
Configuration Drift

5 automated security scanners


Purpose: The IaC_Template_Version_Drift Scanner is designed to identify discrepancies and inconsistencies in infrastructure-as-code (IaC) templates across various environments. By comparing current configurations with expected versions, this scanner helps ensure that all cloud resources are aligned with the intended state, thereby mitigating security risks and operational inconsistencies.

What It Detects:

  • S3 Configuration Drift:

    • The scanner flags buckets whose BlockPublicAcls setting is false, since that setting is what restricts public access via ACLs.
    • It verifies whether server-side encryption is configured, which is crucial for data security.
    • It identifies the presence of AllUsers or AuthenticatedUsers in ACLs, which can lead to unauthorized access.
  • IAM Policy Drift:

    • The scanner detects policies with unrestricted permissions ("Effect": "Allow" and "Action": "*"), which can lead to security vulnerabilities.
    • It flags the use of the root user ARN, emphasizing the importance of least privilege principles.
    • It checks for policy creation dates to identify outdated or unused policies that might need review and potential removal.
  • EC2 Security Group Drift:

    • The scanner identifies security groups with overly permissive ingress rules, which can expose systems to unauthorized access.
    • It detects the use of default security groups known for their less secure configurations.
  • CloudTrail Configuration Drift:

    • It ensures that CloudTrail logging is enabled and correctly configured to prevent data loss or manipulation.
    • It checks for log file validation settings to ensure integrity and authenticity of logged events.
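
To make the detection list above concrete, here is an added example (not code from this page or from the scanner product it describes) that runs the same four groups of checks over constructed sample data. The input dicts are shaped like the boto3 responses for get_public_access_block, get_bucket_encryption, get_bucket_acl, get_policy_version, describe_security_groups and get_trail_status, but are built inline with placeholder names, IDs and ARNs so the script runs offline. The severity assigned to each finding follows the Risk Levels and Example Findings sections where they are explicit and is otherwise this example's own choice. Because the other four scanners on this page check the same S3, IAM, EC2 and CloudTrail settings, the example serves their detection lists as well.

```python
import json
import re

# Constructed sample data shaped like the boto3 responses named in the lead-in;
# bucket names, IDs and ARNs are placeholders, not real resources.
SAMPLE_BUCKETS = [
    {"Name": "example-bucket", "PublicAccessBlock": {"BlockPublicAcls": False},
     "Encryption": None,  # get_bucket_encryption reported nothing configured
     "AclGrants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    {"Name": "hardened-bucket", "PublicAccessBlock": {"BlockPublicAcls": True},
     "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
     "AclGrants": [{"Grantee": {"ID": "bucket-owner"}, "Permission": "FULL_CONTROL"}]},
]
SAMPLE_POLICIES = [
    {"PolicyName": "AdminPolicy",
     "Document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"PolicyName": "RootTrust",
     "Document": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}},
]
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-12345678", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0abc0abc", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
SAMPLE_TRAILS = [{"Name": "main-trail", "IsLogging": False,
                  "LogFileValidationEnabled": True, "IsMultiRegionTrail": False}]

PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
ROOT_ARN_RE = re.compile(r"arn:aws:iam::.*?:root")  # the pattern quoted on the page
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]  # assignments below are this example's choice
TRAIL_FLAGS = {"IsLogging": ("High", "logging is not enabled"),
               "LogFileValidationEnabled": ("Low", "log file validation is disabled"),
               "IsMultiRegionTrail": ("Low", "trail does not cover all regions")}

def _finding(severity, resource, message):
    return {"severity": severity, "resource": resource, "message": message}

def _as_list(value):  # IAM documents allow a bare string wherever a list is legal
    return [] if value is None else value if isinstance(value, list) else [value]

def check_s3(bucket):
    """Public access block, default encryption and ACL grants to public groups."""
    name, out = bucket["Name"], []
    if not (bucket.get("PublicAccessBlock") or {}).get("BlockPublicAcls", False):
        out.append(_finding("Critical", name, "BlockPublicAcls is false; public ACLs are not blocked"))
    if not bucket.get("Encryption"):
        out.append(_finding("Medium", name, "no default server-side encryption configured"))
    for grant in bucket.get("AclGrants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            out.append(_finding("High", name, f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}"))
    return out

def check_iam(policy):
    """Allow statements with a wildcard action, and any reference to the root user ARN."""
    name, out = policy["PolicyName"], []
    for stmt in _as_list(policy["Document"].get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")):
            out.append(_finding("Critical", name, 'statement allows "Action": "*"'))
        if ROOT_ARN_RE.search(json.dumps(stmt)):  # the ARN may sit in Principal or Resource
            out.append(_finding("Critical", name, "statement references the root user ARN"))
    return out

def check_security_group(sg):
    """Default group in use, and ingress rules open to the whole internet."""
    gid, out = sg["GroupId"], []
    if sg.get("GroupName") == "default":
        out.append(_finding("Medium", gid, "default security group is in use"))
    for rule in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        open_from = sorted(c for c in cidrs if c in OPEN_CIDRS)
        if open_from:
            proto = rule.get("IpProtocol")
            ports = "all traffic" if proto == "-1" else f"{rule.get('FromPort')}-{rule.get('ToPort')}/{proto}"
            out.append(_finding("High", gid, f"ingress from {', '.join(open_from)} on {ports}"))
    return out

def check_trail(trail):
    """Logging state, log file validation and multi-region coverage."""
    return [_finding(sev, trail["Name"], msg)
            for key, (sev, msg) in TRAIL_FLAGS.items() if not trail.get(key, False)]

def scan(buckets, policies, groups, trails):
    """Run every check and return the findings ordered by severity."""
    checks = [(buckets, check_s3), (policies, check_iam), (groups, check_security_group), (trails, check_trail)]
    findings = [f for items, check in checks for item in items for f in check(item)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))

if __name__ == "__main__":
    for f in scan(SAMPLE_BUCKETS, SAMPLE_POLICIES, SAMPLE_SECURITY_GROUPS, SAMPLE_TRAILS):
        print(f"[{f['severity']}] {f['resource']}: {f['message']}")
```

Two details matter when adapting this to live data: IAM documents may carry a bare string where a list is legal (handled by `_as_list`), and the root ARN can appear in a Principal, a Resource or a condition, so the check searches the serialised statement rather than one field.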

Inputs Required:

  • domain (string): Primary domain to analyze, providing context for resource identification.
  • aws_account_id (string): AWS account ID is necessary for configuration audit within the specific account.
  • aws_region (string): Specifies the AWS region targeted for the scan, ensuring regional consistency in findings.

Business Impact: Ensuring that infrastructure configurations are consistent and secure across different environments is critical to maintaining a robust security posture. Misconfigurations can lead to unauthorized access, data breaches, and compliance violations. This scanner helps maintain regulatory adherence and reduces the risk of unintended exposure or misuse of cloud resources.

Risk Levels:

  • Critical: Policies with unrestricted permissions or use of the root user ARN are considered critical as they pose significant security risks without adequate oversight.
  • High: Insecure ingress rules in security groups and misconfigurations in IAM policies can lead to high risk if left unaddressed.
  • Medium: Default security group usage and incomplete server-side encryption configurations represent medium risks that need attention for better security practices.
  • Low: While less severe, logging issues or minor ACL misconfigurations are still important to address for optimal operational efficiency.
  • Info: Informational findings such as default security groups not being used might be useful for optimizing resource management but carry minimal risk by themselves.

Example Findings:

  • A bucket configured with BlockPublicAcls set to false, indicating public access is allowed, which is a critical issue needing immediate attention.
  • An IAM policy granting all actions ("Action": "*") without specific conditions, posing a high risk of unauthorized activities and requiring review and potential modification.

Purpose: The Security Control Decay Scanner is designed to identify and report on potential vulnerabilities and misconfigurations in AWS environments by analyzing various aspects such as S3 bucket settings, IAM policies, EC2 security groups, CloudTrail configurations, and other common issues across multiple AWS services. This tool aims to assist in maintaining a robust security posture by detecting weaknesses that could lead to unauthorized access or data breaches.

What It Detects:

  • S3 Bucket Misconfigurations: Identifies S3 buckets with public access enabled, missing server-side encryption, or permissions granted to AllUsers or AuthenticatedUsers.
  • IAM Policy Vulnerabilities: Detects overly permissive IAM policies that allow all actions ("Action": "*"), use of the root user ARN (arn:aws:iam::.*?:root), and outdated creation dates for users.
  • EC2 Security Group Issues: Identifies EC2 security groups with open ports to the internet or overly permissive rules.
  • CloudTrail Configuration Flaws: Detects CloudTrail trails that are not enabled, have logging disabled, or do not cover all regions.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com).
  • aws_account_id (string): AWS account ID for configuration audit.
  • aws_region (string): AWS region to focus the scan on.

Business Impact: This scanner is crucial as it helps in proactively identifying and addressing security control decay, which can lead to significant vulnerabilities that may be exploited by malicious actors. By detecting misconfigurations early, organizations can mitigate risks associated with data breaches, unauthorized access, and other potential threats.

Risk Levels:

  • Critical: Conditions such as public S3 buckets without encryption or overly permissive IAM policies allowing all actions are considered critical as they directly impact the security of sensitive information and system integrity.
  • High: Issues like open ports in EC2 security groups or incomplete CloudTrail configurations are high risk, as they can lead to unauthorized data access and audit trail gaps.
  • Medium: Lower severity issues include outdated user accounts that may not be actively monitored but still pose a potential risk if left unaddressed.
  • Low: Informational findings such as minor misconfigurations in IAM policies or S3 bucket settings are considered low risk unless they escalate into more severe conditions.
  • Info: These are general configurations and do not directly impact security but can be useful for operational improvements.

Example Findings:

  • A critical finding could be a public S3 bucket that allows unrestricted access, posing a significant data exposure risk.
  • An example of high risk would be an EC2 instance with multiple open ports, which increases the attack surface and potential entry points for unauthorized users.

Purpose: The Hardening Standards Erosion Scanner is designed to detect baseline security degradation and exception accumulation by analyzing AWS configurations to ensure compliance with hardening standards. It identifies deviations from secure settings in S3, IAM, EC2, and CloudTrail, providing a comprehensive view of potential vulnerabilities and misconfigurations within an organization’s AWS environment.

What It Detects:

  • S3 Configuration Issues:

    • Public Access: The scanner detects if the BlockPublicAcls setting in S3 buckets is set to false, indicating that the bucket allows public access.
    • Encryption: It checks for the absence of server-side encryption configuration, which could lead to data exposure.
    • Permissions: Identifies policies granting access to AllUsers or AuthenticatedUsers, potentially exposing sensitive information.
  • IAM Policy Vulnerabilities:

    • Overly Permissive Policies: The scanner identifies IAM policies with an “Allow” effect and a wildcard action, which can lead to excessive permissions being granted.
    • Root User Usage: It flags the use of the root user in IAM policies, which is highly risky as it lacks multi-factor authentication protections.
    • Policy Creation Date: Flags policies created before a certain date to monitor long-standing permissions that may have been forgotten or abused.
  • EC2 Security Group Misconfigurations:

    • Open Ports: The scanner detects security groups with open ports that are not restricted, potentially allowing unauthorized access.
    • Inbound Rules: Identifies inbound rules allowing traffic from 0.0.0.0/0, which is overly permissive and insecure.
  • CloudTrail Configuration Gaps:

    • Logging Disabled: Checks if CloudTrail logging is disabled for any regions, leading to a lack of audit trail for critical activities.
    • Data Events: Detects missing data event logging configurations, which are crucial for detailed security auditing.

Inputs Required:

  • domain (string): The primary domain to analyze, such as acme.com, providing context for the scope of the audit.
  • aws_account_id (string): The AWS account ID associated with the configuration audit, enabling targeted analysis within a specific account.
  • aws_region (string): Specifies the AWS region to focus on during the scan, ensuring localized analysis and minimizing unnecessary data retrieval.

Business Impact: This scanner is critical for maintaining secure configurations in AWS environments as it helps prevent unauthorized access, potential data breaches, and compliance violations that could lead to significant financial losses and legal repercussions.

Risk Levels:

  • Critical: Conditions where BlockPublicAcls in S3 buckets is set to false, IAM policies with “Allow” and “*” without restrictions, and the use of the root user are considered critical risks as they directly impact security posture and compliance.
  • High: Overly permissive IAM policies and open ports in EC2 security groups pose high risk by granting excessive permissions or allowing unrestricted access to resources.
  • Medium: Missing server-side encryption in S3 buckets and incomplete CloudTrail data event logging are considered medium risks as they may lead to significant vulnerabilities if not addressed promptly.
  • Low: Informational findings such as policies created long ago without review might be low risk but should still be monitored for compliance and security practices.

Example Findings:

  • “Bucket example-bucket has public access via ACL, which is highly insecure.”
  • “Policy AdminPolicy is overly permissive, allowing all actions on the specified resources.”
  • “Security group sg-12345678 allows inbound traffic from 0.0.0.0/0, posing a significant risk of unauthorized access.”

Purpose: The Cloud Configuration Regression Scanner is designed to detect and alert on changes that revert secure settings, unauthorized permissions, and default configurations in cloud environments. This ensures that security policies remain intact and unauthorized modifications are identified promptly.

What It Detects:

  • Reverted Secure Settings:

    • Identifies S3 buckets with BlockPublicAcls set to false, indicating public access is allowed.
    • Flags S3 buckets without server-side encryption, which can lead to data exposure.
    • Alerts on S3 buckets accessible by AllUsers or AuthenticatedUsers, potentially exposing sensitive information.
  • Permission Creep:

    • Identifies IAM policies that allow all actions ("Action": "*"), which could lead to unauthorized access.
    • Detects the use of the root user in IAM roles, posing a significant security risk.
    • Flags recent policy creation dates, suggesting potential unauthorized changes.
  • Default Reversion:

    • Highlights EC2 security groups with default open rules that may not be secured.
    • Detects S3 buckets with default bucket policies allowing public access.
    • Flags IAM roles that have not been customized from their default settings, which could lead to unauthorized activities.
  • CloudTrail Activity:

    • Identifies unauthorized or suspicious API calls in CloudTrail logs.
    • Detects changes to security-related policies over time, indicating potential policy manipulation.
  • Configuration Drift:

    • Identifies configurations that have drifted from the expected secure state, which could lead to unintentional exposure of data.
    • Flags modifications to access controls not intended or authorized by default settings.
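
What sets the regression checks above apart from the single-snapshot scanners earlier on this page is that they need two states: the one the templates define and the one the account reports now. The following added example (not the scanner's own code) diffs a constructed baseline against a constructed current snapshot and sorts every difference into the categories the list uses: a secure setting moved away from its only acceptable value, a grant or ingress list that grew, a value that fell back to a platform default, a resource the templates never defined, or plain drift. The snapshot layout, the three classification tables and the severities are this example's assumptions; the S3 entry in the defaults table reflects that S3 applies SSE-S3 (AES256) when no encryption is configured. The same comparison covers the "General Configuration Drift" item of the Compliance Posture Regression Scanner further down.

```python
# Constructed snapshots of the same resources at two points in time. BASELINE is
# the state the approved templates define; CURRENT is what the account reports
# now. Names and values are placeholders, not output of any real tool.
BASELINE = {
    "s3": {"example-bucket": {"BlockPublicAcls": True, "SSEAlgorithm": "aws:kms"}},
    "iam": {"DeployRole": {"Actions": ["s3:GetObject", "s3:PutObject"]}},
    "ec2": {"sg-12345678": {"Ingress": ["10.0.0.0/8"]}},
    "cloudtrail": {"main-trail": {"IsLogging": True, "S3BucketName": "audit-logs-a"}},
}
CURRENT = {
    "s3": {"example-bucket": {"BlockPublicAcls": False, "SSEAlgorithm": "AES256"}},
    "iam": {"DeployRole": {"Actions": ["s3:GetObject", "s3:PutObject", "iam:*"]}},
    "ec2": {"sg-12345678": {"Ingress": ["10.0.0.0/8", "0.0.0.0/0"]},
            "sg-0abc0abc": {"Ingress": ["0.0.0.0/0"]}},  # defined in no template
    "cloudtrail": {"main-trail": {"IsLogging": False, "S3BucketName": "audit-logs-b"}},
}

# Settings with exactly one acceptable value: moving away from it is a reverted secure setting.
SECURE_VALUES = {"BlockPublicAcls": True, "IsLogging": True, "LogFileValidationEnabled": True}
# Lists of grants or allowed sources: growth is permission creep.
GRANT_LISTS = {"Actions", "Ingress"}
# Values the platform applies when nothing is configured (assumed table): landing on one is default reversion.
DEFAULT_VALUES = {"SSEAlgorithm": "AES256", "IsMultiRegionTrail": False}


def flatten(node, path=()):
    """Yield (path, leaf) for every leaf of a nested dict; lists count as leaves."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, path + (key,))
    else:
        yield path, node


def classify(path, old, new):
    """Return (kind, severity) for one setting whose value differs between snapshots."""
    key = path[-1]
    if old is None:
        return "unmanaged_resource", "Medium"  # present in the account, absent from the templates
    if new is None:
        return "missing_resource", "Medium"
    if key in SECURE_VALUES and old == SECURE_VALUES[key] and new != SECURE_VALUES[key]:
        return "reverted_secure_setting", "Critical"
    if key in GRANT_LISTS and set(new) - set(old):
        return "permission_creep", "High"
    if key in DEFAULT_VALUES and new == DEFAULT_VALUES[key]:
        return "default_reversion", "Medium"
    return "drift", "Low"


def compare(baseline, current):
    """Diff two snapshots and classify every difference."""
    base, cur = dict(flatten(baseline)), dict(flatten(current))
    changes = []
    for path in sorted(set(base) | set(cur)):
        old, new = base.get(path), cur.get(path)
        if old == new:
            continue
        kind, severity = classify(path, old, new)
        changes.append({"resource": "/".join(path[:-1]), "setting": path[-1],
                        "kind": kind, "severity": severity, "old": old, "new": new})
    return changes


def regressions(baseline, current):
    """Only the changes that undo a security control: what this scanner would alert on first."""
    return [c for c in compare(baseline, current) if c["severity"] in ("Critical", "High")]


if __name__ == "__main__":
    for c in compare(BASELINE, CURRENT):
        print(f"[{c['severity']}] {c['resource']} {c['setting']}: {c['old']!r} -> {c['new']!r} ({c['kind']})")
```

The order of the tests in `classify` is deliberate: a resource that exists in only one snapshot is reported as such before any value rule fires, so a brand-new security group open to 0.0.0.0/0 surfaces as unmanaged rather than as creep on a resource nobody approved.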

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com).
  • aws_account_id (string): AWS account ID for configuration audit.
  • aws_region (string): AWS region to target for the scan.

Business Impact: This scanner is crucial as it helps in maintaining a secure cloud environment by promptly identifying and rectifying changes that revert important security settings, unauthorized permissions, and default configurations. These issues can lead to significant data breaches and compliance violations if not addressed promptly.

Risk Levels:

  • Critical: Immediate attention is required for critical findings such as reverted secure settings in S3 buckets or IAM policies allowing root user usage.
  • High: High severity includes permission creep, where broad permissions are granted unintentionally, posing a significant risk to the security of the cloud environment.
  • Medium: Medium severity involves default reversion issues that might not be immediately critical but could escalate if left unchecked.
  • Low: Low and informational findings pertain to configuration drift or minor deviations from expected secure settings, which are still important for monitoring but less urgent than higher risks.

Example Findings:

  • An S3 bucket has its BlockPublicAcls set to false, potentially exposing data to unauthorized users.
  • An IAM policy allows all actions and uses the root user, posing a severe security risk by granting unlimited permissions to anyone with access to this policy.

Purpose: The Compliance Posture Regression Scanner is designed to detect regulatory drift and control framework divergence by analyzing AWS configurations. It aims to ensure compliance with security best practices through the identification of potential security gaps that may arise from configuration changes over time.

What It Detects:

  • S3 Bucket Configuration Issues:

    • Public Access: Detects buckets where BlockPublicAcls is set to false.
    • Encryption: Identifies buckets without server-side encryption enabled.
    • Permissions: Flags buckets with permissions granted to AllUsers or AuthenticatedUsers.
  • IAM Policy Vulnerabilities:

    • Overly Permissive Policies: Detects policies with "Effect": "Allow" and "Action": "*" which grant full access.
    • Root User Usage: Identifies actions performed by the root user (arn:aws:iam::.*?:root).
    • Policy Creation Date: Checks for recently created policies (e.g., within the last year).
  • EC2 Security Group Misconfigurations:

    • Open Ports: Detects security groups with open ports to the internet.
    • Default Security Groups: Identifies usage of default security groups which may have permissive rules.
  • CloudTrail Configuration Issues:

    • Logging Disabled: Checks if CloudTrail logging is disabled for any regions.
    • Multi-Region Logging: Ensures that CloudTrail logs are enabled across all required regions.
  • General Configuration Drift:

    • Unexpected Changes: Detects unexpected changes in configuration settings that deviate from the expected security posture.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com).
  • aws_account_id (string): AWS account ID for configuration audit.
  • aws_region (string): AWS region to focus on.

Business Impact: This scanner is crucial as it helps in maintaining a robust security posture by identifying potential gaps and deviations from best practices, which could lead to regulatory non-compliance or significant security vulnerabilities.

Risk Levels:

  • Critical: Conditions that directly impact critical systems or where compliance with regulations is mandatory.

    • Examples: Public access blocks not enforced, lack of server-side encryption for S3 buckets, overly permissive IAM policies granting full access.
  • High: Conditions that significantly increase the risk of security breaches or violations.

    • Examples: Use of root user in critical operations, failure to enable CloudTrail logging across all regions.
  • Medium: Conditions that may lead to moderate risks if not addressed promptly.

    • Examples: Inadequate permissions on S3 buckets, use of default security groups with open ports.
  • Low: Informational or non-critical issues that might be relevant for continuous improvement but do not pose immediate threats.

    • Examples: Minor deviations in configuration settings, unutilized resources without significant risk exposure.

Example Findings:

  • “Bucket example-bucket has BlockPublicAcls set to false.”
  • “Policy ExamplePolicy is overly permissive and grants full access.”