View Cloud Drifts

Cloud drift counts the resources whose configuration changed between two consecutive cloud scans. If you have set a baseline, the cloud drift is instead the difference in configuration between the current scan and the baseline. For example, you run a cloud scan that detects an EC2 instance with termination protection enabled. After the scan, you disable the termination protection on this EC2 instance. In the next cloud scan, Tenable Cloud Security detects this change and shows it as a cloud drift. Cloud drifts only occur on unmapped resources.

To view the cloud drift:

  1. In the left navigation bar, click Resources.

    The Resources page appears.

  2. Click the Resources with Drift tab.

    The list of all resource types with drifts appears.

  3. Click the Filters icon.

    Tenable Cloud Security shows the available resource filters.

  4. In the Compliance state section, select Has Cloud Drifts.

  5. (Optional) Use the following filter options to further filter the resource types:

    • Projects — Filters by project names.

    • Cloud Accounts — Filters by cloud accounts.

    • Repository — Filters by repositories.

    • K8s clusters — Filters by Kubernetes clusters.

    • Source — Filters by types: IaC, Cloud, State File, Mapped (IaC & Cloud).

    • Insights — Filters by the types of violations found: Exposed blob stores, Exposed databases, Read/write IAM, and Exposed security groups.

    • Compliance State — Filters by compliance states: Has Violations, Has IaC Drifts, and Has Cloud Drifts.

    • Resource Type — Filters by resource types.

    • VPC Filter — Filters by VPC source.

  6. Select the required filters and click Apply.

    Tenable Cloud Security shows the results on the Resources page.

  7. Click the resource type that you want to view.

    All resources with drift for that resource type appear.

  8. Click the resource ID that you want to view.

    The Resource Details tab appears.

  9. Click Drifts.

    Tenable Cloud Security shows the comparison of the previous or baseline configuration with the current configuration.

  10. Click the Drift values filter to select the type of drift:

    • Computed — Configuration that is computed at run time. For example, IaC does not have a value for ARN, but the cloud equivalent configuration usually has an ARN value. In this case, the ARN might show as Computed on the IaC side or not show at all.

    • Missing in IaC — Configuration that does not exist in IaC, but exists in the cloud. Therefore, it is a new parameter added or modified in the cloud.

    • Missing in Cloud — Configuration that was configured in IaC, but Tenable Cloud Security could not find a matching configuration in the cloud. The configuration can be missing for any of the following reasons:

      • The IaC configuration was not pushed and therefore, the configuration was not propagated to the cloud.

      • The IaC configuration does not have an equivalent cloud value.

      • Someone disabled or removed the configuration from the cloud.
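The following is an added illustration of the two comparisons this page describes, written for this page and not part of Tenable Cloud Security: one function diffs two consecutive cloud scans of a resource (the termination-protection scenario above), and another labels IaC-versus-cloud differences with the Drift values categories. It assumes flat attribute dictionaries, a `COMPUTED` placeholder plus a small set of run-time-only attribute names such as `arn` to model the Computed case, and treats a value that differs on both sides as Missing in IaC, following the note that parameters modified in the cloud fall under that label.

```python
"""Toy model of cloud drift and drift-value classification (added example)."""
from typing import Any, Dict, Tuple

COMPUTED = "<computed>"            # IaC placeholder for a value known only after deployment
COMPUTED_ATTRS = {"arn", "id"}     # assumption: attributes never authored in IaC


def cloud_drift(previous: Dict[str, Any], current: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Compare two consecutive cloud scans (or baseline vs. current scan) of one
    resource; return {attribute: (old_value, new_value)} for every changed attribute."""
    changes = {}
    for key in sorted(set(previous) | set(current)):
        old, new = previous.get(key), current.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


def classify_drift_values(iac: Dict[str, Any], cloud: Dict[str, Any]) -> Dict[str, str]:
    """Label each differing attribute with one of the Drift values filter types:
    Computed, Missing in IaC, or Missing in Cloud. Matching attributes are omitted."""
    labels = {}
    for key in sorted(set(iac) | set(cloud)):
        iac_has = key in iac and iac[key] != COMPUTED   # a COMPUTED placeholder is not a real value
        cloud_has = key in cloud
        if cloud_has and not iac_has and (key in COMPUTED_ATTRS or iac.get(key) == COMPUTED):
            labels[key] = "Computed"          # e.g. ARN: only the cloud can supply it
        elif cloud_has and not iac_has:
            labels[key] = "Missing in IaC"    # parameter added directly in the cloud
        elif iac_has and not cloud_has:
            labels[key] = "Missing in Cloud"  # not pushed, no cloud equivalent, or removed
        elif iac_has and cloud_has and iac[key] != cloud[key]:
            labels[key] = "Missing in IaC"    # value modified in the cloud (assumption, see lead-in)
    return labels


# Constructed sample data: one EC2 instance scanned twice; termination protection
# was disabled between the scans, which is the scenario described on this page.
SCAN_1 = {"instance_id": "i-0123456789abcdef0", "disable_api_termination": True, "instance_type": "t3.micro"}
SCAN_2 = {"instance_id": "i-0123456789abcdef0", "disable_api_termination": False, "instance_type": "t3.micro"}

# Constructed IaC definition of the same instance beside its current cloud configuration.
IAC_CFG = {"instance_type": "t3.micro", "disable_api_termination": True, "arn": COMPUTED, "monitoring": True}
CLOUD_CFG = {"instance_type": "t3.micro", "disable_api_termination": False,
             "arn": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
             "tags": {"owner": "ops"}}

if __name__ == "__main__":
    print("cloud drift:", cloud_drift(SCAN_1, SCAN_2))
    print("drift values:", classify_drift_values(IAC_CFG, CLOUD_CFG))
```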