CME-1007

Application Configuration Drift Detection (IaC Enforcement)

Description

Continuously monitor application-managed configuration objects, those stored in databases, APIs, or runtime registries rather than in filesystem files, against a declared baseline, and alert or auto-remediate when unauthorized changes appear. Configuration baselines are maintained in version-controlled Infrastructure-as-Code repositories (Terraform, Ansible, Helm values, Keycloak realm exports). A reconciliation loop periodically exports the live application state via its management API, diffs it against the IaC baseline, and either reverts the drift automatically or raises an alert for human review. This prevents attackers from persisting unauthorized configuration changes, such as adding a malicious identity provider mapper, injecting a rogue OAuth client, or modifying authorization policies, because any manual change not committed to the IaC repository is detected and reported within the reconciliation interval. Two caveats follow from the design: only objects covered by the baseline are reconciled, so the export must include every security-relevant section (clients, mappers, policies, roles), and the IaC repository together with the pipeline that applies it becomes the trust anchor, so its access controls and review requirements matter as much as the application's own admin controls.
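Worked example of the reconciliation loop's core, added here as illustration (it is not part of this entry and not Keycloak's or any vendor's code): a live Keycloak-style realm export is diffed against the committed baseline, keyed lists are matched by identifier so a reorder is not drift, and each divergence is split into auto-revert or alert-for-review. The realm fragments are constructed, and the LIST_KEYS and AUTO_REVERT choices are assumptions a deployment would tune; in production the live export would come from the application's management API.

```python
"""Added example: diff a live application config export against its IaC
baseline and split the drift into auto-revert and alert-for-review.
Not vendor code; realm fragments are constructed and LIST_KEYS / AUTO_REVERT
are assumptions to be tuned per application."""
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Drift:
    path: str          # location of the divergence, e.g. "/clients[portal]/redirectUris"
    kind: str          # "added", "removed" or "changed"
    baseline: object   # value in the IaC baseline (None if absent)
    live: object       # value in the live export (None if absent)


# Lists that are really sets of objects with a stable identifier. Elements are
# matched by that field, so a reordered list is not reported as drift.
# Field names follow Keycloak realm exports (assumption).
LIST_KEYS = {
    "clients": "clientId",
    "identityProviders": "alias",
    "identityProviderMappers": "name",
    "policies": "name",
}

# Sections whose drift is reverted automatically rather than only alerted on:
# the objects an attacker would use to persist access (assumption).
AUTO_REVERT = ("clients", "identityProviderMappers", "policies")


def diff_config(baseline, live, path=""):
    """Recursively compare two config trees; return the list of Drift records."""
    drifts = []
    if isinstance(baseline, dict) and isinstance(live, dict):
        for key in sorted(set(baseline) | set(live)):
            sub = f"{path}/{key}"
            if key not in live:
                drifts.append(Drift(sub, "removed", baseline[key], None))
            elif key not in baseline:
                drifts.append(Drift(sub, "added", None, live[key]))
            elif key in LIST_KEYS and isinstance(baseline[key], list):
                drifts.extend(_diff_keyed_list(baseline[key], live[key], sub, LIST_KEYS[key]))
            else:
                drifts.extend(diff_config(baseline[key], live[key], sub))
    elif baseline != live:
        # Scalars and unkeyed lists are compared as opaque values.
        drifts.append(Drift(path, "changed", baseline, live))
    return drifts


def _diff_keyed_list(base_items, live_items, path, id_field):
    base = {item[id_field]: item for item in base_items}
    live = {item[id_field]: item for item in live_items}
    drifts = []
    for ident in sorted(set(base) | set(live)):
        sub = f"{path}[{ident}]"
        if ident not in live:
            drifts.append(Drift(sub, "removed", base[ident], None))
        elif ident not in base:
            drifts.append(Drift(sub, "added", None, live[ident]))
        else:
            drifts.extend(diff_config(base[ident], live[ident], sub))
    return drifts


def section_of(drift):
    """Top-level section of a drift path: '/clients[x]/y' -> 'clients'."""
    return drift.path.lstrip("/").split("/")[0].split("[")[0]


def reconcile(baseline, live):
    """One reconciliation cycle. Returns (plan, desired_state): plan splits the
    drift into 'revert' and 'alert'; desired_state is what to push back through
    the management API (baseline wins for auto-reverted sections, everything
    else is left as found until a human reviews the alert)."""
    plan = {"revert": [], "alert": []}
    for d in diff_config(baseline, live):
        plan["revert" if section_of(d) in AUTO_REVERT else "alert"].append(d)
    desired = copy.deepcopy(live)
    for section in {section_of(d) for d in plan["revert"]}:
        desired[section] = copy.deepcopy(baseline.get(section, []))
    return plan, desired


# Constructed IaC baseline (the committed realm export).
BASELINE = {
    "realm": "corp",
    "displayName": "Corp",
    "sslRequired": "external",
    "clients": [
        {"clientId": "portal", "publicClient": False,
         "redirectUris": ["https://portal.example.com/*"]},
        {"clientId": "api", "publicClient": False, "redirectUris": []},
    ],
    "identityProviders": [{"alias": "corp-saml", "enabled": True}],
    "identityProviderMappers": [
        {"name": "email", "identityProviderAlias": "corp-saml",
         "config": {"attribute": "email"}},
    ],
    "policies": [{"name": "admin-only", "roles": ["admin"]}],
}

# Constructed live export: a harmless reorder plus a rogue OAuth client, a
# malicious IdP mapper, a loosened policy and a cosmetic rename.
LIVE = copy.deepcopy(BASELINE)
LIVE["clients"].reverse()
LIVE["clients"].append({"clientId": "backup-sync", "publicClient": True,
                        "redirectUris": ["https://attacker.example/*"]})
LIVE["identityProviderMappers"].append(
    {"name": "grant-admin", "identityProviderAlias": "corp-saml",
     "config": {"role": "admin"}})
LIVE["policies"][0]["roles"].append("user")
LIVE["displayName"] = "Corp (migrated)"

if __name__ == "__main__":
    plan, desired = reconcile(BASELINE, LIVE)
    for action, drifts in plan.items():
        for d in drifts:
            print(f"{action.upper():6} {d.kind:8} {d.path}")
```

Running the module reports three REVERT entries (the rogue client, the grant-admin mapper, the widened policy roles) and one ALERT (the display-name change); the reordered client list produces no drift because keyed sections are matched by identifier, which is the property that keeps such a loop from paging on every export.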

CVSS Vector Impacts

Metric                  Transition  Rationale
Attack Complexity (AC)  L -> H      Compensating control: unauthorized configuration changes are detected within the reconciliation interval and may be automatically reverted, requiring the attacker to re-exploit during each cycle or to compromise the IaC pipeline itself, which significantly increases attack complexity.
Integrity (I)           H -> L      Persistent configuration modifications are reverted to the declared baseline on each reconciliation cycle; integrity impact is limited to the window between drift introduction and the next reconciliation run.

CWE Relationships

Verification

Verify that application configuration is managed via IaC and that drift detection runs on a schedule. Introduce a test configuration change via the application admin API and confirm it is detected or reverted within the expected interval. Test both an attribute change to a managed object and the creation of a new object (for example, an extra client): tools that plan against their own state file, such as Terraform, only report drift in resources they already manage, so a new object created outside IaC is caught only if the reconciliation also exports and diffs the full live configuration.

$ terraform plan -detailed-exitcode
# Expected: exit code 2 means the plan is non-empty, i.e. live state differs from the IaC definition (0 = no drift, 1 = error); covers only resources already in Terraform state
Platform: any
$ ansible-playbook site.yml --check --diff
# Expected: Reports changes that would be made to reconcile drift
Platform: any