Introducing drifthound — open-source AWS drift detection
A new open-source tool that answers a question most drift scanners can't — not "did fields on this resource change?" but "what's in my AWS account that no Terraform state owns?"
Most drift detection tools take a state file, compare it to the live
provider, and tell you which fields of a known resource have changed.
That's useful, but it leaves a much larger blind spot: the resources that
were never in any state file to begin with — the console clicks, the
emergency AWS CLI workarounds, the half-finished POCs nobody cleaned up.
drifthound answers that second question.
The three buckets
drifthound puts every cloud resource into one of three buckets:
| Bucket | Meaning |
|---|---|
| drift | Exists in AWS, no state owns it, but some state's scope covers the (account, region) — most likely created out-of-band |
| unscoped | Exists in AWS but no state file claims responsibility for that (account, region) — either add a state for that scope or accept the gap |
| ghost | Listed in a state file but missing from AWS — deleted out-of-band, state needs a refresh |
The key idea is scope-aware diff: drifthound reads the backends, accounts, and regions each of your state files claims, and uses that to decide whether a found resource is real drift or simply outside any state's responsibility. Graph-based inventory tools don't make that distinction.
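The three-bucket classification described above, as an added example in Go that is not drifthound's own code: the types, the ARN-keyed ownership model and the (account, region) scope key are simplifying assumptions, and the sample inventory is constructed.

```go
package main
import "fmt"

// Simplified model for illustration, not drifthound's own types.
type Scope struct{ Account, Region string }                   // (account, region) a state claims
type Resource struct{ ARN string; Scope Scope }               // live resource and where it was found
type StateFile struct{ Scopes []Scope; Resources []string }   // claimed scopes, owned ARNs
type Report struct{ Drift, Unscoped, Ghost []string }         // the three buckets

// Classify is the scope-aware diff: an unowned live resource is drift only when
// some state claims its (account, region), otherwise unscoped; owned ARNs missing live are ghosts.
func Classify(states []StateFile, live []Resource) Report {
	owned, claimed := map[string]bool{}, map[Scope]bool{}
	for _, s := range states {
		for _, sc := range s.Scopes {
			claimed[sc] = true
		}
		for _, arn := range s.Resources {
			owned[arn] = true
		}
	}
	seen := map[string]bool{}
	var r Report
	for _, res := range live {
		seen[res.ARN] = true
		switch {
		case owned[res.ARN]: // managed; field-level change is another tool's job
		case claimed[res.Scope]:
			r.Drift = append(r.Drift, res.ARN)
		default:
			r.Unscoped = append(r.Unscoped, res.ARN)
		}
	}
	for _, s := range states { // state order keeps ghost output deterministic
		for _, arn := range s.Resources {
			if !seen[arn] {
				seen[arn] = true // dedupe ARNs owned by more than one state
				r.Ghost = append(r.Ghost, arn)
			}
		}
	}
	return r
}

func main() {
	// Constructed sample: one state for account 111 / us-east-1 owning one bucket.
	states := []StateFile{{[]Scope{{"111", "us-east-1"}}, []string{"arn:aws:s3:::managed"}}}
	live := []Resource{{"arn:aws:s3:::managed", Scope{"111", "us-east-1"}},
		{"arn:aws:s3:::clicked", Scope{"111", "us-east-1"}}, {"arn:aws:s3:::poc", Scope{"222", "eu-west-1"}}}
	fmt.Printf("%+v\n", Classify(states, live))
}
```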
What's in the alpha
End-to-end working today:
- State sources: local glob, S3, Terraform Cloud / Enterprise
- Terraform state parsing
- AWS collector via Resource Explorer
- Scope-aware diff with the three-bucket report
Terragrunt module trees are next.
Try it
```bash
go build -o drifthound ./cmd/drifthound
```
Requires Go 1.24+. Pre-built binaries land on each GitHub release once tagged.
Issues, ideas, and PRs welcome — it's alpha, and the surface area where it needs the most real-world input is exactly the "weird state layout" cases every team has.
