* [Blog](https://www2.paloaltonetworks.com/blog)
* [Cloud Security](https://www2.paloaltonetworks.com/blog/cloud-security/)
* [Announcement](https://www2.paloaltonetworks.com/blog/category/announcement/)
* Announcing Multi-Cloud Dr...

# Announcing Multi-Cloud Drift Detection: Keep Code and Cloud Aligned

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fannouncing-multi-cloud-drift-detection%2F)  
[](https://twitter.com/share?text=Announcing+Multi-Cloud+Drift+Detection%3A+Keep+Code+and+Cloud+Aligned&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fannouncing-multi-cloud-drift-detection%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fannouncing-multi-cloud-drift-detection%2F&title=Announcing+Multi-Cloud+Drift+Detection%3A+Keep+Code+and+Cloud+Aligned&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/cloud-security/announcing-multi-cloud-drift-detection/&ts=markdown)  
\[\](mailto:?subject=Announcing Multi-Cloud Drift Detection: Keep Code and Cloud Aligned)  
Link copied  
By [Guy Eisenkot](https://www.paloaltonetworks.com/blog/author/guy-eisenkot/?ts=markdown "Posts by Guy Eisenkot") and [Taylor Smith](https://www.paloaltonetworks.com/blog/author/taylor-smith/?ts=markdown "Posts by Taylor Smith")  
Aug 31, 2021  
4 minutes  
[Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown)  
[DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown)  
[Product Announcement](https://www.paloaltonetworks.com/blog/tag/product-announcement/?ts=markdown)  
[Products and Services](https://www.paloaltonetworks.com/blog/tag/products-and-services/?ts=markdown)

Identifying cloud infrastructure misconfigurations can come at different stages in the development lifecycle. Whether in development or in a runtime environment, the important thing is finding and fixing issues before they can be exploited.

Many organizations are shifting to follow GitOps, or defining infrastructure in code, version controlling it and running it through a CI/CD pipeline without modifying runtime configurations directly. The benefits of GitOps include easier repeatability, faster remediation, lower change failure rates and improved posture. In order to achieve those benefits, any update to infrastructure should involve updating the IaC code.

However, manual changes to cloud configurations are inevitable. In "break glass" moments, such as during a service incident, teams may find it faster to make manual changes, such as relaxing firewall rules, directly rather than finding the right engineer to make the change in code. Alternatively, when a misconfiguration is identified in runtime by an Ops team, such as an S3 bucket without versioning, for the sake of efficiency or lack of knowledge about IaC, they may make the change directly in runtime. In both cases, if the resources were provisioned using infrastructure as code (IaC) such as Terraform, they now have drift where the Terraform code is out of sync with the actual runtime configuration.

One other common cause for drift are changes introduced by cloud providers. When AWS rolls out new APIs, or Google Cloud casually deprecates a previously supported attribute, it might not interfere with the current operation of your services but it creates a difference between the codified definition and the newly manifested resource posture.

Drifts are blind-spots for your GitOps workflows. Instead of your code serving as a single source of truth, it now lags behind, and you lose those GitOps benefits mentioned earlier. For example, in the second scenario, if you were to reuse the Terraform code for your next project, you'd carry over the unencrypted database misconfiguration to your next project, turning drift into a possible compromise.

**That's why we're excited to announce** [**Bridgecrew by Prisma Cloud**](https://www.paloaltonetworks.com/blog/2021/02/prisma-cloud-bridgecrew/)**has added Multi-Cloud Drift Detection!**

#### What is Bridgecrew Drift Detection?

Drift Detection continuously compares IaC code stored in any of our supported version control systems (GitHub, GitLab, Bitbucket and Azure Repos) against the runtime configuration of any of our supported cloud providers (AWS, Azure and GCP). If Bridgecrew detects a difference in what should be the configuration based on your code versus the actual configuration found in the cloud provider, it is flagged as drift in our Projects page. Bridgecrew can send an alert via our integrations to tools like Slack to notify the right people about the drift.

![Bridgecrew Projects page showing Drift Detection](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/08/Image-1.png)
Bridgecrew Projects page showing Drift Detection

There are existing solutions that provide drift detection, but very few enable continuous monitoring for drift across multiple clouds. Some provide drift for only one cloud provider or only compare state when code is updated. Our Drift Detection capability provides both continuous and multi-cloud detection for mixed environments.

Behind the scenes, this works by leveraging our newly released open source IaC tagging tool [Yor](https://www.paloaltonetworks.com/blog/2021/05/yor-automated-iac-tag-and-trace/). When Yor adds a trace tag to IaC resources, that tag helps us track the resource from the repository to runtime. Additionally, we include the code representation of the manual changes using a diff format so it's easy to compare like to like between the IaC and cloud configuration.

#### Efficiently Fixing Drift

Once the drift is identified, there are a few options to remediate the issue. If the change made to the cloud was unintentional or temporary, you can reapply the code and bring the cloud back in line with your IaC.

If the change was intentional and fixed an issue, we provide a **Fix Drift** button that will automatically open a pull request or merge request back to the repository to add, remove or modify the code to make it in sync with the runtime configuration.

![Diff view of a Bridgecrew Fix Drift generated pull request in GitHub](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/08/Image-2.png)
Diff view of a Bridgecrew Fix Drift generated pull request in GitHub

With this new feature, we've simplified the process of finding and fixing drift in cloud infrastructure. Try Drift Detection for yourself by [signing up for free for Bridgecrew](https://www.bridgecrew.cloud/login/signUp) or learn more about how it works on the [Bridgecrew blog](https://bridgecrew.io/blog/multi-cloud-drift-detection-automated-fixes)!

*** ** * ** ***

## Related Blogs

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Bridging the Gap: Infrastructure as Code Security with Prisma Cloud](https://www2.paloaltonetworks.com/blog/cloud-security/prisma-bridgecrew-infrastructure-security/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/cloud-security/category/partners/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Prisma Cloud Automatically Secures Unprotected Cloud Workloads](https://www2.paloaltonetworks.com/blog/2021/04/april-2021-release-prisma-cloud/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/cloud-security/category/partners/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### Manage your Unmanaged Cloud with Prisma Cloud and Cortex Xpanse](https://www2.paloaltonetworks.com/blog/cloud-security/manage-unmanaged-cloud-prisma-cloud-and-cortex-xpanse/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown)

[#### Securing Golden Images at Build Using Prisma Cloud](https://www2.paloaltonetworks.com/blog/cloud-security/securing-golden-images-hashicorp-packer/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Native Application Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-native-application-platform/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security/?ts=markdown), [DevOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devops/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)

[#### Cloud-Native Security Survey: Patterns and Tipping Points in New Report](https://www2.paloaltonetworks.com/blog/2023/03/cloud-native-security-survey-report/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown)

[#### Prisma Cloud Analysis of CVE-2022-42889: Text4Shell Vulnerability](https://www2.paloaltonetworks.com/blog/cloud-security/analysis_of_cve-2022-42889_text4shell_vulnerability/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language