Continuous Evaluation for Configuration Audit
Skyhigh CASB provides Continuous Evaluation (CE) for IaaS services including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). It constantly monitors activities that lead to configuration changes for IaaS services and triggers Security Configuration Audit policies to report the violations. When CE is enabled, you will see Configuration Audit violations faster, as they are monitored continuously, instead of catching violations only once in 24 hours as reported by On-Demand Scans. CE is the default and recommended option.
For comparison:
- Near Real-Time Configuration Audit for AWS reports incidents in 2-5 minutes.
- Continuous Evaluation reports incidents usually within 30 minutes (subject to the frequency of the activities) for AWS, Azure, and GCP.
- On-Demand Scans run once per day or as scheduled.
Also note that:
- CE requires User Activity Monitoring to be enabled.
- When CE is enabled:
  - On-Demand Scan frequency is disabled by default. In other words, the scans are created and present, but do not run once a day by default.
  - On-Demand Scans are scheduled when accounts, subscriptions, or projects are added or removed, either to baseline them or to update the status of existing incidents.
  - When a new IaaS account is added, enabling the account-level feature flag allows the On-Demand Scan to run only for the newly added IaaS accounts instead of all accounts. To set this feature flag, contact Skyhigh Security Support.
Enable Continuous Evaluation
- Go to Service Management, choose the IaaS CSP, and an instance.
- Under Setup, click Edit.
- Under Activity Monitoring, make sure User Activity Monitoring is enabled.
- Under Security Configuration Audit, Continuous Evaluation is the default selection.
- Click Next and finish configuring the instance as needed.
When Continuous Evaluation is Enabled
When CE is enabled:
- You will receive violations on the Incidents > Policy Incidents page more frequently and throughout the day, compared to before CE was enabled, when incidents were updated only once in 24 hours.
- If you have configured Email Notification for Incidents, you will receive those emails throughout the day, instead of once in 24 hours.
- Activities are populated much faster on the Incidents > User Activity > Activity Monitoring page.
- On the Policy > On-Demand Scans page, scan instances are not updated. Also, fewer scan incidents are reported. So when you select the scan, in the Scan Details pane, you see the message, "Continuous Evaluation is enabled. Scheduled Scan is disabled by default." IaaS services in your environment are monitored continuously for any violations and they are reported by CE, so fewer incidents are reported by On-Demand Scans.
- Also, on the Scan Instances page, you see the message, "Continuous Evaluation is enabled. Scheduled Scan is disabled by default."
NOTE: Evaluation of the following policies depends on data that is cached by AWS, so their incidents might not be updated as part of the CE flow.
- Hardware MFA should be enabled for the root account
- MFA should be enabled for root account
- Root account access key should not exist