Cloud Security Scanner: What do Amazon, Azure and GCP Provide?

Learn about cloud security scanning, and how to perform basic scanning of your cloud environment with tools from the big three cloud providers

March 25, 2021

What is a Cloud Security Scanner?

Cloud security scanners are tools that allow organizations to discover and remediate security weaknesses in their cloud deployments. Scanners are only one part of a holistic cloud security strategy (read our in-depth guide to cloud security). 

Cloud security scanning covers several areas, including:

  • Automated vulnerability scanning—testing cloud-based infrastructure, services and applications for known security vulnerabilities such as CVEs or web application security flaws.
  • Security testing—feeding unexpected or malicious inputs to cloud systems and seeing if they react in a secure manner, or attempting to penetrate a cloud system or service to discover security weaknesses.
  • Security misconfiguration—reviewing cloud-based resources and checking if they have common configuration issues that can create security issues, such as lack of authentication or exposure to public networks.
  • Security benchmarks and compliance—checking cloud resources against security benchmarks and best practices, or against specific compliance requirements faced by the organization.

While a large number of tools can be used to scan cloud infrastructure, we will focus on first-party tools provided by the three large cloud providers: Amazon Web Services, Azure, and Google Cloud.

AWS Cloud Security Scanning with AWS Security Hub

AWS Security Hub is a central console that lets you monitor and control security for Amazon services, and check resources against security best practices. Security Hub collects data from AWS accounts and services, as well as some third-party products, and identifies important security issues you need to resolve.

AWS Security Hub provides two main constructs that help you identify security issues in your cloud infrastructure:

  • Findings—Security Hub pulls “findings”, which are security issues, from multiple sources, including AWS security services, third-party products, and custom integrations. It correlates these findings across AWS services and resources to identify the ones that have the biggest impact.
  • Insights—a Security Hub “insight” is a collection of findings that have security significance. For example, an insight could point out a group of EC2 instances with security issues that require remediation (each one with one or more “findings”). Security Hub provides a library of built-in insights. You can define custom insights by providing a search statement, and filters that indicate which AWS resources should match the insight. 
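
To make the filter-and-grouping idea behind insights concrete, the following added example (not from the original article or from AWS) evaluates an insight definition locally against constructed findings. The `INSIGHT` dictionary follows the shape of the Security Hub CreateInsight request (`Filters` plus `GroupByAttribute`); the `evaluate_insight` helper, the insight name, and the sample findings with their shortened resource IDs (real ones are ARNs) are assumptions made for illustration.

```python
from collections import Counter

# Insight definition in the shape CreateInsight accepts: conditions under one
# attribute are ORed, different attributes are ANDed. The name is constructed.
INSIGHT = {
    "Name": "EC2 instances with open high-severity findings",
    "GroupByAttribute": "ResourceId",
    "Filters": {
        "ResourceType": [{"Value": "AwsEc2Instance", "Comparison": "EQUALS"}],
        "SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"},
                          {"Value": "CRITICAL", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    },
}

# Where each filter attribute lives in an ASFF-style finding (f) and resource (r).
EXTRACT = {
    "ResourceType": lambda f, r: r["Type"],
    "SeverityLabel": lambda f, r: f["Severity"]["Label"],
    "WorkflowStatus": lambda f, r: f["Workflow"]["Status"],
    "RecordState": lambda f, r: f["RecordState"],
}

def matches(finding, resource, filters):
    """True if every attribute has at least one EQUALS condition that matches."""
    return all(any(c["Comparison"] == "EQUALS" and c["Value"] == EXTRACT[a](finding, resource)
                   for c in conds) for a, conds in filters.items())

def evaluate_insight(insight, findings):
    """Hypothetical local evaluator: matching-finding count per resource ID."""
    counts = Counter(r["Id"] for f in findings for r in f["Resources"]
                     if matches(f, r, insight["Filters"]))
    return counts.most_common()  # most affected resource first

def finding(rtype, rid, sev, status="NEW", state="ACTIVE"):
    return {"Severity": {"Label": sev}, "Workflow": {"Status": status},
            "RecordState": state, "Resources": [{"Type": rtype, "Id": rid}]}

SAMPLE_FINDINGS = [  # constructed data, not real Security Hub output
    finding("AwsEc2Instance", "i-aaa", "HIGH"),
    finding("AwsEc2Instance", "i-aaa", "CRITICAL"),
    finding("AwsEc2Instance", "i-aaa", "HIGH", state="ARCHIVED"),   # archived record
    finding("AwsEc2Instance", "i-bbb", "HIGH"),
    finding("AwsEc2Instance", "i-bbb", "LOW"),                      # below severity filter
    finding("AwsEc2Instance", "i-ccc", "HIGH", status="RESOLVED"),  # already handled
    finding("AwsS3Bucket", "bucket-x", "CRITICAL"),                 # wrong resource type
]
```

Calling `evaluate_insight(INSIGHT, SAMPLE_FINDINGS)` ranks the instances that still need remediation, leaving out archived, resolved, low-severity, and non-EC2 findings.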

Azure Cloud Security Scanning with Azure Security Center

Azure Security Center is a security management system that can protect workloads against threats, both in the Azure cloud and in a local data center. 

Security Center provides cloud security posture management (CSPM) features, such as asset inventory and identification of security misconfigurations. It also offers cloud workload protection (CWP) via Azure Defender, which generates alerts and can protect virtual machines, databases, networks, containers, and web applications against threats.

Azure Security Center provides several capabilities that can help you scan cloud resources for security gaps:

  • Vulnerability assessment—Security Center does not directly perform vulnerability scans, but it checks connected VMs and machines to see if they are running vulnerability assessment tools. 
  • Deployment of Qualys vulnerability management—if a machine does not have vulnerability management, you can deploy the Qualys vulnerability scanner, which comes with Azure Defender for Servers, directly to Azure VMs or Azure Arc hybrid machines. The scanner analyzes vulnerabilities on the machines and provides a report, accessible via Azure Security Center.
  • Azure Defender for Container Registries—if enabled, this tool automatically scans any container image added to the Azure Container Registry, or pulled from it in the last month. It reports findings like CVEs, CVSS severity scores, and remediation instructions.

Google Cloud Security Scanning with Google Security Command Center

Google's Security Command Center offers the following cloud scanning capabilities:

  • Container Threat Detection—continuously monitors container images, identifying suspicious changes and attempts at remote access. The service can detect common container runtime attacks, and provide alerts via Security Command Center or Cloud Logging.
  • Event Threat Detection—monitors Cloud Logging for an organization’s Google-deployed services, and detects threats using detection logic and Google’s threat intelligence sources. Generates alerts in Security Command Center and Cloud Logging.
  • Web Security Scanner—scans web applications running in Google App Engine, Google Compute Engine, or Google Kubernetes Engine (GKE). Can crawl applications, exercise user inputs, and test for vulnerabilities like outdated libraries, mixed content, and cross-site scripting. 

Cloud Security Scanner Q&A

Is AWS Security Hub Free?

No, AWS Security Hub is priced per security check, starting from $0.0010 per check in the US-East region. Ingestion of events into Security Hub is free up to 10,000 events per month; above that, it costs $0.00003 per event.

Is Azure Security Center Free?

Yes, Azure Security Center offers a free tier that provides security policies, security assessments, and security recommendations for Azure resources. You can upgrade from the free tier to the full Azure Defender, which is priced per hour, with different pricing for different types of protected Azure resources. See the official pricing page for details.

Cloud Security with Aqua Security

With Aqua Security, you get a complete security platform, which secures cloud native applications from start to finish, at any scale. The Aqua platform protects your entire stack, on any cloud, across VMs, containers, and serverless.

Aqua can help you secure your cloud by:

  • Protecting the build with a “shift left” approach to cloud native security that stops threats and vulnerabilities in their tracks — empowering DevOps to detect issues early and fix them fast. Aqua uses a combination of static and dynamic scanning to find vulnerabilities, malware, secrets, and other risks during development and staging. It also allows you to set flexible, dynamic policies to control deployment in your runtime environments.
  • Securing infrastructure, automating compliance and the security posture of your public cloud services, Infrastructure-as-Code templates, and Kubernetes against best practices and standards. This ensures that the infrastructure you run your applications on is securely configured and in compliance.
  • Protecting workloads, including VMs, containers, and serverless functions, using granular controls that provide instant visibility and real-time detection and response. Aqua leverages modern micro-services concepts to enforce immutability of your applications in runtime, establish zero-trust networking, and detect and stop suspicious activities, including zero-day attacks.
  • Securing hybrid cloud infrastructure with cloud native security over hybrid-cloud and multi-cloud deployments, with persistent controls that follow your workloads wherever they run.