DriftGuard is an infrastructure compliance platform that continuously detects and remediates configuration drift across Linux servers running on AWS. By comparing live system states against a version-controlled baseline, it ensures consistency, security, and operational reliability. Built around secure AWS networking and idempotent automation principles, DriftGuard demonstrates real-world DevOps practices including configuration management, self-healing infrastructure, and automated compliance enforcement.
- Overview
- Problem Statement
- Solution
- System Workflow
- Architecture
- Detailed Component Breakdown
- Features
- Core Concepts
- Project Structure
- Documentation
- Execution Flow
- Sample Output
- Getting Started
- Validation Checklist
- Troubleshooting
- Security Best Practices
- Production Considerations
- Future Improvements
- Author
This project implements a centralized configuration management system that ensures consistent server configurations across multiple Linux instances.
The system continuously validates the current state of servers against a defined desired state and performs automated remediation when drift is detected.
It is designed to simulate real-world DevOps workflows used in production environments where consistency, reliability, and automation are critical.
Managing configurations manually across distributed systems leads to:
- Configuration drift between servers
- Inconsistent environments
- Increased debugging complexity
- Security vulnerabilities
- Operational overhead
There is no centralized mechanism to enforce uniform configurations, resulting in unreliable systems.
This project introduces an automated configuration management approach that:
- Defines desired system state using structured configuration files
- Detects configuration drift by comparing actual vs expected state
- Automatically remediates inconsistencies using scripts
- Operates within a secure AWS network architecture
- Enables repeatable and scalable infrastructure management
Developer defines desired configuration
↓
Configuration stored in version control
↓
Scripts executed on target servers
↓
Current state is evaluated
↓
Drift is detected
↓
Remediation logic is triggered
↓
System is restored to desired state
The system is deployed within a secure AWS VPC architecture.
Flow:
User → Internet → Bastion Host → Private Servers
Key Design Principles:
- Only Bastion Host is publicly accessible
- All application servers remain private
- Controlled access between layers
- Outbound internet access via NAT Gateway
- Security enforced using Security Groups
Refer:
Defines the expected configuration of servers including:
- Installed packages
- Running services
- System settings
Located in:
- configs/desired-state.yaml
Compares:
- Current server state
- Desired configuration
Identifies mismatches and flags drift.
Executes corrective actions such as:
- Installing missing packages
- Restarting services
- Fixing configuration files
Initial setup script responsible for:
- Preparing server environment
- Installing dependencies
- Setting baseline configuration
- Centralized configuration management
- Automated drift detection
- Automatic remediation system
- Secure AWS-based architecture
- Repeatable and reliable execution
- Minimal manual intervention
- Script-based automation using Bash
This project demonstrates:
- Configuration Management
- Infrastructure as Code mindset
- Drift Detection
- Automated Remediation
- Secure Cloud Networking
- Bastion-based access control
- Idempotent system behavior
Project-AWS-Config-Drift-Auto-Remediation-System/
│
├── README.md
├── assets/
├── configs/
├── scripts/
├── deployment/
└── docs/
Detailed documentation is available:
These documents provide deeper insights into system design and operational handling.
Bootstrap Script Execution ↓ System Initialization ↓ Drift Detection Script ↓ State Comparison ↓ Mismatch Identified ↓ Auto Remediation Script ↓ System Corrected ↓ Verification
Example outcomes include:
- Detection of missing packages
- Automatic installation of required dependencies
- Service restart and validation
- Logs indicating successful remediation
Create AWS resources:
- VPC
- Public Subnet
- Private Subnet
- Bastion Host
- EC2 Instances
Refer:
- deployment/aws-setup.md
ssh -i key.pem ec2-user@<bastion-public-ip>
ssh -i key.pem ec2-user@<private-ip>
git clone https://github.com/Ask99Ayush/Project-AWS-Config-Drift-Auto-Remediation-System.git
cd Project-AWS-Config-Drift-Auto-Remediation-System/scripts
chmod +x bootstrap.sh
./bootstrap.sh
chmod +x drift-check.sh
./drift-check.sh
chmod +x enforce-config.sh
./enforce-config.sh
- Desired packages installed
- Services running correctly
- No configuration drift detected after remediation
- Scripts execute without errors
- Logs generated successfully
Refer:
Common checks:
systemctl status nginx
systemctl status docker
cat /var/log/config-management.log
- Restrict SSH access to specific IP addresses
- Use Bastion Host for controlled access
- Avoid public exposure of private servers
- Follow least privilege principles
- Rotate keys regularly
- Disable unnecessary ports
For real-world systems:
- Replace scripts with Ansible for scalability
- Use Terraform for infrastructure provisioning
- Implement centralized logging
- Add monitoring (CloudWatch, Prometheus)
- Introduce CI/CD pipelines
- Use AWS Systems Manager instead of SSH
- Integration with Ansible
- Terraform-based infrastructure automation
- CI/CD pipeline integration
- Multi-server orchestration
- Monitoring and alerting system
- Dashboard for drift visibility
Ayush Rao Chaudhary
GitHub: https://github.com/Ask99Ayush
LinkedIn: https://linkedin.com/in/Ask99Ayush
This project demonstrates how configuration management, automation, and cloud security principles can be combined to build a reliable, scalable, and production-ready system for maintaining server consistency.
