Agentic SRE Advanced By Samson Tanimawo, PhD Published Apr 27, 2026 5 min read

The Network ACL Drift Agent: Detection + Proposal

ACLs drift from intended state. This post describes an agent that diffs declared against observed state, classifies the drift, and proposes a corrective change that a human approves.

Declared vs observed

Declared state lives in your IaC: Terraform, Pulumi, CloudFormation. The agent treats it as the source of truth.

Observed state lives in the cloud provider. The agent pulls it via API. Differences between declared and observed are drift.

Most drift is benign (timestamps, ARNs that auto-rotate). The agent's job is to filter benign drift and surface the meaningful kind.

Drift classification

Manual change: someone edited the ACL in the console. The drift is real and unauthorised.

Pending IaC change: the IaC was updated but not yet applied. The drift will resolve itself on next apply.

External system change: an attached service modified the ACL (e.g., a service mesh adding entries). The drift is expected by design but should be acknowledged.

Propose, do not apply

For each meaningful drift, the agent proposes a corrective change as a Terraform diff.

The diff is reviewed by humans. The agent never applies ACL changes; the blast radius is too large.

If the human accepts, the change is applied through the normal IaC pipeline. The agent does not bypass the pipeline.
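The three steps above (strip benign fields and diff, classify against the three drift classes, emit a proposal that is never applied) as one added example; this is illustrative code, not the author's agent. It assumes three inputs the agent would fetch itself: the IaC at HEAD, the last-applied IaC state, and the observed ACL from the cloud API, plus an assumed `managed_by` tag convention for rules written by external systems.

```python
# Cloud API fields with no policy meaning; dropping them removes the benign drift
# (timestamps, auto-rotated ARNs) before anything is compared.
BENIGN_FIELDS = {"last_modified", "arn", "etag"}
# Assumed convention: rules written by an external system carry a managed_by tag.
EXTERNAL_MANAGERS = {"service-mesh"}

def normalise(rules):
    """Key rules by number, keeping only policy-relevant fields."""
    return {r["rule_no"]: {k: v for k, v in r.items() if k not in BENIGN_FIELDS}
            for r in rules}

def classify(rule_no, declared, applied, observed):
    """declared = IaC at HEAD, applied = last-applied state, observed = cloud API."""
    if declared.get(rule_no) != applied.get(rule_no):
        return "pending_iac"        # IaC moved since last apply; next apply resolves it
    if observed.get(rule_no, {}).get("managed_by") in EXTERNAL_MANAGERS:
        return "external_system"    # expected by design, but must be acknowledged
    return "manual"                 # no IaC explains it: unauthorised console edit

def as_hcl(rule):
    """One-line rendering of a rule for the proposed diff."""
    return " ".join(f"{k}={rule[k]}" for k in sorted(rule))
def scan(declared_rules, applied_rules, observed_rules):
    """One finding per drifted rule, with a revert-to-declared diff for manual drift."""
    d, a, o = (normalise(x) for x in (declared_rules, applied_rules, observed_rules))
    findings = []
    for n in sorted(set(d) | set(o)):
        if d.get(n) == o.get(n):
            continue                # identical once benign fields are ignored
        kind = "added" if n not in d else "removed" if n not in o else "changed"
        cls = classify(n, d, a, o)
        proposal = []               # proposed only; a human applies it via the pipeline
        if cls == "manual":
            if n in o: proposal.append("- " + as_hcl(o[n]))
            if n in d: proposal.append("+ " + as_hcl(d[n]))
        findings.append({"rule_no": n, "kind": kind, "class": cls, "proposal": proposal})
    return findings

# Constructed sample data: IaC at HEAD (also the last-applied state) and the observed ACL.
DECLARED = [{"rule_no": 100, "action": "allow", "protocol": "tcp", "cidr": "10.0.0.0/8", "port": 443},
            {"rule_no": 200, "action": "deny", "protocol": "all", "cidr": "0.0.0.0/0", "port": "*"}]
OBSERVED = [dict(DECLARED[0], last_modified="2026-04-26T03:00:00Z", arn="arn:example:acl/abc"),
            {"rule_no": 150, "action": "allow", "protocol": "tcp", "cidr": "0.0.0.0/0", "port": 22},
            DECLARED[1],
            {"rule_no": 300, "action": "allow", "protocol": "tcp", "cidr": "10.1.0.0/16",
             "port": 15001, "managed_by": "service-mesh"}]
if __name__ == "__main__":
    for f in scan(DECLARED, DECLARED, OBSERVED):
        print(f["rule_no"], f["kind"], f["class"], *f["proposal"], sep=" | ")
```

Rule 100 shows no drift once the timestamp and ARN are ignored; rule 150 is a manual addition and gets a revert diff, while rule 300 is attributed to the mesh and only needs acknowledging.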

Daily scan

The agent runs daily and surfaces drift that appeared in the last 24 hours. Older drift is already in the team's queue.

The first run after the agent ships will surface a backlog of drift. Plan time to triage; do not be surprised.

After the backlog clears, daily scans typically surface 0-3 drift events. The agent is mostly quiet, which is the success state.

Audit trail

Every drift detected is logged: declared state, observed state, classification, proposed correction.

Every human action on the proposed correction is logged: accepted, rejected, modified.

The audit trail satisfies SOC2 controls around configuration management. The auditor reads the log; the team is not in the audit critical path.