Drift detection

Keep your code in sync with your cloud

When changes are made directly to cloud resources instead of the infrastructure as code (IaC) templates that provisioned them, drift occurs. Although infrastructure drift isn’t always a security risk, it undermines the benefits of IaC and is at odds with GitOps. Without code to cloud visibility, it’s impossible to detect drift programmatically.

Bridgecrew’s Multi-Cloud Drift Detection continuously monitors configuration discrepancies between your cloud resources and IaC and provides automated fixes in code.

Drift 101

Why does cloud configuration drift occur?

Drift occurs for a variety of reasons but happens mostly during maintenance, incident response tasks, and because of knowledge and access gaps. For teams leveraging IaC, the risk of misconfiguration and performance issues increases when cloud configuration changes are made outside of Git.

Accidental or temporary modifications

When troubleshooting a problem within an application—often during a “break glass” moment—temporary changes made directly to cloud infrastructure may be the fastest solution. But if those changes don’t get reverted, they can become permanent fixtures that may cause friction the next time IaC is provisioned.

Permanent or intentional modifications

Whether due to a lack of knowledge or access to code, it’s not uncommon for SecOps to head straight to a cloud console or CLI to fix a misconfiguration. Although that change may improve security posture in the short term, the resulting drift will negate the auditability, collaboration, and repeatability benefits of IaC.

Checklist: Shift-Left Cloud Security

Learn how to prevent drift and more with these 6 code-to-cloud security rules


Detect drift continuously with Bridgecrew

Automatically get alerted about out-of-sync changes that get introduced to your cloud environment.

Multi-framework, multi-cloud

Depending on the framework, Bridgecrew supports several ways to trace IaC to their cloud resources, including through our open source IaC tag and trace tool, Yor.

Fixes, two ways

When drift is detected, Bridgecrew enables you to either codify the cloud change in your IaC resource block or head over to your cloud console to fix it directly.

Detect drift between IaC and cloud resources

Sign up for a free 14-day Bridgecrew trial or get a Prisma Cloud Code Security demo.