Ensure provisioned resources are not manually modified

Error: Provisioned resources are manually modified

Bridgecrew Policy ID: BC_AWS_DRIFT_1, BC_AWS_DRIFT_2, BC_AZR_DRIFT_2, BC_GCP_DRIFT_2
Severity: HIGH

Provisioned resources are manually modified

Description

A central challenge when managing infrastructure as code is configuration drift. Drift is defined as any case where the state of your infrastructure differs from the state defined in your configuration files.

Drift usually occurs when users either add, remove or modify resources outside of the Infrastructure-as-Code provisioning lifecycle. Drifts can also occur without human-intervention, for example, when resources are terminated or have failed, and when changes have been made by cloud provider or other automation tools.

When a live configuration drifts from its code-defined state, and its current value is the desired value, this live outcome would eventually be overwritten by the next Infrastructure-as-Code deployment cycle. Alternatively, when a live configuration drift from its code-defined state, and its current value is not the desired value, this live outcome could possibly create a trust-boundary breach that could be abused by external threat actors.

Resources that are provisioned using Infrastructure-as-Code should be managed and modified only via their code version, and not manually through the cloud.

We recommend preventing drift to ensure configurations meet their intended functions. When a drift is identified, trace the origin of the drift and based on the current wanted outcome, either revert the configuration change using Infrastructure-as-Code, or modify it to assert the correct intended state.