# Cloud Security

<figure><img src="/files/eXc5MeDgoBoyZLueGxH4" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Contact your Keeper account manager to enable Keeper Cloud Security and supported integrations.
{% endhint %}

## Overview

Keeper Cloud Security connects cloud security findings to privileged access remediation. It helps teams move from detection to action without breaking Keeper's zero-knowledge model.

### Why Keeper built it

Cloud-native application protection platforms (CNAPPs) are strong at finding risk, but they do not remediate identity exposure by themselves. Teams still need to rotate credentials, restrict access, and bring unmanaged resources under control.

Keeper Cloud Security closes that gap. It brings findings into Keeper, maps them to identities and infrastructure, and turns them into remediations you can track.

### Why the integration matters

* Send findings from your CNAPP directly into Keeper.
* Resolve issues with rotation, JIT access, or managed onboarding.
* Keep remediation status aligned between both systems.

### How Keeper Encrypter fits

Keeper does not decrypt customer data in the cloud. Cloud Security integrations still need a secure way to receive findings and return status updates. Keeper Encrypter provides that bridge.

Keeper Encrypter is a self-hosted Docker service. It runs in your environment. It receives CNAPP webhooks and encrypts integration traffic between Keeper and the provider. The encryption key stays under your control in your vault.

The service uses Keeper Secrets Manager device configuration and the CNAPP configuration record to authenticate and retrieve the settings it needs. This keeps the integration aligned with Keeper's zero-knowledge architecture.

For deployment details, see [Keeper Encrypter](/keeperpam/privileged-access-manager/cloud-security/keeper-encrypter.md).

### Available Integrations

* [Wiz](/keeperpam/privileged-access-manager/cloud-security/wiz-integration.md)
* More providers are coming soon.

### Prerequisites

Keeper Cloud Security is part of the KeeperPAM platform for customers with an active KeeperPAM subscription.

To enable it:

* Create or select a PAM Configuration.
* Choose your CNAPP provider in **Secrets Manager → PAM Configuration**.
* Deploy Keeper Encrypter for the provider workflow.

### What you can do with a finding

* Rotate exposed or stale credentials.
* Apply [Just-In-Time (JIT) access](/keeperpam/privileged-access-manager/just-in-time-access-jit.md) and approval workflows.
* Onboard users, machines, and databases as managed KeeperPAM resources.

You can also standardize access after onboarding with [Connections](/keeperpam/privileged-access-manager/connections.md) and [Tunnels](/keeperpam/privileged-access-manager/tunnels.md).

### Vault Interface

After you select a CNAPP provider, **Cloud Security** appears in the Keeper Vault. From this screen, an admin can review a finding, open it in the provider, ignore it, delete it, or start remediation.

<figure><img src="/files/jK0P9DhhvMSKSPufFMNs" alt=""><figcaption><p>Cloud Security with CNAPP Provider Integration</p></figcaption></figure>

### Resolve a finding

{% stepper %}
{% step %}

### Review the finding

Open the finding from the Cloud Security dashboard. Use the provider link if you need more context before remediation.
{% endstep %}

{% step %}

### Map the affected resource

To remediate the finding, onboard the identity or machine as a KeeperPAM resource. You can also map the finding to an existing KeeperPAM resource.

<figure><img src="/files/pmV7lFifkzb2rKYoL6R2" alt="" width="474"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Run remediation

Choose the best control for the issue:

* Perform a [credential rotation](/keeperpam/privileged-access-manager/password-rotation/rotation-overview.md)
* Protect access with [Just-In-Time (JIT)](/keeperpam/privileged-access-manager/just-in-time-access-jit.md)
* Apply [workflow controls](/keeperpam/privileged-access-manager/just-in-time-access-jit/workflow.md) and launch-ready access paths

<figure><img src="/files/8wADbIjlVVn6En8BR5V6" alt="" width="466"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Return status to the provider

After remediation, Keeper sends the updated finding status back to the CNAPP provider. The provider clears the issue after its next validation cycle.
{% endstep %}
{% endstepper %}


