Cloud security RFP season. Every mid-market CISO is evaluating Wiz, Orca, Prisma Cloud, or similar.
The question I get: "Which one should we buy?"
My question back: "What percentage of your IAM users have AdministratorAccess?"
The answer is usually uncomfortable.
CNAPPs (Cloud-Native Application Protection Platforms) are powerful. They also cost ₹30L-₹1Cr/yr depending on your scale. Their core promise: unified visibility across misconfigurations, vulnerabilities, and runtime threats.
What the sales deck doesn't tell you:
CNAPP tools surface a flood of alerts. Without IAM hygiene in place first, your team will:
→ Mute 60% of alerts because they're "too many"
→ Lose track of who owns what alert because ownership isn't tagged
→ Fail to act on the 15% that are actually critical because they're buried
→ Renew the CNAPP contract anyway because they can't admit it didn't help
The foundation that makes CNAPP work:
→ Every IAM user has documented role and justification (review quarterly)
→ No AdministratorAccess for humans. Use Assume-Role + Session Policies for escalation.
→ Service accounts have the minimum permissions they actually use (IAM Access Analyzer reports this)
→ SCPs at the org level block destructive actions even if a user has permissions
→ MFA enforced at login, not optional
→ CloudTrail centralized, immutable, retained 2+ years
With these 6 foundational controls, you actually cut 40-60% of the CNAPP's alert volume because you've prevented the misconfigurations at the source.
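As an added example (not from the post), a small audit script that answers the opening question, "what percentage of IAM users have AdministratorAccess?", together with the MFA control from the list above. It assumes constructed sample records shaped like what the boto3 IAM calls list_users, list_attached_user_policies, list_attached_group_policies, get_user_policy and list_mfa_devices return, and it also catches inline policies that grant full admin via Action "*" on Resource "*", which a check on the managed policy ARN alone would miss.

```python
from typing import Dict, Iterable, List

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def _as_list(v) -> List[str]:
    # IAM policy JSON allows a single string/object or a list for these fields.
    return [v] if isinstance(v, (str, dict)) else list(v)

def grants_full_admin(policy_doc: Dict) -> bool:
    """True if an Allow statement grants Action "*" on Resource "*" (inline admin)."""
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False

# Constructed sample, one record per IAM user. PolicyArns = managed policies attached
# directly or via groups; InlinePolicies = inline policy documents; MfaDevices = count
# from list_mfa_devices. User names and the account id 123456789012 are placeholders.
SAMPLE_USERS = [
    {"UserName": "alice", "PolicyArns": [ADMIN_POLICY_ARN], "MfaDevices": 1},
    {"UserName": "bob", "PolicyArns": [], "MfaDevices": 0, "InlinePolicies": [
        {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    {"UserName": "ci-deploy", "MfaDevices": 0,
     "PolicyArns": ["arn:aws:iam::123456789012:policy/DeployOnly"]},
    {"UserName": "carol", "MfaDevices": 1,
     "PolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]},
]

def audit_iam_users(users: Iterable[Dict]) -> Dict:
    """Return the numbers a CISO should know before signing a CNAPP contract."""
    users = list(users)
    admins, no_mfa = [], []
    for u in users:
        inline_admin = any(grants_full_admin(d) for d in u.get("InlinePolicies", []))
        if ADMIN_POLICY_ARN in u.get("PolicyArns", []) or inline_admin:
            admins.append(u["UserName"])
        if u.get("MfaDevices", 0) == 0:
            no_mfa.append(u["UserName"])
    pct = round(100.0 * len(admins) / len(users), 1) if users else 0.0
    return {"total": len(users), "admins": admins, "admin_pct": pct, "no_mfa": no_mfa,
            # Worst case for the "MFA enforced at login" control: admin rights, no MFA.
            "admin_without_mfa": [n for n in admins if n in no_mfa]}

if __name__ == "__main__":
    r = audit_iam_users(SAMPLE_USERS)
    print(f"{r['admin_pct']}% of {r['total']} IAM users have AdministratorAccess: {r['admins']}")
    print("Users without MFA:", r["no_mfa"], "| admins without MFA:", r["admin_without_mfa"])
```

On the sample data this reports 50% admins, with "bob" flagged only because of his inline wildcard policy.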
CNAPP without foundation = expensive alert dashboard.
Foundation + right-sized CNAPP = actual security posture improvement.
The honest sequence:
→ Month 1-2: IAM audit + Access Analyzer cleanup. Free.
→ Month 2-3: SCP guardrails + MFA enforcement. Free.
→ Month 3-4: Small CNAPP deployment (maybe start with AWS Security Hub — free). Tune alerts.
→ Month 6+: Evaluate if a premium CNAPP (Wiz et al.) is needed, or if Security Hub + custom GuardDuty rules cover you.
Most Indian mid-market teams I audit find that AWS-native security tools plus IAM discipline cover 80% of what CNAPP sells. The other 20% is noise.
If your security team is in RFP-mode right now, repost. There's a CISO about to sign a ₹80L/yr contract who should audit IAM first.