
IaC Drift Detection with CloudTrail Query Runbooks


Your Infrastructure as Code (IaC) can drift from reality in hours. Drift means the state you defined in Terraform, CloudFormation, or Pulumi no longer matches what runs. That gap is a risk: misconfigurations, security holes, and broken deployments hide there. Detecting it early matters.

IaC Drift Detection is straightforward in theory. Compare provisioned infrastructure to the source of truth in code. In practice, it needs precision and automation. AWS CloudTrail logs every change: new resources, updated properties, deletions. Querying CloudTrail for configuration changes gives you a real-time feed of potential drift. You can match these changes against your IaC definitions to confirm drift, or dismiss intentional updates.

The core pattern is: gather CloudTrail events → filter for resource change actions → map them to resource IDs in your IaC → raise alerts when a mismatch appears. SQL queries in Amazon Athena or direct CloudTrail LookupEvents API calls can extract the actions you care about. Examples: UpdateSecurityGroupRule, CreateBucket, ModifyDBInstance. Run them on a schedule, pipe the results into a comparison job, and store the history.


This is where CloudTrail Query Runbooks become valuable. A runbook is a repeatable set of steps you execute whenever drift is suspected. It answers three questions: How do we check? How do we confirm? How do we fix? Codify runbooks so automation can trigger them. Step one: run the CloudTrail query. Step two: compare the results to IaC state. Step three: if drift is confirmed, trigger a pipeline to reapply, or alert the right team.
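The three runbook steps above, carried through in one script as an added example (this is not hoop.dev's code and not from the post). It assumes the event records have the shape the CloudTrail LookupEvents API returns (top-level EventName/EventTime plus the full event as a JSON string under CloudTrailEvent), that the source of truth is a Terraform state document, and that the CI/CD pipeline applies IaC through one known IAM role (the ARN here is a constructed placeholder), so a change made by that role is expected rather than drift. The sample state and events are constructed inline so the script runs offline.

```python
"""Added example: one drift-detection runbook pass over CloudTrail change events.

Assumptions (not stated by the post): LookupEvents-style records, a Terraform
state document as the source of truth, and a single IAM role used by the
CI/CD pipeline for `terraform apply`, so its changes are expected, not drift.
"""
import json

# Resource-changing API actions worth tracking (real EC2/S3/RDS action names;
# extend this set for the services you manage).
CHANGE_ACTIONS = {
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "ModifySecurityGroupRules", "CreateBucket", "DeleteBucket",
    "PutBucketPolicy", "ModifyDBInstance", "DeleteDBInstance",
}
# Constructed placeholder: the role the pipeline assumes for `terraform apply`.
PIPELINE_ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/terraform-ci/apply"
# requestParameters keys that carry the resource id for the actions above.
ID_KEYS = ("groupId", "bucketName", "dBInstanceIdentifier")


def managed_resource_ids(tfstate):
    """Map every resource id in a Terraform state document to its address."""
    ids = {}
    for res in tfstate.get("resources", []):
        for inst in res.get("instances", []):
            rid = inst.get("attributes", {}).get("id")
            if rid:
                ids[rid] = f"{res['type']}.{res['name']}"
    return ids


def resource_ids_from_event(detail):
    """Pull resource identifiers out of a parsed CloudTrail event body."""
    params = detail.get("requestParameters") or {}
    return {params[k] for k in ID_KEYS if params.get(k)}


def detect_drift(lookup_events, tfstate, pipeline_role_arn=PIPELINE_ROLE_ARN):
    """Steps one and two: filter change events and compare them to IaC state.

    Each finding is 'expected' (made by the IaC pipeline), 'drift' (someone
    else changed a managed resource) or 'unmanaged' (a change to a resource
    Terraform does not track at all).
    """
    managed = managed_resource_ids(tfstate)
    findings = []
    for rec in lookup_events:
        if rec["EventName"] not in CHANGE_ACTIONS:
            continue  # read-only or irrelevant API call
        detail = json.loads(rec["CloudTrailEvent"])
        actor = (detail.get("userIdentity") or {}).get("arn", "")
        for rid in sorted(resource_ids_from_event(detail)):
            if actor == pipeline_role_arn:
                kind = "expected"
            elif rid in managed:
                kind = "drift"
            else:
                kind = "unmanaged"
            findings.append({"kind": kind, "resource": rid,
                             "address": managed.get(rid), "actor": actor,
                             "event": rec["EventName"], "time": rec["EventTime"]})
    return findings


def needs_action(findings):
    """Step three: only drift and unmanaged changes should page a team."""
    return [f for f in findings if f["kind"] != "expected"]


# Constructed sample state: two managed resources.
SAMPLE_TFSTATE = {"resources": [
    {"type": "aws_security_group", "name": "web",
     "instances": [{"attributes": {"id": "sg-0abc123def456789a"}}]},
    {"type": "aws_s3_bucket", "name": "logs",
     "instances": [{"attributes": {"id": "acme-logs-prod"}}]},
]}


def _event(name, time, actor_arn, params):
    """Build a constructed LookupEvents-style record."""
    body = {"eventName": name, "userIdentity": {"arn": actor_arn},
            "requestParameters": params}
    return {"EventName": name, "EventTime": time, "CloudTrailEvent": json.dumps(body)}


# Constructed sample events: a manual SG edit, a pipeline bucket creation,
# a manual change to an RDS instance Terraform never created, and a read-only call.
SAMPLE_EVENTS = [
    _event("AuthorizeSecurityGroupIngress", "2024-05-01T10:02:00Z",
           "arn:aws:iam::111122223333:user/alice", {"groupId": "sg-0abc123def456789a"}),
    _event("CreateBucket", "2024-05-01T10:05:00Z",
           PIPELINE_ROLE_ARN, {"bucketName": "acme-logs-prod"}),
    _event("ModifyDBInstance", "2024-05-01T10:09:00Z",
           "arn:aws:iam::111122223333:user/bob", {"dBInstanceIdentifier": "orders-db"}),
    _event("DescribeSecurityGroups", "2024-05-01T10:10:00Z",
           "arn:aws:iam::111122223333:user/bob", {}),
]

if __name__ == "__main__":
    for f in needs_action(detect_drift(SAMPLE_EVENTS, SAMPLE_TFSTATE)):
        print(f"{f['kind']:9} {f['event']:30} {f['resource']} by {f['actor']}")
```

To run this against a real account, replace SAMPLE_EVENTS with the "Events" lists from the pages of boto3's `lookup_events` paginator for the time window you are checking (there EventTime is a datetime rather than the ISO string the constructed sample uses) and load the state document from the backend where Terraform stores it. Treating the pipeline role as an allowlist is what keeps intentional applies out of the alert stream; the "unmanaged" class is worth keeping separate because a resource that exists in the account but not in state cannot be fixed by a reapply.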

Automating these runbooks turns drift detection from a manual chore into a guardrail. Integrating CloudTrail queries with IaC state files and CI/CD makes drift visible minutes after it happens. No need to wait for outage reports or security scans. Your cloud stays aligned with your code.

See how to set up IaC drift detection with CloudTrail query runbooks directly, and get it running in minutes at hoop.dev.
