Cloud Configuration Assessment Overview
CCA End-of-Life Notice
As of February 15, 2024, Rapid7 will start the End-of-Life (EOL) process for Cloud Configuration Assessment. On February 15, 2025, support will officially end and the feature will be permanently removed from InsightVM for all customers.
While we will continue to support this feature in the interim with security patches, we will not be updating or enhancing CCA further. See our Cloud Risk Complete offering if you’re still interested in the capabilities of CCA.
Cloud Configuration Assessment (CCA) provides visibility into weaknesses that may impact the security of your cloud infrastructure. With CCA, you can assess your resources against Center for Internet Security (CIS) and other industry benchmarks and address any non-compliant findings to minimize the risk of attack and exploitation. Cloud Configuration Assessment collects configuration data from your IaaS resources. To collect this data, you need to create connections between CCA and your IaaS environments.
To begin using Cloud Configuration Assessment, navigate to the Cloud Configuration Assessment page and click Enable.
How does CCA work?
CCA collects configuration data from your connected IaaS resources. A library of rule checks, covering CIS benchmarks, best practices, and proprietary checks, is run against your resources. After a rule is run against a resource, any findings on that resource are added to its findings page. Findings are marked either "Pass", "Fail", or "Excepted" and ranked by severity. If you do not want a finding to count against your resource, you can create an exception for that finding.
Supported IaaS Providers
Cloud Configuration Assessment supports connections to the following IaaS providers: AWS, Azure, and GCP.
Supported Resources
Cloud Configuration Assessment currently supports several resources for all three IaaS providers.
CCA Supported Resources
Resource type | AWS | Azure | GCP |
---|---|---|---|
Autoscaling Group | Autoscaling Group | Virtual Machine Scale Sets | Autoscalers |
Cache Instance | ElastiCache | Azure Redis | Memorystore |
Instance | EC2 Instance | Virtual Machine | Instance |
MapReduce Cluster | Elastic MapReduce (EMR) | MapReduce | Dataproc, MapReduce |
Private Image | AMI (Private) | Image | Image |
Serverless Function | Lambda | Function | Cloud Function |
Message Queue | Simple Queue Service (SQS) | ServiceBus Queue | N/A |
Container Registry | Container Registry (ECR) | Container Registry | Container Registry |
Cloud Account | Cloud Account | Cloud Subscription | Project |
Cloud Group | IAM Group | Group | Group |
Cloud Policy | IAM Policy | Policy | Role Permission Set |
Cloud Role | IAM Role | Role | Service Account |
Cloud User | IAM User | User | User |
Network | VPC | N/A | VPC |
Access List | NACL/Security Group | Network Security Group | Network Firewall |
NAT Gateway | NAT Gateway (VPC) | NAT Gateway | Cloud NAT |
Private Subnet | VPC Subnet | Subnet | Subnet |
Public IP | Elastic IP | Reserved IP | Reserved IP |
Snapshot | EBS Snapshot | EBS Snapshot | Snapshot |
Storage Container | S3 Bucket | S3 Bucket | Blob Storage Container |
Volume | EBS Volume | EBS Volume | Disk |
Frequently Asked Questions
What is a resource?
Resources are the CCA-equivalent of an asset in InsightVM.
What is a rule?
A rule is a specific check for a specific misconfiguration that is run on a resource. CCA contains a library of rules that check for CIS benchmarks, best practices, and Rapid7 proprietary checks. The purpose of running all of these rules is to give you a clearer picture of where your cloud infrastructure might be misconfigured.
What is a connection?
InsightVM creates a connection to your cloud environment(s) by using cloud account parameters to retrieve data. You can manage and edit your saved connections from the Management tab.
What is an exception?
An exception allows you to prevent a specific finding from counting against your assessment failure count.
What is the difference between Cloud Configuration Assessment in InsightVM and InsightCloudSec?
Cloud Configuration Assessment powered by InsightCloudSec is a subset of features, asset types, and environments available in InsightCloudSec (ICS). ICS is a full-feature Cloud Security and Posture Management, Cloud Workload Protection and Cloud Identity and Access Management solution. Cloud Configuration Assessment powered by InsightCloudSec focuses on cloud asset inventory and misconfiguration identification based on CIS benchmarks.
What is the difference between Cloud Configuration Assessment in InsightVM and InsightVM Container Security?
Cloud Configuration Assessment in InsightVM focuses on cloud infrastructure inventory and assessment against CIS and other policy benchmarks. The Container Security feature in InsightVM focuses on identifying software vulnerabilities in Container Images either in the registry or the CI/CD pipeline.