Detect drift. Defend cloud.
🔍 Cloudrift is an open-source cloud drift detection tool that helps you identify when your cloud infrastructure no longer matches your Infrastructure-as-Code (IaC) — before it causes a security or compliance incident.
Cloudrift was featured in TLDR Sec #287 — one of the most respected newsletters in security engineering.
Curated by Clint Gibler, TLDR Sec is read by security teams at Google, Netflix, Segment, and many others.
| Feature | Cloudrift | driftctl | Terraform Drift Detect |
|---|---|---|---|
| Source of Truth | Terraform Plan + Live AWS API | Terraform State + Live AWS API | Terraform State vs Live State |
| Timing | Pre-apply (Plan-only) | Post-apply | Post-apply |
| Live Scan Independence | Separate AWS API scan, outside Terraform | In-memory Terraform refresh | Terraform refresh only |
| Output Format | JSON attribute-level diffs | CLI output (limited JSON/JSONPath support) | Human-readable diff |
| Custom Automation Integration | Easy to ingest into dashboards & bots | Requires parsing CLI output | Not designed for machine parsing |
Cloudrift’s plan-first, API-backed approach is a game-changer for teams that need reliable drift detection before they hit “apply.” Here’s who gets the biggest lift:
-
Early-stage Startups & Small Teams
- Challenge: No formal change-management process, manual reviews, high risk of “it worked in dev” surprises in prod.
- Example:
RockingAI has a 4-engineer team managing customer data buckets in S3. An engineer bumps the bucket ACL to “public-read” in a local plan—but the mistake isn’t caught until after apply, exposing data. - Cloudrift Benefit:
- Runs a plan-only scan and flags “public-read” on the S3 ACL before any changes land in AWS.
- Emits a JSON diff that’s trivial to feed into a Slack bot or GitHub check run, enforcing guardrails with zero human toil.
-
DevOps & Infrastructure Teams
- Challenge: You’ve got multiple environments (dev/stage/prod), rotating credentials and policies, and periodic compliance audits—but nobody’s tracking what drifted since last deploy.
- Example:
FinHealthCo rotates IAM roles weekly. Last month, a stale policy attachment remained in prod and slipped through manual audits. - Cloudrift Benefit:
- Schedules daily plan-only scans against prod via AWS API.
- Generates machine-readable attribute diffs (e.g. removed policy ARN), driving automated remediation or alerts before drift accumulates.
-
Compliance & Security-Focused Organizations
- Challenge: Auditors demand an immutable record of what would change, and when—not just what did change. State-vs-live tools only tell you post-apply mismatches.
- Example:
RegulaBank needs proof that no security groups are ever opened to 0.0.0.0/0 without a policy exception. - Cloudrift Benefit:
- Captures every denied change attempt in JSON logs, complete with timestamp and plan context.
- Serves as an auditable, pre-apply “drift guard” that slots straight into your SIEM or compliance dashboard.
Why not driftctl or Terraform’s drift detect?
While tools like driftctl catch state-vs-live drift after you’ve applied, Cloudrift prevents misconfigurations before they ever reach AWS—ideal for lean teams that can’t afford manual checks or have audit mandates to prove “nothing unsafe ever ran.”
- Detect drift between Terraform and live AWS state
- Catch unmanaged or deleted cloud resources
- Integrate into CI/CD pipelines
- Slack/email notifications
- Simple CLI and JSON output
git clone https://github.com/inayathulla/cloudrift.git
cd cloudriftCloudrift is designed to be used by developers to detect cloud resource drift in their own Terraform-based infrastructure projects.
Assume you have Terraform code stored in your repositories: You will need to create config folder and place cloudrift.yml file.
~/projects/
├── compliance-export/
│ ├── main.tf
│ ├── variables.tf
│ ├── config/
│ └── cloudrift.yml
│ └── ...
└── vuln-export/
├── main.tf
├── config/
│ └── cloudrift.yml
└── ...
cd ~/projects/compliance-exportterraform init
terraform plan -out=compliance.binary
terraform show -json compliance.binary > plan.jsonExample of plan.json
{
"resource_changes": [
{
"address": "aws_s3_bucket.cloudrift",
"type": "aws_s3_bucket",
"name": "cloudrift",
"change": {
"actions": ["create"],
"after": {
"bucket": "cloudrift",
"acl": "private",
"tags": {
"env": "abc",
"owner": "security"
},
"versioning": {
"enabled": false
},
"server_side_encryption_configuration": {
"rules": [
{
"apply_server_side_encryption_by_default": {
"sse_algorithm": "AES256"
}
}
]
},
"logging": {
"target_bucket": "cloudrift-logs",
"target_prefix": "logs/"
},
"public_access_block": {
"block_public_acls": true,
"ignore_public_acls": true,
"block_public_policy": false,
"restrict_public_buckets": false
},
"lifecycle_rule": [
{
"id": "expire-old-objects",
"status": "Enabled",
"prefix": "",
"expiration": {
"days": 90
}
}
]
}
}
}
]
}aws_profile: default
region: us-east-1
plan_path: ~/projects/compliance-export/plan.jsonRepeat the same process for vuln-export or any other Terraform-based repo.
go install github.com/inayathulla/cloudrift@latestMake sure your $GOPATH/bin is in your PATH. Add this to your ~/.zshrc or ~/.bashrc if needed:
export PATH="$HOME/go/bin:$PATH"Then reload your terminal:
source ~/.zshrcNow run:
cloudrift scan --config=config/cloudrift.ymlMake sure to mount your project directory using -v $(pwd):/app so the container can access your Terraform plan and config.
mkdir -p drift-reports
docker run --rm \
-v $(pwd):/app \
inayathulla/cloudrift \
sh -c 'timestamp=$(date +%Y%m%d_%H%M%S) && \
cloudrift scan --config=/app/config/cloudrift.yml > /app/drift-reports/drift-report_$timestamp.txt'
Example output file (on your host):
./drift-reports/drift-report_20250623_113445.txt
- Use clear commit messages (e.g., feat: add EC2 drift detection)
- Keep code modular (e.g., one service = one detector)
- Follow Go formatting: go fmt ./...
- Add unit tests for new components
An overview of the Cloudrift project structure:
cloudrift/
├── .github/
│ └── workflows/ # CI workflows (YAML files)
├── assets/
│ └── s3_scanning.gif # Demo GIF used in README
├── cmd/ # CLI entrypoint
│ ├── root.go
│ └── scan.go
├── config/ # Example configuration
│ └── cloudrift.yml
├── examples/ # Sample Terraform + Cloudrift configs
│ ├── compliance-export/
│ │ ├── main.tf
│ │ ├── variables.tf
│ │ └── config/cloudrift.yml
│ └── vuln-export/
│ ├── main.tf
│ └── config/cloudrift.yml
├── internal/ # Core application internals
│ ├── aws/ # AWS API fetchers
│ │ ├── s3_bucket.go
│ │ └── …other fetchers…
│ ├── common/ # Shared utilities
│ │ └── utils.go
│ ├── detector/ # Diff‑comparison logic
│ │ └── detector.go
│ ├── models/ # Data models
│ │ └── models.go
│ └── parser/ # Terraform plan parser
│ └── parser.go
├── tests/
│ └── internal/ # Unit tests for `internal/`
│ ├── aws_test.go
│ ├── detector_test.go
│ ├── parser_test.go
│ └── models_test.go
├── Dockerfile
├── README.md
├── go.mod
├── go.sum
└── main.go # Application entrypoint
Before submitting a PR:
go tests ./...- Push your branch
- Open a pull request to main
- Briefly explain what your change does and why
- We'll review your PR and respond quickly 🙌
Open an issue or reach out via GitHub Discussions
Interested in working together, sponsoring Cloudrift, or showcasing how it’s helped your team? I’d love to hear from you!
-
Get in Touch:
Email inayathulla2020@gmail.com or connect on LinkedIn Inayathulla Khan Lavani to discuss integrations, pilot programs, sponsorships, or to share your success story. -
Share Your Case Study:
Open an issue or PR to add your company logo and a brief write-up of your use case and outcomes—let’s celebrate real-world wins together!
Apache License 2.0