58 min

Building an open-source CSPM service

Co-founder & CEO at Fix Security

Daniel Spangenberg

Staff Cloud Security Engineer at Lyft

Daniel Spangenberg, Staff Cloud Security Engineer at Lyft, is building an internal cloud security posture management (CSPM) service.Daniel has developed a mental model that looks at cloud security in three components: 

  1. The past. Data about your current cloud inventory, e.g. your EC2 instances and S3 buckets, to idenfity and remediate misconfigurations.
  2. The present. Event logs, access logs and CloudTrail data, with real-time processing and alerting.
  3. The future. Preventative measures to guardrail your deployments, e.g. in Terraform or with policy-based controls.

Daniel explains how he uses tools like Cloudquery and AWS Trusted Advisor to gather data and identify security issues. He also discusses the importance of resource coverage and how he leverages existing tools to extract data into a centralized view.

Daniel prioritizes issues based on their severity and assigns them to the respective service teams for resolution. Daniel highlights the importance of having a comprehensive asset inventory and using tools like Lyft's Cartography for graph traversal.

Daniel shares insights on tracking success, visualizing data, and the shortcomings of existing CSPM solutions. He advises approaching cloud security thinking like a developer, and fostering collaboration between security and engineering teams.


  • Lyft's cloud security team focuses on securing the infrastructure by addressing the past, present, and future components of cloud security.
  • Coverage is important to ensure that all resources are accounted for, even if they are not actively used.
  • Data is extracted from existing tools and centralized into a single source of truth for better visibility and analysis.
  • Prioritization of security issues is based on severity, and tickets are assigned to the respective service teams for resolution. Having a comprehensive asset inventory is crucial for effective cloud security.
  • Custom queries and automation are essential for handling a large volume of findings and creating tickets for remediation.
  • Auto-remediation is a complex topic that requires careful consideration and can potentially cause more harm than benefit if not implemented correctly.
  • A labeling system, such as using tags, can help identify resource ownership and assign tickets to the appropriate teams.
  • Tracking success in cloud security can be done through risk assessment, ticket counts, and data normalization.
  • Building an in-house CSPM solution allows for customization and integration into existing workflows, avoiding the limitations of commercial solutions.
  • Thinking like a developer and understanding the motivations behind certain configurations can help bridge the gap between security and engineering teams.
  • Collaboration and communication between security and engineering teams are essential for successful cloud security.

Subscribe to our newsletter to get notified of new articles and updates.

We care about your data. Read our privacy policy.