CSPM scanner
Last updated: Jun 30, 2026
For common configuration file keys that apply to all scanners, see Use a configuration file.
Specific configuration file keys
The following key is available for the CSPM scanner, and it can be used to perform cloud security posture management analysis over AWS environments.
cspm
This key has the following configuration option:
-
aws_credentials(mandatory): A list of AWS role configurations to analyze. Each entry supports:role(mandatory): The AWS role ARN to assume for the scan.external_id(optional): The external ID required to assume the role, when the IAM role's trust policy specifies an external ID condition.
Both fields support the
${VAR_NAME}syntax — see example.
Configuration file example
namespace: my_app
language: EN
output:
file_path: /fluid-attacks-results.sarif
format: SARIF
checks:
- F005
cspm:
aws_credentials:
- role: arn:aws:iam::123456789012:role/MyRole
external_id: my-external-idConfiguration file example with envars
namespace: my_app
language: EN
output:
file_path: /fluid-attacks-results.sarif
format: SARIF
checks:
- F005
cspm:
aws_credentials:
- role: arn:aws:iam::123456789012:role/MyRole
external_id: ${CSPM_AWS_EXTERNAL_ID}Have a question about the scanner or encountered a problem? Read "Scanner FAQ".
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' pentesting team, fill out this contact form.