Open Source Apache 2.0

The missing scorecard for cloud security.

Scanners check your config. CSMM scores your security architecture — from basic hygiene to self-healing, zero-trust operations.

L1 ████████████████████░░░░ 82%
L2 ███████████████░░░░░░░░░ 64%
L3 █████████░░░░░░░░░░░░░░░ 41%
L4 ░░░░░░░░░░░░░░░░░░░░░░░░ locked
L5 ░░░░░░░░░░░░░░░░░░░░░░░░ locked
Overall: Level 2 Guarded — 58/100

Beyond configuration checks

Most security tools stop at L1–L2. CSMM scores the architecture and processes that actually make the difference.

L1–L2 What scanners cover

Configuration checks: Is MFA enabled? Is the bucket public? Is CloudTrail on?
Baseline guardrails: SCPs, encryption defaults, region restrictions, flow logs.
Gets you compliant: Passes CIS benchmarks, meets basic audit requirements.

L3–L5 Where CSMM diverges

Security architecture: Data perimeters, ABAC/RBAC patterns, cross-account trust controls, permission boundaries.
Process maturity: JIT/break-glass access, least privilege reviews, IaC security gates, drift detection.
Gets you secure: Self-healing environments, zero standing privilege, auto-remediation.

No scanner can tell you whether your IAM architecture is sound, whether your access model is structured or a sprawl of ad-hoc policies, or whether anyone has standing admin access to production. CSMM can.

Five levels. Each builds on the last.

Levels are gated — you must score 80% or higher before the next level unlocks. You can't skip MFA by being great at ABAC.

L5 Autonomous: self-healing. Auto-remediation, SOAR playbooks, automated secret rotation, policy drift auto-revert.
L4 Verified: continuous verification. JIT access, threat hunting, hardened image pipelines, backup architecture, security metrics.
L3 Hardened: security architecture. ABAC/RBAC, data perimeters, network segmentation, secrets management, workload isolation, incident response.
L2 Guarded: SCPs, flow logs, CloudTrail, encryption, monitoring alarms, baseline guardrails.
L1 Exposed: MFA, root lockdown, public access blocks, default SG restrictions, basic encryption.

Levels × Pillars

Every control mapped to a level and pillar. Each cell is a cluster of concrete, verifiable checks.

Pillar weights: IAM 30%, Networking 20%, Storage 20%, Compute 15%, Monitoring 15%.

L5 Autonomous. IAM: Policy drift auto-revert. Networking: Anomaly auto-isolate. Storage: Automated secret rotation. Compute: Self-healing infra. Monitoring: Automated incident response (SOAR).
L4 Verified. IAM: Access Analyzer, JIT access, IaC gates. Networking: DNS security, drift detection. Storage: Backup architecture, Object Lock. Compute: Hardened image pipeline, SSM-only. Monitoring: Threat hunting, security metrics.
L3 Hardened. IAM: ABAC/RBAC, data perimeters, cross-account trust, least privilege. Networking: Network segmentation, VPC endpoints, egress filtering, DDoS. Storage: Data classification, key mgmt architecture, secrets management. Compute: Container security, workload isolation, patch management. Monitoring: Observability architecture, IR runbooks.
L2 Guarded. IAM: SCPs, temp credentials, CloudTrail. Networking: Flow logs, NACLs, GuardDuty. Storage: Versioning, backups, encryption. Compute: IMDSv2, launch templates. Monitoring: Security Hub, CloudWatch alarms.
L1 Exposed. IAM: MFA, root lockdown, SSO, key rotation. Networking: No open SSH/RDP, HTTPS, TLS 1.2. Storage: S3 public block, RDS private, encryption. Compute: EBS encrypt, no public IP/AMI.

How the score works

Every control is pass/fail, weighted by severity, rolled up through gated levels into one overall score.

Input: per-control pass/fail → × severity weight → Level score (0–100) → ≥ 80% gating → Pillar score → × pillar weight → Overall (0–100)

Severity Weights

Critical: 4x
High: 3x
Medium: 2x
Low: 1x

Level Weights

L1 Exposed: 0.35
L2 Guarded: 0.25
L3 Hardened: 0.20
L4 Verified: 0.12
L5 Autonomous: 0.08

Pillar Weights

IAM: 30%
Networking: 20%
Storage: 20%
Compute: 15%
Monitoring: 15%
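The level gating and the score roll-up described above, as an added example that is not CSMM's own code. The severity, level and pillar weights are the page's; the order in which the stages combine (per-level severity-weighted percentage, the 80% gate, a level-weighted pillar score in which a locked level counts as 0, then a pillar-weighted overall), the highest-unlocked-level reading of "current level", and the sample control results are assumptions, so the numbers do not reproduce the 58/100 illustration at the top of the page.

```python
from collections import namedtuple

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
LEVEL_WEIGHT = {1: 0.35, 2: 0.25, 3: 0.20, 4: 0.12, 5: 0.08}
PILLAR_WEIGHT = {"iam": 0.30, "networking": 0.20, "storage": 0.20, "compute": 0.15, "monitoring": 0.15}
GATE = 80.0  # the next level unlocks only when the current one scores >= 80%
Result = namedtuple("Result", "control level pillar severity passed")
# Constructed, reduced sample; the x-* ids are placeholders for non-IAM controls.
SAMPLE = [
    Result("iam-001", 1, "iam", "critical", True),
    Result("iam-005", 1, "iam", "medium", False),
    Result("x-net-01", 1, "networking", "high", True),
    Result("x-sto-01", 1, "storage", "high", True),
    Result("x-cmp-01", 1, "compute", "medium", True),
    Result("iam-009", 2, "iam", "high", True),
    Result("iam-013", 2, "iam", "medium", False),
    Result("gov-001", 2, "monitoring", "critical", True),
    Result("x-net-02", 2, "networking", "medium", False),
    Result("iam-021", 3, "iam", "high", False),
]

def weighted_pct(results):
    """Severity-weighted pass percentage (0-100) of a group of controls."""
    total = sum(SEVERITY_WEIGHT[r.severity] for r in results)
    earned = sum(SEVERITY_WEIGHT[r.severity] for r in results if r.passed)
    return 100.0 * earned / total if total else 0.0

def level_scores(results):
    """Score each level; every level above the first gate miss is locked (None)."""
    scores, unlocked = {}, True
    for lvl in sorted(LEVEL_WEIGHT):
        scores[lvl] = weighted_pct([r for r in results if r.level == lvl]) if unlocked else None
        unlocked = unlocked and scores[lvl] >= GATE
    return scores

def pillar_score(results, levels, pillar):
    """Level-weighted roll-up of one pillar; a locked level scores 0 but keeps its weight (assumption)."""
    cells = {l: [r for r in results if r.pillar == pillar and r.level == l] for l in LEVEL_WEIGHT}
    present = [l for l, c in cells.items() if c]  # levels where this pillar has controls
    earned = sum(LEVEL_WEIGHT[l] * weighted_pct(cells[l])
                 for l in present if levels[l] is not None)
    return earned / sum(LEVEL_WEIGHT[l] for l in present) if present else 0.0

def overall(results):
    """Return (level scores, pillar scores, overall 0-100, highest unlocked level)."""
    levels = level_scores(results)
    pillars = {p: pillar_score(results, levels, p) for p in PILLAR_WEIGHT}
    total = round(sum(PILLAR_WEIGHT[p] * s for p, s in pillars.items()), 1)
    return levels, pillars, total, max(l for l, s in levels.items() if s is not None)
```

With the sample, L1 scores 85.7% and unlocks L2, L2 scores 63.6% and locks L3 and above, so the failed L3 control never counts and the account reads as Level 2.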

IAM Pillar — 26 Controls

Identity & Access Management is the highest-weighted pillar at 30%. Here's every control across all five maturity levels.

L1 Exposed · 8 controls
iam-001 Enforce MFA for All Console Users
iam-002 No Root Account Access Keys
iam-003 Root MFA with Hardware Token
iam-004 No IAM Users — Use SSO
iam-005 Rotate Keys Within 90 Days
iam-006 Remove Unused Creds (45d)
iam-007 Password Policy 14+ Chars
iam-008 Deny Root Usage via SCP

L2 Guarded · 7 controls
iam-009 Deny Leaving Org via SCP
iam-010 Deny CloudTrail Disable
iam-011 MFA for Sensitive Actions
iam-012 Restrict Regions via SCP
iam-013 Enforce Temporary Credentials
gov-001 CloudTrail All Regions
gov-002 CloudTrail Log Validation

L3 Hardened · 6 controls
iam-016 Permission Boundaries
iam-017 Deny IAM Admin via Boundary
iam-018 Least Privilege Review
iam-019 Enforce ABAC/RBAC
iam-020 Cross-Account Trust Controls
iam-021 IAM Data Perimeter

L4 Verified · 3 controls
iam-026 IAM Access Analyzer
iam-027 Temporary Elevated Access (JIT)
ver-001 IaC Scanned in CI/CD

L5 Autonomous · 2 controls
aut-001 Auto-Remediation for L1
aut-002 Policy Drift Auto-Reverted

How CSMM compares

                               CIS Benchmarks   AWS SMM v2   NIST CSF    Prowler              CSMM
Type                           Checklist        Phases       Framework   Scanner              Maturity model
Levels                         None             4 phases     4 tiers     None                 5 levels (gated)
Scoring                        Pass/fail        None         None        0-100 (compliance)   0-100 (maturity)
Scores architecture & process  No               Partially    No          No                   Yes (L3-L5)
Open source                    No               No           Yes         Partial              Yes (Apache 2.0)
Progression                    No               Yes          No          No                   Yes (leveled)
Community                      No               No           No          Partial              Yes