> For the complete documentation index, see [llms.txt](https://docs.keeper.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.keeper.io/keeperpam/privileged-access-manager/cloud-security/wiz-integration.md).

# Wiz Integration

<figure><img src="/files/ynuFY5Zdp1luCYiSIpMF" alt=""><figcaption></figcaption></figure>

## Overview

The Wiz integration sends cloud security findings into Keeper Cloud Security for remediation. It is built for issues that need credential rotation, managed onboarding, or tighter privileged access controls.

### Why Integrate Wiz With Keeper

Wiz identifies exposed identities, risky access paths, and cloud misconfigurations. Keeper helps you act on those findings by turning them into managed privileged access controls.

This integration helps you:

* send relevant Wiz findings directly to Keeper.
* remediate identities and resources with KeeperPAM controls.
* keep remediation status aligned across both systems.

### Remediation Workflow

The remediation flow is:

* An admin receives a finding in Wiz.
* The admin reviews the finding and sends it to Keeper for remediation.
* A Keeper admin receives the finding and maps the affected resource in Keeper.
* After remediation, Keeper marks the finding in Wiz as in-progress.
* After the next Wiz validation cycle, the issue is cleared if the risk is resolved.

Keeper uses [Keeper Encrypter](/keeperpam/privileged-access-manager/cloud-security/keeper-encrypter.md) to preserve zero-knowledge architecture during this exchange.

## Setup

{% stepper %}
{% step %}

### Deploy Keeper Encrypter

Deploy [Keeper Encrypter](/keeperpam/privileged-access-manager/cloud-security/keeper-encrypter.md) before you activate the Wiz integration. It receives Wiz webhook traffic and encrypts the integration flow inside your environment.
{% endstep %}

{% step %}

### Set Up a Keeper Integration in Wiz

[Set up Keeper integration in Wiz](https://docs.wiz.io/docs/keeper-security-integration) next. Make sure to save the client id, client secret and API endpoint URL.
{% endstep %}

{% step %}

### Select a PAM configuration

Navigate to secrets manager and select a PAM Configuration you want to link the CNAPP provider to.

In your PAM Configuration:

* Select the gateway you created during Encrypter setup.
* Select the shared folder that stores the encryption key.
* Choose **Wiz** as the CNAPP status provider.

After you select the provider, choose the CNAPP configuration record created earlier and click on **Complete integration setup**.

<figure><img src="/files/dVAA5tcmRXJm0Cg3y5XP" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Verify the Encrypter Connection

Use the **Verify Connection** tab to connect Keeper Encrypter to this PAM Configuration.

Use these values from the UI:

* Set `NETWORK_UID` in the Encrypter `.env` file to **Network UID**
* Set `KSM_CNAPP_CONFIG_RECORD_ID` in the Encrypter `.env` file to **CNAPP Configuration Record UID**
* Click **Verify**. A green checkmark confirms that Keeper Encrypter is connected successfully.

<figure><img src="/files/bWjsGNekUSxkgmPIyJmG" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Authorize Wiz

In the second tab, enter the credentials provided by Wiz and click **Authorize**.

<figure><img src="/files/YM8Qb0K6boOj3NxPMbNK" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

## User Experience

### Cloud Security Dashboard

From the Wiz console, the admin pushes the findings to Keeper through the [Keeper Integration in Wiz](https://docs.wiz.io/docs/keeper-security-integration).

Once pushed, the issues will appear in the **Cloud Security** dashboard, complete with full context from the CNAPP provider.

<figure><img src="/files/9NoXbv8v3xjqRxOawsq1" alt=""><figcaption></figcaption></figure>

### Vulnerability Details

A CNAPP provider has identified an exposed credential for an administrative account. In order to start the remediation, hover over the issue and click **Resolve.**

<figure><img src="/files/Rw5t34DcHP6Zc3bnPbFa" alt=""><figcaption></figcaption></figure>

You can then view a detailed description from the CNAPP provider and onboard the exposed resources to Keeper by selecting **Create New Record.**

<figure><img src="/files/H76BsZWhuZnYfKBYQy6X" alt=""><figcaption></figcaption></figure>

### Onboarding a Resource

Select the appropriate record type for the resource you wish to onboard. Then follow their configuration documentation and click **Add**.

The Cloud Security Dashboard currently supports onboarding of five record types for resources:

1. [PAM Database](/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-database.md)
2. [PAM Machine](/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-machine.md)
3. [PAM Directory](/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-directory.md)
4. [PAM Remote Browser](/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-remote-browser.md)
5. [PAM Cloud](/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-cloud.md)

<figure><img src="/files/jXRm2kG74JVw4tAcVzhu" alt=""><figcaption></figcaption></figure>

Once a resource is onboarded, you can onboard a [PAM User](/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-user.md) record to link to that resource. In cases where the CNAPP provider finds a compromised cloud identity, a PAM User record can directly be onboarded without a PAM Database, PAM Machine, PAM Directory or PAM Remote Browser being onboarded.

<figure><img src="/files/NeaFivupW4d1ihoePLoW" alt=""><figcaption></figcaption></figure>

### Remediating an Issue

Once a resource is successfully onboarded, you can choose between three different remediations:

* [Rotate Credential](/keeperpam/privileged-access-manager/password-rotation/rotation-overview.md#configure-rotation-settings)
* [Manage Access](/keeperpam/privileged-access-manager/connections/getting-started.md)
* [Enable JIT Access](/keeperpam/privileged-access-manager/just-in-time-access-jit.md)

Select the appropriate remediations and click **Next**.

<figure><img src="/files/NnDAOSPnNBtCZMGJxHH4" alt=""><figcaption></figcaption></figure>

Select **Rotate Credential** to edit the [rotation settings](/keeperpam/privileged-access-manager/password-rotation/rotation-overview.md#configure-rotation-settings) and customize the newly generated password. Once you have the rotation configured, click **Update** and then click **Save and Continue**.

<figure><img src="/files/57HMHBNWLt49Pow83Qjq" alt=""><figcaption></figcaption></figure>

Select **Manage Access** to edit the [connection configuration settings](/keeperpam/privileged-access-manager/connections.md) and manage the access to the onboarded resource though a zero trust interactive session. Once you have the connection configured, click **Update** and then click **Save and Continue**.

<figure><img src="/files/Pj6DjqHZ98tLSN70dXRz" alt=""><figcaption></figcaption></figure>

Select **Enable JIT** to edit the [JIT configuration settings](/keeperpam/privileged-access-manager/just-in-time-access-jit/ephemeral-accounts-and-privilege-elevation.md) and set up Just-in-Time access for the record.

<figure><img src="/files/0SnBbhGwZWmiXH6q6u7X" alt=""><figcaption></figcaption></figure>

Select **Workflow** to edit the [workflow configuration settings](/keeperpam/privileged-access-manager/just-in-time-access-jit.md#pages-in-this-section), limit access time to a resource, add required approvers, enable record check-in, and require MFA. Once you have the your [JIT rollout](/keeperpam/privileged-access-manager/just-in-time-access-jit.md#recommended-rollout) configured, click **Update** and then click **Save and Continue**.

<figure><img src="/files/HrXRjDvEw2fpIr0C4srV" alt=""><figcaption></figcaption></figure>

Keeper then automatically notifies Wiz that the issue has been addressed. The finding moves to the **In Progress** tab in the **Cloud Security** dashboard, and the Wiz team sees the updated status on their end without any manual follow-up.

<figure><img src="/files/vGarQr2wU8EhOnO3NSP5" alt=""><figcaption></figcaption></figure>

On the next Wiz scan cycle, the exposed credential no longer appears. Once Wiz sends back the resolved finding back to Keeper, it transitions cleanly from **In Progress** to **Resolved**.

<figure><img src="/files/a9NBbkyqp58RXgSvavWK" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.keeper.io/keeperpam/privileged-access-manager/cloud-security/wiz-integration.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
