IaC Drift Detection identifies runtime configurations that diverge from code. It flags security-critical discrepancies to focus remediation efforts.
IaC drift detection identifies discrepancies between the desired state defined in your Infrastructure as Code templates and the actual state of deployed cloud resources, enabling you to detect unauthorized changes, manual overrides, and configuration drift before they introduce security vulnerabilities.
IaC drift detection preserves Git as the single source of truth (SSOT) by correlating declared infrastructure templates with live cloud resources using Code to Cloud lineage. Cortex evaluates drift through a misconfiguration-based detection model, surfacing discrepancies only when a runtime resource violates a security or compliance rule that is not violated in its corresponding IaC definition. This ensures drift issues reflect security-relevant divergence rather than expected operational variance.
By closing the gap between code-defined infrastructure and runtime reality, drift detection prevents untracked risks. Without it, manual changes applied directly to cloud resources—such as relaxed security group rules, modified IAM policies, or disabled encryption settings—bypass the IaC-governed deployment pipeline and silently weaken your security posture.
Scope: The IaC Drift Detection page consolidates all drift issues across monitored cloud accounts and repositories into a single view where you can prioritize, investigate, remediate, and track drift resolution.
Core achievements and use cases
Detecting unauthorized changes and shadow modifications: Drift detection identifies changes made directly to cloud resources outside the IaC deployment pipeline (console modifications, CLI overrides, or API calls) that bypass code review, policy evaluation, and audit controls. Detecting unauthorized changes prevents security-weakening modifications from persisting undetected in production environments
Maintaining IaC as the single source of truth: Drift detection enforces the principle that all infrastructure changes must flow through the IaC pipeline. When drift is detected, Cortex Cloud surfaces the deviation and provides remediation paths to either revert the cloud resource to the IaC-defined state or update the IaC template to codify the change. Maintaining IaC as the authoritative configuration source ensures that security policies, compliance controls, and audit trails remain intact
Reducing configuration entropy: Over time, manual changes accumulate across cloud environments, creating configuration entropy, a state where the actual infrastructure diverges significantly from the declared state. Drift detection quantifies configuration entropy by measuring the number and severity of drifted resources, enabling AppSec managers to track posture degradation and enforce remediation cadences
Establishing compliance evidence for audits: Drift detection provides auditable evidence that deployed cloud resources conform to the configurations defined in IaC templates. Mapping drift issues to specific resources, properties, and timestamps creates a compliance trail that satisfies CIS Benchmarks, SOC 2, NIST SP 800-53 (CM-3 Configuration Change Control, CM-6 Configuration Settings), ISO 27001 (A.12.1.2 Change Management), and organizational security policy requirements
Functional responsibilities
The IaC drift detection workflow facilitates a structured delegation model between Governance and Operations:
AppSec managers (Governance): Review drift trends across cloud accounts, resource types, and environments to identify systemic governance failures. Define drift detection policies that enforce configuration compliance baselines. Prioritize drift remediation based on severity and the security impact of the deviation
AppSec practitioners (Operations): Triage and remediate drift issues by reverting unauthorized changes, updating IaC templates to reflect intentional modifications, or escalating persistent drift to Cases for cross-team coordination. Track drift resolution progress through resolution statuses and SLA compliance
Prerequisites
To enable drift detection, ensure your environment meets the following requirements:
License: An active Cortex Cloud license with Application Security add-on entitlements
RBAC Role: The AppSec Admin or SOC Analyst role, or an equivalent custom role with drift management permissions
Cloud service provider integration: The target cloud accounts (AWS, Azure, or GCP) must be successfully onboarded, returning data, and able to read the actual state of your infrastructure from the live environment
Version control system (VCS) integration: The platform must be able to read the intended state of your infrastructure from your code repositories
Repository integration: A valid integration with a supported VCS provider (such as GitHub, GitLab, Bitbucket, Azure DevOps) must be active
Supported formats: The repository must contain valid Terraform (.tf) or CloudFormation (.yml/.json) templates
File structure: The integration must have visibility into the root directory where the IaC templates are located
IaC Scanner: The IaC scanner enabled for the target repositories. For supported frameworks, see Supported frameworks
Code-to-Cloud Mapping: Active Code-to-Cloud traceability linking IaC templates in repositories to deployed cloud resources. Drift detection requires this mapping to compare declared state against runtime state
Resource tagging: Drift detection requires a common identifier to correlate the code block in the VCS with the live resource in the cloud. Use either of the following methods:
Automatically using the Tagging Bot: Refer to Manage repository scan configurations to enable the Tagging Bot
Manually set up yor_trace tags: Refer to the Yor documentation for more information
Rule mapping (Critical): Drift is calculated only for IaC rules that are mapped to a corresponding CSPM rule. Rules without this mapping lack a runtime signal and cannot generate drift issues. If a declared resource cannot be resolved to a specific runtime resource via this mapping, drift is not evaluated
Periodic Scan: At least one completed periodic scan that includes IaC drift detection results
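The following is an added illustration, not Cortex Cloud code, of the misconfiguration-based detection model described above: declared and runtime resources are correlated through a shared yor_trace tag, only IaC rules that map to a CSPM rule are evaluated, and a drift issue is raised only when the runtime resource violates a rule that its declared counterpart satisfies. Rule ids, resource types and attribute names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    rtype: str              # constructed sample type, e.g. "aws_s3_bucket"
    yor_trace: str          # correlation tag shared by the code block and the live resource
    attrs: dict = field(default_factory=dict)

# Constructed rule table: IaC rule id -> (resource type, mapped CSPM rule id or None, check).
# A rule whose CSPM id is None has no runtime signal and can never produce drift.
RULES = {
    "IAC_S3_ENCRYPTION":   ("aws_s3_bucket", "CSPM_S3_ENCRYPTION",
                            lambda a: a.get("encrypted") is True),
    "IAC_SG_NO_WORLD_SSH": ("aws_security_group", "CSPM_SG_NO_WORLD_SSH",
                            lambda a: "0.0.0.0/0:22" not in a.get("ingress", [])),
    "IAC_S3_LOGGING":      ("aws_s3_bucket", None,
                            lambda a: a.get("logging") is True),
}

def evaluate_drift(declared, runtime):
    """Return drift issues as (yor_trace, iac_rule, cspm_rule) tuples."""
    live_by_trace = {r.yor_trace: r for r in runtime}
    issues = []
    for decl in declared:
        live = live_by_trace.get(decl.yor_trace)
        if live is None:
            continue  # declared block cannot be resolved to a runtime resource: not evaluated
        for iac_rule, (rtype, cspm_rule, check) in RULES.items():
            if cspm_rule is None or decl.rtype != rtype:
                continue  # unmapped rule, or a rule for another resource type
            if check(decl.attrs) and not check(live.attrs):
                issues.append((decl.yor_trace, iac_rule, cspm_rule))  # security-relevant divergence
    return issues

def demo():
    """Constructed sample: one encryption drift, one SG drift, one benign change, one unresolved."""
    declared = [
        Resource("aws_s3_bucket", "t-logs", {"encrypted": True, "logging": True}),
        Resource("aws_security_group", "t-web", {"ingress": ["10.0.0.0/8:22"]}),
        Resource("aws_s3_bucket", "t-assets", {"encrypted": True, "versioning": False}),
        Resource("aws_s3_bucket", "t-ghost", {"encrypted": True}),  # not deployed yet
    ]
    runtime = [
        Resource("aws_s3_bucket", "t-logs", {"encrypted": False, "logging": False}),
        Resource("aws_security_group", "t-web", {"ingress": ["10.0.0.0/8:22", "0.0.0.0/0:22"]}),
        Resource("aws_s3_bucket", "t-assets", {"encrypted": True, "versioning": True}),
    ]
    return evaluate_drift(declared, runtime)
```

Note that the disabled logging on t-logs is not surfaced because its IaC rule has no CSPM mapping, and the versioning change on t-assets is treated as operational variance because no rule is violated.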