Support catching infrastructure drift / New check to analyze customer tags #2678
Labels:
- feature-request (New feature request for Prowler.)
- need information
- new check idea
- provider/aws (Issues/PRs related with the AWS provider)
- severity/informational (Cosmetic or nice-to-have.)
- status/awaiting-reponse (Waiting response from Issue owner)
New feature motivation
I'd like to be able to use prowler to detect, at least a subset of, infrastructure drift: where infrastructure no longer matches what is in configuration. This would allow me to identify resources that were created/modified outside of my infrastructure automation tooling, which ensures the security controls I have implemented in my tooling are actually applied in production.
Solution Proposed
A first step of a check that would be useful to me is an "untagged_resources" flag for each check that prowler performs against AWS, that would "fail" a check if a resource in AWS is missing a tag specified in prowler configuration. For example, I apply a default tag of `managed_by=terraform`. If prowler finds a resource that is missing that tag, it should fail the check. I can do this by hand using "Resource Explorer" on AWS to search for untagged resources. This wouldn't catch changes to managed resources, but would catch unmanaged resources, which is a bigger concern (e.g. I can run terraform apply every day to ensure that things are applied, but terraform can't find things that are not in terraform).

A more robust implementation would work similar to how driftctl works, looking at terraform state and the resources in the upstream provider (e.g. AWS), and catching differences, but this would require pulling in an interface to tfstate and having access to the state.
Describe alternatives you've considered
https://github.com/snyk/driftctl has been put into maintenance mode, and doesn't work with terraform state created with the newest version of the terraform provider. The end result is that `driftctl` is no longer usable. I built https://github.com/ckdake/driftctl2asff to get driftctl results into SecurityHub. It's not super robust, but you can read the driftctl2asff.py to get an idea of the things driftctl was checking.

Other tooling to detect drift has a variety of maturity, and is another stack to run/operate.
It would be fantastic to be able to use prowler to detect when infrastructure has drifted from configuration.
Additional context
No response
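The following is an added example of the "required tag" logic the issue proposes, written for this page; it is not Prowler's code and not the issue author's. It takes resources in the shape returned by the AWS Resource Groups Tagging API (`get_resources` returns a `ResourceTagMappingList` of `{"ResourceARN", "Tags": [{"Key", "Value"}]}` entries), compares each one against a required-tag configuration such as `{"managed_by": "terraform"}`, and emits a PASS/FAIL finding per resource with a status message, which is the shape a Prowler check would need to produce. The sample resource list, the ARNs and the `TagFinding` class are constructed for the example; a required value of `None` (key-only) is an assumed extension so the same function can flag resources that merely lack the key.

```python
"""Added example: flag AWS resources missing a required tag (not Prowler's code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class TagFinding:
    """Minimal stand-in for a check report: one PASS/FAIL per resource."""
    resource_arn: str
    status: str           # "PASS" or "FAIL"
    status_extended: str  # human-readable reason


def _tags_as_dict(tag_list: Iterable[dict]) -> Dict[str, str]:
    """Convert the API's [{"Key": k, "Value": v}, ...] list into a dict."""
    return {t["Key"]: t["Value"] for t in tag_list}


def check_required_tags(
    resource_mappings: Iterable[dict],
    required_tags: Dict[str, Optional[str]],
) -> List[TagFinding]:
    """Return one finding per resource.

    required_tags maps a tag key to the value it must carry, or to None when
    only the presence of the key matters. A resource FAILs if any required key
    is absent or carries a different value.
    """
    findings: List[TagFinding] = []
    for mapping in resource_mappings:
        arn = mapping["ResourceARN"]
        tags = _tags_as_dict(mapping.get("Tags", []))
        problems: List[str] = []
        for key, expected in required_tags.items():
            if key not in tags:
                problems.append(f"tag {key!r} is missing")
            elif expected is not None and tags[key] != expected:
                problems.append(f"tag {key!r} is {tags[key]!r}, expected {expected!r}")
        if problems:
            findings.append(TagFinding(arn, "FAIL", f"{arn}: " + "; ".join(problems)))
        else:
            findings.append(TagFinding(arn, "PASS", f"{arn}: all required tags present"))
    return findings


def fetch_resource_mappings(region: str) -> Iterable[dict]:
    """Live variant (not exercised offline): page through get_resources().

    Caveat: the Tagging API only returns resources that are or were previously
    tagged, so a resource that has never carried any tag will not appear here;
    those have to come from per-service listing (as Prowler's service clients do).
    """
    import boto3  # imported lazily so the offline example has no dependency

    client = boto3.client("resourcegroupstaggingapi", region_name=region)
    for page in client.get_paginator("get_resources").paginate():
        yield from page["ResourceTagMappingList"]


# Constructed sample input mimicking a get_resources() response.
SAMPLE_RESOURCES = [
    {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0aaa111bbb222ccc3",
     "Tags": [{"Key": "Name", "Value": "web-1"},
              {"Key": "managed_by", "Value": "terraform"}]},
    {"ResourceARN": "arn:aws:s3:::example-clickops-bucket",
     "Tags": [{"Key": "Name", "Value": "scratch"}]},             # key absent
    {"ResourceARN": "arn:aws:rds:us-east-1:123456789012:db:legacy-db",
     "Tags": [{"Key": "managed_by", "Value": "cloudformation"}]},  # wrong value
    {"ResourceARN": "arn:aws:lambda:us-east-1:123456789012:function:hotfix",
     "Tags": []},                                                  # no tags at all
]

REQUIRED_TAGS = {"managed_by": "terraform"}


def unmanaged_resource_arns(resources=SAMPLE_RESOURCES, required=REQUIRED_TAGS) -> List[str]:
    """ARNs that fail the check, i.e. candidates for resources created outside IaC."""
    return [f.resource_arn for f in check_required_tags(resources, required) if f.status == "FAIL"]


if __name__ == "__main__":
    for finding in check_required_tags(SAMPLE_RESOURCES, REQUIRED_TAGS):
        print(finding.status, finding.status_extended)
```

Wiring this into Prowler would mean reading `REQUIRED_TAGS` from the Prowler configuration and turning each `TagFinding` into the framework's own report object; that mapping is left out here because it is not on the page. Tag presence is only a heuristic for "managed by IaC": anyone with tagging permissions can add the tag by hand, so the check catches accidental click-ops, not a deliberate attempt to blend in.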