The dashboard looked clean. Too clean.
And that’s when you knew the infrastructure was lying to you.
Infrastructure drift is silent until it burns you. Teams build with Terraform, CloudFormation, Pulumi, or CDK, then six months later the actual cloud state has shifted like sand under your feet. A setting tweaked in production at 2 a.m. stays undocumented. A security group widened “just for testing” remains forgotten. You can’t fix what you can’t see, and without detection, you’ll only catch the drift after damage is done.
The fastest way to catch drift across AWS accounts is to think in profiles. AWS CLI-style profiles split your environments by named credentials: one profile per account and role, each mapped to the credentials or assumed role that can read that account. Your IaC validation should lean on the same split, iterating over profiles and comparing what the code declares, and what the state file last recorded, against what the account actually contains.
Set up an AWS CLI profile for each account, environment, or role. The naming convention matters because automation can loop through profiles without guessing; a pattern like `<env>-<role>` (for example `prod-ops`, `staging-readonly`) is enough. Define them in `~/.aws/config`, which holds regions, `role_arn`/`source_profile` chains and IAM Identity Center (SSO) settings and is safe to share, and keep any static keys in `~/.aws/credentials`, never in source control. For drift detection prefer a profile that assumes a read-only role over one backed by long-lived access keys: the checker only needs to describe resources, and a leaked read-only session does far less damage than a leaked administrator key.
Once profiles are in place, you can run drift detection in sequence, one profile per pass, setting the profile the way each tool expects. The AWS CLI and CDK take `--profile` directly (`aws cloudformation detect-stack-drift --stack-name web --profile prod-ops`, `cdk diff --profile prod-ops`); Terraform's CLI has no such flag, so you export `AWS_PROFILE` or set `profile` in the AWS provider block, and Pulumi reads `AWS_PROFILE` or its `aws:profile` config. Mind what you are diffing: a plain `terraform plan` mixes unapplied code changes with out-of-band edits, while `terraform plan -refresh-only` reports only the gap between recorded state and the live account, which is the drift you care about here. Automate the run so it happens after every merge, every deploy, or on a schedule. The payoff is multi-account coverage without hardcoded credentials or manual context switching.
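One way to wire that loop together, as an added example (not hoop.dev's code and not taken from any of the IaC tools named above): a Python script that reads profile names out of an AWS CLI config and runs `terraform plan -refresh-only -detailed-exitcode` once per profile with `AWS_PROFILE` set. The config text is constructed for the example, with placeholder account ids and SSO URL. It assumes the Terraform root in the working directory already keeps separate state per account (one workspace or backend config per profile); the script does not manage that.

```python
"""Run Terraform drift detection once per AWS CLI profile (added example).

Assumptions (not from the original page): the Terraform root module in the
current directory separates state per account, and the AWS provider picks its
credentials up from AWS_PROFILE, which is its documented behaviour.
"""
import configparser
import os
import subprocess
import sys
from typing import Callable, Dict, List

# A ~/.aws/config constructed for this example. Account ids and the SSO start
# URL are placeholders.
SAMPLE_AWS_CONFIG = """\
[default]
region = us-east-1

[profile prod-ops]
region = us-east-1
role_arn = arn:aws:iam::111111111111:role/DriftReadOnly
source_profile = default

[profile staging-ops]
region = eu-west-1
sso_session = corp
sso_account_id = 222222222222
sso_role_name = ReadOnly

[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
"""

# terraform plan with -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes.
# -refresh-only limits the diff to recorded-state-vs-reality, so unapplied code
# changes are not reported as drift.
TERRAFORM_PLAN = [
    "terraform", "plan", "-refresh-only", "-detailed-exitcode",
    "-input=false", "-no-color", "-lock=false",
]


def profiles_from_config(config_text: str) -> List[str]:
    """Return profile names as the CLI expects them after --profile.

    The default profile is written '[default]'; every other profile is
    '[profile NAME]'. Other sections ('[sso-session corp]') are not profiles.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    names = []
    for section in parser.sections():
        if section == "default":
            names.append("default")
        elif section.startswith("profile "):
            names.append(section[len("profile "):].strip())
    return names


def classify_exit(code: int) -> str:
    """Map a -detailed-exitcode result to a status word for the report."""
    return {0: "clean", 2: "drift"}.get(code, "error")


def run_terraform(profile: str) -> int:
    """Run the plan with AWS_PROFILE set; the provider reads it, since the
    Terraform CLI itself has no --profile flag."""
    env = dict(os.environ, AWS_PROFILE=profile)
    return subprocess.run(TERRAFORM_PLAN, env=env, check=False).returncode


def detect_drift(profiles: List[str],
                 runner: Callable[[str], int] = run_terraform) -> Dict[str, str]:
    """Run drift detection per profile. Errors are kept apart from drift so a
    broken credential never masquerades as a clean account."""
    return {profile: classify_exit(runner(profile)) for profile in profiles}


def has_findings(results: Dict[str, str]) -> bool:
    """True if any account drifted or could not be checked."""
    return any(status != "clean" for status in results.values())


if __name__ == "__main__":
    with open(os.path.expanduser("~/.aws/config")) as fh:
        profiles = profiles_from_config(fh.read())
    results = detect_drift(profiles)
    for profile, status in results.items():
        print(f"{profile:<20} {status}")
    # Non-zero exit so a CI job fails on drift or on an unreachable account.
    sys.exit(2 if has_findings(results) else 0)
```

The `runner` parameter exists so the loop can be exercised without Terraform or AWS credentials present; in CI you call it with the default. Treating exit code 1 as its own status matters: an expired SSO session or a missing role would otherwise look like either a clean or a drifted account, and both readings are wrong.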
The reports should be sharp and automatic. They must show what changed, when, and who might have changed it. The IaC diff gives you the what; for the when and who you have to go to CloudTrail, because no plan output records the principal behind an out-of-band API call. Look up the drifted resource's id in the event history and read the acting identity off the mutating events. This turns drift from a vague suspicion into a concrete incident you can understand and resolve. If a change is intentional but missing from code, update the IaC. If it's unintentional, revert it and close the loop.
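To fill the "who" column, as an added example (not hoop.dev's code): query CloudTrail for the drifted resource's id and pull the acting principal out of each mutating event. The real call is `aws cloudtrail lookup-events`; the response embedded below is constructed to match its shape, with placeholder account ids, ARNs and addresses. It assumes the resource id is already known from the drift diff and that the change happened within the last 90 days in the queried region, which is all `lookup-events` covers.

```python
"""Attribute a drifted resource to a principal via CloudTrail (added example).

The sample response is constructed; the CLI invocation in run_lookup is the
real one, but nothing here is hoop.dev's code.
"""
import json
import subprocess
from typing import Callable, Dict, List

# Constructed lookup-events response: one read-only Describe call that must be
# ignored and one ingress rule change made through an assumed role at 2 a.m.
SAMPLE_LOOKUP_RESPONSE = json.dumps({
    "Events": [
        {
            "EventId": "11111111-1111-1111-1111-111111111111",
            "EventName": "DescribeSecurityGroups",
            "ReadOnly": "true",
            "EventTime": "2024-05-02T09:15:00+00:00",
            "CloudTrailEvent": json.dumps({
                "eventTime": "2024-05-02T09:15:00Z",
                "eventName": "DescribeSecurityGroups",
                "readOnly": True,
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::111111111111:assumed-role/DriftReadOnly/ci"},
                "sourceIPAddress": "203.0.113.10",
            }),
        },
        {
            "EventId": "22222222-2222-2222-2222-222222222222",
            "EventName": "AuthorizeSecurityGroupIngress",
            "ReadOnly": "false",
            "EventTime": "2024-05-02T02:07:41+00:00",
            "CloudTrailEvent": json.dumps({
                "eventTime": "2024-05-02T02:07:41Z",
                "eventName": "AuthorizeSecurityGroupIngress",
                "readOnly": False,
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::111111111111:assumed-role/Admin/alice"},
                "sourceIPAddress": "198.51.100.7",
                "requestParameters": {"groupId": "sg-0123456789abcdef0"},
            }),
        },
    ]
})


def run_lookup(resource_name: str, profile: str, region: str) -> str:
    """Call the AWS CLI. ResourceName matches ids such as sg-..., i-... or a
    bucket name. Only management events from the last 90 days in the given
    region are returned, so pick the region the resource lives in."""
    cmd = [
        "aws", "cloudtrail", "lookup-events",
        "--lookup-attributes", f"AttributeKey=ResourceName,AttributeValue={resource_name}",
        "--profile", profile, "--region", region,
        "--max-results", "50", "--output", "json",
    ]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def mutating_events(raw_response: str) -> List[Dict[str, str]]:
    """Keep only events that could have changed the resource, newest first."""
    rows = []
    for event in json.loads(raw_response).get("Events", []):
        detail = json.loads(event["CloudTrailEvent"])
        # The record's readOnly flag is authoritative; fall back to the
        # summary's ReadOnly string if an old record lacks it.
        if detail.get("readOnly", event.get("ReadOnly") == "true"):
            continue
        identity = detail.get("userIdentity", {})
        rows.append({
            "time": detail["eventTime"],
            "event": detail["eventName"],
            "principal": identity.get("arn") or identity.get("userName")
                         or identity.get("type", "unknown"),
            "source_ip": detail.get("sourceIPAddress", ""),
        })
    rows.sort(key=lambda row: row["time"], reverse=True)
    return rows


def attribute_change(resource_name: str, profile: str, region: str,
                     lookup: Callable[[str, str, str], str] = run_lookup) -> List[Dict[str, str]]:
    """Who touched this resource, according to CloudTrail in that account."""
    return mutating_events(lookup(resource_name, profile, region))


if __name__ == "__main__":
    for row in attribute_change("sg-0123456789abcdef0", "prod-ops", "us-east-1"):
        print(f"{row['time']}  {row['event']:<32} {row['principal']}  from {row['source_ip']}")
```

The principal comes back as an STS session ARN, and the session name is only as trustworthy as your role trust policy makes it: if anyone can assume `Admin` with an arbitrary session name, "alice" is a claim, not evidence. Pinning `sts:RoleSessionName` to the federated username in the trust policy is what turns that column into attribution.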
AWS CLI-style profiles give you the isolation you need for safety and the scalability you want for visibility. Drift detection stops being a quarterly ritual and becomes a live guardrail. You can know your cloud is in the state you declared, not the state it wandered into.
You can see this whole workflow running live in minutes with hoop.dev. Point it at your AWS CLI profiles, connect your IaC, and watch it pull drift out of the shadows. The time to set up is short. The time it saves you is long.