Drift Detection: Finding Configuration Drift in Cloud Infrastructure
Configuration drift detection identifies when deployed cloud resources diverge from their declared state in Terraform, CloudFormation, or other IaC tools.
What is Drift Detection?
Configuration drift detection identifies when the actual state of your cloud infrastructure diverges from its declared state — the configuration defined in your Infrastructure as Code (IaC) templates like Terraform, CloudFormation, Pulumi, or Kubernetes manifests.
Drift happens when someone or something modifies a resource outside the normal IaC workflow. A developer changes a security group rule through the AWS console. An auto-scaling event changes the instance count of a group. A hotfix attaches an IAM policy directly. The result: your infrastructure no longer matches what your code says it should be.
Why It Matters
Drift is a security and reliability problem:
- Security gaps — A Terraform template enforces encrypted storage, but someone disables encryption via the console. Your IaC review passed, but your production environment is non-compliant.
- Compliance violations — Auditors check your deployed state, not your Terraform files. Drift means your compliance evidence is inaccurate.
- Incident response confusion — During an incident, you need to know the actual state. If documentation (IaC) doesn’t match reality, you’re debugging blind.
- Hidden attack indicators — An attacker modifying security group rules or adding IAM users creates drift. Detecting it quickly can catch breaches early.
Industry surveys are commonly cited as finding drift in 40-60% of resources within six months of deployment, even at organizations with mature IaC practices. The exact figure matters less than the pattern: drift is the norm, not the exception, so it has to be detected continuously rather than assumed away.
How It Works / Key Concepts
Drift detection compares two states:
- Declared state — What your IaC templates specify (the “should be”)
- Actual state — What’s currently deployed in your cloud account (the “is”)
Any difference between these states is drift.
Common Drift Sources
| Source | Example |
|---|---|
| Console changes | Developer adds an ingress rule via AWS Console |
| Hotfixes | SRE attaches an IAM policy to unblock a deploy |
| Auto-operations | AWS itself changes a default VPC setting, or an auto-remediation tool rewrites a resource |
| Third-party tools | CI/CD pipelines that modify resources directly |
| Service-linked changes | AWS creating service-linked roles automatically |
Detection Approaches
- IaC plan comparison — Run `terraform plan` (or `terraform plan -refresh-only`, which shows only what changed in the real infrastructure) and check for differences; `-detailed-exitcode` returns exit status 2 when changes exist, which makes this easy to run as a scheduled job. This only covers resources Terraform manages: anything created outside the state file is invisible to it.
- Cloud API polling — Periodically snapshot resource configurations through the provider's Describe*/Get* APIs and diff against a stored baseline
- Event-driven detection — Monitor CloudTrail/Audit Logs for mutating API calls made by principals outside the approved IaC workflow
- CSPM continuous scanning — Compare each scan against previous results to detect changes
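The event-driven approach above, as an added example (not code from this page or from Kloudle): the detector reads CloudTrail records, keeps only mutating calls, resolves each call to its long-lived principal, and flags anything not performed by the approved IaC deploy role. The account ID, role names and the four records are constructed placeholders.

```python
"""Event-driven drift detection over CloudTrail: flag mutating API calls that
were not made by the approved IaC deploy role.

The records below are constructed for this example (trimmed to the fields the
detector reads); the account ID and role names are placeholders.
"""

# Hypothetical role the CI/CD pipeline assumes to run `terraform apply`.
APPROVED_IAC_ROLES = {"arn:aws:iam::123456789012:role/terraform-deploy"}

# Fallback classification of API verbs when a record has no readOnly flag.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup", "Head", "Search")

SAMPLE_EVENTS = [
    {   # A user opens port 22 to the world from the console
        "eventTime": "2024-05-01T10:15:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "readOnly": False,
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0",
                              "cidrIp": "0.0.0.0/0", "fromPort": 22},
    },
    {   # The same API call from the pipeline role: an approved change
        "eventTime": "2024-05-01T10:20:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "readOnly": False,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/terraform-deploy/ci-run-42",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::123456789012:role/terraform-deploy"}},
        },
        "requestParameters": {"groupId": "sg-0123456789abcdef0",
                              "cidrIp": "10.0.0.0/8", "fromPort": 443},
    },
    {   # Read-only call: can never produce drift
        "eventTime": "2024-05-01T10:21:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSecurityGroups",
        "readOnly": True,
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {},
    },
    {   # Break-glass hotfix attaches a managed policy; no readOnly field here,
        # so the eventName prefix fallback decides
        "eventTime": "2024-05-01T23:02:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/sre-breakglass/bob",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::123456789012:role/sre-breakglass"}},
        },
        "requestParameters": {"roleName": "app-role",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
]


def principal_arn(event):
    """Long-lived principal behind a call. For assumed roles use the role ARN
    from sessionContext.sessionIssuer, not the per-session STS ARN, so that
    every pipeline run maps to the same approved identity."""
    identity = event.get("userIdentity", {})
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn", identity.get("arn"))
    return identity.get("arn")


def is_mutating(event):
    """Prefer CloudTrail's readOnly flag; fall back to the verb prefix."""
    if "readOnly" in event:
        return not event["readOnly"]
    return not event["eventName"].startswith(READ_ONLY_PREFIXES)


def detect_out_of_band_changes(events, approved_roles=APPROVED_IAC_ROLES):
    """Return one finding per mutating call whose principal is not an approved
    IaC role. Each finding is a candidate drift event to investigate."""
    findings = []
    for event in events:
        if not is_mutating(event):
            continue
        who = principal_arn(event)
        if who in approved_roles:
            continue
        findings.append({
            "time": event.get("eventTime"),
            "action": f"{event.get('eventSource')}:{event['eventName']}",
            "principal": who,
            "target": event.get("requestParameters", {}),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_out_of_band_changes(SAMPLE_EVENTS):
        print(f"{finding['time']} {finding['action']} by {finding['principal']}: "
              f"{finding['target']}")
```

Two design points matter here. Attribution goes through `sessionContext.sessionIssuer`, because the per-session ARN of an assumed role differs on every pipeline run and would never match an allowlist. And this approach tells you that a change happened and who made it, but not what the resource should look like now; pairing it with a state diff against the declared configuration is what turns an alert into an actionable drift finding.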
Handling Drift
Not all drift is bad. Expected drift (auto-scaling group sizes, dynamic tags) should be excluded. Unexpected drift needs investigation: was it authorized? Is it a security risk? Should the IaC be updated to match, or should the resource be reverted?
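The declared-versus-actual comparison from the Key Concepts section, together with the exclusion of expected drift described above, as an added example (not code from this page or from Kloudle). The two states, the dotted-path convention, the exclusion patterns and the severity heuristic are all this example's own assumptions; in practice the declared side would be derived from `terraform show -json` and the actual side from the provider's Describe*/Get* APIs.

```python
"""Compare a declared (IaC) state against a live snapshot and report drift,
skipping changes that are expected by design.

Both states below are constructed for this example. The dotted-path and
fnmatch-pattern formats are this example's own convention, not a Terraform or
AWS format.
"""
from fnmatch import fnmatch

# Attribute paths whose drift is expected and not reported (fnmatch patterns).
EXPECTED_DRIFT = [
    "aws_autoscaling_group.*.desired_capacity",  # scaled by the ASG itself
    "*.tags.aws:*",                               # tags AWS services add
    "*.tags.LastScaledAt",                        # dynamic tag set by an operator tool
]

# Path substrings that make a finding a security issue rather than bookkeeping.
SECURITY_SENSITIVE = ("encrypt", "ingress", "egress", "policy", "public", "kms_key")

DECLARED = {
    "aws_security_group.web": {
        "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}],
        "tags": {"env": "prod"},
    },
    "aws_s3_bucket.logs": {"encrypted": True, "versioning": True},
    "aws_autoscaling_group.web": {
        "min_size": 2, "max_size": 10, "desired_capacity": 2,
        "tags": {"env": "prod"},
    },
}

ACTUAL = {
    "aws_security_group.web": {
        "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                    {"port": 22, "cidr": "0.0.0.0/0"}],      # added via console
        "tags": {"env": "prod", "aws:cloudformation:stack-name": "web"},
    },
    "aws_s3_bucket.logs": {"encrypted": False, "versioning": True},  # disabled by hand
    "aws_autoscaling_group.web": {
        "min_size": 2, "max_size": 10, "desired_capacity": 6,    # scaled out
        "tags": {"env": "prod", "LastScaledAt": "2024-05-01T10:00:00Z"},
    },
}


def diff_state(declared, actual, path=""):
    """Yield (path, declared, actual) for every leaf that differs. A key missing
    on one side shows up as None. Lists are compared as unordered rule sets:
    'declared' holds rules that vanished and 'actual' holds rules that appeared."""
    if isinstance(declared, dict) and isinstance(actual, dict):
        for key in sorted(set(declared) | set(actual)):
            child = f"{path}.{key}" if path else key
            yield from diff_state(declared.get(key), actual.get(key), child)
    elif isinstance(declared, list) and isinstance(actual, list):
        missing = [item for item in declared if item not in actual]
        added = [item for item in actual if item not in declared]
        if missing or added:
            yield path, missing, added
    elif declared != actual:
        yield path, declared, actual


def severity(path):
    """Crude triage: drift on security-relevant attributes is 'high'."""
    return "high" if any(s in path for s in SECURITY_SENSITIVE) else "review"


def detect_drift(declared, actual, expected=EXPECTED_DRIFT):
    """Return unexpected drift findings, each tagged with a severity."""
    findings = []
    for path, want, got in diff_state(declared, actual):
        if any(fnmatch(path, pattern) for pattern in expected):
            continue
        findings.append({"path": path, "declared": want, "actual": got,
                         "severity": severity(path)})
    return findings


if __name__ == "__main__":
    for finding in detect_drift(DECLARED, ACTUAL):
        print(f"[{finding['severity']}] {finding['path']}: "
              f"declared={finding['declared']} actual={finding['actual']}")
```

Run as written, the scaled-out capacity and the two cloud-managed tags are suppressed, and only the disabled bucket encryption and the new port-22 ingress rule are reported, both as `high`. Passing `expected=[]` shows all five differences, which is a useful sanity check that an exclusion list is not silently hiding real changes; keep that list short and reviewed, because every pattern in it is a blind spot.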
How Kloudle Helps
Kloudle detects drift through continuous scanning — comparing your current cloud state against security baselines across 1,890 checks. When configurations change between scans, Kloudle flags the delta so you can determine whether a change was intentional or a security risk. With sovereign CSPM deployment, drift data and scan history remain entirely within your infrastructure.
Related Terms
- What is CSPM? — Continuous posture monitoring catches drift
- What is Cloud Misconfiguration? — Drift often introduces misconfigurations
- What is Sovereign CSPM? — Keep drift detection data in your infrastructure