Drifts are inconsistencies in code configuration that occur when a resource is modified locally or manually using CLI or console. These inconsistencies are seen as divergences in code and are most often not tracked or recorded until an error is identified during the build and deploy phase. Prisma Cloud Code Security supports Drift Detection for your integrated repositories and periodically scans them to identify drifts that may occur between the build and deploy phase. On
Code Security > Projects, in
IaC Misconfigurationview, you can view contextual information for drifts while executing corrective solutions to handle traceable configuration changes. To know more see Monitor and Fix Issues in Your Scans.
Drift detection is currently available only for resources that are deployed using Terraform and CloudFormation on AWS and Azure. Support for resources deployed on Google Cloud Platform (GCP) templates are not yet available.
Set up Drift Detection
For a drift detection scan to run on your repository you need to connect your AWS and Azure cloud account and code repositories to Prisma Cloud.
After the repository integration, set up Yor and enable tag and trace management. The yor_trace tag must be unique for the resource. The tag must not be in use on another Prisma Cloud tenant or a copy of a public demo repository.
+ Yor tags are not required for CloudFormation templates connected to an AWS account. You will automatically see drifts violations on the
Code Security > Projectsonce Prisma Cloud detects a gap between the the runtime and build time resources.
- Onboard your AWS and Azure cloud account and code repositories to Prisma Cloud.The AWS and Azure cloud account and code repositories must be connected to Prisma Cloud. For more details to onboard your cloud accounts see, AWS and Azure and then Connect Your Repositories to Code Security that hosts the Terraform and CloudFormation templates used to deploy resources on the AWS and Azure cloud account.If you have previously onboarded your AWS cloud account on Prisma Cloud, you must enable the additional permissions required for a drift detection scan. See update an onboarded AWS account for redeploying the stack with the required permissions that are included in the AWSCloudFormationReadOnlyAccess policy.lambda:GetLayerVersion lambda:GetEventSourceMapping lambda:GetFunction s3:ListBucket sns:GetSubscriptionAttributesAdd the Prisma Cloud IP addresses and hostname for Code Security to an allow list, to enable access to the Prisma Cloud Console.Set up YorYor is an open-source tool that helps you manage tags consistently across infrastructure as code frameworks on your CI/CD. To set up Yor for your repository you need to install and run Yor and then enable Yor to scan your repository for a drift detection scan.Install and Run Yor.You can choose to install Yor either through a GitHub Actions or GitLab CI.Enable Yor on the Prisma Cloud console.Enable automated resource trace tags to a new or modified IaC resource blocks usingCode Security > Projects > Manage tagsto enable the yor_trace tag. For further details on how to manage tags see IaC Tag and Trace.
You can manage drift scan results for your repositories by either fixing the issue or suppressing it.
- Review drifts identified in your scanned repository.
- SelectCode Security > Projectsand then selectIaC Misconfiguration.
- SelectAdd Filter > IaC Categoriesand then selectDrift.
- Take action and manage drifts.
- Select aResource Blockand then accessResource Explorer.
- SelectIssuesto take an action and manage drift.To manage a drift you can eitherFIXa drift or choose toSuppressit.
- FixEnables you to apply the manual changes made locally or in a CLI to the code configuration. When you fix drift, you correct the template configuration to match the running configuration of the resource. Fixing a drift creates a PR (Pull Request) after you Submit with the changes implemented within the template.
- SuppressEnables you to revert the manual changes made locally or in a CLI to the code configuration. When you Suppress issues in a scan result, you can enforce the configuration as defined in the IaC template and revert any changes to the running resource.Suppressing a drift will continue to display the drift detection result until the next scan where the running resource is compliant and the drift is fixed.
Create Alert Rules for Detecting Drift
An alert rule for Drift Detection generates alerts when a drift occurs for resources deployed on AWS (Amazon Web Services) and Azure. When creating a drift alert rule, you must specify the account groups for which you would like to receive alerts and include the policies for which you want to generate alerts.
Support for resources deployed on Google Cloud Platform (GCP) is not yet available.
- Verify that the policies for AWS and Azure are enabled.
- SelectPoliciesand verify if the specific policies are enabled for AWS and Azure cloud accounts. In this example, the policy AWS traced resources are manually modified is enabled.
- Add an alert rule.
- SelectAlerts > Alert Rulesand then selectAdd Alert Rules.
- Add details to create an alert rule for the configuration build policy.
- Add a name for the drift alert rule.You can optionally add a description.Drift alerts currently support alert notifications only. Support for Auto- Remediation is currently not available.
- SelectAccount Groupsto apply the alert rule.You can select all groups or pick select groups to include or exclude.You can optionally add additional criteria to the alert rule:
- Exclude Cloud Accounts: You can select cloud accounts to be excluded from the alert rule. You will not receive an alert for the selected accounts.
- Include Regions: Select regions to include to receive alerts.
- Include Resource Tags: Add the Key and Value of the resource tag to receive alerts for the specific resources in the cloud accounts.
- Assign policies.
- Select the policies for which you want to generate alerts.In this example, policy AWS traced resources are manually modified is assigned to the alert rule.You can optionally search for specific policies to enable drift alerts.In this example, using the word ‘traced’ to search for policy Traced Azure resources are manually modified.It is recommended to apply the alert rules with granular selection to avoid many alerts if the rule is applied for all policies.
- Review and save the alert rule.
- View the detailed summary of the alert rule to verify the granular details before youSaveyour changes.To make changes,Edit, theAdded Details,Assigned TargetsandAssigned Policies.You can view the alert counts for the new drift detection onAlerts > Overview.
View Drift Alerts on Prisma Cloud
Prisma Cloud generates alerts on drifts detected for policies included in the alert rule monitoring AWS and Azure cloud resources for runtime resources that deviate in configuration from IaC templates used to deploy these resources.
- SelectAlerts > Alerts Overview.
- Search or filter the policy in the list.
- SelectAlert Countto view the alerts with granular information.In this example, for the AWS traced resources are manually modified policy, there are 15 alert counts. Accessing each alert gives you granular information for each drift alert with IaC Resource Details.
- SelectResource Nameto view information on drifts identified in a specific resource.
- SelectAlert IDto view the traceability of drifts within the resource.For each drift alert, you can view the following details.
- Resource NameWhen selecting a resource name within the drift policy violation, you can view granular information about the resource and when and where the resource is likely to be modified.Using the information here onDetails, Audit Trail, Alerts, FindingsandRelationshipyou can understand where the drift may originate.
- Alert IDWhen selecting an alert ID within a resource where the drift policy violation occurs, you can view granular information on the time and status of the alert acrossOverview, Traceability, Alert Rules, Resource Config, Action Log,andAttribution Event.InOverviewyou can seeDetailsandIaC Resource Detailswhich include information on IaC Framework the resource is using,Git ProviderandGit Organizationfrom where the resource is hosted, including the IaC filename, last modification information and update.InTraceabilityyou can see Details and Build-time Resource which include information on the resource IaC State, if the resource has drifted or not. Traceability tag includes the yor_trace tag that Prisma Cloud uses to trace drifts using Checkov. In summary on the build-time resource you can seeRepository, File PathandResourcethe alert originates.UsingView Drift Details, you can access the drift onCode Security > Projectsand choose toFixorSuppressthe drift (if the status is open). You can also choose to view the alert origin on the AWS or Azure cloud platform by selectingView in Console.
- Dismiss and SnoozeIn addition to monitoring which resource you choose to receive an alert, you choose to Dismiss or Snooze an alert within a policy violation. In this example, you see the Dismiss and Snooze actions corresponding to the resource and alert ID.
- Dismiss: You can manually dismiss an alert even when the issue is not resolved with a mandatory reason for dismissing the alert. You can choose to reopen a dismissed alert if needed manually. Alerts that are manually dismissed remainDismissedeven when the same policy violation reoccurs.
- Snooze: You can temporarily snooze an active alert for a specific period with a mandatory reason for snoozing the alert. At the expiration of the specific timer, the alert automatically changes to anOpenorResolvedstatus depending on if the drift was fixed.Suppressing a drift on Projects parallelly suppresses a drift alert rule configured.
Troubleshoot Drift Detection
Listed here are causes that maybe effecting the drift detection in your integrated repositories.
- Your Prisma Cloud user role is restricting you from detecting drift. Ensure you have the right permissions when onboarding AWS and Azure accounts. See Prisma Cloud Administrator Permissions to know more.
- The code or cloud account with a runtime resource is not onboarded.
- Ensure your repository is private.
- The changes in CloudFormation are not deployed.
- Ensure three policies are enabled on Policies for drift detection.
- AWS traced resources are manually modified`
Recommended For You
Recommended videos not found.