Infrastructure drift occurs when real-world cloud resources diverge from the desired configuration declared in Infrastructure as Code. Drift undermines reproducibility, increases security risk, and complicates incident response. Kief Morris of ThoughtWorks argues that treating infrastructure definitions as the single source of truth is foundational to preventing these harms, because it enables repeatable builds and automated verification.
Detecting drift
Teams can detect drift through continuous comparison of declared state and actual state. HashiCorp tools implement refresh and plan operations that surface differences between the IaC state file and provider resources, and Mitchell Hashimoto of HashiCorp documents these operations as part of standard Terraform workflows. Cloud providers offer native drift detection as well. Amazon Web Services offers CloudFormation drift detection and AWS Config to record and evaluate resource configurations over time, which helps identify unauthorized or accidental changes. Combining provider-native audits with external scanners reduces blind spots caused by provider-specific APIs or transient state changes. Detection frequency matters: hourly checks catch short-lived manual fixes, while daily or weekly checks may miss them.
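The declared-versus-actual comparison described above, as an added example that is not code from the original article or from any of the tools it names: it diffs two resource maps, reports resources that were deleted, created outside IaC, or changed attribute by attribute, and skips provider-managed attributes that should not count as drift. The resource ids, attribute names, the ignore list and the sample states are constructed assumptions.

```python
# Added example, not code from the original article: compare declared (IaC) state
# with actual provider state. Resource ids, attribute names and sample data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Drift:
    resource: str
    kind: str              # "missing", "unmanaged" or "changed"
    attribute: str = ""    # dotted attribute path, set for "changed" findings
    declared: object = None
    actual: object = None

def _flatten(obj, prefix=""):
    """Yield (dotted.path, leaf) pairs; lists are indexed, so reordering counts as drift."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _flatten(val, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _flatten(val, f"{prefix}{idx}.")
    else:
        yield prefix.rstrip("."), obj

def detect_drift(declared, actual, ignore=frozenset({"tags.LastModified"})):
    """Diff two maps of resource_id -> attributes; `ignore` holds provider-managed paths."""
    findings = []
    for rid in sorted(declared.keys() - actual.keys()):
        findings.append(Drift(rid, "missing"))      # declared, but gone from the provider
    for rid in sorted(actual.keys() - declared.keys()):
        findings.append(Drift(rid, "unmanaged"))    # exists, but no IaC declares it
    for rid in sorted(declared.keys() & actual.keys()):
        want, have = dict(_flatten(declared[rid])), dict(_flatten(actual[rid]))
        for attr in sorted((want.keys() | have.keys()) - ignore):
            if want.get(attr) != have.get(attr):
                findings.append(Drift(rid, "changed", attr, want.get(attr), have.get(attr)))
    return findings

# Constructed sample: IaC declares two resources; a console edit added an ingress
# rule, deleted the log bucket and left an orphaned volume behind.
DECLARED = {
    "sg-web": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"}], "tags": {"env": "prod"}},
    "bucket-logs": {"versioning": True, "public": False},
}
ACTUAL = {
    "sg-web": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"},
                           {"port": 22, "cidr": "0.0.0.0/0"}],
               "tags": {"env": "prod", "LastModified": "2024-01-01T00:00:00Z"}},
    "orphan-volume": {"size_gb": 100},
}
```

Running `detect_drift(DECLARED, ACTUAL)` on a schedule and alerting on a non-empty result is the continuous comparison the paragraph describes; the ignore list is where provider-written attributes go so they do not page anyone.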
Remediating drift
Remediation should follow an automated, policy-driven path where possible. The safest approach is to reconcile actual resources to IaC by running the authoritative apply from a CI/CD pipeline, preserving auditability and approvals. For changes that cannot immediately be managed by code, teams should capture the manual change in version-controlled IaC and use feature branches and automated tests before deployment. Policy as code tools such as Open Policy Agent and HashiCorp Sentinel provide guardrails that prevent classes of manual edits from being accepted. Human processes are equally important. Clear runbooks, accessible staging environments, and cross-team change approval reduce the cultural drivers of drift where on-call engineers make expedient console edits to restore service.
Consequences of unchecked drift include compliance violations, increased attack surface, cost leakage from orphaned resources, and geographical inconsistencies that affect data residency obligations in different territories. Remediation strategies must therefore combine technical controls, documented organizational practices, and ongoing education so that IaC remains the authoritative source. Treating drift as a predictable operational phenomenon rather than an exceptional failure creates resilient, auditable cloud infrastructure.