Resource Configuration Scanning

⭐️⭐️⭐️ 🛬 Landing Zone

Scan cloud resource configurations against a catalog of configuration policies for potential security risks and compliance violations.

🚧 This capability reference page is a draft.


After implementing policies that proactively prevent insecure or non-compliant resource configurations (see Resource Configuration Policies), cloud foundation teams should consider scanning deployed cloud resources for risky configurations and reacting to the findings through an Incident Management Process.

Overview of Tools for Cloud Resource Configuration Scanning

There are a number of different tools and techniques that cloud foundation teams can leverage to implement cloud resource configuration scanning. These tools have different strengths and weaknesses.

🌤️ Cloud foundation teams should strongly consider starting with the first-party solutions offered by cloud providers as they benefit from tight integration and timely updated support for new cloud services and resource types.

Implementing Resource Configuration Scanning on AWS

For an AWS cloud platform, most foundation teams leverage the following services

One practical downside of these solutions is their lack of cost predictability due to complex pricing models and a strong dependence on the actual workloads and resources deployed by your organization. Another challenge is that achieving a comprehensive overview of all resources requires extensive knowledge of a myriad of services and solutions.

Implementing Resource Configuration Scanning on Azure

On Azure, most foundation teams leverage Azure Policy with audit effects in combination with Azure Security Center and optionally Azure Sentinel. The integration between policy and result reporting in Azure Security Center is very strong, including initiative management (grouping of multiple policies) and built-in dashboarding.

Implementing Resource Configuration Scanning on GCP

Google Cloud offers built-in capabilities for configuration scanning as part of the extensive Security Command Center product. Depending on your organization’s needs, this solution may be oversized (or exactly what you need), since it also covers Incident Management Process and Cloud SIEM needs.

⛈️ The Forseti open source solution developed by Google has seen its latest releases in 2020. At this point we don’t advise adopting it for new implementations.

GCP also offers a strong Cloud Asset Inventory service based on BigQuery that makes implementing custom policies possible.
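To make the "custom policies on top of an asset inventory" idea concrete, the following Python example (added here, not code from the page's authors or from any cloud provider) evaluates a small catalog of configuration policies over records shaped like a Cloud Asset Inventory export: one row per asset with `name`, `asset_type` and a `resource.data` payload. The payload field names (`iamConfiguration.publicAccessPrevention`, `settings.ipConfiguration.ipv4Enabled`, `networkInterfaces[].accessConfigs`) follow the GCS, Cloud SQL and Compute APIs; the records themselves, their resource names and the policy ids are constructed for this illustration. The example goes slightly beyond the single-sentence mention above by covering three asset types and both dict and JSON-string payloads, which is how the BigQuery export stores `resource.data`.

```python
"""Minimal custom configuration-scanning policy engine (added example).

Evaluates a catalog of policies over constructed asset-inventory
records. Asset field names follow the public Google Cloud APIs; the
records, names and policy ids below are made up for illustration.
"""
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    policy_id: str
    asset_name: str
    severity: str
    message: str


@dataclass(frozen=True)
class Policy:
    policy_id: str
    asset_type: str
    severity: str
    # Returns a violation message, or None when the asset is compliant.
    check: Callable[[Dict[str, Any]], Optional[str]]


def _get(data: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Safely read a dotted path such as 'iamConfiguration.publicAccessPrevention'."""
    cur: Any = data
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def bucket_public_access(data: Dict[str, Any]) -> Optional[str]:
    if _get(data, "iamConfiguration.publicAccessPrevention") != "enforced":
        return "publicAccessPrevention is not 'enforced'"
    return None


def bucket_uniform_access(data: Dict[str, Any]) -> Optional[str]:
    if _get(data, "iamConfiguration.uniformBucketLevelAccess.enabled") is not True:
        return "uniform bucket-level access is disabled (legacy ACLs allowed)"
    return None


def sql_public_ip(data: Dict[str, Any]) -> Optional[str]:
    if _get(data, "settings.ipConfiguration.ipv4Enabled") is True:
        return "instance has a public IPv4 address"
    return None


def vm_external_ip(data: Dict[str, Any]) -> Optional[str]:
    # An access config on a NIC means the VM has an external (NAT) IP.
    for nic in data.get("networkInterfaces", []):
        if nic.get("accessConfigs"):
            return f"interface {nic.get('name', '?')} has an external IP"
    return None


# Policy catalog: ids and severities are constructed for this example.
POLICIES: List[Policy] = [
    Policy("gcs-public-access-prevention", "storage.googleapis.com/Bucket", "HIGH", bucket_public_access),
    Policy("gcs-uniform-bucket-access", "storage.googleapis.com/Bucket", "MEDIUM", bucket_uniform_access),
    Policy("cloudsql-no-public-ip", "sqladmin.googleapis.com/Instance", "HIGH", sql_public_ip),
    Policy("gce-no-external-ip", "compute.googleapis.com/Instance", "MEDIUM", vm_external_ip),
]


def scan(assets: List[Dict[str, Any]], policies: List[Policy] = POLICIES) -> List[Finding]:
    """Run every policy that applies to an asset's type; collect violations."""
    by_type: Dict[str, List[Policy]] = {}
    for p in policies:
        by_type.setdefault(p.asset_type, []).append(p)
    findings: List[Finding] = []
    for asset in assets:
        data = asset.get("resource", {}).get("data", {})
        if isinstance(data, str):  # BigQuery export stores the payload as a JSON string
            data = json.loads(data)
        for p in by_type.get(asset.get("asset_type", ""), []):
            msg = p.check(data)
            if msg:
                findings.append(Finding(p.policy_id, asset["name"], p.severity, msg))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. for a dashboard or incident ticket."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory rows (not real assets).
SAMPLE_ASSETS: List[Dict[str, Any]] = [
    {"name": "//storage.googleapis.com/logs-archive",  # compliant bucket
     "asset_type": "storage.googleapis.com/Bucket",
     "resource": {"data": {"iamConfiguration": {"publicAccessPrevention": "enforced",
                                                "uniformBucketLevelAccess": {"enabled": True}}}}},
    {"name": "//storage.googleapis.com/website-assets",  # risky bucket, JSON-string payload
     "asset_type": "storage.googleapis.com/Bucket",
     "resource": {"data": json.dumps({"iamConfiguration": {"publicAccessPrevention": "inherited",
                                                           "uniformBucketLevelAccess": {"enabled": False}}})}},
    {"name": "//cloudsql.googleapis.com/projects/demo/instances/orders-db",
     "asset_type": "sqladmin.googleapis.com/Instance",
     "resource": {"data": {"settings": {"ipConfiguration": {"ipv4Enabled": True}}}}},
    {"name": "//compute.googleapis.com/projects/demo/zones/europe-west1-b/instances/bastion",
     "asset_type": "compute.googleapis.com/Instance",
     "resource": {"data": {"networkInterfaces": [{"name": "nic0", "accessConfigs": [
         {"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]}}},
    {"name": "//compute.googleapis.com/projects/demo/zones/europe-west1-b/instances/worker-1",
     "asset_type": "compute.googleapis.com/Instance",
     "resource": {"data": {"networkInterfaces": [{"name": "nic0"}]}}},
]


if __name__ == "__main__":
    results = scan(SAMPLE_ASSETS)
    for f in results:
        print(f"[{f.severity}] {f.policy_id}: {f.asset_name}: {f.message}")
    print(summarize(results))
```

Against the sample rows the scan yields four findings (two HIGH, two MEDIUM) and none for the compliant bucket. In a real deployment the `SAMPLE_ASSETS` list would be replaced by rows read from the BigQuery export, and the findings would feed the Incident Management Process rather than a print loop.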

Cloud Security Posture Management Solutions

Cloud foundation teams that need to provide multi-cloud coverage should evaluate third-party Cloud Security Posture Management solutions like Prisma Cloud. These solutions provide cloud resource configuration scanning, often based on custom asset inventories and bespoke policy engines. Some of these tools also include “abstraction layers” for cloud resources across multiple clouds. Formulating policies against these abstraction layers can reduce policy implementation effort, since each policy is written only once, at the cost of precision and the ability to account for cloud-specific configuration issues.

Enforcing Compliance at Deployment-Time

When your organization uses a standardized SDLC toolchain (e.g. GitHub, with all resources deployed via Terraform Cloud), enforcing compliance with tools like Sentinel is an option. In practice, however, we see that most organizations lack the required standardization of deployment processes, and cloud foundation teams are not in a position to enforce these practices. This does not mean that adding these components provides no value to the organization; we see their role as augmenting resource configuration scanning implemented at the cloud platform level rather than replacing it.

Currently no tool implementations documented. Contributions welcome!