When cloud infrastructure grows to hundreds of resources, it becomes impossible for a human to directly answer "is our environment in a safe state right now?" Yesterday every S3 bucket had Block Public Access (BPA) on, but what if someone flipped one bucket to public today? Yesterday every EBS volume was encrypted, but what if a newly created volume is plaintext? This "drift away from the desired state" accumulates over time, and that one gap becomes the entryway for a security incident. The core problem is twofold — first, how do you continuously detect drift; second, when you find drift, how do you automatically remediate it.
AWS splits these two problems across two services