Yesterday, we showed you how you can use Fugue Risk Manager to scan your AWS infrastructure, discover what resources you have running, and identify any policy violations for compliance frameworks like HIPAA, GDPR, NIST 800-53, and the AWS CIS Benchmarks.
Today we get to the really cool thing about Risk Manager: Detecting infrastructure drift that can lead to data breaches, compliance fines, and system downtime—and automatically remediating it when it occurs.
OK, let’s assume you’ve used Risk Manager to help you bring your AWS environment into compliance. Or perhaps you already have your infrastructure the way you want it. But how can you make sure your infrastructure always stays in compliance, especially if you’re constantly updating it?
Fugue Risk Manager makes this task easy and can save your team a lot of time that would otherwise be spent buried under a pile of alerts, looking for critical misconfiguration issues and then remediating them, often manually.
Establishing an Infrastructure Baseline on AWS
Now, you can choose to just use Risk Manager to find compliance violations in your cloud environment, along with detailed information about the precise rules that were violated, a description of the rule, and the reason the resource failed.
This is the logical place to start with Risk Manager, and it can suffice if you don’t change your infrastructure often, aren’t operating at scale, and aren’t responsible for critical data.
But there’s more to Fugue Risk Manager than compliance scans. It employs the concept of a “known-good baseline.” Once you have your infrastructure where you want it (i.e., “in compliance”), simply click the “Establish Baseline” button.
This saves the state of your infrastructure. Your established baseline now serves as a basis for monitoring for policy violations and drift—the unauthorized or unknown changes that can lead to deployment failures and security incidents. Risk Manager detects any deviation from your established baseline. No more false positives!
Any time a drift event occurs, Risk Manager provides you with information on what resource was affected and specific details on what configuration changed.
A list of drift events:
Detailed information on a specific drift event:
So, Risk Manager can cut down significantly on the alert fatigue cloud teams contend with, but so far we’re still using a monitoring-only approach to drift and misconfiguration.
Automatically Remediating Cloud Infrastructure Drift
This is where baseline enforcement comes in and can be such a powerful tool in your cloud management arsenal. Risk Manager can automatically remediate drift events back to your established baseline when they occur.
Once you’ve established your baseline, open the "Edit Environment Settings" dialog and click “Enable Baseline Enforcement.” In this mode, when Risk Manager detects drift from your baseline, it automatically restores the affected resource to its baseline configuration (currently for configuration modifications only, not for create/delete actions). This not only saves the time traditionally spent fixing issues by hand, it reduces your Mean Time to Remediation (MTTR) to minutes, greatly shrinking your window of exposure.
But we know that not all change is bad! In fact, most change is good. If you're innovating fast and operating at scale on cloud, change is constant. Risk Manager understands this. When intentional changes need to be made, you can disable enforcement, make your change, establish a new baseline, and resume enforcement. Allow for good change and prevent bad change.
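To make the baseline, drift-detection and enforcement workflow concrete, here is a small added model of it in Python. It is not Fugue's code and the resource records are constructed for illustration; it shows the one behaviour worth noticing above, namely that enforcement reverts modified resources but leaves created and deleted resources for a human to review, and how re-baselining absorbs an intentional change.

```python
from copy import deepcopy

# Constructed "known-good" snapshot: resource id -> configuration (hypothetical ids)
BASELINE = {
    "sg-0a1b": {"type": "security_group", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    "s3-logs": {"type": "s3_bucket", "public": False, "versioning": True},
}


def establish_baseline(observed):
    """Freeze the current state as the new baseline (the 'Establish Baseline' step)."""
    return deepcopy(observed)


def detect_drift(baseline, observed):
    """Return one event per resource that differs from the baseline.

    kind is 'created', 'deleted' or 'modified'; modified events carry the
    changed attributes as {attribute: (baseline_value, observed_value)}.
    """
    events = []
    for rid in baseline.keys() | observed.keys():
        if rid not in observed:
            events.append({"resource": rid, "kind": "deleted"})
        elif rid not in baseline:
            events.append({"resource": rid, "kind": "created"})
        else:
            old, new = baseline[rid], observed[rid]
            changed = {k: (old.get(k), new.get(k))
                       for k in old.keys() | new.keys() if old.get(k) != new.get(k)}
            if changed:
                events.append({"resource": rid, "kind": "modified", "changes": changed})
    return sorted(events, key=lambda e: e["resource"])


def enforce(baseline, observed, enabled=True):
    """Apply baseline enforcement to an observed state.

    Returns (desired_state, remediated_ids, events_needing_review). Only
    'modified' events are reverted; create/delete events are reported, not undone.
    With enforcement disabled nothing is changed and every event is reported.
    """
    events = detect_drift(baseline, observed)
    if not enabled:
        return deepcopy(observed), [], events
    desired, remediated, review = deepcopy(observed), [], []
    for ev in events:
        if ev["kind"] == "modified":
            desired[ev["resource"]] = deepcopy(baseline[ev["resource"]])
            remediated.append(ev["resource"])
        else:
            review.append(ev)
    return desired, remediated, review
```

An intentional change follows the sequence in the text: call `enforce(..., enabled=False)`, apply the change, then `establish_baseline(observed)` so the next `detect_drift` call reports nothing.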
Bottom line: Risk Manager provides powerful security and compliance capabilities:
- Scan your cloud environment for compliance
- Establish a known-good infrastructure baseline
- Continuously monitor for any unauthorized change (drift) from your baseline
- Optionally remediate any drift event, automatically
Getting up and running with Fugue Risk Manager is easy, and it only takes a few minutes to identify compliance violations in your AWS environment and begin detecting (and remediating) drift.
Becki Lee, Rob Donoghue, and Drew Wright all contributed to this post.