ankos drift
Detect PCI posture drift by comparing the current AWS state against a previously collected evidence baseline. CI/CD-friendly, with severity-based exit codes.
ankos drift compares the current state of your AWS environment against
a baseline directory produced by an earlier ankos scan
and reports what changed — new resources, removed resources, security
posture degradations, and improvements.
The intended use is scheduled execution: run it nightly or weekly in CI, fail the build when something drifts in a critical direction, and catch PCI regressions between assessments instead of at them.
AWS-only. drift currently compares AWS baselines only. For GCP,
run ankos scan --provider gcp on a
schedule and diff the JSON outputs manually until GCP drift detection
ships.
Synopsis
```
ankos drift <baseline-dir> [flags]
```
Quick start
```bash
# Last week's scan is the baseline; compare current state against it
ankos drift ./ankos-evidence-baseline
# Save the drift report to a file
ankos drift ./ankos-evidence-baseline -o ./drift-report.json --format json
# CI gate: fail the build if any critical-severity drift appeared
ankos drift ./ankos-evidence-baseline --fail-on critical
# Update the baseline in place after the comparison (start of new week)
ankos drift ./ankos-evidence-baseline --baseline-update
```
Flags
| Flag | Default | Description |
|---|---|---|
| --region | (from baseline) | AWS region(s) to check. Defaults to the regions recorded in the baseline. |
| --all-regions | false | Check every region present in the baseline. |
| --profile | (none) | AWS profile to use. |
| --collectors | (from baseline) | Subset of collectors to compare. Default uses everything in the baseline. |
| --format | text | Output format: text or json. |
| --output / -o | (stdout) | Save drift report to file. |
| --fail-on | (none) | Exit non-zero on drift: any, critical, or high. |
| --baseline-update | false | Overwrite the baseline with the current state after comparing. Use to "roll forward" the baseline at the start of each comparison window. |
| --notify | (none) | Notification target (future: Slack webhook URL). Currently a no-op placeholder. |
CI exit codes
Pair --fail-on with your build's failure threshold:
| Setting | Exits non-zero when… |
|---|---|
| --fail-on any | Any drift detected (degradation / improvement / change) |
| --fail-on critical | At least one critical-severity drift |
| --fail-on high | At least one high-severity or above |
Typical pattern: weekly cron in CI with --fail-on critical, so the
build only breaks on serious regressions. High-severity changes get
filed as work; low-severity churn (new tags, capacity changes) stays
informational.
Baseline lifecycle
The baseline is just an evidence directory from ankos scan. Common
patterns:
1. Weekly window. Scan on Sunday → that's the baseline for the week. Daily drift checks reference it. The next Sunday's scan replaces the baseline.
2. Quarterly window. Use last quarter's evidence package as the baseline; daily drift checks surface anything that drifted since the last QSA review.
3. Rolling. Run ankos drift ./baseline --baseline-update daily; the baseline always represents "yesterday."
For options 1 and 2, store the baseline in S3 or your CI artifact storage and pull it before each drift run. For option 3, the baseline is local to the runner.
Output
In text format, drift opens with a Direction line (↓ Degrading, ↑ Improving, or → Stable) summarizing the overall posture move, then groups changes into three sections:
- Degradations — PCI posture worsened (encryption disabled, public access enabled, MFA removed, a new public bucket, etc.)
- Improvements — PCI posture improved since the baseline
- Changes — informational infrastructure changes that don't move posture in either direction
In JSON format, the same data is structured per-collector (with a
posture_direction summary field) for easy machine processing.
What drift catches
A non-exhaustive list of common drift events you'll see flagged:
- A new public S3 bucket appears
- CloudTrail logging is disabled in a region
- An IAM user is granted administrative permissions
- An EC2 security group adds 0.0.0.0/0 ingress on a CDE port
- KMS key rotation is disabled
- A WAF rule is deleted
- A new EKS cluster appears that wasn't covered by the baseline
Limitations
- Read-only. Like all Ankos commands, drift never modifies your AWS environment. It reports; your team remediates.
- Single baseline at a time. Multi-baseline comparison (3-way diff) isn't supported; combine ankos report --diff if you need that shape.
- Notification webhook is a stub. --notify is a placeholder for a future Slack/webhook integration. For now, post-process the --format json output in your CI script.
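As an added example (not part of the ankos docs or the project's own code), here is a small CI post-processor for the --format json report: it applies the same thresholds as the CI exit-code table above and builds the Slack webhook body that the stubbed --notify flag does not send yet. The report schema it reads (a collectors map whose entries carry degradations/improvements/changes lists, each item tagged with a severity) is an assumption, since the page only states that the JSON is grouped per collector with a posture_direction field.

```python
import json

# Constructed sample `ankos drift --format json` report. Its exact schema is
# an assumption of this example: the docs only say the JSON is grouped per
# collector with a posture_direction summary field.
SAMPLE_REPORT = json.loads("""{
  "posture_direction": "degrading",
  "collectors": {
    "s3": {
      "degradations": [{"resource": "example-logs-bucket",
                        "severity": "critical", "detail": "public access block removed"}],
      "improvements": [],
      "changes": [{"resource": "example-logs-bucket", "severity": "low",
                   "detail": "tag CostCenter added"}]},
    "cloudtrail": {
      "degradations": [{"resource": "us-west-2", "severity": "high",
                        "detail": "trail logging stopped"}],
      "improvements": [], "changes": []}}}""")

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
SECTIONS = ("degradations", "improvements", "changes")


def degradations(report):
    """Yield (collector, item) for every posture degradation in the report."""
    for name, coll in report["collectors"].items():
        for item in coll.get("degradations", []):
            yield name, item


def should_fail(report, fail_on):
    """Mirror the --fail-on table: any -> any drift at all; critical/high -> a
    degradation at or above that severity (per-item severity is assumed)."""
    if fail_on is None:
        return False
    if fail_on == "any":
        return any(coll.get(s) for coll in report["collectors"].values()
                   for s in SECTIONS)
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK.get(item.get("severity", "low"), 0) >= threshold
               for _, item in degradations(report))


def slack_payload(report):
    """Build the webhook body that the stubbed --notify flag does not send yet."""
    lines = [f"ankos drift: posture {report['posture_direction']}"]
    for name, item in degradations(report):
        lines.append(f"- [{item['severity']}] {name}: {item['resource']} "
                     f"({item['detail']})")
    return {"text": "\n".join(lines)}
```

In a pipeline, load the file written by -o instead of SAMPLE_REPORT and exit non-zero when should_fail returns True for your chosen threshold.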