Cloud security targets

Pencheff supports six Infrastructure & Cloud Security target types:

Target type             Wire kind             Main agents
Cloud Account (CSPM)    cloud_account         CloudInventoryAgent, CloudIamExposureAgent, CloudAuditLoggingAgent
Serverless Functions    serverless_function   ServerlessSecurityAgent, CloudIamExposureAgent
Cloud Storage           cloud_storage         CloudStorageAgent, CloudIamExposureAgent
Load Balancer / CDN     load_balancer_cdn     EdgeCdnSecurityAgent
Database (Cloud)        cloud_database        CloudDatabaseAgent, CloudIamExposureAgent
Secrets Manager         secrets_manager       SecretsHygieneAgent, CloudIamExposureAgent

All cloud scans are read-only. Pencheff inspects provider metadata or operator-supplied inventory JSON; it never changes a resource. Because a scan only reads, the credentials you register for a provider should themselves be limited to read-only permissions (write access is never needed). Secrets-manager targets never read or store secret values; findings use only metadata such as rotation state, policy shape, encryption state, and resource name.

Supported providers

Provider   Scope field       Authorization method
AWS        Account ID        Access key ID + secret access key, optional STS session token, optional role ARN
Azure      Subscription ID   Tenant ID + client ID + client secret for a service principal
GCP        Project ID        Service-account JSON key

Cloud targets are identified by provider and scope rather than by URL, so the registration form does not ask for an invoke URL for these providers. Pencheff synthesizes the target identifier from the provider, the scope field, and the wire kind:

cloud://<provider>/<scope>/<kind>

For example:

cloud://aws/123456789012/cloud_storage
cloud://azure/00000000-0000-0000-0000-000000000000/secrets_manager
cloud://gcp/production-project/cloud_database

Checks

Cloud Account scans have the broadest coverage, because account inventory can include IAM, audit logging, storage, database, serverless, edge, and secrets metadata. Resource-specific targets narrow the checks to the selected resource family.

Agent                     Examples of findings
CloudIamExposureAgent     wildcard actions, admin-like principals, privilege-escalation actions such as iam:PassRole
CloudStorageAgent         public buckets/containers, encryption disabled, access logging disabled
ServerlessSecurityAgent   public invocation, deprecated runtimes, secret-like environment variable names
EdgeCdnSecurityAgent      legacy TLS, missing WAF, exposed origin, risky cache policy
CloudDatabaseAgent        public database access, encryption disabled, backups disabled, deletion protection disabled
SecretsHygieneAgent       rotation disabled, public/broad secret policy, encryption disabled
CloudAuditLoggingAgent    account audit logging disabled, log integrity validation disabled
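To make the CloudIamExposureAgent row concrete, here is an added Python example (not Pencheff's own agent code) that walks an AWS-style identity policy document and reports the three finding kinds the table names: wildcard actions, admin-like statements, and privilege-escalation actions on an unrestricted resource. The sample policy is constructed for the example; the page names only iam:PassRole, so every other entry in ESCALATION_ACTIONS, and the finding names themselves, are assumptions.

```python
import json

# Constructed sample (not taken from the page): one tightly scoped statement,
# two over-broad ones, and a Deny that the checker must ignore.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"},
    {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}
""")

# Actions that can turn a limited principal into a broader one when granted on
# Resource "*". The page names only iam:PassRole; the rest are assumptions for
# this example and should be tuned to the account's own threat model.
ESCALATION_ACTIONS = {
    "iam:passrole",
    "iam:createaccesskey",
    "iam:attachuserpolicy",
    "iam:attachrolepolicy",
    "iam:updateassumerolepolicy",
    "sts:assumerole",
    "lambda:updatefunctioncode",
}


def _as_list(value):
    """IAM allows scalar-or-list for Statement, Action, NotAction and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return metadata-only findings for an AWS-style identity policy.

    Each finding is a dict with 'statement' (index), 'kind' and 'detail'.
    Deny statements are skipped: they only ever narrow access.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        not_actions = _as_list(stmt.get("NotAction"))
        resources = _as_list(stmt.get("Resource"))
        any_resource = "*" in resources

        # NotAction grants everything except the listed actions, which is
        # almost always broader than the author intended.
        if not_actions:
            findings.append({"statement": idx, "kind": "wildcard_action",
                             "detail": f"NotAction grants all but {not_actions}"})

        for action in actions:
            if action == "*":
                findings.append({"statement": idx, "kind": "wildcard_action", "detail": "*"})
                if any_resource:
                    findings.append({"statement": idx, "kind": "admin_like",
                                     "detail": "Action * on Resource *"})
            elif action.endswith(":*"):
                findings.append({"statement": idx, "kind": "wildcard_action", "detail": action})
            elif action in ESCALATION_ACTIONS:
                scope = "*" if any_resource else resources
                findings.append({"statement": idx, "kind": "privilege_escalation_action",
                                 "detail": f"{action} on {scope}"})
    return findings


def summarize(policy):
    """Count findings per kind; a one-line triage view of a policy."""
    counts = {}
    for finding in check_policy(policy):
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY):
        print(f"statement {finding['statement']}: {finding['kind']} ({finding['detail']})")
    print(summarize(SAMPLE_POLICY))
```

Only statements 1 and 2 produce findings; the scoped s3:GetObject grant and the Deny are silent. A real agent would also resolve the resource policies and permission boundaries attached to the principal, which this example does not attempt.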

Offline inventory

For teaching, demos, and high-school-friendly testing, you can skip provider authorization and paste inventory JSON into the cloud target form. The same agents run over the pasted inventory as over provider metadata.

Cloud storage example:

{
  "storage": [
    {
      "name": "prod-public-assets",
      "public": true,
      "encrypted": false,
      "logging_enabled": false
    }
  ]
}

Secrets manager example:

{
  "secrets": [
    {
      "name": "prod/db/password",
      "rotation_enabled": false,
      "policy_public": true
    }
  ]
}

Do not include secret values in inventory JSON. If a value-shaped field is present in evidence anyway, Pencheff redacts it before storing findings.
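As an added example (not Pencheff's code), the Python below evaluates offline inventory JSON of the shape shown above against the storage and secrets rows of the checks table, synthesizes the cloud:// target identifier from provider, scope and kind, and redacts value-shaped fields before a record is attached to a finding as evidence. The inventory, the VALUE_SHAPED pattern, the check names and the function names are all constructed for the example; the page does not say which field names Pencheff itself treats as value-shaped.

```python
import json
import re

# Constructed inventory (not the page's own sample): one clean bucket, one
# misconfigured bucket, and a secret record that wrongly carries a value.
SAMPLE_INVENTORY = json.loads("""
{
  "storage": [
    {"name": "prod-public-assets", "public": true, "encrypted": false, "logging_enabled": false},
    {"name": "prod-audit-logs", "public": false, "encrypted": true, "logging_enabled": true}
  ],
  "secrets": [
    {"name": "prod/db/password", "rotation_enabled": false, "policy_public": true,
     "secret_string": "hunter2"}
  ]
}
""")

# Field *names* that look like they carry a secret's value rather than its
# metadata. This pattern is an assumption made for the example.
VALUE_SHAPED = re.compile(r"(secret_?(string|binary|value)|^value$|password$|token$)", re.I)

# (check name, field, value that triggers the finding) per resource family,
# mirroring the storage and secrets rows of the checks table.
RULES = {
    "storage": [
        ("public_bucket", "public", True),
        ("encryption_disabled", "encrypted", False),
        ("access_logging_disabled", "logging_enabled", False),
    ],
    "secrets": [
        ("rotation_disabled", "rotation_enabled", False),
        ("public_or_broad_policy", "policy_public", True),
    ],
}


def target_id(provider, scope, kind):
    """Synthesize the identifier in the cloud://<provider>/<scope>/<kind> shape."""
    return f"cloud://{provider}/{scope}/{kind}"


def redact(record):
    """Return a copy of an inventory record with value-shaped fields blanked.

    Only keys are inspected; the resource name is metadata and stays intact.
    """
    return {k: ("[REDACTED]" if VALUE_SHAPED.search(k) else v) for k, v in record.items()}


def evaluate(inventory):
    """Run the rule table over an inventory dict and return metadata-only findings."""
    findings = []
    for family, rules in RULES.items():
        for record in inventory.get(family, []):
            evidence = redact(record)  # redact once, before anything is stored
            for check, field, bad in rules:
                if field not in record:
                    continue  # unknown state is not a finding; do not guess
                if record[field] == bad:
                    findings.append({
                        "family": family,
                        "resource": record.get("name"),
                        "check": check,
                        "evidence": evidence,
                    })
    return findings


if __name__ == "__main__":
    print(target_id("aws", "123456789012", "cloud_storage"))
    for finding in evaluate(SAMPLE_INVENTORY):
        print(f"{finding['family']}/{finding['resource']}: {finding['check']}")
        print("  evidence:", json.dumps(finding["evidence"]))
```

Two design points worth keeping in a real pipeline: redaction happens before the record is copied into any finding, so no code path can persist the raw value, and a missing field is treated as unknown rather than as a failure, so partial inventories do not produce phantom findings.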

Disciplines

Cloud targets can be selected directly or through disciplines:

Discipline            Compatible target kinds
CSPM                  all six cloud target kinds
CIEM                  account, serverless, storage, database, secrets
DSPM                  storage, database, secrets
Serverless Security   serverless
Edge Security         load balancer / CDN
CWPP                  container image, Kubernetes cluster, host, serverless