# Standards and References - Cloud Vulnerability Posture Management

## Cloud Security Standards

### CIS Benchmarks for Cloud
- **AWS**: https://www.cisecurity.org/benchmark/amazon_web_services
- **Azure**: https://www.cisecurity.org/benchmark/azure
- **GCP**: https://www.cisecurity.org/benchmark/google_cloud_computing_platform
- **Relevance**: Prescriptive hardening guidance for cloud service configurations

### NIST SP 800-53 Rev 5
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- **Key Controls**: AC-6 (Least Privilege), CM-6 (Configuration Settings), SC-7 (Boundary Protection)

### CSA Cloud Controls Matrix (CCM) v4
- **URL**: https://cloudsecurityalliance.org/research/cloud-controls-matrix
- **Relevance**: Cloud-specific security control framework aligned with major compliance standards

### AWS Well-Architected Security Pillar
- **URL**: https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html

### Azure Security Benchmark v3
- **URL**: https://learn.microsoft.com/en-us/security/benchmark/azure/overview

## Tools

| Tool | Provider | License | URL |
|------|----------|---------|-----|
| AWS Security Hub | AWS | Pay-per-use | https://aws.amazon.com/security-hub/ |
| Azure Defender for Cloud | Microsoft | Free + Standard tiers | https://azure.microsoft.com/en-us/products/defender-for-cloud |
| Prowler | Open Source | Apache 2.0 | https://github.com/prowler-cloud/prowler |
| ScoutSuite | NCC Group | GPL-2.0 | https://github.com/nccgroup/ScoutSuite |
| Steampipe | Turbot | AGPL-3.0 | https://github.com/turbot/steampipe |
| CloudSploit | Aqua Security | GPL-3.0 | https://github.com/aquasecurity/cloudsploit |