Validation
The Validation page provides a way to audit your live cloud environment against the policies you have defined in EndState CloudSec. It answers the critical question: "Does my actual cloud configuration match my intended security posture?"
Running Validation Checks
The page presents a series of automated checks that you can run on demand.
To run a check:
- Find the check you want to perform (e.g., "Flow-Based Route Validation").
- Click the Run Check button.
- The check status will change to loading while the system performs read-only API calls to your connected cloud accounts.
Understanding the Results
Once the check completes, the status will update to either success or error, and a results card will appear.
| Result | Meaning |
|---|---|
| Passed | Your live cloud configuration aligns with the policy being checked. |
| Failed | A discrepancy exists between your live configuration and your intended policy. The details section provides actionable remediation guidance. |
Available Checks
Flow-Based Route Validation
This is one of the most powerful checks available.
What it does: Verifies that the data flows you defined on the Flows page are actually possible at the network level.
How it works: For every flow you have defined (e.g., from Zone A to Zone B), this check examines the routing tables in your cloud provider's network. It ensures there is a valid route from the source subnet(s) to the destination subnet(s).
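To make the routing-table logic above concrete, here is an added illustration (not EndState CloudSec's own code) of how a flow-based route check can be evaluated: for each flow it looks up the source subnet's route table and asks whether a route covers the whole destination CIDR, using longest-prefix matching. The data model, the sample route tables and the transit gateway id tgw-0aaa111 are constructed assumptions; the subnet, route table and CIDR values are taken from the failure scenario shown on this page.

```python
import ipaddress

# Constructed inventory modelled on the page's example (assumed schema).
SUBNETS = {
    "subnet-0abc123": {"zone": "Application Zone", "cidr": "10.0.1.0/24", "rtb": "rtb-0123456"},
    "subnet-0def456": {"zone": "Data Zone", "cidr": "10.0.2.0/24", "rtb": "rtb-0abcdef"},
}
ROUTE_TABLES = {
    # Application Zone table: only the local route, so nothing reaches 10.0.2.0/24.
    "rtb-0123456": [{"destination": "10.0.1.0/24", "target": "local"}],
    # Data Zone table: local route plus a /16 summary route via a (constructed) transit gateway.
    "rtb-0abcdef": [
        {"destination": "10.0.2.0/24", "target": "local"},
        {"destination": "10.0.0.0/16", "target": "tgw-0aaa111"},
    ],
}
# Flows as (source subnet, destination subnet); the second one is added to show a pass.
FLOWS = [("subnet-0abc123", "subnet-0def456"), ("subnet-0def456", "subnet-0abc123")]


def best_route(routes, dst_cidr):
    """Return the longest-prefix route whose destination covers all of dst_cidr, or None.

    A route that covers only part of the destination subnet does not count: the flow
    must be reachable for every address in the destination zone.
    """
    dst = ipaddress.ip_network(dst_cidr)
    covering = [r for r in routes if dst.subnet_of(ipaddress.ip_network(r["destination"]))]
    if not covering:
        return None
    return max(covering, key=lambda r: ipaddress.ip_network(r["destination"]).prefixlen)


def validate_flow(src_id, dst_id):
    """Check one flow; returns (status, detail) in the spirit of the page's results card."""
    src, dst = SUBNETS[src_id], SUBNETS[dst_id]
    rtb = src["rtb"]
    route = best_route(ROUTE_TABLES[rtb], dst["cidr"])
    # A blackhole route (target no longer exists) is treated like a missing route.
    if route is None or route["target"] == "blackhole":
        return ("FAILED", f"No valid route found from {src['zone']} ({src_id}) to "
                          f"{dst['zone']} ({dst_id}). Missing route in route table {rtb}: "
                          f"destination {dst['cidr']} ({dst['zone']}).")
    return ("PASSED", f"{src['zone']} -> {dst['zone']} via {rtb}: "
                      f"{route['destination']} -> {route['target']}")


def validate_all(flows=FLOWS):
    """Evaluate every defined flow and key the results by 'source->destination'."""
    return {f"{s}->{d}": validate_flow(s, d) for s, d in flows}
```

Note that a passing route check only proves reachability at the routing layer; firewall rules are covered separately by the Security List Verification check described below.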
Example failure scenario:
You define a flow from your Application Zone to your Data Zone, but the Application Zone's subnet does not have a route table entry that directs traffic to the Data Zone's subnet.
The check will report:

```
FAILED: No valid route found from Application Zone (subnet-0abc123)
to Data Zone (subnet-0def456).
Missing route in route table rtb-0123456:
  Destination: 10.0.2.0/24 (Data Zone)
  Expected next hop: local or transit gateway
Recommendation: Add a route entry in rtb-0123456 for destination
10.0.2.0/24 pointing to the appropriate gateway.
```

Security List Verification
This check is currently in development and will be available in an upcoming release.
What it will do: Verify that the rules in your live Security Groups (AWS), Network Security Groups (Azure), and VPC Firewalls (GCP) match the rules generated by the Deployment process. This helps detect configuration drift -- manual changes that may have occurred outside of the EndState CloudSec platform.
Planned Future Checks
| Check | Description | Status |
|---|---|---|
| Flow-Based Route Validation | Verify network routes support defined flows | Available |
| Security List Verification | Detect configuration drift in firewall rules | Coming Soon |
| Cross-Region Connectivity | Validate VPC peering and transit gateway configs | Planned |
| Encryption in Transit | Verify TLS/SSL requirements are met | Planned |
| Compliance Benchmarks | CIS, SOC2, PCI-DSS automated checks | Planned |
Best Practices
- Run validation after every deployment -- Confirm that the deployed changes match your expectations.
- Schedule regular validation -- Run checks weekly or after any manual cloud changes to detect drift.
- Investigate all failures -- Every failed check represents a potential security gap.
- Export results -- Use the validation results alongside your Audit Logs for compliance reporting.
Running these validation checks regularly provides a continuous feedback loop, ensuring that your security posture remains consistent, compliant, and correctly implemented over time.