prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0
10.65k stars, 1.51k forks

Support catching infrastructure drift / New check to analyze customer tags #2678

Open ckdake opened 1 year ago

ckdake commented 1 year ago

New feature motivation

I'd like to be able to use prowler to detect, at least a subset of, infrastructure drift: where infrastructure no longer matches what is in configuration. This would allow me to identify resources that were created/modified outside of my infrastructure automation tooling, which ensures the security controls I have implemented in my tooling are actually applied in production.

Solution Proposed

A first step of a check that would be useful to me is an "untagged_resources" flag for each check that prowler performs against AWS, that would "fail" a check if a resource in aws is missing a tag specified in prowler configuration. For example, I apply a default tag of managed_by=terraform. If prowler finds a resource that is missing that tag, it should fail the check. I can do this by hand using "Resource Explorer" on AWS to search for untagged resources. This wouldn't catch changes to managed resources, but would catch unmanaged resources, which is a bigger concern. (e.g. I can run terraform apply every day to ensure that things are applied, but terraform can't find things that are not in terraform).

A more robust implementation would work similarly to how driftctl works, looking at terraform state and the resources in the upstream provider (e.g. AWS) and catching differences, but this would require pulling in an interface to tfstate and having access to the state.

Describe alternatives you've considered

https://github.com/snyk/driftctl has been put into maintenance mode, and doesn't work with terraform state created with the newest version of the terraform provider. The end result is that driftctl is no longer usable. I built https://github.com/ckdake/driftctl2asff to get driftctl results into SecurityHub. It's not super robust, but you can read the driftctl2asff.py to get an idea of the things driftctl was checking.

Other tooling to detect drift has a variety of maturity, and is another stack to run/operate.

It would be fantastic to be able to use prowler to detect when infrastructure has drifted from configuration.

Additional context

No response

jfagoagas commented 1 year ago

Hi @ckdake, this is a great idea and we can explore it in the following weeks. I'll get back to you next week or the week after.

Thanks!

toniblyx commented 12 months ago

Hey @ckdake, as you said what if we write a check that looks for custom tags (based on user configuration), would that make the trick? Something like Ensure resources are customer tagged, other ideas?

kagahd commented 2 weeks ago

Hey @ckdake, as you said what if we write a check that looks for custom tags (based on user configuration), would that make the trick? Something like Ensure resources are customer tagged, other ideas?

That's a great idea if both the resources aka AWS services to be checked and the required custom tags (keys and maybe also their allowed values) could be configured by the user. With "AWS services" I mean for example rds_cluster, rds_instance and rds_snapshot and not just rds.

ckdake commented 2 weeks ago

@toniblyx whoops, missed the ping. A check for custom tags would work. The newish "AWS Resource Tagging Standard" [https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html] shows a good pattern here, and it's cumbersome to implement in AWS and doesn't cover all resource types. A similar check, in prowler, would be easier and more comprehensive.
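The check sketched in this thread (fail any resource missing a configured tag, with the checked resource types and the allowed tag values also configurable) can be expressed as a small, self-contained evaluation loop. The following is an added example written for this page; it is not Prowler's own code and does not use Prowler's check classes or its configuration file format. The policy dictionary shape, the resource type names (ec2_instance, rds_instance, rds_snapshot, s3_bucket) and the sample resources are all constructed for illustration. Tag keys are compared case-sensitively because AWS tag keys are case-sensitive, and tags are accepted either as a plain dict or as the AWS API's list of {"Key": ..., "Value": ...} entries.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Policy shape (an assumption for this example, not Prowler's config format):
#   resource type -> {tag key -> list of allowed values, or None for "any value"}
# The "*" entry applies to every resource type not listed explicitly; an
# explicit empty dict exempts that resource type from the check entirely.
TagPolicy = Dict[str, Dict[str, Optional[List[str]]]]

POLICY: TagPolicy = {
    "*": {"managed_by": ["terraform"]},
    "rds_instance": {
        "managed_by": ["terraform"],
        "data_classification": ["public", "internal", "confidential"],
    },
    "rds_snapshot": {},  # exempt: nothing is required on snapshots
}


@dataclass
class Resource:
    resource_type: str  # hypothetical type names, e.g. "rds_instance"
    arn: str
    region: str
    # Either {"key": "value"} or AWS-style [{"Key": "key", "Value": "value"}]
    tags: Union[Dict[str, str], List[Dict[str, str]]] = field(default_factory=dict)


@dataclass
class Finding:
    resource_arn: str
    region: str
    status: str  # "PASS" or "FAIL"
    status_extended: str


def normalize_tags(tags) -> Dict[str, str]:
    """Return tags as a dict whatever form the API handed them back in."""
    if isinstance(tags, dict):
        return dict(tags)
    return {t["Key"]: t.get("Value", "") for t in (tags or [])}


def required_tags_for(resource_type: str, policy: TagPolicy) -> Dict[str, Optional[List[str]]]:
    """Explicit per-type rules win; otherwise fall back to the "*" default."""
    return policy.get(resource_type, policy.get("*", {}))


def evaluate(resource: Resource, policy: TagPolicy) -> Finding:
    """Produce one PASS/FAIL finding for a resource against the tag policy."""
    tags = normalize_tags(resource.tags)
    problems = []
    for key, allowed in required_tags_for(resource.resource_type, policy).items():
        # No .lower(): AWS tag keys are case-sensitive, so "Managed_By" != "managed_by".
        if key not in tags:
            problems.append(f"missing tag '{key}'")
        elif allowed is not None and tags[key] not in allowed:
            problems.append(
                f"tag '{key}' has value '{tags[key]}', expected one of {allowed}"
            )
    if problems:
        return Finding(
            resource.arn, resource.region, "FAIL",
            f"{resource.resource_type} {resource.arn} violates the tagging policy: "
            + "; ".join(problems) + ".",
        )
    return Finding(
        resource.arn, resource.region, "PASS",
        f"{resource.resource_type} {resource.arn} carries all required tags.",
    )


def run_check(resources: List[Resource], policy: TagPolicy) -> List[Finding]:
    return [evaluate(r, policy) for r in resources]


def failed_arns(findings: List[Finding]) -> List[str]:
    """Convenience view: the ARNs of resources created or changed outside automation."""
    return [f.resource_arn for f in findings if f.status == "FAIL"]


# Constructed sample inventory (fake ARNs) covering the interesting cases.
SAMPLE_RESOURCES = [
    Resource("ec2_instance", "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa", "us-east-1",
             {"managed_by": "terraform"}),                       # PASS via "*"
    Resource("ec2_instance", "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbb", "us-east-1",
             {}),                                                # FAIL: untagged
    Resource("rds_instance", "arn:aws:rds:us-east-1:111122223333:db:app-db", "us-east-1",
             {"managed_by": "terraform", "data_classification": "internal"}),  # PASS
    Resource("rds_instance", "arn:aws:rds:us-east-1:111122223333:db:scratch-db", "us-east-1",
             [{"Key": "managed_by", "Value": "console"}]),       # FAIL: bad value + missing key
    Resource("rds_snapshot", "arn:aws:rds:us-east-1:111122223333:snapshot:app-db-2024", "us-east-1",
             {}),                                                # PASS: exempt type
    Resource("s3_bucket", "arn:aws:s3:::example-logs-bucket", "us-east-1",
             {"Managed_By": "terraform"}),                       # FAIL: key case mismatch
]

if __name__ == "__main__":
    for finding in run_check(SAMPLE_RESOURCES, POLICY):
        print(finding.status, finding.status_extended)
```

Inside a real check the loop body of `evaluate` would run over the resources a service client has already collected, and the policy would come from the user's configuration rather than a module constant; the case-sensitivity rule and the "bad value" branch are the two places where a naive "is the key present" check gives a false PASS.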