IaC Governance
IaC Governance helps you maintain the integrity of your infrastructure-as-code (IaC) by detecting when your live AWS resources have drifted from their CloudFormation templates. When manual changes are made to resources that are managed by CloudFormation -- whether through the AWS console, the CLI, or automated remediation -- the IaC Governance feature detects the discrepancy and provides corrected templates to bring everything back into sync.
Why IaC Drift Matters
Infrastructure-as-code is a cornerstone of reliable cloud operations. When your CloudFormation templates accurately describe your live infrastructure, you gain:
- Predictable deployments -- Stack updates apply only the changes you intend
- Reproducibility -- You can recreate your infrastructure from templates at any time
- Auditability -- Templates serve as a record of your intended infrastructure state
- Collaboration -- Teams can review and approve infrastructure changes through code review
When drift occurs -- when the live state diverges from the template -- these benefits erode:
- Unexpected reversions -- A stack update might revert a critical fix that was applied manually
- Failed deployments -- Templates that no longer match reality can cause deployment errors
- Compliance gaps -- Auditors expect your templates to match your live infrastructure
- Knowledge loss -- Manual changes that are not captured in code are easily forgotten
One of the most common sources of drift is automated remediation. When Guardian Pro (or any tool) fixes a security finding on a CloudFormation-managed resource by modifying it directly, the template is now out of sync. The next stack update could undo the fix. IaC Governance detects this immediately.
How Drift Detection Works
IaC Governance operates automatically as part of Guardian Pro's analysis pipeline:
- Resource discovery identifies all resources in your environment, including their CloudFormation stack membership
- Configuration comparison detects when a resource's live configuration differs from what its CloudFormation template specifies
- Drift classification determines the nature and severity of the drift
- Template correction generates an updated template that reflects the current desired state
This process runs automatically after every scan. You do not need to trigger drift detection separately.
The IaC Governance Dashboard
The IaC Governance tab in the Architecture Advisor provides two views:
Pending Updates
The Pending Updates view lists all CloudFormation templates that need to be updated. Each entry shows:
| Field | Description |
|---|---|
| Stack name | The CloudFormation stack containing the drifted resource |
| Affected resource | The specific resource whose configuration has changed |
| Change summary | A description of what changed (for example, "Encryption enabled on S3 bucket") |
| Cause | How the drift occurred (manual change, automated remediation, console modification) |
| Detected | When the drift was first detected |
Stack Health
The Stack Health view provides an overview of all CloudFormation stacks in your environment and their current status:
| Status | Meaning |
|---|---|
| In sync | The stack's live resources match the template. No action needed. |
| Drift detected | One or more resources have drifted from the template. Review pending updates. |
| Update available | Guardian Pro has generated a corrected template ready for review and deployment. |
Reviewing Corrected Templates
When Guardian Pro detects drift, it generates a corrected version of the affected CloudFormation template. The corrected template incorporates the live changes, so deploying it will bring the template into alignment with the current state of your infrastructure without reverting any changes.
To review a corrected template:
- Navigate to the Pending Updates list
- Click on the affected stack
- Review the template diff showing exactly what changed
- Download the corrected template or deploy it directly
Guardian Pro's corrected templates preserve all existing template structure, parameters, conditions, and outputs. Only the specific resource properties that have drifted are updated.
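The comparison and template-correction steps described under How Drift Detection Works, and the property-only update described above, reduced to a small Python routine. This is an added illustration, not Guardian Pro's own code; the template, the LogsBucket resource, its live state and the added/removed/modified labels are constructed assumptions.

```python
import copy
# Constructed sample template (parsed JSON/YAML) and the live configuration of
# its one resource, expressed with the same property names the template uses.
TEMPLATE = {
    "Parameters": {"Env": {"Type": "String", "Default": "prod"}},
    "Resources": {"LogsBucket": {
        "Type": "AWS::S3::Bucket",
        "Properties": {
            "BucketName": {"Fn::Sub": "logs-${Env}"},
            "VersioningConfiguration": {"Status": "Suspended"},
        },
    }},
    "Outputs": {"BucketArn": {"Value": {"Fn::GetAtt": ["LogsBucket", "Arn"]}}},
}
# Live state after an automated remediation enabled versioning and encryption.
LIVE = {"LogsBucket": {
    "BucketName": {"Fn::Sub": "logs-${Env}"},
    "VersioningConfiguration": {"Status": "Enabled"},
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}}

def detect_drift(template, live):
    """Map logical id -> {prop: (template_value, live_value)} for differing props."""
    drift = {}
    for logical_id, live_props in live.items():
        declared = template["Resources"][logical_id].get("Properties", {})
        changed = {p: (declared.get(p), live_props.get(p))
                   for p in set(declared) | set(live_props)
                   if declared.get(p) != live_props.get(p)}
        if changed:
            drift[logical_id] = changed
    return drift

def classify(before, after):
    """Label one drifted property the way a change summary would: added/removed/modified."""
    return "added" if before is None else "removed" if after is None else "modified"

def correct_template(template, drift):
    """Deep-copy the template and overwrite only the drifted properties, so
    Parameters, Conditions, Outputs and undrifted resources stay untouched."""
    corrected = copy.deepcopy(template)
    for logical_id, changed in drift.items():
        props = corrected["Resources"][logical_id].setdefault("Properties", {})
        for prop, (_, live_value) in changed.items():
            if live_value is None:
                props.pop(prop, None)  # property was removed on the live resource
            else:
                props[prop] = live_value
    return corrected
```

Running detect_drift on the corrected template against the same live state returns an empty result, which is the In sync condition the Stack Health view reports.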
Deploying Updated Templates
Once you have reviewed a corrected template, you can either:
Deploy Directly from Guardian Pro
Click Deploy Template to update the CloudFormation stack directly. Guardian Pro will:
- Show a preview of the changes that will be applied
- Request your confirmation before proceeding
- Execute the stack update
- Monitor the update progress and report the result
Download and Deploy Manually
Download the corrected template and deploy it through your existing CI/CD pipeline or directly through the AWS CloudFormation console. This is the recommended approach for organisations with strict change management processes.
If your organisation uses a CI/CD pipeline for infrastructure deployments, download the corrected template and commit it to your source repository. This ensures the fix flows through your standard review and approval process.
Common Drift Scenarios
Security Remediation Drift
When Guardian Pro's automated remediation fixes a security finding on a CloudFormation-managed resource (for example, enabling encryption on an S3 bucket), the resource's live state changes but the template still specifies the old, insecure configuration. IaC Governance detects this and provides a corrected template with the security improvement included.
Console Modifications
Team members sometimes make changes through the AWS console for urgent fixes or troubleshooting. These changes are not reflected in the template and can be reverted by the next stack update. IaC Governance catches these changes and helps you decide whether to incorporate them into the template or revert them.
API and CLI Changes
Changes made through the AWS CLI or SDK (for example, a deployment script that modifies a resource directly) can also cause drift. IaC Governance detects these regardless of how the change was made.
Best Practices for IaC Governance
Review Drift Promptly
Address pending template updates as soon as they are detected. The longer drift persists, the higher the risk of an unintended reversion during the next stack update.
Integrate with Your CI/CD Pipeline
For the most robust workflow, download corrected templates and commit them to your source repository. This ensures that:
- Template changes go through code review
- Your source repository remains the single source of truth
- Deployments are consistent and auditable
Plan for Remediation Drift
When using Guardian Pro's automated remediation, expect that some fixes will create template drift for CloudFormation-managed resources. This is by design -- the fix is applied immediately for security, and IaC Governance helps you update the template afterward. Review the IaC Governance page after running remediations to keep templates in sync.
Monitor Stack Health Regularly
The Stack Health view gives you a quick overview of which stacks are in sync and which need attention. Include a stack health review in your regular operational processes.
IaC Governance currently supports CloudFormation templates. If you manage infrastructure with other IaC tools (Terraform, CDK, Pulumi), Guardian Pro still detects configuration drift on the underlying resources, but corrected template generation is available only for CloudFormation stacks.
Relationship to Template Update Needed Risks
The Risk Radar includes a "Template Update Needed" risk type that is directly linked to IaC Governance. When the Risk Radar flags a Template Update Needed risk, you can navigate to IaC Governance to view the corrected template and resolve the risk.
Resolving a Template Update Needed risk involves:
- Reviewing the corrected template in IaC Governance
- Deploying the corrected template (directly or through your pipeline)
- Confirming the stack update completes successfully
- Waiting for the next scan, which automatically resolves the risk
Next Steps
- Risk Radar -- View Template Update Needed risks alongside other architectural risks.
- Architecture Map -- See which resources in your topology are CloudFormation-managed.
- Action Centre -- Manage remediation actions that may create template drift.
- Growth Readiness -- IaC adoption is a key factor in the operational readiness dimension.