Investigate and remediate IaC drift issues - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-10
Category: Administrator Guide

Select any row in the IaC Drift Detection table to open the drift issue side panel. The side panel provides detailed context for investigation and remediation.

Details

Drift issues include general, drift analysis, code evidence, and code-to-cloud details.

General details

The top section of the side panel displays the following fields:

Severity: The severity level of the drift issue.
Status: The current resolution status (New, In Progress, or Resolved).
Assignee: The user assigned to the drift issue.
SLA: The SLA compliance status, calculated from the drift issue creation date and the severity-based target resolution window.
Drift Age: The duration since the drift was first detected.

Drift analysis

The Drift Analysis section provides a detailed comparison between the IaC-defined state and the live cloud resource state. The drift analysis enables you to determine whether the deviation is an unauthorized change that must be reverted or an intentional modification that must be codified in the IaC template.

Drift Type: The classification of the drift: Modified, Deleted, or Unmanaged.
Resource Type: The cloud resource type where drift was detected.
Resource ID: The cloud provider resource identifier.
Drifted Properties: A structured diff showing each property that differs between the IaC-defined state and the cloud state. Each drifted property displays the property name, the IaC value (expected), and the cloud value (actual).
Drift Summary: A human-readable summary of the drift (for example, "Security group ingress rule modified: port range expanded from 443 to 0-65535").

Example: drift analysis for a modified AWS security group

Property                IaC Value (Expected)    Cloud Value (Actual)
ingress.0.from_port     443                     0
ingress.0.to_port       443                     65535
ingress.0.cidr_blocks   [10.0.0.0/8]            [0.0.0.0/0]

Important: The drift analysis example above represents a Critical severity drift issue. The security group ingress rule was modified from a restricted CIDR block and single port to an unrestricted CIDR block and full port range, exposing the resource to the public internet.

Code evidence

The Code evidence section displays the IaC template context for the drifted resource:

  • Repository Name: The name of the repository containing the IaC template that defines the resource.

  • File Path: The full path to the IaC template file with a link to the VCS provider.

  • Code Block: The source code snippet showing the resource definition as declared in the IaC template.

  • Commit Details: The Git author, commit hash, and commit timestamp of the last commit that modified the resource definition.

Code-to-cloud graph

The Code-to-cloud graph visualizes the traceability path from the IaC template in the repository to the deployed cloud resource where drift was detected. The graph enables you to understand the relationship between the IaC-defined resource and the live cloud resource, confirming the mapping used for the drift comparison.

Prioritize IaC drift issues

Effective prioritization of IaC drift issues requires evaluating the security impact of the configuration deviation, the environment where the drift occurred, and the business criticality of the affected resource. Application Security uses severity-based prioritization to determine remediation order.

Severity-based prioritization

Severity reflects the security impact of the configuration deviation. Use severity as the baseline filter:

Critical: Immediate remediation required. The drift introduces a directly exploitable attack vector (such as public network exposure, disabled encryption, or overly permissive IAM policies).
High: Remediate within the current sprint. The drift weakens a security control (such as relaxed firewall rules or a modified logging configuration).
Medium: Schedule for remediation. The drift deviates from best practices but does not introduce an immediately exploitable risk.
Low: Address during routine maintenance. The drift has minimal security impact (such as non-security-related property changes).
Informational: No action required. The drift is advisory (such as tag modifications or description changes).

Take action on IaC drift issues

The IaC Drift Detection page supports the following actions for drift issues: change resolution status, assign a drift issue, revert to IaC state, update IaC template, and apply manual remediation.

Change resolution status

Update the resolution status to track drift remediation progress.

  • From the main drift table: right-click a drift issue in the table, select Change Status, and then select the new status.

  • From the side panel: in the Status field, select a status.

Status values:

  • New: The drift issue has not been triaged.

  • In Progress: Remediation is underway.

  • Resolved: The drift has been corrected and verified.

Assign a drift issue

Assign an IaC drift issue to a specific user for remediation.

  • From the main drift table: right-click a drift issue in the table, select Change Assignee, and then select a user.

  • From the side panel: in the Assignee field, select a user.

Revert to IaC state

For drift issues where the cloud resource was modified outside the IaC pipeline, revert the cloud resource to the configuration defined in the IaC template.

  1. Select a drift issue in the IaC Drift Detection table.

  2. Right-click to open the context menu.

  3. Select Revert to IaC State.

  4. Review the revert preview, which displays the properties that will be changed on the cloud resource.

  5. Click Confirm Revert.

Cortex Cloud triggers a redeployment of the IaC template to restore the cloud resource to the declared state.

Note

The Revert to IaC State action requires write permissions on the target cloud account. Verify that the Cortex Cloud service account has the necessary IAM permissions before initiating a revert operation.

Update IaC template

For drift issues where the cloud resource change was intentional and must be preserved, update the IaC template to reflect the current cloud state.

  1. Select a drift issue in the IaC Drift Detection table.

  2. Right-click to open the context menu.

  3. Select Update IaC Template.

  4. Cortex Cloud generates a pull request in the source repository that updates the IaC template with the current cloud resource configuration.

  5. Review and merge the pull request to codify the change.

Note

Updating the IaC template codifies the current cloud state as the new desired state. Verify that the cloud resource configuration complies with security policies before merging the generated pull request.

Apply manual remediation

For drift issues that require manual intervention, the side panel provides remediation guidance.

  1. Select a drift issue in the table to open the side panel.

  2. Review the Drift Analysis section to understand the specific properties that deviated.

  3. Determine the appropriate remediation path:

    • Revert: Manually update the cloud resource to match the IaC-defined configuration using the cloud provider console, CLI, or API

    • Codify: Manually update the IaC template to reflect the intentional change, then redeploy through the standard IaC pipeline

Example: manual remediation for a Terraform drift issue

# IaC-defined state (expected)
resource "aws_security_group" "web_sg" {
  name        = "web-sg"
  description = "Security group for web servers"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}

# To revert drift, redeploy the Terraform template above.
# The cloud resource will be restored to the IaC-defined state.

Understand SLA compliance

Each IaC drift issue is tracked against an SLA target based on the issue severity. The SLA status is displayed in the drift issue side panel under General Details. The SLA calculation uses the drift issue creation timestamp and the configured severity-to-target-days mapping. Resolved drift issues stop the SLA clock at the resolution timestamp.

Within SLA: The drift issue is within the severity-based remediation window.
Approaching: The drift issue is nearing the SLA deadline. Prioritize remediation.
Overdue: The drift issue has exceeded the SLA deadline. Escalate or reassign.
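The SLA calculation described above, as an added example that is not Cortex Cloud code: it derives the SLA status from the creation timestamp, the severity, and an optional resolution timestamp that stops the clock. The severity-to-target-days mapping and the Approaching threshold are assumed values, because the page does not state the configured ones.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed severity-to-target-days mapping; substitute your tenant's configured values.
SLA_TARGET_DAYS = {"Critical": 1, "High": 7, "Medium": 30, "Low": 90, "Informational": 180}
# Assumed threshold: an issue is "Approaching" once 80% of its window has elapsed.
APPROACHING_FRACTION = 0.8


def sla_deadline(created: datetime, severity: str) -> datetime:
    """Deadline = creation timestamp + severity-based target resolution window."""
    if severity not in SLA_TARGET_DAYS:
        raise ValueError(f"unknown severity: {severity}")
    return created + timedelta(days=SLA_TARGET_DAYS[severity])


def sla_status(created: datetime, severity: str, resolved: Optional[datetime] = None,
               now: Optional[datetime] = None) -> str:
    """Return 'Within SLA', 'Approaching' or 'Overdue'. A resolved issue stops
    the SLA clock at its resolution timestamp instead of the current time."""
    clock_end = resolved if resolved is not None else (now or datetime.now(timezone.utc))
    elapsed = clock_end - created
    window = sla_deadline(created, severity) - created
    if elapsed > window:
        return "Overdue"
    if elapsed >= window * APPROACHING_FRACTION:
        return "Approaching"
    return "Within SLA"


def drift_age_days(created: datetime, now: Optional[datetime] = None) -> float:
    """Drift Age as shown in the side panel: days since the drift was first detected."""
    return ((now or datetime.now(timezone.utc)) - created).total_seconds() / 86400
```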

Understand drift types

IaC drift detection classifies each drift issue into one of three drift types based on the nature of the discrepancy between the IaC-defined state and the cloud state.

Modified
  Description: A resource property in the cloud differs from the value defined in the IaC template. The resource exists in both the IaC template and the cloud, but one or more properties have been changed outside the IaC pipeline.
  Security implication: The modification may weaken security controls, expand network access, disable encryption, or alter access policies.
  Example: A security group ingress rule was changed from port 443 to port range 0-65535 via the AWS console.

Deleted
  Description: A resource defined in the IaC template no longer exists in the cloud. The resource was removed from the cloud environment without a corresponding change to the IaC template.
  Security implication: The deletion may remove security controls, logging configurations, or monitoring resources that the IaC template assumes are in place.
  Example: A CloudTrail logging trail was deleted via the AWS CLI, but the Terraform template still declares the trail resource.

Unmanaged
  Description: A resource exists in the cloud but is not defined in any IaC template. The resource was created directly in the cloud environment without IaC governance.
  Security implication: Unmanaged resources bypass IaC-governed security policies, code review, and compliance controls. They represent shadow infrastructure that may introduce untracked attack surfaces.
  Example: An EC2 instance was launched via the AWS console without a corresponding Terraform resource definition.
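The per-property diff from the Drift Analysis section and the three drift types above, as an added example that is not Cortex Cloud code: it flattens nested resource configuration into dotted property paths such as ingress.0.from_port and classifies each resource as Modified, Deleted, or Unmanaged. The resource IDs and the IaC and cloud states are constructed samples.

```python
from typing import Any


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts and lists of dicts into dotted paths such as
    'ingress.0.from_port'; lists of scalars stay whole (e.g. cidr_blocks)."""
    if isinstance(obj, dict):
        out: dict[str, Any] = {}
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}{key}."))
        return out
    if isinstance(obj, list) and obj and all(isinstance(v, dict) for v in obj):
        out = {}
        for idx, val in enumerate(obj):
            out.update(flatten(val, f"{prefix}{idx}."))
        return out
    return {prefix[:-1]: obj}


def classify_drift(iac: dict[str, dict], cloud: dict[str, dict]) -> list[dict]:
    """Compare IaC-defined resources with live cloud resources (both keyed by
    resource ID) and return one record per drift issue: Modified resources
    carry the per-property diff, Deleted and Unmanaged resources carry none."""
    issues = []
    for rid, expected in iac.items():
        if rid not in cloud:
            issues.append({"resource_id": rid, "drift_type": "Deleted", "drifted_properties": []})
            continue
        exp, act = flatten(expected), flatten(cloud[rid])
        diffs = [{"property": p, "iac_value": exp.get(p), "cloud_value": act.get(p)}
                 for p in sorted(set(exp) | set(act)) if exp.get(p) != act.get(p)]
        if diffs:
            issues.append({"resource_id": rid, "drift_type": "Modified", "drifted_properties": diffs})
    for rid in cloud:
        if rid not in iac:
            issues.append({"resource_id": rid, "drift_type": "Unmanaged", "drifted_properties": []})
    return issues


# Constructed sample states; the resource IDs are placeholders, not real identifiers.
IAC_STATE = {
    "sg-web": {"name": "web-sg", "ingress": [{"from_port": 443, "to_port": 443,
               "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]},
    "trail-main": {"name": "main", "is_multi_region_trail": True},
}
CLOUD_STATE = {
    "sg-web": {"name": "web-sg", "ingress": [{"from_port": 0, "to_port": 65535,
               "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
    "i-unmanaged": {"instance_type": "t3.micro"},
}
```

Running classify_drift(IAC_STATE, CLOUD_STATE) reports sg-web as Modified with the three ingress properties from the table above, trail-main as Deleted, and i-unmanaged as Unmanaged.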

Supported frameworks and cloud providers

The Cortex Cloud IaC drift detection scanner supports the following Infrastructure as Code frameworks and cloud providers:

Supported IaC frameworks

Terraform
  File types: .tf, .tfvars
  Drift detection scope: Full property-level drift detection for all Terraform-managed resources. Drift detection compares the Terraform state file against the live cloud resource configuration.

CloudFormation
  File types: .yaml, .json, .template
  Drift detection scope: Full property-level drift detection for all CloudFormation stack resources. Drift detection compares the CloudFormation stack definition against the live cloud resource configuration.

Pulumi
  File types: .ts, .py, .go, .yaml
  Drift detection scope: Property-level drift detection for Pulumi-managed resources. Drift detection compares the Pulumi state against the live cloud resource configuration.

Supported cloud providers

AWS
  Resource coverage: EC2, S3, IAM, VPC, Security Groups, RDS, Lambda, CloudTrail, KMS, and additional AWS resource types.
  Integration requirement: AWS account onboarded with a read-only IAM role or cross-account access configured.

Azure
  Resource coverage: Virtual Machines, Storage Accounts, Network Security Groups, Key Vault, Azure AD, App Service, and additional Azure resource types.
  Integration requirement: Azure subscription onboarded with the Reader role assigned to the Cortex Cloud service principal.

GCP
  Resource coverage: Compute Engine, Cloud Storage, IAM, VPC, Cloud SQL, Cloud Functions, Cloud KMS, and additional GCP resource types.
  Integration requirement: GCP project onboarded with the Viewer role assigned to the Cortex Cloud service account.