Drift Watch
Drift Watch continuously monitors your cloud resources for configuration changes. Unlike scan-based drift detection, which runs periodically over your whole estate, Drift Watch polls each watched resource on a configurable interval and alerts you at the first check after a change.
Pro Plan Required
Drift Watch is available on Pro, Team, and Enterprise plans.
Overview
Drift Watch monitors specific cloud resources by comparing their live configuration against a stored baseline. When a change is detected, it:
- Classifies the severity (Critical, High, Medium, Low) based on the resource type and what changed
- Attributes the change via CloudTrail (who changed it, from where, which API call)
- Sends notifications via Slack, Teams, PagerDuty, or webhooks
- Optionally auto-reverts dangerous changes (e.g., security groups opened to 0.0.0.0/0)
Supported AWS Resources
Drift Watch monitors the live configuration of the following AWS resource types:
| Category | Resource Types |
|---|---|
| Compute | EC2 Instances, Auto Scaling Groups, Lambda Functions |
| Containers | ECS Clusters, ECS Services, EKS Clusters, EKS Node Groups |
| Database | RDS Instances, RDS Clusters, DynamoDB Tables, ElastiCache |
| Storage | S3 Buckets |
| Networking | VPCs, Subnets, Security Groups, NAT Gateways, Load Balancers, Target Groups, CloudFront, Route 53 |
| Security | IAM Roles, IAM Users, IAM Policies, KMS Keys, Secrets Manager, ACM Certificates |
| Messaging | SNS Topics, SQS Queues, Kinesis Streams |
| Integration | API Gateway, Step Functions, Cognito User Pools |
| DevOps | CodeBuild Projects, CodePipeline Pipelines |
| Monitoring | CloudWatch Alarms, CloudWatch Log Groups |
Getting Started
Adding a Watch
- Go to Cloud Discovery → Resources or Orphans
- Click on a resource to open its detail panel
- Click the Watch button
- The resource is now monitored — the first check captures the baseline
Alternatively, use Watch Templates to bulk-add watches matching specific criteria.
Watch Templates
Templates auto-discover and watch resources matching your criteria. Go to Drift Watch → Templates in the sidebar.
- Click Create Template to open the template form
- Define criteria: resource type, provider, region, tag filters
- Click Create Template to save it
- Click Run Now to discover and watch matching resources
- Re-run anytime to pick up newly created resources
Severity Classification
Every drift event is automatically classified:
| Severity | Resource Types | Example Changes |
|---|---|---|
| Critical | Security Groups, IAM Roles/Users/Policies, KMS Keys, Secrets Manager, NAT Gateways | Ingress rules opened, policy documents modified, encryption settings changed |
| High | EC2 Instances, VPCs, Subnets, Load Balancers, RDS, S3, EKS, CloudFront, Route 53, ACM | Networking config, storage policies, database settings |
| Medium | Lambda, ECS, Auto Scaling, DynamoDB, SQS, SNS, CodeBuild, CodePipeline, CloudWatch | Scaling config, function settings, queue attributes |
| Low | Any resource | Tag-only or description-only changes |
The Resource Types column gives the default severity for a resource; the severity of an individual event is then adjusted according to which attributes actually changed. A tag-only change on a security group is reported as Low even though security groups default to Critical, while an ingress rule change on the same group is Critical.
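As an added example (not Controlinfra's own code), the classification rules above applied in working form: diff a stored baseline against the live snapshot, report Low when only cosmetic attributes moved, and otherwise fall back to the resource type's default from the table. The resource-type identifiers and attribute names (`aws_security_group`, `ingress`, `tags`) are assumptions for the illustration, not the product's schema.

```python
# Added example, not Controlinfra's code: applies the severity table to a
# diff of baseline vs. live configuration. Resource-type identifiers and
# attribute names here are assumptions, not the product's schema.

CRITICAL_TYPES = {"aws_security_group", "aws_iam_role", "aws_iam_user", "aws_iam_policy",
                  "aws_kms_key", "aws_secretsmanager_secret", "aws_nat_gateway"}
HIGH_TYPES = {"aws_instance", "aws_vpc", "aws_subnet", "aws_lb", "aws_rds_instance",
              "aws_rds_cluster", "aws_s3_bucket", "aws_eks_cluster",
              "aws_cloudfront_distribution", "aws_route53_zone", "aws_acm_certificate"}
MEDIUM_TYPES = {"aws_lambda_function", "aws_ecs_cluster", "aws_ecs_service",
                "aws_autoscaling_group", "aws_dynamodb_table", "aws_sqs_queue",
                "aws_sns_topic", "aws_codebuild_project", "aws_codepipeline",
                "aws_cloudwatch_alarm", "aws_cloudwatch_log_group"}
# Attributes whose change is cosmetic: never more than Low on their own.
COSMETIC_ATTRS = {"tags", "description"}


def changed_attributes(baseline, live):
    """Top-level attributes whose value differs between the two snapshots.

    Keys present in only one snapshot count as changed. Nested values are
    compared structurally, so normalise list ordering before calling this
    if the provider returns rules in arbitrary order."""
    return {k for k in set(baseline) | set(live) if baseline.get(k) != live.get(k)}


def default_severity(resource_type):
    """Default severity by resource type. Unknown types are rated High:
    an assumption, chosen so that unmapped resources are not under-rated."""
    if resource_type in CRITICAL_TYPES:
        return "Critical"
    if resource_type in HIGH_TYPES:
        return "High"
    if resource_type in MEDIUM_TYPES:
        return "Medium"
    return "High"


def classify(resource_type, baseline, live):
    """Return (severity, changed_attrs); (None, set()) when nothing drifted."""
    changed = changed_attributes(baseline, live)
    if not changed:
        return None, set()
    if changed <= COSMETIC_ATTRS:
        return "Low", changed
    return default_severity(resource_type), changed


# Constructed sample snapshots of one security group.
BASELINE = {
    "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "10.0.0.0/8"}],
    "tags": {"Owner": "platform"},
    "description": "internal api",
}
TAG_ONLY = dict(BASELINE, tags={"Owner": "platform", "CostCenter": "42"})
OPENED = dict(BASELINE, ingress=BASELINE["ingress"] + [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}])

if __name__ == "__main__":
    for name, live in (("tag-only", TAG_ONLY), ("ingress opened", OPENED)):
        sev, attrs = classify("aws_security_group", BASELINE, live)
        print(f"{name}: {sev} (changed: {sorted(attrs)})")
```

Running the block reports the tag-only change as Low and the opened ingress rule as Critical, the two cases the paragraph above describes; a change that touches both a cosmetic and a substantive attribute takes the substantive rating.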
Execution Modes
Cloud Mode (Default)
Controlinfra's server checks your resources directly via AWS APIs. No infrastructure to manage.
- Checks run every 5 minutes (server-side cron)
- Uses your configured cloud credentials (Access Keys, OIDC, or Cloud Account)
- Best for: most users, quick setup
Runner Mode
Your self-hosted runner executes the checks locally.
- Runner polls for due watches and reports results
- Uses the runner's own AWS credentials (Instance Profile or local config)
- Best for: airgapped environments, custom check scripts, on-premise infrastructure
Features
Auto-Revert
For AWS Security Groups, Drift Watch can automatically revoke newly-added 0.0.0.0/0 ingress rules that weren't in the baseline.
Enable per-watch: Watch Settings → Auto-revert toggle.
WARNING
Auto-revert only revokes open-world (0.0.0.0/0 or ::/0) ingress rules that were added after the baseline was captured. It does not revert other changes, and it leaves open-world rules that were already in the baseline in place: if a group is intentionally public, that rule must be part of the accepted baseline or it will be revoked at the next check. The revert is a write operation (an EC2 RevokeSecurityGroupIngress call), so the credentials used for the watch must be permitted to make it; read-only credentials can detect the drift but not revert it. The rule also stays open until the next check runs, so auto-revert shortens exposure rather than preventing it.
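The rule-level logic behind that behaviour, as an added example that is not Controlinfra's code: diff two rule lists in the IpPermissions shape that EC2 DescribeSecurityGroups returns, keep only rules that are new since the baseline and open to 0.0.0.0/0 or ::/0, and revoke exactly those. The EC2 client is injected so the diff runs offline; with boto3 you would pass `boto3.client("ec2")`. The rule lists, the group ID and the `RecordingEC2` stand-in are constructed for the example.

```python
# Added example, not Controlinfra's code: security-group auto-revert at the
# rule level. Rule lists are constructed samples in EC2 IpPermissions
# format; RecordingEC2 is an offline stand-in for a boto3 EC2 client.

OPEN_WORLD = {"0.0.0.0/0", "::/0"}


def rule_keys(permissions):
    """Flatten IpPermissions into hashable (protocol, from, to, cidr) tuples.
    Rules with IpProtocol "-1" (all traffic) carry no ports, hence .get()."""
    keys = set()
    for perm in permissions:
        proto, frm, to = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        for r in perm.get("IpRanges", []):
            keys.add((proto, frm, to, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            keys.add((proto, frm, to, r["CidrIpv6"]))
    return keys


def open_world_added(baseline, live):
    """Rules present now, absent from the baseline, and open to the world.
    Open-world rules already in the baseline are deliberately left alone,
    as are newly added rules with a narrower source."""
    added = rule_keys(live) - rule_keys(baseline)
    return sorted(k for k in added if k[3] in OPEN_WORLD)


def to_ip_permissions(keys):
    """Rebuild IpPermissions entries for RevokeSecurityGroupIngress."""
    perms = []
    for proto, frm, to, cidr in keys:
        perm = {"IpProtocol": proto}
        if frm is not None:
            perm["FromPort"], perm["ToPort"] = frm, to
        if ":" in cidr:
            perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
        else:
            perm["IpRanges"] = [{"CidrIp": cidr}]
        perms.append(perm)
    return perms


def auto_revert(ec2, group_id, baseline, live):
    """Revoke the open-world rules added since the baseline and return them.
    The caller's credentials need ec2:RevokeSecurityGroupIngress."""
    perms = to_ip_permissions(open_world_added(baseline, live))
    if perms:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return perms


class RecordingEC2:
    """Offline stand-in for a boto3 EC2 client: records revoke calls."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


# Constructed snapshots. Port 443 was already public in the baseline (an
# accepted, intentional exposure); the live state adds SSH from anywhere
# (v4 and v6) plus a narrower Postgres rule from the VPC.
BASELINE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]
LIVE = BASELINE + [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]

if __name__ == "__main__":
    client = RecordingEC2()
    print("revoked:", auto_revert(client, "sg-0123456789abcdef0", BASELINE, LIVE))
```

Only the two SSH-from-anywhere rules are revoked: the public 443 rule survives because it was in the baseline, and the new 5432 rule survives because its source is not open-world.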
Snooze
Temporarily pause alerts for a watch during planned maintenance:
- Click the moon icon on any watch row
- Choose duration: 1 hour, 4 hours, 1 day, or 7 days
- Watch automatically resumes after the snooze expires
- Snoozed watches skip drift checks entirely, so changes made during the window are not recorded as events. The first check after the snooze still compares the resource against the stored baseline; if the maintenance changed the resource intentionally, accept the baseline afterwards rather than leaving the watch to report it as drift.
Bulk Operations
Click Select above the watch table to enter selection mode:
- Pause / Resume — bulk toggle monitoring
- Accept Baseline — accept current state for all selected
- Snooze / Unsnooze — bulk snooze with duration picker
- Delete — bulk remove watches
CloudTrail Attribution
When drift is detected on AWS resources, Drift Watch queries CloudTrail to identify:
- Who made the change (IAM principal)
- How (API call name, AWS Console vs. CLI/SDK)
- From where (source IP address)
This information appears in the event detail panel. CloudTrail records management events some minutes after the API call, so attribution may not yet be available when the drift is first detected; it also requires CloudTrail to be enabled in the resource's region and the watch credentials to be permitted to call CloudTrail LookupEvents.
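How the three attribution fields are extracted from CloudTrail, as an added example that is not Controlinfra's code. `lookup_changes()` shows the real LookupEvents call to make with a boto3 CloudTrail client; `attribute()` then picks the most recent mutating event and reads the principal, API name, channel and source IP from it. The `SAMPLE_EVENTS` response is constructed in the shape LookupEvents returns (each event carries the full record as a JSON string under `CloudTrailEvent`); the account ID, role names and IP addresses are placeholders.

```python
import json

# Added example, not Controlinfra's code. SAMPLE_EVENTS is a constructed
# LookupEvents response; account ID, role names and IPs are placeholders.

READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")


def lookup_changes(cloudtrail, resource_name, start, end):
    """Fetch events that reference the resource (e.g. a security group ID).
    Needs cloudtrail:LookupEvents; returns the raw Events list."""
    resp = cloudtrail.lookup_events(
        LookupAttributes=[{"AttributeKey": "ResourceName", "AttributeValue": resource_name}],
        StartTime=start, EndTime=end)
    return resp["Events"]


def channel(user_agent):
    """Coarse classification of how the call was made, from the User-Agent."""
    ua = (user_agent or "").lower()
    if "console" in ua or "signin.amazonaws.com" in ua:
        return "AWS Console"
    if ua.startswith("aws-cli"):
        return "AWS CLI"
    return "SDK/other"


def principal(user_identity):
    """Human-readable principal. For role sessions the STS ARN already
    embeds role name and session name; fall back to the identity type."""
    return user_identity.get("arn") or user_identity.get("type", "unknown")


def attribute(events):
    """Return who/how/where for the most recent *mutating* event, or None.
    Read-only calls (Describe*/Get*/List*) are skipped: they reference the
    same resource but cannot have caused the drift."""
    records = [json.loads(e["CloudTrailEvent"]) for e in events]
    changes = [r for r in records if not r["eventName"].startswith(READ_ONLY_PREFIXES)]
    if not changes:
        return None
    latest = max(changes, key=lambda r: r["eventTime"])  # ISO-8601 sorts lexically
    return {
        "who": principal(latest.get("userIdentity", {})),
        "api_call": latest["eventName"],
        "how": channel(latest.get("userAgent")),
        "from": latest.get("sourceIPAddress"),
        "at": latest["eventTime"],
    }


def _event(name, time, ua, ip, arn):
    """Build one LookupEvents entry with its embedded CloudTrail record."""
    return {"EventName": name, "CloudTrailEvent": json.dumps({
        "eventVersion": "1.08", "eventTime": time, "eventSource": "ec2.amazonaws.com",
        "eventName": name, "sourceIPAddress": ip, "userAgent": ua,
        "userIdentity": {"type": "AssumedRole", "arn": arn}})}


SAMPLE_EVENTS = [
    _event("DescribeSecurityGroups", "2024-05-01T10:20:00Z", "Boto3/1.34.0",
           "198.51.100.7", "arn:aws:sts::123456789012:assumed-role/DriftWatch/checker"),
    _event("AuthorizeSecurityGroupIngress", "2024-05-01T10:15:30Z", "console.ec2.amazonaws.com",
           "203.0.113.10", "arn:aws:sts::123456789012:assumed-role/Admin/alice"),
    _event("CreateTags", "2024-05-01T09:00:00Z", "aws-cli/2.15.0 Python/3.11.6",
           "203.0.113.20", "arn:aws:sts::123456789012:assumed-role/CI/deploy"),
]

if __name__ == "__main__":
    print(json.dumps(attribute(SAMPLE_EVENTS), indent=2))
```

The sample deliberately includes a later read-only DescribeSecurityGroups call from the monitoring role itself; without the read-only filter that call, not the console user who opened the rule, would be reported as the change.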
Drift Metrics
The summary cards on the Drift Watch page show:
- Status Breakdown — pie chart of clean, drifted, pending, error watches (clickable to filter)
- Top Resource Types — most-watched resource types
- Drift Metrics — MTTR (mean time to resolve), 30-day drift count, trend sparkline, severity distribution
Notifications
Drift Watch integrates with your existing notification channels:
- In-app notifications — always enabled
- Slack / Microsoft Teams — real-time alerts with severity, resource details, and CloudTrail attribution
- PagerDuty — for critical severity drifts
- Webhooks — custom integrations via HTTP POST
Weekly Digest
Org admins and owners receive a weekly summary email (Monday 9 AM UTC) with:
- Total drifts detected that week
- Critical drift count
- Check errors
- Auto-reverted rules
- Top drifting resources
API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/drift-watch | List watched resources |
| POST | /api/drift-watch | Create a watch |
| GET | /api/drift-watch/:id | Get watch details + recent events |
| PATCH | /api/drift-watch/:id | Update watch settings |
| DELETE | /api/drift-watch/:id | Remove a watch |
| POST | /api/drift-watch/:id/accept | Accept current state as new baseline |
| POST | /api/drift-watch/:id/snooze | Snooze a watch |
| POST | /api/drift-watch/:id/unsnooze | Unsnooze a watch |
| PATCH | /api/drift-watch/bulk-update | Bulk pause/resume/accept/snooze/delete |
| GET | /api/drift-watch/events | List drift events |
| GET | /api/drift-watch/events/summary | Get event summary stats |
| GET | /api/drift-watch/analytics | Get 30-day analytics (trends, MTTR, top changers) |
| GET | /api/drift-watch/templates | List watch templates |
| POST | /api/drift-watch/templates | Create a template |
| POST | /api/drift-watch/templates/:id/run | Run a template |
| DELETE | /api/drift-watch/templates/:id | Delete a template |
Next Steps
- Configure AWS Credentials — Set up authentication for cloud checks
- Self-Hosted Runners — Run checks in your own infrastructure
- Drift Detection — Scan-based drift detection (complementary to Drift Watch)