Set up Drift Analysis

Any change to a cloud resource's configuration is a potential violation of cloud security best practices. Tenable Cloud Security helps you analyze drifts and identify resource drifts and violations both in the IaC code and in the resources deployed in the cloud, and then lets you review and remediate those violations. Setting up drift analysis allows you to assess the posture of your cloud deployment continuously and flag any drift from the posture defined in the code.

To calculate drifts, Tenable Cloud Security maps your IaC resources to the corresponding cloud resources in your cloud account. A mapped resource is any resource in the cloud that has a matching configuration in IaC. An unmapped resource is any resource in the cloud that does not have a matching configuration in IaC.

Tenable Cloud Security helps you analyze the following types of drift and provides information on how to review and remediate them:

  • IaC Drifts — IaC drifts, or code-to-cloud drifts, occur when a cloud resource is mapped to an IaC resource but the configuration parameter values of the cloud resource differ from the configuration parameter values in the IaC.

  • Cloud Drifts — Cloud to Cloud drift counts the resources that have configuration changes between two consecutive cloud scans. You can also set a baseline for a project to calculate the drift of the current scan from the baseline.

If both IaC and Cloud drifts exist for a resource, the IaC drift takes precedence.
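The classification rules above (mapped versus unmapped resources, IaC drift, cloud-to-cloud drift against a previous scan or a pinned baseline, and IaC precedence) in runnable form. This is an added illustration, not Tenable Cloud Security's own code; the resource identifiers, the flat parameter dictionaries, and the treatment of a resource absent from the baseline are assumptions made for the example.

```python
from typing import Any, Dict, List

# Constructed sample data: resource id -> configuration parameters.
IAC_RESOURCES: Dict[str, Dict[str, Any]] = {
    "aws_s3_bucket.logs": {"versioning": True, "acl": "private"},
    "aws_security_group.web": {"ingress_cidr": "10.0.0.0/8", "port": 443},
}
PREVIOUS_SCAN: Dict[str, Dict[str, Any]] = {
    "aws_s3_bucket.logs": {"versioning": True, "acl": "private"},
    "aws_security_group.web": {"ingress_cidr": "10.0.0.0/8", "port": 443},
    "aws_iam_user.temp": {"mfa": False},  # exists in the cloud only (unmapped)
}
CURRENT_SCAN: Dict[str, Dict[str, Any]] = {
    "aws_s3_bucket.logs": {"versioning": False, "acl": "private"},  # differs from IaC
    "aws_security_group.web": {"ingress_cidr": "10.0.0.0/8", "port": 443},
    "aws_iam_user.temp": {"mfa": True},  # unmapped, changed since the previous scan
}


def changed_keys(old: Dict[str, Any], new: Dict[str, Any]) -> List[str]:
    """Parameter names whose values differ between two configurations."""
    return sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))


def classify_drift(iac: Dict[str, Dict[str, Any]],
                   current: Dict[str, Dict[str, Any]],
                   baseline: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Classify every resource in the current scan.

    `baseline` is either the previous scan (consecutive-scan drift) or a
    pinned baseline scan for the project. Assumption: a resource that is
    absent from the baseline is reported as cloud drift on all of its keys.
    """
    findings: Dict[str, Dict[str, Any]] = {}
    for rid, cfg in current.items():
        mapped = rid in iac  # mapped = has a matching IaC configuration
        iac_diff = changed_keys(iac[rid], cfg) if mapped else []
        cloud_diff = changed_keys(baseline.get(rid, {}), cfg)
        if iac_diff:          # IaC drift takes precedence over cloud drift
            kind, diff = "iac_drift", iac_diff
        elif cloud_diff:
            kind, diff = "cloud_drift", cloud_diff
        else:
            kind, diff = "none", []
        findings[rid] = {"mapped": mapped, "drift": kind, "changed": diff}
    return findings


def count_cloud_drifts(findings: Dict[str, Dict[str, Any]]) -> int:
    """Cloud-to-cloud drift is reported as a count of drifted resources."""
    return sum(1 for f in findings.values() if f["drift"] == "cloud_drift")
```

Calling `classify_drift(IAC_RESOURCES, CURRENT_SCAN, PREVIOUS_SCAN)` flags the bucket as IaC drift (even though it also changed between scans) and the IAM user as cloud drift.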

See the following topics: