AWS resource drift from IaC configuration
Description
AlphaSOC detected modifications to AWS resources made outside the established infrastructure-as-code (IaC) workflow. The changes were identified by the user agent recorded in AWS CloudTrail: the write calls came from a non-IaC client (for example, the AWS Management Console, the AWS CLI or an SDK rather than an IaC tool such as Terraform or CloudFormation), so they bypassed version control, peer review, and automated deployment, creating a discrepancy between the intended and actual infrastructure state. This activity may indicate manual intervention, an emergency fix, or an unauthorized change performed outside approved operational procedures. Threat actors deliberately make changes outside the IaC workflow because such changes are not reviewed, allowing them to introduce malicious configurations or backdoors that compromise security.
Impact
Changes made outside the IaC workflow can introduce security vulnerabilities, compliance violations, and operational instability. Configuration drift undermines infrastructure governance, complicates disaster recovery efforts, and increases the risk of service disruptions. Threat actors can exploit these inconsistencies to establish persistence, evade detection mechanisms, or execute malicious activities by leveraging unauthorized changes to the infrastructure.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS resource drift from IaC configuration |
Investigation and Remediation
Compare the current resource configurations with the IaC templates (for example, with CloudFormation drift detection or a Terraform plan) to identify the specific changes and their scope. Review AWS CloudTrail logs to determine which users, roles, or services made the modifications, from which source addresses, and when. Note that the user agent is supplied by the client and can be spoofed, so corroborate it with the calling identity: a write made by the IaC pipeline's deployment role is expected, while the same API call made by a human principal or an unfamiliar role is not. Assess the impact of the changes on security posture and operational stability, paying close attention to changes typical of persistence or evasion, such as new IAM principals or policies, widened security group rules, and disabled logging. Before reverting, confirm whether the change was a legitimate emergency fix that still needs to be codified, then use an IaC deployment to revert unauthorized changes and restore the intended state. Implement AWS Config rules for drift detection, strengthen IAM policies so that only the deployment role can make production changes, and establish a change management process that requires approval for infrastructure modifications outside the IaC workflow.
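The detection this page describes, as an added illustration rather than AlphaSOC's own logic: CloudTrail records are filtered to write (non-read-only) API calls, the userAgent field is matched against a small set of IaC tool signatures, and the remaining events are grouped by the identity that made them, which is the first question an investigator asks. The IaC user-agent patterns, the read-only event-name prefixes and the sample CloudTrail records below are constructed for the example and should be tuned to your own pipeline's agents and roles.

```python
"""Flag CloudTrail write events made outside IaC tooling (added example, not AlphaSOC code)."""
import json
import re
from collections import defaultdict

# Assumed signatures of IaC tooling in CloudTrail's userAgent field. Extend with
# your own pipeline's agents; remember the string is client-supplied and spoofable.
IAC_AGENT_PATTERNS = [
    re.compile(r"Terraform/\d"),                      # "APN/1.0 HashiCorp/1.0 Terraform/x.y.z ..."
    re.compile(r"^cloudformation\.amazonaws\.com$"),  # calls CloudFormation makes for a stack
    re.compile(r"pulumi", re.I),
    re.compile(r"aws-cdk", re.I),
]

# Event-name prefixes treated as read-only in addition to CloudTrail's readOnly flag.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Lookup", "Head")

# Constructed CloudTrail log body: one Terraform change, one console change, one CLI
# read, one CLI change and one CloudFormation-driven change.
SAMPLE_TRAIL = """{"Records": [
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateSecurityGroup", "readOnly": false,
  "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.2 (+https://www.terraform.io) terraform-provider-aws/5.23.0",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/iac-deploy/gha"}},
 {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "readOnly": false,
  "userAgent": "console.ec2.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "readOnly": true,
  "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/6.1 exe/x86_64",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ops-break-glass/bob"}},
 {"eventTime": "2024-05-01T10:11:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy", "readOnly": false,
  "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/6.1 exe/x86_64",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ops-break-glass/bob"}},
 {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateRole", "readOnly": false,
  "userAgent": "cloudformation.amazonaws.com",
  "userIdentity": {"type": "AWSService", "invokedBy": "cloudformation.amazonaws.com"}}
]}"""


def load_records(trail_json):
    """Parse a CloudTrail log file body (the {"Records": [...]} envelope)."""
    return json.loads(trail_json)["Records"]


def is_write_event(record):
    """True for API calls that can change resource state."""
    if record.get("readOnly") is True:
        return False
    return not record.get("eventName", "").startswith(READ_ONLY_PREFIXES)


def is_iac_agent(user_agent):
    """True when the userAgent matches a known IaC tool signature."""
    return any(p.search(user_agent or "") for p in IAC_AGENT_PATTERNS)


def actor(record):
    """Best available identifier for who made the call."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("invokedBy") or ident.get("principalId", "unknown")


def find_drift(records):
    """Write events whose client is not recognised IaC tooling, in log order."""
    return [r for r in records if is_write_event(r) and not is_iac_agent(r.get("userAgent"))]


def summarize_by_actor(drift_events):
    """Group drift events by identity: (eventTime, eventSource, eventName) per actor."""
    summary = defaultdict(list)
    for r in drift_events:
        summary[actor(r)].append((r["eventTime"], r["eventSource"], r["eventName"]))
    return dict(summary)


if __name__ == "__main__":
    for who, events in summarize_by_actor(find_drift(load_records(SAMPLE_TRAIL))).items():
        print(who)
        for when, source, name in events:
            print(f"  {when} {source} {name}")
```

Run against a real trail, the same logic is applied per delivered log file from the CloudTrail S3 bucket or via a CloudTrail Lake query. Because the user agent is spoofable, the grouping by identity is the part that matters for triage: a Terraform-looking agent used by a principal other than the deployment role deserves the same scrutiny as an obvious console change.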