Overview
Cye CSPM (formerly Solvo) is a Cloud Security Posture Management solution that monitors cloud configurations and identifies policy violations through metadata-level scanning. It replaces the legacy native cloud integrations that previously collected cloud security findings from AWS and Azure environments.
The migration brings broader finding coverage, improved detection stability, and continuous posture monitoring — but it also resets some historical data.
CYE handles the migration. Depending on the cloud provider, customer involvement ranges from zero (Azure) to a single permissions-approval step (AWS).
Azure customers: Migration is fully managed by CYE. No action required.
AWS customers: The AWS Admin will need to approve read-only IAM permissions by running a CloudFormation stack (an AWS deployment template provided by CYE). CYE will provide the launcher URL and instructions.
After migration, all cloud security findings appear in the Cye Platform under Findings and Assets with the source Cye Cloud Posture.
What Improves After Migration
Broader finding coverage: Cye CSPM detects more misconfigurations and policy violations than the legacy native cloud integrations, particularly for AWS environments.
More reliable detection: Recurring sync failures and missing data from the legacy native cloud integrations are eliminated.
Continuous monitoring: Cye CSPM syncs findings automatically on an ongoing basis, not just during scheduled scans.
Remediation context: Findings include updated remediation guidance aligned with Cye CSPM's detection logic.
How Findings Change
How Findings Change
Cye CSPM becomes the single source of truth for ongoing cloud security findings. Legacy native cloud integration findings are replaced entirely — the two are not merged. Even when both systems detect the same underlying issue, the Cye CSPM finding may differ from the legacy version:
Different categorization: Cye CSPM uses its own detection logic, so a finding may appear under a different use case or severity classification than it did under the legacy native cloud integrations.
Different remediation assets: The recommended remediation steps and associated resources may change to reflect Cye CSPM's analysis.
New findings: Cye CSPM detects issues that the legacy native cloud integrations did not cover. Expect the total number of findings to increase, especially for AWS.
Removed findings: Some legacy native cloud integration findings that Cye CSPM does not replicate will no longer appear.
After migration is complete, the following cleanup steps apply:
Disconnect the legacy integration: Remove the legacy native cloud integration from the Cye Platform. Navigate to Settings → Integrations (requires Administrator role) to disconnect it.
Legacy findings persist: Findings from the legacy integration remain visible but are no longer updated.
Mark legacy findings as Not Relevant: Mark legacy findings as Not Relevant once Cye CSPM coverage has been verified. To verify, compare the count and categories of Cye CSPM findings against legacy findings and confirm equivalent or broader coverage. Stale findings left in an Open state will continue to influence exposure metrics and dashboard calculations.
What Will Be Lost
What Will Be Lost
The following data from the legacy integration does not carry over to Cye CSPM:
Historical finding state changes — The Open → Fixed → Reopen history of legacy findings is not preserved. Post-migration findings start fresh.
Linked Jira or ServiceNow tickets — Tickets linked to legacy native cloud integration findings will no longer be associated with the new Cye CSPM findings. Close legacy tickets and open new ones against the migrated findings.
Manual comments and status overrides — Any comments, notes, or manual status changes (e.g., Acceptable Risk, On Hold) applied to legacy native cloud integration findings do not transfer to Cye CSPM findings.
If the team has invested heavily in finding annotations, export or document them before the migration completion date communicated by CYE.
How the Migration Works
How the Migration Works
Azure — No Action Required
Existing permissions already cover what Cye CSPM needs, so the Azure migration happens without any customer involvement.
What happens:CYE creates the new Cye CSPM integration in the Cye Platform account.
CYE confirms that migration is complete.
Cye CSPM becomes the single source of truth for Azure cloud findings.
AWS — One Step Required
Cye CSPM requires broader read-only permissions than the legacy native cloud integrations used, so the AWS Admin needs to approve the expanded permission set.
What happens:CYE sends a CloudFormation stack launcher URL specific to the account.
The AWS Admin logs into the AWS account (or Organization) to be connected, navigates to the launcher URL, and submits the stack.
The stack creates a cross-account IAM role with read-only access. No write permissions are granted. The stack status should show CREATE_COMPLETE in the AWS CloudFormation console. If the status shows ROLLBACK_COMPLETE or FAILED, contact CYE Support with the stack event details.
After permissions are approved, CYE completes the migration.
For AWS Organizations: If the organization has multiple accounts, the CloudFormation stack can onboard the entire organization at once. CYE will provide specific instructions for the setup.
Temporary duplicate findings:
During the migration, findings from both the legacy integration and Cye CSPM may appear simultaneously in the Findings page for a short period. This is expected and resolves once the migration is complete.
Locating Cye CSPM Findings in the Platform
Locating Cye CSPM Findings in the Platform
After migration, Cye CSPM findings appear in the Cye Platform the same way other integration findings do.
Navigate to Findings in the Left Navigation Bar. Open the Filters panel and select Cye Cloud Posture under Source.
Navigate to Assets in the Left Navigation Bar. Use the same Source filter to view cloud assets detected by Cye CSPM.
When working with multiple cloud environments:
Multiple cloud platforms (AWS and Azure): Use the Cloud Platform tag filter to isolate findings by provider.
Multiple accounts or subscriptions: Use the Account ID or Account Name tag filters to focus on a specific account.
If no findings appear under Source: Cye Cloud Posture within 48 hours of migration completion, contact CYE Support.
What Cye CSPM Accesses in the Environment
What Cye CSPM Accesses in the Environment
Cye CSPM uses read-only access to perform metadata-level scans and security posture assessments. It is not designed to access PII, secrets, or live data, and it cannot modify any resources.
Azure Permissions
Azure Permissions
Cye CSPM connects to Azure through a registered application in the Azure AD tenant. The application uses a Client ID and Client Secret, stored encrypted in Cye's secure vault.
Microsoft Graph API Permissions (Application-Level, Read-Only)
Permission | Description |
| Read all access reviews |
| Read API connectors for authentication flows |
| Read all applications |
| Read all audit log data |
| Read custom security attribute assignments |
| Read Microsoft Intune apps |
| Read Microsoft Intune device configuration and policies |
| Read Microsoft Intune RBAC settings |
| Read directory data |
| Read all external items |
| Read identity providers |
| Read all identity risk event information |
| Read all identity risky user information |
| Read all published labels and label policies |
| Read all hidden group memberships |
| Read organization information |
| Read organization policies |
| Read consent and permission grant policies |
| Read privileged access to Azure AD groups |
| Read privileged access to Azure resources |
| Read all programs |
| Read all usage reports |
| Read role management data for all RBAC providers |
| Read Cloud PC RBAC settings |
| Read organization security actions |
| Read all security incidents |
| Read threat assessment requests |
| Run hunting queries |
| Read all threat indicators |
| Read all users' authentication methods |
Azure RBAC Role: Monitoring Reader
In addition to Graph API permissions, the registered application requires the Monitoring Reader role on selected subscriptions or management groups. This role allows Cye CSPM to:
Read activity logs
Inspect diagnostic settings
Collect metrics and monitoring data
The role assignment scope controls which subscriptions or management groups Cye CSPM can access.
AWS Permissions
AWS Permissions
Cye CSPM connects to AWS through a cross-account IAM role created by running a CloudFormation template. The role uses an External ID unique to the organization, ensuring that only the authorized Cye CSPM account can assume the role.
Base Policy: SecurityAudit (AWS-Managed, Read-Only)
The SecurityAudit managed policy provides broad read-only visibility across AWS services.
Additional Metadata-Only Permissions
A small set of additional read-only permissions supplements the SecurityAudit policy for enhanced risk analysis. These do not expose sensitive resource content or customer data.
Service | Actions | Purpose |
Lambda |
| Retrieve function configuration |
Lambda |
| Access Lambda layer versions |
Macie |
| Retrieve and list Macie resources |
Billing |
| Retrieve billing information |
Budgets |
| Describe and view budget details |
Cost Explorer |
| Retrieve cost and usage data |
EKS |
| List and describe EKS cluster details |
AWS Access Summary
Component | Detail |
Base policy |
|
Additional permissions | Metadata-only read access (Lambda, Macie, Billing, EKS) |
Trust relationship | Cross-account role with External ID |
Access frequency | Temporary, on-demand |
Write access | None |
Credential storage | No persistent credentials in the environment |
Remove the IAM role to revoke Cye CSPM access at any time. All activity is logged in CloudTrail.
Timeline and What to Expect
Timeline and What to Expect
Phase | What happens | Action required |
Notification | CYE communicates the migration schedule and details. | Review the communication. |
Azure migration | CYE creates the Cye CSPM integration using existing permissions. | None. |
AWS permissions | CYE sends a CloudFormation launcher URL. | AWS Admin runs the stack. |
Migration complete | Legacy integration is ready to be disconnected. Cye CSPM is the sole source. | Disconnect legacy integration. Mark legacy findings as Not Relevant. |
Post-migration | Findings and assets appear under Source: Cye Cloud Posture in the Cye Platform. | Filter by new source. |
Wrap-up / Next Steps
Wrap-up / Next Steps
Contact the Customer Success Manager or reach out to CYE Support for migration-related questions.
Export critical annotations: Open Findings, locate legacy findings with comments, Jira links, or manual status overrides, and export or document them before the migration completion date.
AWS customers — confirm Admin availability: Ensure the AWS Admin is available to approve the CloudFormation stack when the launcher URL arrives.
Disconnect the legacy integration: Navigate to Settings → Integrations and remove the legacy native cloud integration after migration is complete (requires Administrator role).
Mark legacy findings as Not Relevant: Open Findings, filter by the legacy source, and update finding statuses to prevent stale data from affecting exposure calculations.
Verify Cye CSPM findings: Open Findings, filter by Source: Cye Cloud Posture, and confirm that cloud findings are present.