from reactive fixes to proactive drift detection.

AWS Drift Detection Implementation

How Cloud Elemental helped a large UK organisation design a scalable, automated approach to detecting and managing infrastructure drift for a mission-critical application on AWS.

The Client

Our client is a large UK-based organisation operating a business-critical cloud platform with high availability and strong governance requirements

As part of preparations to launch a mission-critical application, the client wanted greater confidence that deployed AWS infrastructure remained aligned with approved infrastructure-as-code (IaC). They were particularly concerned about configuration drift – changes made outside of code that could undermine reliability, security, or disaster recovery outcomes.

Cloud Elemental was engaged to assess the problem and design a practical, enterprise-ready drift detection approach.

The Challenge

The client’s platform was deployed using infrastructure-as-code, but there was limited visibility into whether environments continued to match that code once live.

Four specific drift-related challenges were identified:

Undetected Configuration Drift

Manual or ad-hoc changes to AWS resources could go unnoticed, introducing misconfigurations or security gaps that would only surface during an incident or recovery event.

No Automated Drift Detection

There was no standard mechanism to regularly compare deployed infrastructure against the approved IaC baseline across environments.

Reactive, Manual Response

When configuration issues were discovered, remediation required manual investigation and coordination between teams, increasing mean time to resolution.

No Repeatable Pattern

There was no reusable, scalable pattern for detecting drift in environments with higher availability and recovery requirements.

Our Approach

We worked closely with EBS stakeholders to review their infrastructure deployment workflows and identify areas for automation and improved visibility. The engagement aimed to support proactive configuration management without disrupting existing toolchains or operations.

Our recommendation, while not implemented during the engagement, provided EBS with a scalable, low-friction solution for drift detection that aligned with their broader observability and compliance strategy.

Initiation & Readiness

Design & Planning

Risk & Governance Review

Strategic Commitment

01

Environment Discovery Workshops

Objective: Understand existing IaC deployment practices and observability tooling to gauge readiness for drift detection. 

02

Solution Blueprinting

Objective: Define a lightweight, maintainable approach to compare deployed AWS infrastructure with approved code. 

03

Feasibility & Compliance Validity

Objective: Assess operational and compliance implications to ensure the solution could be implemented securely and responsibly. 

04

Delivery Planning

Objective: Provide a clear, ready-to-deploy recommendation that aligns with stakeholder priorities and enterprise tooling.

Outcome: Clarified current-state workflows and identified opportunities to integrate drift detection without major disruption. 

Outcome: Designed a scalable detection pattern using native AWS services, with integration points for Jira and Dynatrace. 

Outcome: Validated the approach against governance expectations and confirmed its value in improving recovery posture. 

Outcome: Delivered an implementation-ready pattern for EBS to adopt as part of a wider infrastructure observability strategy.

Key Takeaways: A targeted assessment helped ground the recommendation in EBS’s real-world tooling and constraints. 

Key Takeaways: Design decisions were shaped by simplicity, scalability, and the ability to integrate seamlessly. 

Key Takeaways: Compliance and operational risk were central to determining solution feasibility. 

Key Takeaways: Gaining alignment early enables smoother adoption when the business is ready to proceed.

Our Solution Recommendation

Drift Detection Pattern

We proposed a lightweight, automated approach to identify and respond to infrastructure drift—ensuring any changes outside of code could be quickly surfaced and remediated.

While this approach was fully scoped and recommended, it was not implemented during this engagement.

Key Elements of the Recommendation

Scheduled Drift Checks

  • A daily job (e.g., 8am) would review AWS infrastructure against the defined IaC baseline.

Conditional Action on Drift

  • If no drift was detected, no action was required. If drift was identified, automated workflows would be triggered.

Integrated Notification Workflow

  • A Jira ticket would be created and linked to relevant observability tools such as Dynatrace or ServiceNow to notify responsible stakeholders.

Support for Custom Remediation Logic

  • Stakeholders could define how each type of drift should be handled, with contextual metadata attached for faster resolution.

Intended Benefits

  • Catch misconfigurations early, before they become incidents
  • Simple to configure and integrate with existing tooling
  • Improve auditability and confidence in infrastructure state
  • Detect potentially malicious or unauthorised changes
  • Reduce recovery times in disaster scenarios

Our Results

By introducing automation and a scalable infrastructure model, Cloud Elemental helped EBS strengthen the resilience and agility of its cloud platform while reducing operational risk. The solution not only addressed current platform needs but also laid the groundwork for future improvements in delivery speed and environment management.

Document with a pencil, symbolising incident response planning and preparation. Represents developing, testing, and updating security plans to handle cyber threats effectively.

Actionable Blueprint for Infrastructure Drift Detection

  • EBS now has a clear path to implement proactive drift monitoring, enabling better governance and control across critical environments
Eye icon with a magnifying glass, symbolising real-time monitoring, auditing, and security traceability in Cloud environments. Represents AWS best practices for detecting and responding to security incidents.

Stronger Observability Framework

  • The recommended pattern extends EBS’s observability capabilities, allowing them to see and respond to configuration changes in near real-time

Reduced Operational Risk

  • Even without implementation, the design improves EBS’s understanding of potential vulnerabilities and offers a tangible next step for platform resilience

Template for Future Projects

  • The drift detection model offers a reusable framework that can be applied across EBS's cloud estate as the organisation continues to scale

This engagement empowered EDF’s EBS branch with the insight and guidance needed to strengthen governance and platform reliability. Cloud Elemental’s consultative approach delivered a simple, scalable recommendation that enables proactive monitoring of infrastructure state—laying the groundwork for greater operational assurance.

Ready to transform your Cloud infrastructure?

Cloud solutions, simplified.

Let's discuss how we can help you achieve your Cloud goals with our expertise and proven methodology.

Schedule a Consultation

Luminus Observability: Simplifying Search with AWS Opensearch

How Cloud Elemental helped Luminus transition from an outdated, on-premise search tool to a scalable, Cloud-based solution for log retention, security, and compliance.

The Client

Luminus is the second-largest electricity generator and energy provider in Belgium, managing power plants and wind farms while securing external energy sources to ensure a reliable power supply for customers.

As a public-facing utility company handling large volumes of customer data, Luminus must comply with strict governance, auditability, and data retention standards – especially when it comes to their operational and application log data.

The Challenge

Before the OpenSearch project, Luminus was facing operational and compliance risks tied to their outdated, on-premise log search solution. Key challenges included:

  • Limited Scalability & Resiliency

Their legacy system couldn’t keep up with the growth of data, particularly as Luminus’ customer base continued to grow

  • Insufficient Governance & Auditability

Their logging system lacked granular access control and long-term storage capabilities

  • Lack of controlled access to Log Data

Multiple teams had too much access — anyone with the right permissions could view all log data, with no practical way to limit or segregate visibility

Our Approach

Assessment & Discovery

  • Ran collaborative sessions with Luminus teams to map existing logging workflows
  • Identified core technical and compliance challenges in their on-prem setup

Architecture Planning

  • Designed a resilient, multi-AZ OpenSearch cluster built for scale and high availability
  • Prioritised governance and lifecycle-aware storage from the outset

Active Directory Integration

  • Integrated Azure Active Directory for secure, centralised access management
  • Enabled custom role-based access aligned to organisational needs

Compliance-first Mindset

  • Built long-term data retention and auditability into the platform design
  • Structured domain-level access to reflect application and team boundaries

What is Opensearch?

OpenSearch is an open-source search and analytics suite used for real-time application monitoring, log analytics, and website search. It offers powerful dashboards and fast access to vast volumes of data.

AWS OpenSearch Service is the fully managed version offered by AWS, simplifying deployment, scaling, and management of OpenSearch clusters while providing enterprise-grade security and availability.

Our Solution

Our tailored implementation of AWS OpenSearch addressed Luminus’ immediate and long-term needs.

Key elements of the solution included:

Multi-AZ Resilient Architecture

We deployed OpenSearch clusters across three AWS Availability Zones, each containing multiple OpenSearch nodes. This ensures high availability and fault tolerance for mission-critical log data.

Tiered Storage for Cost Efficiency

Using data nodes, ultrawarm nodes, and cold storage, logs are automatically moved through lifecycle stages depending on their age. This enables:

  • Fast access to recent logs.

  • Cost-effective retention of older logs.

  • Seamless scaling as log volumes grow.

Secure Access via Azure Active Directory

We integrated Azure AD with AWS OpenSearch Dashboards, enabling:

  • Centralised identity management.

  • Custom role-based access control to log data.

  • Full auditability of user interactions.

Domain-based Access Separation

OpenSearch domains were segmented by application vertical, allowing Luminus to control access on a per-team or per-environment basis, ensuring that only the right people access the right data.

On-Prem & Cloud Log Integration

The OpenSearch platform was designed to aggregate logs from both on-premise systems and AWS workloads, enabling a unified view of operations for observability, security, and compliance.

Our Results

Our collaboration delivered a robust and scalable log analytics platform that continues to support Luminus as their Cloud journey evolves.

  • Improved scalability to support growing AWS adoption
  • Zero-downtime deployments using Blue/Green OpenSearch upgrades
  • Long-term retention with cost-effective cold storage tiers
  • Stronger security posture with Azure AD integration and role-based access
  • Compliance-ready audit trails aligned to governance requirements

Ready to transform your Cloud Infrastructure?

Let’s discuss how we can help you achieve your Cloud goals with our expertise and proven methodology.

Schedule a Consultation