Trivy Cloud misconfiguration checks turn up real security holes even in environments that are otherwise well managed, because they look at a different layer than traditional vulnerability scanning: how cloud resources are configured and exposed, rather than which software versions run inside them.

Let’s look at a typical scenario. Imagine you’ve got a Kubernetes cluster running on AWS, and you’ve scanned your container images for vulnerabilities with Trivy. Everything looks clean. But what about the cluster itself? Misconfigurations in how your cloud resources are set up can leave your applications exposed, even if the code inside your containers is pristine.

Here’s a snapshot of Trivy Cloud in action, scanning a live AWS account for misconfigurations. Note that this is not the trivy config command, which scans infrastructure-as-code files on disk; live accounts are scanned with the aws subcommand, which takes the account from whatever AWS credentials are in the environment and the region to enumerate as a flag:

trivy aws --region us-east-1

In later Trivy releases the subcommand was split out of the core binary into a plugin (trivy plugin install github.com/aquasecurity/trivy-plugin-aws); once installed it is invoked the same way.

Trivy will then enumerate various AWS resources like S3 buckets, IAM policies, EC2 security groups, and more, comparing their configurations against a set of security best practices and compliance standards. The output will list findings, detailing the resource, the specific misconfiguration, and a remediation suggestion.

For instance, it might flag an S3 bucket whose ACL grants read access to everyone. The finding below is abridged and uses a placeholder check ID; Trivy’s real cloud checks carry IDs of the form AVD-AWS-NNNN, report PASS or FAIL as the status, and give the remediation as a resolution string rather than a Terraform snippet, since what is being fixed is the live bucket, not code:

{
  "ID": "AWS:S3:BUCKET_PUBLIC_READ_PROHIBITED",
  "Title": "S3 bucket should not be publicly readable",
  "Severity": "CRITICAL",
  "Status": "FAIL",
  "Resource": "s3://my-insecure-bucket",
  "Description": "Anyone on the internet can list or read objects in the bucket.",
  "Resolution": "Remove the AllUsers and AuthenticatedUsers grantees from the bucket ACL (and any \"Principal\": \"*\" statement from the bucket policy), then enable S3 Block Public Access at the bucket or account level."
}

One detail worth getting right when you remediate: AllUsers and AuthenticatedUsers are ACL grantee groups, not bucket-policy principals, so check both the ACL and the policy, and treat AuthenticatedUsers as public too, since it means any AWS account, not just yours.

This isn’t about finding a vulnerable library in your app; it’s about finding an open door in your infrastructure. The problem Trivy Cloud addresses is the sheer complexity and ever-changing nature of cloud environments. Manual audits are nearly impossible to keep up with, and even infrastructure-as-code (IaC) tools can have subtle misconfigurations that slip through. Trivy Cloud acts as an automated, continuous auditor for your cloud posture.

Internally, Trivy Cloud works by:

  1. Discovering Resources: It calls the cloud provider’s APIs (STS GetCallerIdentity to resolve the account, EC2 DescribeSecurityGroups, S3 GetBucketAcl and GetBucketPolicy, the IAM Get and List calls, and so on) to enumerate the resources in the account and fetch their configuration.
  2. Applying Policies: It ships with a built-in set of policies, aligned with industry benchmarks (the CIS AWS Foundations Benchmark in particular) and general security best practice. Each policy is a rule that states what a secure configuration looks like for one resource type.
  3. Comparing Configurations: For each resource, Trivy evaluates the fetched configuration against every rule that applies to that resource type.
  4. Reporting Findings: Where a resource violates a rule, Trivy reports a misconfiguration finding with a severity, a description of the issue, the affected resource and a suggested resolution.

One practical caveat: the discovery results are cached locally so that repeated runs with different filters don’t re-walk the account, which means that after you fix something you need to re-run with --update-cache, or you will be reading the state from before the fix.
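To make the four steps concrete, here is a stripped-down model of the loop in Python. This is an added example, not Trivy’s own code: the inventory is constructed by hand to stand in for what the S3, EC2, RDS and IAM APIs would return, the CHK-* identifiers are placeholders rather than Trivy’s AVD-AWS-* check IDs, and the four rules are simplified versions of checks Trivy’s policy set covers. It goes a little beyond the text in two places a real scanner has to get right: IAM policy JSON allows a bare string or a list for Statement, Action and Resource, and “open to the world” means ::/0 as well as 0.0.0.0/0.

```python
"""Stripped-down model of the discover / apply / compare / report loop above.

Added example, not Trivy's code. INVENTORY is constructed by hand to stand in
for what the S3, EC2, RDS and IAM APIs would return, and the CHK-* identifiers
are placeholders, not Trivy's AVD-AWS-* check IDs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    resource: str
    message: str
    resolution: str


# Step 1, discovery: a real run fills this from API calls; here it is fixed data.
INVENTORY = {
    "s3": [
        {"name": "my-insecure-bucket", "acl_grants": ["AllUsers:READ"], "block_public_access": False},
        {"name": "logs-private", "acl_grants": [], "block_public_access": True},
    ],
    "security_groups": [
        {"id": "sg-world-ssh", "ingress": [{"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-v6-all-ports", "ingress": [{"from_port": 0, "to_port": 65535, "cidrs": ["::/0"]}]},
        {"id": "sg-office-ssh", "ingress": [{"from_port": 22, "to_port": 22, "cidrs": ["203.0.113.0/24"]}]},
        {"id": "sg-web", "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
    ],
    "rds": [{"id": "orders-db", "publicly_accessible": True}, {"id": "reporting-db", "publicly_accessible": False}],
    "iam_policies": [
        # Statement as a bare dict and Action as a bare string are both legal IAM JSON.
        {"name": "AdminEverything", "document": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
        {"name": "ReadLogs", "document": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                                                         "Resource": "arn:aws:s3:::logs-private/*"}]}},
    ],
}
ADMIN_PORTS = (22, 3389)  # ports the CIS-style "open to the world" checks care about


def _as_list(value):
    """IAM policy JSON allows a bare string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _is_anywhere(cidr):
    """True for 0.0.0.0/0 and ::/0: a prefix length of 0 matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


# Step 2, policies: each rule takes one resource and returns a Finding or None.
def check_s3_public_acl(bucket):
    public = any(g.startswith(("AllUsers:", "AuthenticatedUsers:")) for g in bucket["acl_grants"])
    if public and not bucket["block_public_access"]:
        return Finding("CHK-S3-PUBLIC-ACL", "CRITICAL", f"s3://{bucket['name']}", "ACL grants access to everyone",
                       "remove the AllUsers/AuthenticatedUsers grants and enable Block Public Access")
    return None

def check_sg_admin_ports_open(sg):
    for rule in sg["ingress"]:
        exposed = [p for p in ADMIN_PORTS if rule["from_port"] <= p <= rule["to_port"]]
        if exposed and any(_is_anywhere(c) for c in rule["cidrs"]):
            return Finding("CHK-SG-ADMIN-OPEN", "HIGH", sg["id"],
                           "port(s) %s open to any address" % ",".join(map(str, exposed)),
                           "restrict the source CIDR or reach the hosts through a bastion or SSM")
    return None

def check_rds_public(db):
    if db["publicly_accessible"]:
        return Finding("CHK-RDS-PUBLIC", "HIGH", db["id"], "instance is publicly accessible",
                       "set PubliclyAccessible=false and keep the instance in private subnets")
    return None

def check_iam_wildcard(policy):
    for st in _as_list(policy["document"]["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Action", [])) and "*" in _as_list(st.get("Resource", [])):
            return Finding("CHK-IAM-WILDCARD", "HIGH", policy["name"], "Allow * on * is full account access",
                           "scope Action and Resource to what the principal actually needs")
    return None

POLICIES = {"s3": [check_s3_public_acl], "security_groups": [check_sg_admin_ports_open],
            "rds": [check_rds_public], "iam_policies": [check_iam_wildcard]}


# Steps 3 and 4, compare and report.
def scan(inventory=INVENTORY):
    findings = []
    for kind, resources in inventory.items():
        for resource in resources:
            for check in POLICIES.get(kind, []):
                finding = check(resource)
                if finding is not None:
                    findings.append(finding)
    return findings

def summarize(findings):
    """Counts by severity, the number a CI job usually gates on."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    for f in scan():
        print(f"[{f.severity}] {f.check_id} {f.resource}: {f.message} -> {f.resolution}")
    print(summarize(scan()))
```

Running it reports five findings: the public bucket, the two security groups that expose an administrative port to any address (sg-web is deliberately left alone, since HTTPS open to the world is usually intended), the public RDS instance and the Allow-everything IAM policy. The office-only SSH rule and the Deny-only or scoped policies produce nothing, which is the property you want from a check: the rule encodes the intent, not just the string “0.0.0.0/0”.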

The levers you control with Trivy Cloud are primarily around:

  • Scope: which account (taken from the credentials in use), which region (--region) and which services (--service, e.g. s3, iam, ec2) to scan. Narrowing the service list also shortens the discovery phase considerably.
  • Policies/Standards: you can ask for a compliance report instead of the raw findings (--compliance aws-cis-1.2 or aws-cis-1.4) to see the results grouped by a benchmark’s controls.
  • Severity Filtering: --severity CRITICAL,HIGH reports only findings at those levels. That is the right setting for a CI gate and the wrong one for a first audit, where the MEDIUM pile is often where the surprises are.
  • Exclusions: known exceptions belong in an ignore file (--ignorefile, or a .trivyignore / .trivyignore.yaml in the working directory) rather than being filtered by hand; give each one an owner and an expiry so that exceptions don’t silently become permanent.
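The severity floor and the exclusion list are the two levers a CI job actually combines, so here is an added example of a gate script that applies both to a Trivy JSON report. It is not part of Trivy: the sample report is constructed by hand in the shape of Trivy’s JSON output as I know it (Results[].Misconfigurations[] with ID, Title, Severity, Status, Resolution and CauseMetadata), so confirm the field names against the version you run; the EXAMPLE-* IDs are placeholders where a real report carries AVD-AWS-NNNN identifiers; and the exception entries are modelled on the id/statement/expired_at entries of a .trivyignore.yaml, with a per-resource field that is this script’s own addition, not a Trivy feature. The point it makes that the bullets do not is what happens to an exception after its expiry date.

```python
"""CI gate over a Trivy JSON report: severity floor plus expiring exceptions.

Added example, not part of Trivy. SAMPLE_REPORT is constructed by hand in the
shape of Trivy's JSON output (Results[].Misconfigurations[]); check the field
names against your version. EXAMPLE-* IDs are placeholders for AVD-AWS-NNNN.
A real report comes from:  trivy aws --region us-east-1 --format json --output report.json
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SAMPLE_REPORT = {"Results": [
    {"Target": "s3", "Misconfigurations": [
        {"ID": "EXAMPLE-S3-PUBLIC", "Title": "Bucket ACL grants public read", "Severity": "CRITICAL",
         "Status": "FAIL", "Resolution": "Remove public grants and enable Block Public Access",
         "CauseMetadata": {"Resource": "my-insecure-bucket"}},
        {"ID": "EXAMPLE-S3-VERSIONING", "Title": "Bucket versioning enabled", "Severity": "LOW",
         "Status": "PASS", "CauseMetadata": {"Resource": "my-insecure-bucket"}},
    ]},
    {"Target": "ec2", "Misconfigurations": [
        {"ID": "EXAMPLE-SG-SSH", "Title": "SSH open to the world", "Severity": "HIGH", "Status": "FAIL",
         "Resolution": "Restrict the source CIDR", "CauseMetadata": {"Resource": "sg-old-bastion"}},
    ]},
    {"Target": "rds", "Misconfigurations": [
        {"ID": "EXAMPLE-RDS-PUBLIC", "Title": "Instance publicly accessible", "Severity": "HIGH",
         "Status": "FAIL", "Resolution": "Set PubliclyAccessible=false",
         "CauseMetadata": {"Resource": "reporting-db"}},
    ]},
    {"Target": "elb", "Misconfigurations": [
        {"ID": "EXAMPLE-ELB-NO-TLS", "Title": "Listener without TLS", "Severity": "MEDIUM", "Status": "FAIL",
         "Resolution": "Use an HTTPS/TLS listener", "CauseMetadata": {"Resource": "web-lb"}},
    ]},
]}

# Constructed exceptions, modelled on .trivyignore.yaml's id/statement/expired_at entries.
# The "resource" key is this script's addition so one exception cannot silence a whole check.
IGNORES = [
    {"id": "EXAMPLE-RDS-PUBLIC", "resource": "reporting-db",
     "statement": "reachable only from the analytics VPN, ticket SEC-123", "expired_at": "2030-01-01"},
    {"id": "EXAMPLE-SG-SSH", "resource": "sg-old-bastion",
     "statement": "legacy bastion, decommission planned", "expired_at": "2024-06-30"},
]


def is_ignored(check_id, resource, ignores, today):
    """An exception applies only if id (and resource, when given) match and it has not expired."""
    for entry in ignores:
        if entry["id"] != check_id:
            continue
        if entry.get("resource") and entry["resource"] != resource:
            continue
        if entry.get("expired_at") and date.fromisoformat(entry["expired_at"]) <= today:
            continue  # an expired exception stops suppressing the finding
        return True
    return False


def failing_findings(report, min_severity="HIGH", ignores=IGNORES, today=None):
    """FAIL findings at or above min_severity that no live exception covers."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    floor = SEVERITY_RANK[min_severity]
    kept = []
    for result in report.get("Results", []):
        for m in result.get("Misconfigurations", []):
            if m.get("Status") != "FAIL":
                continue  # PASS entries appear when Trivy runs with --include-non-failures
            if SEVERITY_RANK.get(m.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            resource = m.get("CauseMetadata", {}).get("Resource", "")
            if is_ignored(m["ID"], resource, ignores, today):
                continue
            kept.append(m)
    return kept


def gate(report, **kwargs):
    """Exit status for CI: 1 if anything above the floor is still failing, else 0."""
    failing = failing_findings(report, **kwargs)
    for m in failing:
        print(f"[{m['Severity']}] {m['ID']} {m['CauseMetadata']['Resource']}: {m['Title']} -> {m['Resolution']}")
    return 1 if failing else 0


if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report))
```

With the floor at HIGH, the gate fails on two findings: the public bucket, and the old bastion’s SSH rule, whose exception expired in June 2024 and so no longer counts. The RDS exception is still valid and suppresses its finding, and the ELB finding sits below the floor. Lowering the floor to MEDIUM pulls the ELB finding back in. The expiry behaviour is the part to copy whatever tooling you use: an exception that never lapses is just a finding nobody will look at again.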

When you’re scanning AWS, Trivy picks up credentials the same way the AWS SDK does: environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN), a profile in ~/.aws, or the instance or task role when it runs on EC2, ECS or a CI runner that has assumed a role. The identity only needs read access (Describe*, Get*, List*) across the services you want audited; a dedicated role carrying AWS’s managed SecurityAudit policy, or a hand-written subset of it, is the sensible starting point, and there is no reason to hand a scanner admin credentials. Note also that Trivy’s live-account scanning is an AWS feature: for Azure and GCP the same misconfiguration checks run against infrastructure-as-code (Terraform, Azure Resource Manager templates, CloudFormation) with trivy config, so the closest equivalent there is scanning the code that produced the environment rather than the environment itself.

One aspect that often surprises people is how many critical findings can appear even with existing security tooling. Trivy Cloud isn’t just looking for known CVEs in your applications; it’s evaluating the fundamental security assumptions of your cloud infrastructure. For example, it might flag an Elastic Load Balancer (ELB) that doesn’t enforce TLS, or an RDS instance that’s publicly accessible. These are often overlooked because they’re not directly tied to application code but rather to the deployment and management of infrastructure services.

After fixing the critical S3 bucket misconfiguration, the next most common class of finding you’ll encounter is overly permissive IAM: policy documents that allow "Action": "*" on "Resource": "*", wildcard principals in resource policies, and users with long-lived access keys and no MFA. These are worth chasing early because an over-broad IAM policy turns any other foothold, a leaked key or an SSRF to the instance metadata endpoint, into account-wide access.
