Keep your code in sync with your cloud
Drift occurs when changes are made directly to cloud resources instead of to the infrastructure as code (IaC) templates that provisioned them. Although infrastructure drift isn’t always a security risk, it undermines the benefits of IaC and is at odds with GitOps. Without code-to-cloud visibility, drift can’t be detected programmatically.
Bridgecrew’s Multi-Cloud Drift Detection continuously monitors configuration discrepancies between your cloud resources and IaC and provides automated fixes in code.
Why does cloud configuration drift occur?
Drift occurs for a variety of reasons, but it happens mostly during maintenance and incident response tasks, and because of knowledge and access gaps. For teams leveraging IaC, the risk of misconfiguration and performance issues increases whenever cloud configuration changes are made outside of Git.
Accidental or temporary modifications
When troubleshooting a problem within an application—often during a “break glass” moment—temporary changes made directly to cloud infrastructure may be the fastest solution. But if those changes don’t get reverted, they can become permanent fixtures that may cause friction the next time IaC is provisioned.
Permanent or intentional modifications
Whether due to a lack of knowledge or access to code, it’s not uncommon for SecOps to head straight to a cloud console or CLI to fix a misconfiguration. Although that change may improve security posture in the short term, the resulting drift will negate the auditability, collaboration, and repeatability benefits of IaC.
Detect drift continuously with Bridgecrew
Automatically get alerted about out-of-sync changes that get introduced to your cloud environment.
Depending on the framework, Bridgecrew supports several ways to trace IaC resources to the cloud resources they provisioned, including through our open source IaC tag-and-trace tool, Yor.
Fixes, two ways
When drift is detected, Bridgecrew enables you to either codify the cloud change in your IaC resource block or head over to your cloud console to fix it directly.
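The two steps described above (tracing an IaC block to its cloud resource through a tag, then diffing the declared attributes against the live ones and offering either a codified fix or a cloud-side revert) can be shown end to end in a small script. This is an added illustration, not Bridgecrew's or Yor's code. It assumes that Yor has stamped both the IaC block and the provisioned resource with a `yor_trace` tag (that key name, the trace values, and the resource data below are constructed), and that the cloud API response has already been flattened to the same attribute names the IaC uses.

```python
"""Minimal code-to-cloud drift detector (illustration, not Bridgecrew/Yor code)."""
from __future__ import annotations
from dataclasses import dataclass, field

TRACE_TAG = "yor_trace"               # assumed tag key linking code to cloud
COMPUTED = {"arn", "id", "owner_id"}  # runtime-only attributes, never counted as drift


@dataclass
class Resource:
    address: str          # IaC address (aws_s3_bucket.logs) or cloud identifier
    attributes: dict
    tags: dict = field(default_factory=dict)


# Constructed sample: what the Terraform code declares ...
IAC = [
    Resource("aws_s3_bucket.logs",
             {"bucket": "acme-logs", "acl": "private", "versioning": True},
             tags={TRACE_TAG: "2f1c-0001"}),
    Resource("aws_security_group.web",
             {"name": "web", "ingress_cidr": "10.0.0.0/8", "port": 443},
             tags={TRACE_TAG: "2f1c-0002"}),
]
# ... and what the cloud API reports: a console change widened the SG ingress,
# and a "break glass" bucket was created by hand with no trace tag at all.
CLOUD = [
    Resource("acme-logs",
             {"bucket": "acme-logs", "acl": "private", "versioning": True,
              "arn": "arn:aws:s3:::acme-logs"},
             tags={TRACE_TAG: "2f1c-0001"}),
    Resource("sg-0abc",
             {"name": "web", "ingress_cidr": "0.0.0.0/0", "port": 443,
              "id": "sg-0abc", "owner_id": "123456789012"},
             tags={TRACE_TAG: "2f1c-0002"}),
    Resource("acme-tmp-debug",
             {"bucket": "acme-tmp-debug", "acl": "private", "versioning": False}),
]


def pair_by_trace(iac, cloud):
    """Match IaC blocks to cloud resources by trace tag. Cloud resources without a
    trace tag are unmanaged (created outside code); unmatched IaC is unprovisioned."""
    cloud_by_trace = {r.tags[TRACE_TAG]: r for r in cloud if TRACE_TAG in r.tags}
    unmanaged = [r for r in cloud if TRACE_TAG not in r.tags]
    pairs = []
    for code in iac:
        live = cloud_by_trace.pop(code.tags.get(TRACE_TAG), None)
        if live is not None:
            pairs.append((code, live))
    return pairs, unmanaged


def detect_drift(code, live):
    """Return {attr: (declared, actual)} for every declared attribute whose live value differs."""
    drift = {}
    for key, declared in code.attributes.items():
        if key in COMPUTED:
            continue
        actual = live.attributes.get(key)
        if actual != declared:
            drift[key] = (declared, actual)
    return drift


def codify(code, drift):
    """Fix 1: accept the cloud change by writing it back into the IaC block."""
    fixed = Resource(code.address, dict(code.attributes), dict(code.tags))
    for key, (_declared, actual) in drift.items():
        fixed.attributes[key] = actual
    return fixed


def revert_plan(code, drift):
    """Fix 2: the declared values to re-apply in the cloud so it matches the code."""
    return {key: declared for key, (declared, _actual) in drift.items()}


def _hcl(value):
    if isinstance(value, bool):          # bool before int: True is an int in Python
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    return f'"{value}"'


def to_hcl(res):
    """Render a Resource as a Terraform block, e.g. for the codified fix."""
    rtype, name = res.address.split(".", 1)
    lines = [f'resource "{rtype}" "{name}" {{']
    lines += [f"  {k} = {_hcl(v)}" for k, v in res.attributes.items()]
    lines += ["  tags = {"] + [f"    {k} = {_hcl(v)}" for k, v in res.tags.items()] + ["  }", "}"]
    return "\n".join(lines)


def report(iac=IAC, cloud=CLOUD):
    """Drift keyed by IaC address plus the identifiers of unmanaged cloud resources."""
    pairs, unmanaged = pair_by_trace(iac, cloud)
    drifted = {}
    for code, live in pairs:
        diff = detect_drift(code, live)
        if diff:
            drifted[code.address] = diff
    return drifted, [r.address for r in unmanaged]


if __name__ == "__main__":
    drifted, unmanaged = report()
    for address, diff in drifted.items():
        print(f"DRIFT {address}: {diff}")
        block = next(r for r in IAC if r.address == address)
        print("  codified fix:\n" + to_hcl(codify(block, diff)))
        print("  cloud revert:", revert_plan(block, diff))
    for address in unmanaged:
        print(f"UNMANAGED {address}: no {TRACE_TAG} tag, not tracked in code")
```

The report deliberately shows both fixes side by side rather than choosing one: in this sample the drift opened a security group to `0.0.0.0/0`, so codifying it would lock a weaker posture into Git, while reverting restores the reviewed intent. The untagged bucket is reported separately because no IaC block claims it; that is the "temporary change that never got reverted" case, and it cannot be diffed, only surfaced.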
Code to cloud coverage
The best way to avoid drift is to ensure complete adoption of IaC, but that takes time. And even then, drift is inevitable. Code-to-cloud drift detection coverage is the only failsafe.
Preventative IaC security
Bridgecrew embeds across your development lifecycle to ensure code is secure and compliant at each phase. If Bridgecrew detects that an IaC resource is different from its runtime state, Bridgecrew highlights the changes so you can easily fix the drift then and there.
Continuous cloud monitoring
With GitOps in place, drift shouldn’t technically be an issue. But when it inevitably crops up, Bridgecrew has your runtime environment covered to help you detect it and get all the information you need to quickly assess and revert unintended changes.
Detect drift between IaC and cloud resources
Sign up for a free 14-day Bridgecrew trial or get a Prisma Cloud Code Security demo.