settings enabled at the bucket or account level.
```
{% endcode %}
| What it checks:
Detects public data exposure
| Why it matters:
Common cause of cloud data leaks
|
| --------------------------------------------------------------- | ------------------------------------------------------------------- |
π΄ Detect publicly shared snapshots
{% code title="PROMPT" overflow="wrap" %}
```
Find all EBS snapshots and RDS snapshots that are shared publicly or with untrusted AWS accounts.
```
{% endcode %}
| |
|---|
What it checks:
Ensures backups are private | Why it matters:
Prevents data theft from shared snapshots |
π΄ Check if CloudTrail logs bucket is publicly accessible
{% code title="PROMPT" overflow="wrap" %}
```
Verify that the S3 bucket storing CloudTrail logs is not publicly accessible.
```
{% endcode %}
| |
|---|
What it checks:
Protects audit logs from manipulation | Why it matters:
Maintains integrity of forensic evidence |
π Verify encryption at rest is enabled for data stores
{% code title="PROMPT" overflow="wrap" %}
```
Check whether EBS volumes, RDS databases, and EFS file systems have encryption at rest enabled.
```
{% endcode %}
| |
|---|
What it checks:
Verifies EBS, RDS, EFS encryption settings | Why it matters:
Protects data from unauthorized physical access |
π‘ Ensure S3 versioning and MFA delete are enabled
{% code title="PROMPT" overflow="wrap" %}
```
List S3 buckets without versioning enabled or MFA delete configured.
```
{% endcode %}
| |
|---|
What it checks:
Guards against accidental or malicious deletion | Why it matters:
Improves recoverability |
#### 4. Compute and container security
π΄ Identify ECS containers running in privileged mode
{% code title="Prompt" overflow="wrap" %}
```
Find all ECS task definitions where containers are configured to run as privileged or as root.
```
{% endcode %}
| What it checks:
Prevents host-level compromise
| Why it matters:
Reduces container escape risk
|
| ----------------------------------------------------------------- | ---------------------------------------------------------------- |
π΄ Verify ECR image scanning is enabled
{% code title="Prompt" overflow="wrap" %}
```
Check whether Amazon ECR repositories have image scanning enabled for vulnerability detection.
```
{% endcode %}
| |
|---|
What it checks:
Ensures image scanning is active | Why it matters:
Prevents deployment of vulnerable builds |
π Detect ECS tasks sharing host process namespace
{% code title="Prompt" overflow="wrap" %}
```
List ECS task definitions that share the host's process namespace with containers.
```
{% endcode %}
| |
|---|
What it checks:
Enforces container isolation | Why it matters:
Avoids cross-process attacks |
π‘ Identify Lambda functions using deprecated runtimes
{% code title="Prompt" overflow="wrap" %}
```
List all Lambda functions that are running on deprecated or outdated runtime environments.
```
{% endcode %}
| |
|---|
What it checks:
Checks for deprecated environments | Why it matters:
Reduces CVE exposure |
#### 5. Logging, monitoring and governance
π΄ Verify CloudTrail logs are encrypted and validated
{% code title="Prompt" overflow="wrap" %}
```
Check whether CloudTrail logs are encrypted with KMS and have log file validation enabled.
```
{% endcode %}
| What it checks:
Ensures log integrity
| Why it matters:
Prevents tampering
|
| -------------------------------------------------------- | ----------------------------------------------------- |
π Check if CloudTrail and AWS Config are enabled in all regions
{% code title="Prompt" overflow="wrap" %}
```
Verify that CloudTrail and AWS Config are enabled and recording in all active AWS regions.
```
{% endcode %}
| |
|---|
What it checks:
Confirms activity tracking coverage | Why it matters:
Core to audits and investigations |
π‘ Ensure VPC Flow Logs and Load Balancer logging are enabled
{% code title="Prompt" overflow="wrap" %}
```
List VPCs without Flow Logs enabled and load balancers without access logging configured.
```
{% endcode %}
| |
|---|
What it checks:
Tracks network traffic | Why it matters:
Detects anomalies and intrusion attempts |
#### 6. Resilience and availability
π Verify backup recovery points are encrypted
{% code title="Prompt" overflow="wrap" %}
```
Check whether AWS Backup recovery points are encrypted at rest.
```
{% endcode %}
| What it checks:
Secures stored backups
| Why it matters:
Protects backup data from unauthorized access or theft
|
| --------------------------------------------------------- | ----------------------------------------------------------------------------------------- |
π‘ Verify RDS clusters use multiple Availability Zones
{% code title="Prompt" overflow="wrap" %}
```
Check whether RDS database clusters are configured for Multi-AZ deployment.
```
{% endcode %}
| |
|---|
What it checks:
Checks for high availability configuration | Why it matters:
Prevents single-AZ failures |
π‘ Ensure load balancers span multiple Availability Zones
{% code title="Prompt" overflow="wrap" %}
```
List all Application and Network Load Balancers that are not configured across multiple Availability Zones.
```
{% endcode %}
| |
|---|
What it checks:
Ensures multi-zone redundancy | Why it matters:
Improves uptime |
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.sola.security/resources/prompt-library/cloud-security.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.