Drift Watch
Drift Watch provides continuous, real-time monitoring of your cloud resources for configuration changes. Unlike scan-based drift detection that runs periodically, Drift Watch polls individual resources on a configurable interval and alerts you immediately when something changes.
Pro Plan Required
Drift Watch is available on Pro, Team, and Enterprise plans.
Overview
Drift Watch monitors specific cloud resources by comparing their live configuration against a stored baseline. When a change is detected, it:
- Classifies the severity (Critical, High, Medium, Low) based on the resource type and what changed
- Attributes the change via CloudTrail (AWS), Activity Log (Azure), or Audit Log (GCP) — who changed it, from where, which API call
- Sends notifications via Slack, Teams, PagerDuty, or webhooks
- Optionally auto-reverts dangerous changes (e.g., security groups opened to 0.0.0.0/0)
Supported AWS Resources
Drift Watch supports live configuration monitoring for all 37 AWS resource types:
| Category | Resource Types |
|---|---|
| Compute | EC2 Instances, Auto Scaling Groups, Lambda Functions |
| Containers | ECS Clusters, ECS Services, EKS Clusters, EKS Node Groups |
| Database | RDS Instances, RDS Clusters, DynamoDB Tables, ElastiCache |
| Storage | S3 Buckets |
| Networking | VPCs, Subnets, Security Groups, NAT Gateways, Load Balancers, Target Groups, CloudFront, Route 53 |
| Security | IAM Roles, IAM Users, IAM Policies, KMS Keys, Secrets Manager, ACM Certificates |
| Messaging | SNS Topics, SQS Queues, Kinesis Streams |
| Integration | API Gateway, Step Functions, Cognito User Pools |
| DevOps | CodeBuild Projects, CodePipeline Pipelines |
| Monitoring | CloudWatch Alarms, CloudWatch Log Groups |
Getting Started
Adding a Watch
- Go to Cloud Discovery → Resources or Orphans
- Click on a resource to open its detail panel
- Click the Watch button
- The resource is now monitored — the first check captures the baseline
Alternatively, use Watch Templates to bulk-add watches matching specific criteria.
Watch Templates
Templates auto-discover and watch resources matching your criteria. Go to Drift Watch → Templates in the sidebar.
- Click Create Template
- Define criteria: resource type, provider, region, tag filters
- Click Create Template
- Click Run Now to discover and watch matching resources
- Re-run anytime to pick up newly created resources
Severity Classification
Every drift event is automatically classified:
| Severity | Resource Types | Example Changes |
|---|---|---|
| Critical | Security Groups, IAM Roles/Users/Policies, KMS Keys, Secrets Manager, NAT Gateways | Ingress rules opened, policy documents modified, encryption settings changed |
| High | EC2 Instances, VPCs, Subnets, Load Balancers, RDS, S3, EKS, CloudFront, Route 53, ACM | Networking config, storage policies, database settings |
| Medium | Lambda, ECS, Auto Scaling, DynamoDB, SQS, SNS, CodeBuild, CodePipeline, CloudWatch | Scaling config, function settings, queue attributes |
| Low | Any resource | Tag-only or description-only changes |
When an actual drift is detected, severity may be upgraded based on which specific attributes changed (e.g., a tag change on a security group stays Low, but an ingress rule change becomes Critical).
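The two-stage rule described above (a base severity from the resource type, then an upgrade or downgrade from the attributes that actually changed) can be modelled as a small classifier. The following is an added example written for this page, not Controlinfra's own implementation; the resource-type buckets follow the table, while the attribute names (`IpPermissions`, `PolicyDocument`, `Tags`, and so on) are assumptions about how snapshots are keyed.

```python
"""Model of Drift Watch severity classification (added example, not product code).

A drift event starts at the base severity for its resource type, is demoted to
Low when only cosmetic attributes changed, and is promoted to Critical when a
security-relevant attribute changed.
"""
from __future__ import annotations

# Base severity per resource type, mirroring the documentation table.
BASE_SEVERITY = {
    "Critical": {"Security Groups", "IAM Roles", "IAM Users", "IAM Policies",
                 "KMS Keys", "Secrets Manager", "NAT Gateways"},
    "High": {"EC2 Instances", "VPCs", "Subnets", "Load Balancers", "RDS Instances",
             "RDS Clusters", "S3 Buckets", "EKS Clusters", "CloudFront", "Route 53",
             "ACM Certificates"},
    "Medium": {"Lambda Functions", "ECS Services", "Auto Scaling Groups",
               "DynamoDB Tables", "SQS Queues", "SNS Topics", "CodeBuild Projects",
               "CodePipeline Pipelines", "CloudWatch Alarms"},
}

# Assumed top-level attribute names in a resource snapshot. Changes to these
# always produce a Critical event; changes to only the cosmetic ones stay Low.
CRITICAL_ATTRIBUTES = ("IpPermissions", "AssumeRolePolicyDocument", "PolicyDocument", "KeyPolicy")
COSMETIC_ATTRIBUTES = ("Tags", "Description")


def diff_paths(baseline: dict, live: dict, prefix: str = "") -> list[str]:
    """Return dotted attribute paths that differ between two snapshots."""
    paths: list[str] = []
    for key in sorted(set(baseline) | set(live)):
        path = f"{prefix}{key}"
        b, l = baseline.get(key), live.get(key)
        if isinstance(b, dict) and isinstance(l, dict):
            paths.extend(diff_paths(b, l, path + "."))
        elif b != l:
            paths.append(path)
    return paths


def base_severity(resource_type: str) -> str:
    for severity, types in BASE_SEVERITY.items():
        if resource_type in types:
            return severity
    return "Low"


def classify(resource_type: str, changed_paths: list[str]) -> str | None:
    """Severity for a drift event, or None when nothing changed."""
    if not changed_paths:
        return None
    roots = {p.split(".")[0] for p in changed_paths}
    # Tag-only or description-only changes are Low on any resource type.
    if roots <= set(COSMETIC_ATTRIBUTES):
        return "Low"
    severity = base_severity(resource_type)
    # A security-relevant attribute forces Critical regardless of base severity.
    if roots & set(CRITICAL_ATTRIBUTES):
        severity = "Critical"
    return severity


if __name__ == "__main__":
    # Constructed snapshots: a security group whose only change is a tag.
    before = {"IpPermissions": [], "Tags": {"Owner": "platform"}}
    after = {"IpPermissions": [], "Tags": {"Owner": "network"}}
    changed = diff_paths(before, after)
    print(changed, classify("Security Groups", changed))
```

Running the module prints `['Tags.Owner'] Low`; adding an entry to `IpPermissions` in `after` instead would print `Critical`, which is the upgrade path the paragraph describes.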
Execution Modes
Cloud Mode (Default)
Controlinfra's server checks your resources directly via AWS APIs. No infrastructure to manage.
- Checks run every 5 minutes (server-side cron)
- Uses your configured cloud credentials (Access Keys, OIDC, or Cloud Account)
- Best for: most users, quick setup
Runner Mode
Your self-hosted runner executes the checks locally.
- Runner polls for due watches and reports results
- Uses the runner's own credentials (AWS Instance Profile, Azure CLI, GCP Application Default Credentials, or local config)
- Supports AWS, Azure, and GCP resources
- Best for: airgapped environments, custom check scripts, on-premise infrastructure
Azure Support
Drift Watch supports Azure resources via both Cloud Mode and Runner Mode:
- Azure resources are fetched using the Azure Resource Graph API (Cloud Mode) or `az resource show` (Runner Mode)
- CloudTrail attribution is replaced by Azure Activity Log attribution (who, what operation, from where)
- Severity classification includes Azure-specific attributes (`security_rule`, `networkRuleSet`, `accessPolicies`, etc.)
- Azure resources use the `azurerm_` prefix (e.g., `azurerm_network_security_group`)
GCP Support
Drift Watch supports GCP resources via both Cloud Mode and Runner Mode:
- GCP resources are fetched using Google Cloud APIs (Cloud Mode) or the `gcloud` CLI (Runner Mode)
- Change attribution uses GCP Audit Log (who, what method, from where)
- Severity classification includes GCP-specific attributes (firewall rules, IAM bindings, encryption settings, etc.)
- GCP resources use the `google_` prefix (e.g., `google_compute_firewall`)
Supported GCP Resources
| Category | Resource Types |
|---|---|
| Compute | Compute Instances, Firewalls, Networks, Subnetworks, Disks, Addresses |
| Storage | Storage Buckets |
| Database | Cloud SQL Instances |
| Containers | GKE Clusters |
| Networking | DNS Managed Zones |
| Messaging | Pub/Sub Topics, Pub/Sub Subscriptions |
| Cache | Memorystore Redis Instances |
| Serverless | Cloud Run Services, Cloud Functions |
| Security | KMS Key Rings, KMS Crypto Keys |
Features
Auto-Revert
For AWS Security Groups, Drift Watch can automatically revoke newly added 0.0.0.0/0 ingress rules that weren't in the baseline.
Enable per-watch: Watch Settings → Auto-revert toggle.
WARNING
Auto-revert only revokes open-world (0.0.0.0/0 or ::/0) ingress rules added after the baseline was captured. It does not revert other changes.
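The scope of the feature is narrow by design: only open-world ingress rules that are absent from the baseline are revoked, and a rule that shares an `IpPermissions` entry with other CIDRs must be revoked alone so that the other ranges stay in place. The following added example (not Controlinfra's code) computes that revoke set from two EC2 `IpPermissions` lists in the shape returned by `describe-security-groups`; the sample rules are constructed for illustration.

```python
"""Compute which newly added open-world ingress rules an auto-revert would remove.

Added example, not Controlinfra's implementation. Input is the IpPermissions
list of an EC2 security group as returned by describe-security-groups.
"""
from __future__ import annotations

OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"


def _flatten(perms: list[dict]):
    """Yield one (protocol, from_port, to_port, cidr) tuple per CIDR in the rules."""
    for p in perms:
        proto, lo, hi = p.get("IpProtocol"), p.get("FromPort"), p.get("ToPort")
        for r in p.get("IpRanges", []):
            yield (proto, lo, hi, r["CidrIp"])
        for r in p.get("Ipv6Ranges", []):
            yield (proto, lo, hi, r["CidrIpv6"])


def open_world_rules_to_revoke(baseline_perms: list[dict], live_perms: list[dict]) -> list[dict]:
    """Return an IpPermissions payload that revokes exactly the open-world
    ingress rules present in `live_perms` but not in `baseline_perms`.

    Non-open CIDRs and pre-existing open rules are left untouched, matching the
    documented scope of auto-revert. Each revoked CIDR gets its own entry so a
    revoke call never removes sibling ranges from the same rule.
    """
    baseline = set(_flatten(baseline_perms))
    revoke: list[dict] = []
    for proto, lo, hi, cidr in _flatten(live_perms):
        if (proto, lo, hi, cidr) in baseline or cidr not in (OPEN_V4, OPEN_V6):
            continue
        entry: dict = {"IpProtocol": proto}
        # Protocol "-1" (all traffic) carries no port range in EC2 responses.
        if lo is not None:
            entry["FromPort"] = lo
        if hi is not None:
            entry["ToPort"] = hi
        if ":" in cidr:
            entry["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
        else:
            entry["IpRanges"] = [{"CidrIp": cidr}]
        revoke.append(entry)
    return revoke


# Constructed sample: baseline allows HTTPS from anywhere; the live group has
# additionally been opened on port 22 to the world (v4 and v6) and to 10.0.0.0/8.
BASELINE_PERMS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": OPEN_V4}]},
]
LIVE_PERMS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": OPEN_V4}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": OPEN_V4}, {"CidrIp": "10.0.0.0/8"}],
     "Ipv6Ranges": [{"CidrIpv6": OPEN_V6}]},
]

if __name__ == "__main__":
    for entry in open_world_rules_to_revoke(BASELINE_PERMS, LIVE_PERMS):
        # The payload is shaped for ec2.revoke_security_group_ingress(GroupId=..., IpPermissions=[entry]).
        print(entry)
```

With the constructed input, the result contains two entries (port 22 from `0.0.0.0/0` and from `::/0`); the pre-existing HTTPS rule and the `10.0.0.0/8` range are reported as drift but not reverted.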
Snooze
Temporarily pause alerts for a watch during planned maintenance:
- Click the moon icon on any watch row
- Choose duration: 1 hour, 4 hours, 1 day, 7 days, or custom date/time
- Watch automatically resumes after the snooze expires
- Snoozed watches skip drift checks entirely
- The Snoozed button shows a countdown (e.g., "2h left") — click it to unsnooze early
Accept & Revert Baseline
When drift is detected, you can accept the current state as the new baseline:
- Click the watch row to open the detail panel
- Click Accept Baseline — a confirmation dialog explains the action
- The watch is marked as clean and the current state becomes the new baseline
If you change your mind, click Revert Baseline to restore the previous baseline. This is available as long as the previous baseline exists (one level of undo).
Bulk Operations
Click Select above the watch table to enter selection mode:
- Pause / Resume — bulk toggle monitoring
- Accept Baseline — accept current state for all selected
- Snooze / Unsnooze — bulk snooze with duration picker
- Delete — bulk remove watches
CloudTrail Attribution
When drift is detected on AWS resources, Drift Watch queries CloudTrail to identify:
- Who made the change (IAM principal)
- How (API call name, AWS Console vs. CLI/SDK)
- From where (source IP address)
This information appears in the event detail panel.
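The three attribution fields come straight out of the CloudTrail record: the `userIdentity` block names the principal, `eventName` is the API call, `userAgent` distinguishes console from CLI/SDK activity, and `sourceIPAddress` is the origin. The following added example (not Controlinfra's code) extracts them from a `LookupEvents`-shaped response, in which each `Events[].CloudTrailEvent` is a JSON string. The records are constructed for illustration, and the console-versus-CLI heuristic based on `userAgent` prefixes is an assumption.

```python
"""Turn CloudTrail records into who / how / from-where attribution.

Added example with constructed data; not Controlinfra's implementation.
"""
from __future__ import annotations
import json


def classify_channel(user_agent: str) -> str:
    """Heuristic (assumption): console actions carry a console.* or signin
    amazonaws.com user agent, the CLI identifies itself with aws-cli/."""
    ua = user_agent or ""
    if ("console." in ua and "amazonaws.com" in ua) or "signin.amazonaws.com" in ua:
        return "AWS Console"
    if ua.startswith("aws-cli/"):
        return "AWS CLI"
    return "SDK/other"


def principal_of(identity: dict) -> str:
    """Human-readable principal from a CloudTrail userIdentity block."""
    kind = identity.get("type")
    if kind == "AssumedRole":
        # arn:aws:sts::<acct>:assumed-role/<Role>/<session>; report the role plus session name.
        role = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
        session = identity.get("arn", "").rsplit("/", 1)[-1]
        return f"{role} (session {session})"
    if kind == "Root":
        return f"root of account {identity.get('accountId')}"
    return identity.get("arn") or identity.get("principalId", "unknown")


def parse_record(cloudtrail_event: str) -> dict:
    """Extract the attribution fields from one serialized CloudTrail record."""
    rec = json.loads(cloudtrail_event)
    return {
        "time": rec.get("eventTime"),
        "who": principal_of(rec.get("userIdentity", {})),
        "api": rec.get("eventName"),
        "how": classify_channel(rec.get("userAgent", "")),
        "source_ip": rec.get("sourceIPAddress"),
        "group_id": rec.get("requestParameters", {}).get("groupId"),
    }


def attribute_change(lookup_response: dict, group_id: str) -> list[dict]:
    """Attribution entries for the records that modified one security group."""
    return [
        parsed
        for ev in lookup_response.get("Events", [])
        if (parsed := parse_record(ev["CloudTrailEvent"]))["group_id"] == group_id
    ]


# Constructed LookupEvents response: a CLI change from an assumed role on the
# watched group, and a console change by an IAM user on a different group.
SAMPLE_RESPONSE = {"Events": [
    {"EventId": "constructed-event-1", "EventName": "AuthorizeSecurityGroupIngress",
     "CloudTrailEvent": json.dumps({
         "eventTime": "2024-01-15T10:02:11Z", "eventName": "AuthorizeSecurityGroupIngress",
         "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                          "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/alice",
                          "sessionContext": {"sessionIssuer": {
                              "arn": "arn:aws:iam::123456789012:role/DeployRole"}}},
         "sourceIPAddress": "203.0.113.10",
         "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0 exe/x86_64",
         "requestParameters": {"groupId": "sg-0123456789abcdef0"}})},
    {"EventId": "constructed-event-2", "EventName": "RevokeSecurityGroupIngress",
     "CloudTrailEvent": json.dumps({
         "eventTime": "2024-01-15T11:30:00Z", "eventName": "RevokeSecurityGroupIngress",
         "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
         "sourceIPAddress": "198.51.100.7", "userAgent": "console.ec2.amazonaws.com",
         "requestParameters": {"groupId": "sg-0fedcba9876543210"}})},
]}

if __name__ == "__main__":
    for entry in attribute_change(SAMPLE_RESPONSE, "sg-0123456789abcdef0"):
        print(entry)
```

In production the response would come from `cloudtrail.lookup_events` filtered on the drift window and resource; the parsing above is what turns the record into the who, how and from-where fields.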
Drift Metrics
The summary cards on the Drift Watch page show:
- Status Breakdown — pie chart of clean, drifted, pending, error watches (clickable to filter)
- Top Resource Types — most-watched resource types
- Drift Metrics — MTTR (mean time to resolve), 30-day drift count, trend sparkline, severity distribution
Notifications
Drift Watch integrates with your existing notification channels:
- In-app notifications — always enabled
- Slack / Microsoft Teams — real-time alerts with severity, resource details, CloudTrail attribution, and diff summary
- PagerDuty — for critical severity drifts
- Webhooks — custom integrations via HTTP POST
Per-Watch Notification Config
Each watch can be individually configured:
- Channels — Choose which configured channels (Slack, Teams, PagerDuty, Webhooks) receive alerts for this specific watch
- Severity Threshold — Only notify when drift severity meets the threshold (e.g., "High & Critical only")
- Notify on Clean — Receive alerts when a previously drifted resource returns to baseline
- Notify on Error — Receive alerts when a check fails
Event Resolution Tracking
Events on the timeline show resolution status:
- Open — Drift not yet resolved
- Auto-resolved — Resource returned to clean on next check
- Manually accepted — User accepted baseline
- Scan accepted — Resolved via scan acceptance
Filter events by status using the All / Open / Resolved pills on the Event Timeline.
Weekly Digest
Org admins and owners receive a weekly summary email (Monday 9 AM UTC) with:
- Total drifts detected that week
- Critical drift count
- Check errors
- Auto-reverted rules
- Top drifting resources
API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/drift-watch | List watched resources |
| POST | /api/drift-watch | Create a watch |
| GET | /api/drift-watch/:id | Get watch details + recent events |
| PATCH | /api/drift-watch/:id | Update watch settings |
| DELETE | /api/drift-watch/:id | Remove a watch |
| POST | /api/drift-watch/:id/accept | Accept current state as new baseline |
| POST | /api/drift-watch/:id/unaccept | Revert to previous baseline |
| POST | /api/drift-watch/:id/snooze | Snooze a watch |
| POST | /api/drift-watch/:id/unsnooze | Unsnooze a watch |
| PATCH | /api/drift-watch/bulk-update | Bulk pause/resume/accept/snooze/delete |
| GET | /api/drift-watch/events | List drift events |
| GET | /api/drift-watch/events/summary | Get event summary stats |
| GET | /api/drift-watch/analytics | Get 30-day analytics (trends, MTTR, top changers) |
| GET | /api/drift-watch/templates | List watch templates |
| POST | /api/drift-watch/templates | Create a template |
| POST | /api/drift-watch/templates/:id/run | Run a template |
| PATCH | /api/drift-watch/templates/:id | Update a template |
| DELETE | /api/drift-watch/templates/:id | Delete a template |
| GET | /api/drift-watch/templates/:id/watches | List watches created by a template |
Next Steps
- Configure AWS Credentials — Set up authentication for cloud checks
- Self-Hosted Runners — Run checks in your own infrastructure
- Drift Detection — Scan-based drift detection (complementary to Drift Watch)