Configuration drift occurs when infrastructure deviates from its intended state over time due to manual changes, automated updates, or conflicting tooling. Understanding and controlling drift is fundamental to reliable, secure, and compliant infrastructure at scale — because leaving drift unaddressed silently compounds into security vulnerabilities, compliance failures, and operational instability that becomes exponentially harder to resolve the longer it accumulates.
What This Cheat Sheet Covers
This topic spans 21 focused tables and 175 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Core Concepts and Definitions
The vocabulary of configuration drift spans IaC, GitOps, and ITSM disciplines; getting the terminology right is the prerequisite for effective tooling and process decisions. Drift is not always a mistake — understanding the distinction between intentional and unintentional drift is critical before designing detection and remediation strategies.
| Concept | Example | Description |
|---|---|---|
| Configuration drift | Server firewall rules diverge from the documented baseline over weeks | Gradual deviation of a system's active configuration from its intended, approved baseline state; the root problem all detection and remediation practices address |
| Drift detection | Comparing live cloud resources to IaC templates on a schedule | Process of identifying discrepancies between the actual infrastructure state and the desired state defined in IaC or a configuration baseline |
| Baseline | Known security-hardened server configuration stored in a CMDB | Reference configuration representing the approved state, used as the comparison point for all drift detection operations |
| Drift remediation | Running `terraform apply` to restore a drifted S3 bucket policy | Process of correcting a drifted configuration to restore the intended state, either automatically or through an approval workflow |
| State file | `terraform.tfstate` tracking all AWS resource attributes | Record of the infrastructure's known state, used by IaC tools to compare against live resources and plan corrective changes |
| Desired state configuration | `Configuration WebServer { ... }` PowerShell DSC block | Declarative approach to infrastructure where the intended state is declared as code and tooling continuously enforces it |
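The following script is an added example, not part of this cheat sheet, that ties the Table 1 concepts together: a baseline, a live snapshot, drift detection by comparing the two, the intentional-versus-unintentional distinction via an approved-deviation list, and a remediation plan that only targets unapproved drift. The baseline, live snapshot and approved list are constructed sample data, not taken from any real system.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Config = Dict[str, Dict[str, str]]

# Constructed baseline (the approved state): firewall rules and sshd settings.
BASELINE: Config = {
    "firewall": {"22/tcp": "allow from 10.0.0.0/8", "80/tcp": "allow", "443/tcp": "allow"},
    "sshd": {"PasswordAuthentication": "no", "PermitRootLogin": "no"},
}
# Constructed live snapshot: 80/tcp dropped, 8080/tcp added, password auth re-enabled.
LIVE: Config = {
    "firewall": {"22/tcp": "allow from 10.0.0.0/8", "443/tcp": "allow", "8080/tcp": "allow"},
    "sshd": {"PasswordAuthentication": "yes", "PermitRootLogin": "no"},
}
# Deviations approved through a change process are intentional drift, not defects.
APPROVED: Set[Tuple[str, str]] = {("firewall", "8080/tcp")}

@dataclass
class Drift:
    section: str
    key: str
    expected: Optional[str]  # None: key is absent from the baseline
    actual: Optional[str]    # None: key is absent from the live system
    intentional: bool

def detect_drift(baseline: Config, live: Config, approved=frozenset()) -> List[Drift]:
    """Diff every section/key of the live state against the baseline."""
    findings = []
    for section in sorted(set(baseline) | set(live)):
        base, cur = baseline.get(section, {}), live.get(section, {})
        for key in sorted(set(base) | set(cur)):
            if base.get(key) != cur.get(key):
                findings.append(Drift(section, key, base.get(key), cur.get(key),
                                      (section, key) in approved))
    return findings

def remediation_plan(findings: List[Drift]) -> List[str]:
    """Corrective actions for unintentional drift only; approved drift is left alone."""
    return [f"remove {f.section}[{f.key}]" if f.expected is None
            else f"set {f.section}[{f.key}] = {f.expected!r}"
            for f in findings if not f.intentional]

if __name__ == "__main__":
    found = detect_drift(BASELINE, LIVE, APPROVED)
    for f in found:
        print(f"{'approved' if f.intentional else 'UNAPPROVED'} drift: "
              f"{f.section}[{f.key}] {f.expected!r} -> {f.actual!r}")
    print("remediation plan:", remediation_plan(found))
```

In a real pipeline the baseline would come from the IaC state or CMDB and the live snapshot from the cloud API or host, with the plan fed into an approval workflow rather than applied blindly.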