A cloud security assessment (CSA) system configured to identify and remedy a workflow executing in a cloud web service environment is provided. The CSA system includes a network interface configured to connect the CSA system to the cloud web service environment, wherein the cloud web service environment is defined by a cloud account; and a processor in operative communication with the cloud web service environment configured to receive a cloud account compliance rule for the cloud account in a structured near natural language, the compliance rule being applied by the CSA system on at least an instance of the cloud web service environment, wherein is processor is further configured to perform a remediation action based on a policy of the cloud account upon determination of a violation of the compliance rule.