
Your infrastructure is lying to you.


You think it matches the code in your repository. You think the state in Terraform, CloudFormation, or CDK is the whole truth. But resources created by hand, scripts run in production, or quiet failures in CI can drift you away from reality without warning. Detecting and reconciling Infrastructure as Code (IaC) drift is not optional. It’s survival.

For teams running on AWS, the AWS CLI gives a direct and reliable way to spot this drift before it becomes an outage. It connects straight to AWS CloudFormation’s drift detection features, letting you compare your intended stack against the actual resources in your account. No guesswork.

Understanding IaC Drift in AWS

IaC drift happens when the configuration of your live AWS resources stops matching what’s defined in your templates. This can come from ad-hoc changes in the AWS console, experimental testing, hotfixes at 3 a.m., or broken deployments. Left unchecked, drift leads to unpredictable environments and failed deployments.

The AWS CLI can trigger and check drift detection against entire stacks or individual stack resources. It works whether your templates declare a handful of S3 buckets or a sprawling network of VPCs, autoscaling groups, ALBs, and secrets.

Running AWS CLI Drift Detection

To detect drift with the AWS CLI, first make sure you have the latest CLI installed and configured with valid credentials. Then run:

aws cloudformation detect-stack-drift --stack-name MyStack

This starts a drift detection operation for the stack named MyStack and returns a StackDriftDetectionId. AWS processes the request asynchronously. You can check its progress by passing that ID to:

aws cloudformation describe-stack-drift-detection-status \
 --stack-drift-detection-id abcdefgh-1234-5678-abcd-1234567890ab

Once complete, view the results:

aws cloudformation describe-stack-resource-drifts --stack-name MyStack

The output lists each resource's drift status (IN_SYNC, MODIFIED, or DELETED) and, for modified resources, the property-level differences between the template's expected values and the live values, which is exactly what you need to decide how to reconcile them.
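As an added example that is not part of the original post, the following Python script chains the three commands above into a CI gate: it starts detection, polls the status until it completes, then reduces the describe-stack-resource-drifts output to the drifted resources and exits non-zero if any exist. It assumes the aws CLI is installed and credentialed; SAMPLE_DRIFTS is a constructed record for a hypothetical stack, not output from a real account.

```python
import json
import subprocess
import sys
import time

def aws_cfn(*args):
    """Run an aws cloudformation subcommand and parse its JSON output."""
    proc = subprocess.run(["aws", "cloudformation", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def run_drift_detection(stack_name, poll_seconds=5):
    """Start detection, poll until it finishes, then fetch the per-resource drift records."""
    detection_id = aws_cfn("detect-stack-drift", "--stack-name", stack_name)["StackDriftDetectionId"]
    while True:
        status = aws_cfn("describe-stack-drift-detection-status",
                         "--stack-drift-detection-id", detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    return aws_cfn("describe-stack-resource-drifts", "--stack-name", stack_name)["StackResourceDrifts"]

def summarize_drifts(drifts):
    """Keep only drifted resources as (LogicalResourceId, status, [(PropertyPath, DifferenceType)])."""
    findings = []
    for rec in drifts:
        if rec["StackResourceDriftStatus"] in ("IN_SYNC", "NOT_CHECKED"):
            continue  # NOT_CHECKED: the resource type does not support drift detection
        diffs = [(p["PropertyPath"], p["DifferenceType"]) for p in rec.get("PropertyDifferences", [])]
        findings.append((rec["LogicalResourceId"], rec["StackResourceDriftStatus"], diffs))
    return findings

# Constructed sample of describe-stack-resource-drifts output for a hypothetical stack.
SAMPLE_DRIFTS = [
    {"LogicalResourceId": "LogsBucket", "ResourceType": "AWS::S3::Bucket", "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
    {"LogicalResourceId": "AppSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED",  # an ingress rule was added by hand in the console
     "PropertyDifferences": [{"PropertyPath": "/SecurityGroupIngress/1", "DifferenceType": "ADD",
                              "ExpectedValue": None, "ActualValue": "{\"CidrIp\":\"0.0.0.0/0\",\"FromPort\":22}"}]},
    {"LogicalResourceId": "AlarmTopic", "ResourceType": "AWS::SNS::Topic",
     "StackResourceDriftStatus": "DELETED", "PropertyDifferences": []},
]

if __name__ == "__main__":  # usage: python drift_gate.py MyStack; exits 1 if anything drifted
    results = summarize_drifts(run_drift_detection(sys.argv[1]))
    for logical_id, status, diffs in results:
        print(f"{logical_id}: {status} {diffs}")
    sys.exit(1 if results else 0)
```

Run it as a pipeline step after every deployment or on a nightly schedule; a non-zero exit is the signal to investigate before the next deploy overwrites the change.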

Why Detecting Drift Early Matters

Drift is a silent source of risk. A production stack that doesn’t match its IaC makes every deployment a roll of the dice. Deploying over drift can erase critical manual patches or break integrations that depend on the changed configuration. Detecting drift early means resolving it on your terms, not in the middle of an outage window.

Automating drift detection with the AWS CLI in CI pipelines or scheduled jobs enforces configuration integrity. It ensures your IaC is trusted as the single source of truth.

Integrating Drift Detection Into Your Workflow

AWS CLI commands fit neatly into existing DevOps pipelines. You can run drift detection against every environment after changes, or nightly against all stacks. Combine it with notification hooks to post results to Slack or ticketing systems. This shortens the loop between drift happening and drift being fixed.

The habit of continuous drift detection builds operational discipline. It sends a clear signal that no change, however small, escapes scrutiny.

Cut the lag between code, truth, and reality. See true AWS IaC drift detection in action with hoop.dev and get it running live in minutes.
