Skip to content

The 27 Grafana Cloud security checks Black Cat runs

Black Cat SSPM evaluates 27 security policies against your Grafana Cloud configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

mediumExcessive Cloud Admins

Reduce the number of Cloud organization admins to the minimum required

criticalCloud Wildcard Access Policy

Remove wildcard scopes from the Cloud Access Policy and replace with least-privilege scopes

highOverly Permissive Access Policy

Restrict write and delete scopes or limit the policy realm to specific stacks

mediumAccess Policy Without IP Restriction

Add an IP allowlist restriction to the Cloud Access Policy

highSingle Cloud Admin

Add a second admin to the Grafana Cloud organization to eliminate the single point of failure

highAccess Policy With No Scopes

Add explicit scopes to the access policy or delete it if unused

mediumAccess Policy With No Realm Binding

Add at least one realm binding to the access policy or delete it if unused

highAccess Policy Combines Write and Delete Scopes

Split the policy into separate write and delete policies following least-privilege principle

mediumAccess Policy Uses Org-Wide Realm

Replace the org-wide realm with stack-specific realms to limit the policy's blast radius

mediumRecently Added Admin Member

Review the recently promoted admin account to confirm the elevation was authorized

highWrite-Scoped Access Policy Without IP Restriction

Add an IP allowlist to access policies that carry write or delete scopes

mediumOrganization Member Without Email

Add an email address to the organization member account for identification and notifications

mediumExcessive Scope Count on Access Policy

Reduce the number of scopes on the access policy by splitting into multiple purpose-specific policies

highToken Bound to Unknown or Deleted Policy

Revoke the orphaned token and create a replacement under a valid access policy

mediumToken With Expiration Over 365 Days

Reduce the token expiration to 365 days or less and establish a rotation schedule

mediumToken Not Rotated in 180 Days

Rotate the token by creating a replacement and revoking the old one

configuration

mediumToken Expiring Within 14 Days

Rotate the token before it expires to avoid service disruption

lowStale Access Policy Not Updated in 180 Days

Review the access policy to ensure its scopes and realms still match current requirements

governance

infoAccess Policy Without Display Name

Add a descriptive display name to the access policy for operational clarity

key management

mediumExcessive Tokens Per Policy

Reduce token count per access policy by revoking unused tokens and splitting policies by use case

highNon-Expiring Cloud Token

Set an expiration date on the Grafana Cloud access policy token

mediumDormant Cloud Token

Revoke or rotate Grafana Cloud tokens that have not been used in over 90 days

criticalToken With Wildcard Policy

Reassign the token to a non-wildcard access policy with least-privilege scopes

lowRecently Created Token Without Use

Revoke newly created tokens that have never been used to eliminate orphaned credentials

lowOrphaned Access Policy

Delete the orphaned access policy or create a token under it if it is still needed

mediumToken Never Used After 30 Days

Revoke tokens that were created over 30 days ago and have never been used

highWrite-Capable Token Inactive for 30 Days

Revoke inactive write or delete capable tokens to prevent credential abuse

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial