# Sovereign Observer > A multi-cloud security posture management (CSPM) tool that scans your cloud configuration and Terraform, chains findings into ranked attack paths, and hands back the exact fix — as copy-paste Terraform/CLI or a reviewable pull request. Read-only access, scoped and revocable. Self-hostable. Sovereign Observer is a CSPM/CNAPP-lite product for startups and small teams on AWS, Azure, and GCP. It is remediation-first: most scanners stop at the finding, Sovereign closes the loop to a fix. The marketing site is at https://sovereign-observer.com/ and a live demo (seeded data, no signup) is at https://sovereign-observer.com/demo. ## What it does - **Finds misconfigurations** across AWS, Azure, and GCP — 240+ native checks plus the open-source Prowler engine for live cloud and Checkov for Terraform/IaC. - **Prioritizes by real risk** — builds an asset graph from discovered network and identity relationships and chains findings into attack paths, so you see the handful of chains that actually reach your data instead of thousands of disconnected findings. - **Fixes, not just flags** — every finding ships a ready-to-paste Terraform snippet, the equivalent CLI command, and console steps; Terraform fixes in a PR arrive as a suggested change you review and merge. - **Shifts left** — a GitHub Action scans Terraform on every pull request, comments inline, and can fail the merge on a severity gate. - **Maps to compliance** — findings cross-walk to CIS, SOC 2, ISO 27001, NIST 800-53, and PCI DSS, with audit-ready evidence exports. ## Access and data handling - **Read-only.** Live cloud scanning uses a read-only role you create (AWS SecurityAudit / ReadOnlyAccess or the Azure/GCP equivalent). No write, modify, or delete permissions. - **No long-lived AWS keys.** The role is assumed at scan time with your ExternalId; delete the role to revoke access instantly. Terraform/IaC scanning needs no cloud access at all. - **Config metadata only.** Resource IDs, types, regions, and relationships — not the contents of your data stores. Data is not sold, shared, or used to train models. - **Self-hosted option.** A Docker deployment runs the whole platform inside your own infrastructure, so no data leaves your environment. - **Stated honestly:** not SOC 2 / ISO 27001 certified yet — early-stage. The self-hosted deployment is the recommended path for teams that cannot use an uncertified SaaS vendor. ## Guides - [CSPM vs CNAPP: What’s the Difference? (2026)](https://sovereign-observer.com/blog/cspm-vs-cnapp/): CSPM vs CNAPP explained: what each acronym means, how they relate (CSPM is one pillar of CNAPP), what CWPP and CIEM add, and which one a startup actually needs first. - [Wiz Alternatives for Startups and Small Teams (2026)](https://sovereign-observer.com/blog/wiz-alternatives-startups/): Looking for a Wiz alternative that fits a startup budget? Compare Prowler, Aikido, Orca, Prisma Cloud, and Sovereign Observer on pricing, setup, and who each one actually fits. - [How to Find and Fix Over-Permissive IAM Roles in AWS (2026 Guide)](https://sovereign-observer.com/blog/fix-over-permissive-iam-roles/): Step-by-step guide to finding IAM roles and policies with wildcard "*" permissions in AWS and cutting them down to least privilege — console, CLI, IAM Access Analyzer, and how to stay clean. - [Best CSPM Tools for Startups and Small Teams (2026)](https://sovereign-observer.com/blog/best-cspm-tools-startups/): Comparing CSPM options for startups in 2026: Wiz, Orca, Prisma Cloud, open-source Prowler, and Sovereign Observer — pricing models, setup time, and who each one fits. - [CIS AWS Foundations Benchmark: What It Is and How to Pass It](https://sovereign-observer.com/blog/cis-aws-foundations-benchmark/): What the CIS AWS Foundations Benchmark covers, which controls matter most, how scoring works, and the fastest way to get compliant — manually or with automated scanning. - [How to Find and Fix Public S3 Buckets in AWS (2026 Guide)](https://sovereign-observer.com/blog/fix-public-s3-buckets/): Step-by-step guide to finding every public S3 bucket in your AWS account and locking it down — console, CLI, and account-wide Block Public Access, plus how to stay clean. - [What Is CSPM? Cloud Security Posture Management, Explained](https://sovereign-observer.com/blog/what-is-cspm/): CSPM (Cloud Security Posture Management) continuously scans AWS, Azure, and GCP for misconfigurations. Learn how it works, what it catches, and when you need one. ## Pages - [Home](https://sovereign-observer.com/): Product overview, live product views, pricing model. - [Live demo](https://sovereign-observer.com/demo): Seeded sample data, no signup or email gate. - [Blog](https://sovereign-observer.com/blog/): Practical cloud-security guides on CSPM, misconfigurations, and attack paths. - [Docs](https://sovereign-observer.com/docs): Product documentation. - [Contact](https://sovereign-observer.com/contact): Get in touch for a walkthrough.