Drift & Compliance
Drift happens when someone changes cloud resources outside of Archie — via the console, CLI, or another tool. Archie detects these changes and helps you fix them.
What is Drift?
When Archie deploys a VPC with a specific CIDR block, that's the desired state. If someone manually changes the CIDR in the AWS console, the actual state no longer matches. That's drift.
Drift Detection
Archie checks for drift automatically on a configurable schedule. You can also trigger manual checks.
Platform Health Dashboard
The main dashboard shows:
- X drifting — number of stacks with detected drift
- Drift Alerts — critical drifts with resource counts
  - Example: "legacy-api-prod CRITICAL 4 resources"
Drift Detail
Click a drifted stack to see:
- Which resources drifted
- What changed (expected vs actual values)
- When the drift was detected
Remediation
Two options for handling drift:
- Remediate — reset the resource to match the blueprint (one click)
- Acknowledge — accept the drift and update the desired state
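The desired-versus-actual comparison and the two remediation choices described above, as an added illustration. This is not Archie's code or API: the resource names, attributes and function names are hypothetical, and the state is constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample state; resource IDs and attributes are hypothetical.
DESIRED = {
    "vpc-main": {"cidr_block": "10.0.0.0/16", "enable_dns": True},
    "sg-api": {"ingress_cidr": "10.0.0.0/16", "port": 443},
}
ACTUAL = {
    "vpc-main": {"cidr_block": "10.1.0.0/16", "enable_dns": True},
    "sg-api": {"ingress_cidr": "0.0.0.0/0", "port": 443},
}

def detect_drift(desired, actual, now=None):
    """Return one record per attribute whose actual value differs from desired."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for rid, want in desired.items():
        have = actual.get(rid)
        if have is None:  # resource deleted outside the tool
            findings.append({"resource": rid, "attribute": None,
                             "expected": want, "actual": None, "detected_at": now})
            continue
        for attr in sorted(set(want) | set(have)):
            if want.get(attr) != have.get(attr):
                findings.append({"resource": rid, "attribute": attr,
                                 "expected": want.get(attr),
                                 "actual": have.get(attr), "detected_at": now})
    return findings

def remediate(finding, desired, actual):
    """Reset the live resource to the desired value (the blueprint wins)."""
    rid, attr = finding["resource"], finding["attribute"]
    if attr is None:
        actual[rid] = dict(desired[rid])  # recreate the missing resource
    elif attr in desired[rid]:
        actual[rid][attr] = desired[rid][attr]
    else:
        actual[rid].pop(attr, None)  # attribute was added out of band

def acknowledge(finding, desired, actual):
    """Accept the live value and record it as the new desired state."""
    rid, attr = finding["resource"], finding["attribute"]
    if attr is None:
        desired.pop(rid, None)  # accept the deletion
    elif attr in actual[rid]:
        desired[rid][attr] = actual[rid][attr]
    else:
        desired[rid].pop(attr, None)
```

In this sample, acknowledging the `sg-api` finding would make the `0.0.0.0/0` ingress the new baseline, so later scans would no longer report it.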
Compliance
Archie runs compliance checks at deploy time (see Deploying). Cloud-specific rules include:
Azure: No Public Blob Access, Encryption at Rest, HTTPS Only, WAF Required, No Unrestricted Inbound, NSG Explicit Deny-All
AWS: Tag requirements, IAM least privilege, encryption standards
Configuring Scans
In Settings → Drift & Orphan Scans, configure:
- Scan frequency (hourly, daily, weekly)
- Which stacks to include
- Notification preferences
What's Next
- Advanced Features — orphan detection, cost tracking
- Settings & Admin — configure scan policies