Cloud Configuration Assessment Overview

Cloud Configuration Assessment (CCA) provides visibility into weaknesses that may impact the security of your cloud infrastructure. With CCA, you can assess your resources against Center for Internet Security (CIS) and other industry benchmarks and address any non-compliant findings to minimize the risk of attack and exploitation. Cloud Configuration Assessment collects configuration data from your IaaS resources. To collect this data, you need to create connections between CCA and your IaaS environments.

To begin using Cloud Configuration Assessment, navigate to the Cloud Configuration Assessment page and click Enable.

How does CCA work?

CCA collects configuration data from your connected IaaS resource(s). A library of rule checks, comprising CIS benchmarks, best practices, and proprietary checks, is run against your resources. After a resource is evaluated against a rule, any findings on that resource are added to its findings page. Findings are marked "Pass", "Fail", or "Excepted" and ranked by severity. If you do not want a finding to count against your resource, you can create an exception for that finding.

Supported IaaS Providers

Cloud Configuration Assessment supports connections to the following IaaS providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

Supported Resources

Cloud Configuration Assessment currently supports several resources for all three IaaS providers.

CCA Supported Resources

| Resource type | AWS | Azure | GCP |
| --- | --- | --- | --- |
| Autoscaling Group | Autoscaling Group | Virtual Machine Scale Sets | Autoscalers |
| Cache Instance | ElastiCache | Azure Redis | Memorystore |
| Instance | EC2 Instance | Virtual Machine | Instance |
| MapReduce Cluster | Elastic MapReduce (EMR) | MapReduce | Dataproc, MapReduce |
| Private Image | AMI (Private) | Image | Image |
| Serverless Function | Lambda | Function | Cloud Function |
| Message Queue | Simple Queue Service (SQS) | ServiceBus Queue | N/A |
| Container Registry | Container Registry (ECR) | Container Registry | Container Registry |
| Cloud Account | Cloud Account | Cloud Subscription | Project |
| Cloud Group | IAM Group | Group | Group |
| Cloud Policy | IAM Policy | Policy | Role Permission Set |
| Cloud Role | IAM Role | Role | Service Account |
| Cloud User | IAM User | User | User |
| Network | VPC | N/A | VPC |
| Access List | NACL/Security Group | Network Security Group | Network Firewall |
| NAT Gateway | NAT Gateway (VPC) | NAT Gateway | Cloud NAT |
| Private Subnet | VPC Subnet | Subnet | Subnet |
| Public IP | Elastic IP | Reserved IP | Reserved IP |
| Snapshot | EBS Snapshot | EBS Snapshot | Snapshot |
| Storage Container | S3 Bucket | S3 Bucket | Blob Storage Container |
| Volume | EBS Volume | EBS Volume | Disk |

Frequently Asked Questions

What is a resource?

Resources are the CCA-equivalent of an asset in InsightVM.

What is a rule?

A rule is a specific check for a specific misconfiguration that is run on a resource. CCA contains a library of rules that check for CIS benchmarks, best practices, and Rapid7 proprietary checks. The purpose of running all of these rules is to give you a clearer picture of where your cloud infrastructure might be misconfigured.

What is a connection?

InsightVM creates a connection to your cloud environment(s) by using cloud account parameters to retrieve data. You can manage and edit your saved connections from the Management tab.

What is an exception?

An exception allows you to prevent a specific finding from counting against your assessment failure count.
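The rule, finding, and exception model described under "How does CCA work?" and in the FAQ above, as an added illustration that is not Rapid7's code or API: a hypothetical evaluator runs each rule against the resources of its type, marks every finding Pass, Fail, or Excepted, ranks findings by severity, and counts only Fail results toward the failure total. The rule IDs, resource fields, and sample data are constructed for the example.

```python
"""Hypothetical model of a CCA-style assessment: rules -> findings -> exceptions."""
from dataclasses import dataclass
from typing import Callable

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    resource_type: str
    severity: str
    check: Callable[[dict], bool]  # returns True when the resource passes


# Constructed CIS-style rules (illustrative, not Rapid7's rule library).
RULES = [
    Rule("storage-public-access", "Storage container blocks public access",
         "Storage Container", "high", lambda r: r["public_access_blocked"]),
    Rule("storage-encryption", "Storage container is encrypted at rest",
         "Storage Container", "medium", lambda r: r["encryption_at_rest"]),
    Rule("user-mfa", "Cloud user has MFA enabled",
         "Cloud User", "critical", lambda r: r["mfa_enabled"]),
]

# Constructed sample resources, shaped like data a connection might collect.
RESOURCES = [
    {"id": "bucket-logs", "type": "Storage Container", "public_access_blocked": True, "encryption_at_rest": False},
    {"id": "bucket-web", "type": "Storage Container", "public_access_blocked": False, "encryption_at_rest": True},
    {"id": "user-deploy", "type": "Cloud User", "mfa_enabled": False},
]


def assess(resources, rules, exceptions):
    """Run each applicable rule; return findings sorted by severity, highest first.
    exceptions: set of (resource_id, rule_id) pairs excluded from the failure count."""
    findings = []
    for res in resources:
        for rule in rules:
            if rule.resource_type != res["type"]:
                continue  # a rule only applies to its own resource type
            if rule.check(res):
                status = "Pass"
            elif (res["id"], rule.rule_id) in exceptions:
                status = "Excepted"  # still recorded, but does not count as a failure
            else:
                status = "Fail"
            findings.append({"resource": res["id"], "rule": rule.rule_id,
                             "severity": rule.severity, "status": status})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return findings


def failure_count(findings):
    """Only 'Fail' findings count against the assessment."""
    return sum(1 for f in findings if f["status"] == "Fail")
```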

What is the difference between Cloud Configuration Assessment in InsightVM and InsightCloudSec?

Cloud Configuration Assessment powered by InsightCloudSec is a subset of the features, asset types, and environments available in InsightCloudSec (ICS). ICS is a full-featured Cloud Security Posture Management, Cloud Workload Protection, and Cloud Identity and Access Management solution. Cloud Configuration Assessment powered by InsightCloudSec focuses on cloud asset inventory and misconfiguration identification based on CIS benchmarks.

What is the difference between Cloud Configuration Assessment in InsightVM and InsightVM Container Security?

Cloud Configuration Assessment in InsightVM focuses on cloud infrastructure inventory and assessment against CIS and other policy benchmarks. The Container Security feature in InsightVM focuses on identifying software vulnerabilities in container images, either in the registry or in the CI/CD pipeline.