
Support catching infrastructure drift / New check to analyze customer tags #2678

Open
ckdake opened this issue Aug 4, 2023 · 2 comments
Labels
feature-request New feature request for Prowler. need information new check idea provider/aws Issues/PRs related with the AWS provider severity/informational Cosmetic or nice-to-have. status/awaiting-reponse Waiting response from Issue owner

Comments


ckdake commented Aug 4, 2023

New feature motivation

I'd like to be able to use prowler to detect, at least a subset of, infrastructure drift: where infrastructure no longer matches what is in configuration. This would allow me to identify resources that were created/modified outside of my infrastructure automation tooling, which ensures the security controls I have implemented in my tooling are actually applied in production.

Solution Proposed

A first step of a check that would be useful to me is an "untagged_resources" flag for each check that prowler performs against AWS, that would "fail" a check if a resource in aws is missing a tag specified in prowler configuration. For example, I apply a default tag of managed_by=terraform. If prowler finds a resource that is missing that tag, it should fail the check. I can do this by hand using "Resource Explorer" on AWS to search for untagged resources. This wouldn't catch changes to managed resources, but would catch unmanaged resources, which is a bigger concern (e.g. I can run terraform apply every day to ensure that things are applied, but terraform can't find things that are not in terraform).

A more robust implementation would work similarly to how driftctl works, looking at terraform state and the resources in the upstream provider (e.g. AWS) and catching differences, but this would require pulling in an interface to tfstate and having access to the state.

Describe alternatives you've considered

https://github.com/snyk/driftctl has been put into maintenance mode, and doesn't work with terraform state created with the newest version of the terraform provider. The end result is that driftctl is no longer usable. I built https://github.com/ckdake/driftctl2asff to get driftctl results into SecurityHub. It's not super robust, but you can read the driftctl2asff.py to get an idea of the things driftctl was checking.

Other tooling to detect drift has a variety of maturity, and is another stack to run/operate.

It would be fantastic to be able to use prowler to detect when infrastructure has drifted from configuration.

Additional context

No response

@ckdake ckdake added feature-request New feature request for Prowler. status/needs-triage Issue pending triage labels Aug 4, 2023
@jfagoagas jfagoagas self-assigned this Aug 4, 2023
@jfagoagas
Member

Hi @ckdake, this is a great idea and we can explore it in the following weeks. I'll get back to you next week or the week after.

Thanks!

@jfagoagas jfagoagas added the provider/aws Issues/PRs related with the AWS provider label Aug 4, 2023

toniblyx commented Oct 5, 2023

Hey @ckdake, as you said, what if we write a check that looks for custom tags (based on user configuration), would that do the trick? Something like "Ensure resources are customer tagged". Other ideas?

@toniblyx toniblyx added need information new check idea status/awaiting-reponse Waiting response from Issue owner severity/informational Cosmetic or nice-to-have. and removed status/needs-triage Issue pending triage labels Oct 5, 2023
@toniblyx toniblyx changed the title Support catching infrastructure drift Support catching infrastructure drift / New check to analyze customer tags Oct 5, 2023
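The check ckdake proposes in the issue body and the "customer tags" variant toniblyx suggests above, as an added example that is not Prowler's own code: a required tag key (and optional value) comes from configuration, and each resource gets a PASS or FAIL finding. The sample resource page, the ARNs and the `fetch_resources` helper are constructed or hypothetical.

```python
# Added example, not Prowler's own code: evaluate AWS resources against a
# required tag such as managed_by=terraform, as the proposed check would.
from dataclasses import dataclass

# Constructed sample mirroring the ResourceTagMappingList shape returned by
# the Resource Groups Tagging API GetResources call (ARNs are fictional).
SAMPLE_RESOURCE_PAGE = [
    {"ResourceARN": "arn:aws:s3:::example-logs",
     "Tags": [{"Key": "managed_by", "Value": "terraform"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc",
     "Tags": [{"Key": "Name", "Value": "adhoc-test"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0def",
     "Tags": [{"Key": "managed_by", "Value": "console"}]},
]

@dataclass
class Finding:
    resource_arn: str
    status: str           # "PASS" or "FAIL", as Prowler reports them
    status_extended: str  # human-readable reason

def check_required_tag(resources, required_key, required_value=None):
    """One Finding per resource: FAIL when the configured tag key is absent or,
    if a value is configured too, when it differs (compared case-sensitively)."""
    findings = []
    for res in resources:
        arn = res["ResourceARN"]
        tags = {t["Key"]: t["Value"] for t in res.get("Tags", [])}
        if required_key not in tags:
            findings.append(Finding(arn, "FAIL", f"{arn} has no '{required_key}' tag."))
        elif required_value is not None and tags[required_key] != required_value:
            findings.append(Finding(arn, "FAIL", f"{arn} has {required_key}="
                                    f"{tags[required_key]}, expected {required_value}."))
        else:
            findings.append(Finding(arn, "PASS", f"{arn} is tagged "
                                    f"{required_key}={tags[required_key]}."))
    return findings

def fetch_resources(session, region):
    """Hypothetical live-account helper (needs boto3 and tag:GetResources).
    GetResources lists tagged or previously tagged resources, so a never-tagged
    resource can be missed; a per-service inventory is the more complete source."""
    client = session.client("resourcegroupstaggingapi", region_name=region)
    resources = []
    for page in client.get_paginator("get_resources").paginate():
        resources.extend(page["ResourceTagMappingList"])
    return resources
```

Running `check_required_tag(SAMPLE_RESOURCE_PAGE, "managed_by", "terraform")` passes only the S3 bucket; the untagged instance and the console-tagged security group fail, which is exactly the unmanaged-resource signal the issue is after.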