The CSPM score is a risk indicator that aggregates the findings produced by scanning your cloud accounts. It summarizes the current security posture of a cloud account and lets you track whether that posture improves over time.

The Aqua CSPM Score is a letter grade between “A” and “F” that represents the overall security risk of a cloud account. The CSPM score is used in scan and compliance reports.

CSPM score calculation

The CSPM score is calculated by aggregating the security findings discovered when scanning the cloud account, as follows:

Risks are identified by assessing the cloud resources against default and custom compliance standards. Each compliance program is divided into controls, and each control is mapped to one or more Aqua CSPM plugins. Each control then reports the number of plugin results in each aggregated status: PASS, WARN, FAIL, or UNKW for unknown results.

CSPM score (in %) = (Number of passing results / Total number of results) * 100

The calculated numerical score is between 0 and 100 and is then mapped to a letter grade using the table below.

Grade    Score range
F        Below 60
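The calculation described above, worked through as an added example (this is not Aqua's code, and the sample results are constructed, not real scan output). It aggregates per-control plugin statuses, computes the percentage score, maps it to a grade, and shows a what-if recalculation that tells you how much the score would rise if particular failing plugins were fixed. Two points are assumptions because the page does not state them: only PASS is treated as a passing result (WARN and UNKW are not), and UNKW results are kept in the denominator by default. Only the F cutoff (below 60) is documented; the A–D thresholds in GRADE_BANDS are placeholders you should replace with the real table.

```python
from collections import Counter

# Constructed sample scan output: (control_id, plugin_name, status).
# Statuses follow the page: PASS, WARN, FAIL, UNKW.
SAMPLE_RESULTS = [
    ("1.1", "rootAccountMfaEnabled", "PASS"),
    ("1.1", "rootAccessKeys", "PASS"),
    ("2.1", "s3BucketPublicAccess", "FAIL"),
    ("2.1", "s3BucketEncryption", "FAIL"),
    ("2.1", "s3BucketVersioning", "WARN"),
    ("3.1", "cloudtrailEnabled", "PASS"),
    ("3.1", "cloudtrailLogValidation", "UNKW"),
    ("4.1", "securityGroupSshOpen", "FAIL"),
    ("4.1", "securityGroupRdpOpen", "PASS"),
    ("5.1", "rdsPublicAccess", "PASS"),
]

# ASSUMPTION: only the F boundary (below 60) comes from the page; the A-D
# cutoffs are placeholders. Bands are (minimum score, grade), highest first.
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]


def control_summary(results):
    """Per-control count of plugin results in each status (PASS/WARN/FAIL/UNKW)."""
    summary = {}
    for control_id, _plugin, status in results:
        summary.setdefault(control_id, Counter())[status] += 1
    return summary


def cspm_score(results, passing=frozenset({"PASS"}), include_unknown=True):
    """Percentage score: passing results / total results * 100.

    ASSUMPTION: only PASS counts as passing. UNKW stays in the denominator
    unless include_unknown=False (the page does not say how UNKW is treated).
    """
    counted = [r for r in results if include_unknown or r[2] != "UNKW"]
    if not counted:
        return 0.0
    passed = sum(1 for _c, _p, status in counted if status in passing)
    return passed / len(counted) * 100


def letter_grade(score, bands=GRADE_BANDS):
    """Map a 0-100 score to a letter using descending (minimum, grade) bands."""
    for minimum, grade in bands:
        if score >= minimum:
            return grade
    return bands[-1][1]


def score_if_fixed(results, fixed_plugins):
    """What-if: recompute the score assuming the named plugins now PASS."""
    fixed = set(fixed_plugins)
    patched = [
        (c, p, "PASS" if p in fixed else s) for c, p, s in results
    ]
    return cspm_score(patched)


if __name__ == "__main__":
    score = cspm_score(SAMPLE_RESULTS)
    print(f"score={score:.1f}% grade={letter_grade(score)}")
    for control_id, counts in control_summary(SAMPLE_RESULTS).items():
        print(control_id, dict(counts))
    fixes = ["s3BucketPublicAccess", "s3BucketEncryption", "securityGroupSshOpen"]
    print(f"after fixing {fixes}: {score_if_fixed(SAMPLE_RESULTS, fixes):.1f}%")
```

Because the score is a plain ratio, every failing plugin result carries equal weight regardless of severity; a public S3 bucket and a missing tag both cost one result. Use the what-if function to prioritize fixes by score impact, but do not read the grade as a severity ranking.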

Factors lowering the CSPM score

The CSPM score starts at 100 and is reduced for each risk discovered. The following are the factors that reduce the CSPM score:

  • Risks identified from storage buckets exposed publicly
  • Risks identified from compute and database resources with unintended public access
  • Risks identified from missing or improperly configured encryption in transit and at rest across cloud services
  • Risks identified from changes to critical resources such as firewall rules, logging groups, or account settings
  • Risks identified from activity in unused or unexpected cloud provider regions or locations
  • Risks identified from user policy definitions that do not enforce least-privilege access to resources
  • Risks identified from other misconfigurations of the cloud platform