Drift Detection


By Emmanuel Nwankwo, Customer Success Engineer

 

The infrastructure your repositories describe is often less secure than the code suggests. A deployed resource can be changed from the cloud console or a CLI after the template has been applied, and that change never makes it back into the repository. Attackers look for exactly these untracked changes, even on your private network. If your company maintains many projects, you need a reliable way to notice when running infrastructure no longer matches its code.

 

One way to close this gap is Drift Detection, a feature included with Prisma Cloud Code Security. Drift Detection continuously compares the resources deployed in your cloud account with the IaC templates in your repository that created them, and flags any deviation. A change of only a few lines, whether committed to the template or made by hand on the running resource, can create an entry point that an attacker uses to leak data or to turn your deployment into a foothold.



If you already have a Prisma Cloud Code Security subscription, you can go straight to setting up Drift Detection for your repositories. Otherwise, keep reading for an overview of how Drift Detection works in Prisma Cloud Code Security and how it can help you.

 

Drift is a deviation between a deployed resource's actual configuration and the IaC template that created it. It arises when a resource is modified outside the IaC pipeline, for example from the cloud console or a CLI, so that the change is neither documented in nor traceable from the repository. The discrepancy can be a value added to, changed in, or deleted from the original template configuration. Code Security scans the repositories that host the templates and compares them with the deployed resources to detect drift between the build and deploy phases, and it offers correction options so that every configuration change stays traceable.



Drift detection currently supports AWS resources deployed with Terraform and CloudFormation; support for resources deployed from Azure and Google Cloud Platform (GCP) templates is coming soon. After you apply a correction for a drift in the Prisma Cloud console, you can view the code before and after the change.



For each drift detection scan, you can view the following details for a resource block.

 

  1. Resource Block and Resource Name: The scan identifies the resource block and its name. The resource block is the grouping of configuration settings associated with a given resource.

 

  2. Before Drift: The resource's original configuration as stored in the template in the repository, before any out-of-band adjustment.

 

  3. After Drift: The resource's current configuration, including any manual or local changes to the resource block and any values that were added to or deleted from the template configuration.

 

  4. Resource History: The audit trail of configuration changes made to a resource, which you can review at any time. This includes values added or deleted and scan issues fixed in the code.


Configuring a Drift Detection: 

 

To run a drift detection scan on your repository, you must first configure a Drift Detection by completing the following steps:

 

Step One: Connect your AWS cloud account and code repository to Prisma Cloud.


Step Two: Connect your repositories to Code Security, which hosts the Terraform and CloudFormation templates used to deploy resources on your AWS cloud account.

 

Step Three: Add the Prisma Cloud IP addresses and the Code Security hostname to your allow list so that the Prisma Cloud console can reach your code repositories.

 

Setting up Yor:

 

Yor is an open-source tool that adds consistent tags, including a unique yor_trace tag, to resources across infrastructure-as-code frameworks, and it can run inside your CI/CD pipeline.

 

Complete the following steps to configure Yor for your repository:

 

Step One: Install and run Yor on your repository.

 

Step Two: Enable Yor to tag your repository for drift detection.

Note: You can run Yor from GitHub or from your Continuous Integration pipeline.

 

Step Three: Enable automatic resource trace tags on newly created or changed IaC resource blocks by navigating to "Code Security > Projects > Manage tags" and activating the yor_trace tag.

Note: Refer to "IaC Tag and Trace" for further information on managing tags.

 

Step Four: After connecting the repository, configure "Yor" and enable trace and tag management on your repository. 

Note: If your AWS cloud account was previously onboarded on Prisma Cloud, you must enable additional permissions necessary for a drift detection scan. Please refer to updating an "onboarded AWS account" to redeploy the stack with the required permissions specified in the AWSCloudFormationReadOnlyAccess policy.

 


 

Manage Drift:

You can manage drift detection scan results for your repository either through Suppress or Fix Drift.

 

Step One: Review the results of the drift detection scan for your repository.

 


View Drift Alerts

 

When Prisma Cloud detects a mismatch, it raises an alert so that runtime deviations from your desired configuration are surfaced promptly and you can correct them before they are exploited.

 

In this example, searching for the word 'traced' lists the AWS resources that carry a trace tag and have been manually modified.

 


 

You can address a drift with either "Fix" or "Suppress". "Fix" incorporates the modifications made locally or through a command-line interface into the code configuration, aligning the template with the current running configuration of the resource. When you submit the changes, fixing the drift generates a Pull Request (PR) against the repository.

 



Step Two: Take action to manage drift detection scan results. You can either Suppress or Fix a drift detection. 

 

Suppression: This restores a resource block to its configuration prior to any local or manual changes. With suppression, you enforce the configuration specified in the IaC template and undo the modifications made to the running resource. After suppression, the drift result remains visible until the next scan, when the resource is compliant again and the drift is shown as resolved.

 



Fix Drift: This applies the manually modified resource configuration to the template, so the template reflects the resource's actual configuration. Fix Drift generates a Pull Request (PR) against your code to implement the template change.
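To make the tag-and-trace mechanism concrete, here is an added Python example; it is not Prisma Cloud's or Yor's code. It models the whole loop described on this page: the trace step from the Yor section (Yor itself is run as `yor tag -d <directory>` and writes a `yor_trace` tag on each resource; the example emulates that with a UUID), the Before Drift and After Drift views, and the two remediation directions from Manage Drift. Only the `yor_trace` tag name is taken from the page; the CloudFormation-style template, the "live" resource state, the function names and the diff format are all constructed.

```python
# Added example: a toy tag-and-trace drift detector mirroring this page's
# workflow. Not Prisma Cloud or Yor code; the template, the "live" state,
# the function names and the trace assignment are all constructed.
import copy
import uuid

TRACE_TAG = "yor_trace"  # the tag name Yor writes; all else here is assumed

# Constructed CloudFormation-style template: logical ID -> resource block.
IAC_TEMPLATE = {
    "WebBucket": {
        "Type": "AWS::S3::Bucket",
        "Properties": {
            "BucketName": "acme-web-assets",
            "VersioningConfiguration": {"Status": "Enabled"},
            "Tags": [{"Key": "env", "Value": "prod"}],
        },
    },
    "SshSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "ssh from bastion only",
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                      "ToPort": 22, "CidrIp": "10.0.1.0/24"}],
        },
    },
}


def trace_id(tags):
    """Return the yor_trace value from a Tags list, or None if untraced."""
    return next((t["Value"] for t in tags if t["Key"] == TRACE_TAG), None)


def trace_template(template):
    """Emulate `yor tag`: add a yor_trace tag to every untraced resource.
    Existing trace tags are kept, so re-runs are idempotent and IDs stay stable."""
    template = copy.deepcopy(template)
    for resource in template.values():
        tags = resource["Properties"].setdefault("Tags", [])
        if trace_id(tags) is None:
            tags.append({"Key": TRACE_TAG, "Value": str(uuid.uuid4())})
    return template


def sample_live_state(traced):
    """Constructed 'describe' output after two console changes (versioning
    suspended, port 22 opened to the world) plus a hand-made, untraced bucket."""
    web = traced["WebBucket"]["Properties"]
    sg = traced["SshSecurityGroup"]["Properties"]
    return [
        {"Tags": list(web["Tags"]),
         "Properties": {"BucketName": "acme-web-assets",
                        "VersioningConfiguration": {"Status": "Suspended"}}},
        {"Tags": list(sg["Tags"]),
         "Properties": {"GroupDescription": sg["GroupDescription"],
                        "SecurityGroupIngress": sg["SecurityGroupIngress"] + [
                            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        {"Tags": [], "Properties": {"BucketName": "scratch-bucket"}},
    ]


def diff_properties(before, after, path=""):
    """Recursive diff: list of (dotted path, before value, after value)."""
    if isinstance(before, dict) and isinstance(after, dict):
        changes = []
        for key in sorted(set(before) | set(after)):
            sub = f"{path}.{key}" if path else key
            changes += diff_properties(before.get(key), after.get(key), sub)
        return changes
    return [] if before == after else [(path, before, after)]


def detect_drift(template, live_resources):
    """Match live resources to template blocks by yor_trace and diff the
    non-tag properties. Untraced live resources are skipped: no template
    block claims them, so there is no 'Before Drift' to compare against."""
    by_trace = {}
    for logical_id, res in template.items():
        t = trace_id(res["Properties"].get("Tags", []))
        if t is not None:
            by_trace[t] = logical_id
    drifts = {}
    for live in live_resources:
        logical_id = by_trace.get(trace_id(live["Tags"]))
        if logical_id is None:
            continue
        before = {k: v for k, v in template[logical_id]["Properties"].items() if k != "Tags"}
        changes = diff_properties(before, live["Properties"])
        if changes:
            drifts[logical_id] = changes
    return drifts


def fix_drift(template, live_resources, logical_id):
    """'Fix Drift' direction: rewrite the template block to match the live
    resource (what the generated pull request would change), keeping its tags."""
    fixed = copy.deepcopy(template)
    tags = fixed[logical_id]["Properties"]["Tags"]
    live = next(r for r in live_resources if trace_id(r["Tags"]) == trace_id(tags))
    fixed[logical_id]["Properties"] = {**copy.deepcopy(live["Properties"]), "Tags": tags}
    return fixed


def enforce_template(template, logical_id):
    """Opposite direction, which this page describes under 'Suppression': the
    template is the desired state, so return the properties to reapply to the
    live resource, undoing the manual change."""
    return copy.deepcopy(template[logical_id]["Properties"])
```

Calling `trace_template(IAC_TEMPLATE)`, then `sample_live_state` and `detect_drift` on the result, returns one entry per drifted block: `VersioningConfiguration.Status` changed from `Enabled` to `Suspended`, and `SecurityGroupIngress` gained a `0.0.0.0/0` rule. The hand-made bucket carries no trace tag and is skipped rather than reported, which is the practical reason the page insists on tagging before provisioning: an untraced resource is invisible to this kind of drift detection, not flagged by it. `fix_drift` rewrites the template block to the live values (the content of the generated PR), while `enforce_template` returns the template values to reapply to the resource instead; which direction is right is a review decision, since the `0.0.0.0/0` rule in this constructed state is exactly the kind of change you would want to revert rather than codify.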

 


 

We hope you enjoyed our blog post about how Prisma Cloud Code Security supports Drift Detection. We know that many developers are looking for a way to keep their repositories safe and secure and we are here to help. Drift detection is an essential part of code security, as it can help identify changes that the developers may not sanction and could be a sign of a security threat. If you have any questions or comments, please feel free to open a Support Portal Request. We are always happy to help answer any questions you may have. If you would like to learn more, please visit our documentation on Drift Detection.

 


 

 

2 Comments
L0 Member

Hi team, 

A quick question: what are the baseline factors to consider during the implementation of a drift detection program? What should be done, and what are the various teams involved, stating their roles and responsibilities during the fix?

thank you.

L1 Bithead

@GGabila, your DevOps and developer teams need to be involved. 

1. Your cloud accounts (AWS and Azure) and code repositories (for example, GitHub) must be connected to Prisma Cloud for Drift Detection to work. The code repo must host the Terraform and CloudFormation templates used to deploy resources on the AWS and Azure accounts.


2. Prisma Cloud Drift Detection uses tags and tracing to compare cloud configurations to IaC templates. Yor is an open-source tool that adds informative and consistent tags across IaC frameworks. These automated tags are unique to a repository.

 

3. The yor_trace tag is necessary to set up drift detection in most IaC templates. After running Yor on an IaC template and using it to provision resources in a cloud provider, the yor_trace tag is associated with the created resources. It is used in drift detection to detect configuration drift.

 

4. However, Yor tags are unnecessary in CloudFormation templates for drift detection.

 

5. Adding tags to the IaC code is required to detect configuration drift.
