Resource Configuration Scanning
🚧 This capability reference page is a draft.
If you want to be notified when the capability reference page is finished, click here.
After implementing policies that proactively prevent insecure or incompliant resource configurations with Resource Configuration Policies, cloud foundation teams should consider looking into scanning cloud resources for risky configurations and reacting accordingly with an Incident Management Process.
Overview of Tools for Cloud Resource Configuration Scanning
There are a number of different tools and techniques that Cloud Foundation Teams can leverage to implement cloud resource configuration scanning. These tools have different strengths and weaknesses.
🌤️ Cloud foundation teams should strongly consider starting with the first-party solutions offered by cloud providers as they benefit from tight integration and timely updated support for new cloud services and resource types.
Implementing Resource Configuration Scanning on AWS
For an AWS cloud platform, most foundation teams leverage the following services
AWS Guard Duty - monitors AWS Accounts and resource configuration for IaaS and Container Workloads
AWS Config - records change events to AWS resources and evaluates them against policies for a wide range of services
One practical downside of these solutions is their lack of cost predictability due to complex pricing models and a strong dependence on the actual workloads and resources deployed by your organization. Another challenge is that achieving a comprehensive overview of all resources requires extensive knowledge of a myriad of services and solutions.
Implementing Resource Configuration Scanning on Azure
On Azure, most foundation teams leverage Azure Policy with
audit effects in combination with Azure Security Center and optionally Azure Sentinel. The integration between policy and result reporting in Azure Security is very strong, including initiative management (grouping of multiple policies) and built-in dashboarding.
Implementing Resource Configuration Scanning on GCP
Google Cloud offers some built-in capabilities for configuration scanning as part of the extensive Security Command Center product. Depending on your organization’s needs, this solution may be oversized (or exactly what you need) since it also covers Incident Management Process and Cloud SIEM needs as well.
⛈️ The Forseti open source solution developed by Google has seen its latest releases in 2020. At this point we don’t advise adopting it for new implementations.
GCP also offers a strong cloud asset inventory service based on big query that makes implementing custom policies possible.
Cloud Security Posture Management Solutions
Cloud foundation teams that need to provide multi-cloud coverage should evaluate third-party Cloud Security Posture Management solutions like Prisma Cloud. These solutions provide cloud resource configuration, often based on custom asset inventories and bespoke policy engines. Some of these tools also include “abstraction layers” for cloud resources across multiple clouds. Formulating policies against these abstraction layers can simplify policy implementation effort by writing policies only once, at the sacrifice of precision and the ability to account for cloud-specific configuration issues.
Enforcing Compliance at Deployment-Time
When your organization uses a standardized SDLC toolchain (e.g. GitHub and deploying all resources via Terraform Cloud), enforcing compliance via tools like Sentinel is an option. However, in practice we see most organizations not having the required standardization in deployment processes and cloud foundation teams not in the right position to enforce these practices. This does not mean that adding these components does not provide value to the organization, but we see their role more in augmenting resource configuration scanning implemented at the cloud platform level rather than as a full replacement.
Currently no tool implementations documented. Contributions welcome!