The 27 Grafana Cloud security checks Black Cat runs
Black Cat SSPM evaluates 27 security policies against your Grafana Cloud configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Reduce the number of Cloud organization admins to the minimum required
Remove wildcard scopes from the Cloud Access Policy and replace with least-privilege scopes
Restrict write and delete scopes or limit the policy realm to specific stacks
Add an IP allowlist restriction to the Cloud Access Policy
Add a second admin to the Grafana Cloud organization to eliminate the single point of failure
Add explicit scopes to the access policy or delete it if unused
Add at least one realm binding to the access policy or delete it if unused
Split the policy into separate write and delete policies following least-privilege principle
Replace the org-wide realm with stack-specific realms to limit the policy's blast radius
Review the recently promoted admin account to confirm the elevation was authorized
Add an IP allowlist to access policies that carry write or delete scopes
Add an email address to the organization member account for identification and notifications
Reduce the number of scopes on the access policy by splitting into multiple purpose-specific policies
Revoke the orphaned token and create a replacement under a valid access policy
Reduce the token expiration to 365 days or less and establish a rotation schedule
Rotate the token by creating a replacement and revoking the old one
configuration
Rotate the token before it expires to avoid service disruption
Review the access policy to ensure its scopes and realms still match current requirements
governance
Add a descriptive display name to the access policy for operational clarity
key management
Reduce token count per access policy by revoking unused tokens and splitting policies by use case
Set an expiration date on the Grafana Cloud access policy token
Revoke or rotate Grafana Cloud tokens that have not been used in over 90 days
Reassign the token to a non-wildcard access policy with least-privilege scopes
Revoke newly created tokens that have never been used to eliminate orphaned credentials
Delete the orphaned access policy or create a token under it if it is still needed
Revoke tokens that were created over 30 days ago and have never been used
Revoke inactive write or delete capable tokens to prevent credential abuse