Identifying cloud infrastructure misconfigurations can happen at different stages of the development lifecycle. Whether in development or in a runtime environment, what matters is finding and fixing issues before they can be exploited.
Many organizations are shifting to GitOps: defining infrastructure in code, version controlling it, and running it through a CI/CD pipeline rather than modifying runtime configurations directly. The benefits of GitOps include easier repeatability, faster remediation, lower change failure rates and improved posture. To achieve those benefits, any update to infrastructure should involve updating the IaC code.
However, manual changes to cloud configurations are inevitable. In “break glass” moments, such as during a service incident, teams may find it faster to make manual changes, such as relaxing firewall rules, directly in the cloud rather than finding the right engineer to make the change in code. Alternatively, when a misconfiguration is identified in runtime by an Ops team, such as an S3 bucket without versioning, they may fix it directly in runtime for the sake of efficiency or for lack of familiarity with IaC. In both cases, if the resources were provisioned using infrastructure as code (IaC) such as Terraform, there is now drift: the Terraform code is out of sync with the actual runtime configuration.
One other common cause of drift is changes introduced by cloud providers. When AWS rolls out new APIs, or Google Cloud casually deprecates a previously supported attribute, it might not interfere with the current operation of your services, but it creates a difference between the codified definition and the newly manifested resource posture.
Drift is a blind spot for your GitOps workflows. Instead of your code serving as a single source of truth, it now lags behind, and you lose the GitOps benefits mentioned earlier. For example, in the second scenario above, the fix lives only in the cloud, so if you were to reuse the Terraform code for your next project, you’d carry that misconfiguration over to the new project, turning drift into a possible compromise.
That’s why we’re excited to announce Bridgecrew by Prisma Cloud has added Multi-Cloud Drift Detection!
What is Bridgecrew Drift Detection?
Drift Detection continuously compares IaC code stored in any of our supported version control systems (GitHub, GitLab, Bitbucket and Azure Repos) against the runtime configuration of any of our supported cloud providers (AWS, Azure and GCP). If Bridgecrew detects a difference between the configuration your code declares and the actual configuration found in the cloud provider, it is flagged as drift on our Projects page. Bridgecrew can send an alert via our integrations to tools like Slack to notify the right people about the drift.
There are existing solutions that provide drift detection, but very few enable continuous monitoring for drift across multiple clouds. Some detect drift for only one cloud provider, or only compare state when code is updated. Our Drift Detection capability provides both continuous and multi-cloud detection for mixed environments.
Behind the scenes, this works by leveraging our newly released open source IaC tagging tool, Yor. When Yor adds a trace tag to IaC resources, that tag lets us track each resource from the repository to runtime. Additionally, we include the code representation of the manual changes in a diff format, so it’s easy to compare like with like between the IaC and the cloud configuration.
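As an added illustration of that matching step (example code, not Bridgecrew's or Yor's own implementation), the Python below indexes IaC-declared and runtime resources by a `yor_trace` tag and renders each mismatch as a unified diff. The resource dictionaries are constructed sample data; a real implementation would read the IaC side from the repository and the runtime side from the provider API, and the tag key name is assumed.

```python
import difflib
import json

# Constructed sample data: what the Terraform code declares (IaC side) and
# what the cloud API reports (runtime side). Both carry the trace tag that
# Yor injected; the third runtime resource was created outside of code.
IAC_RESOURCES = [
    {"tags": {"yor_trace": "a1b2c3"}, "type": "aws_s3_bucket",
     "versioning": "Enabled", "sse_algorithm": "AES256"},
    {"tags": {"yor_trace": "d4e5f6"}, "type": "aws_security_group_rule",
     "from_port": 22, "cidr_blocks": ["10.0.0.0/8"]},
]
RUNTIME_RESOURCES = [
    {"tags": {"yor_trace": "a1b2c3"}, "type": "aws_s3_bucket",
     "versioning": "Suspended", "sse_algorithm": "AES256"},
    {"tags": {"yor_trace": "d4e5f6"}, "type": "aws_security_group_rule",
     "from_port": 22, "cidr_blocks": ["0.0.0.0/0"]},  # break-glass change
    {"tags": {}, "type": "aws_s3_bucket", "versioning": "Enabled"},
]

def index_by_trace(resources, tag_key="yor_trace"):
    """Map each tagged resource to its trace id; untagged ones are skipped."""
    return {r["tags"][tag_key]: r for r in resources if tag_key in r.get("tags", {})}

def render(resource):
    """Stable, tag-free text form so the diff shows only configuration changes."""
    body = {k: v for k, v in resource.items() if k != "tags"}
    return json.dumps(body, indent=2, sort_keys=True).splitlines()

def detect_drift(iac, runtime, tag_key="yor_trace"):
    """Return drifted resources as {trace_id: unified diff}, plus resources
    declared in code but absent from the cloud and cloud resources with no trace."""
    code, cloud = index_by_trace(iac, tag_key), index_by_trace(runtime, tag_key)
    report = {"drifted": {}, "missing_in_cloud": [], "untracked": []}
    for trace, declared in code.items():
        actual = cloud.get(trace)
        if actual is None:
            report["missing_in_cloud"].append(trace)
            continue
        diff = difflib.unified_diff(render(declared), render(actual),
                                    fromfile=f"iac/{trace}", tofile=f"cloud/{trace}",
                                    lineterm="")
        lines = list(diff)
        if lines:  # empty diff means code and cloud agree for this resource
            report["drifted"][trace] = "\n".join(lines)
    report["untracked"] = [r for r in runtime if tag_key not in r.get("tags", {})]
    return report

if __name__ == "__main__":
    for trace, diff in detect_drift(IAC_RESOURCES, RUNTIME_RESOURCES)["drifted"].items():
        print(diff, end="\n\n")
```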
Efficiently Fixing Drift
Once the drift is identified, there are a few options to remediate the issue. If the change made to the cloud was unintentional or temporary, you can reapply the code and bring the cloud back in line with your IaC.
If the change was intentional and fixed an issue, we provide a Fix Drift button that automatically opens a pull request or merge request against the repository to add, remove or modify the code so that it is back in sync with the runtime configuration.
With this new feature, we’ve simplified the process of finding and fixing drift in cloud infrastructure. Try Drift Detection for yourself by signing up for free for Bridgecrew or learn more about how it works on the Bridgecrew blog!