Configuration Change History
Understanding how your cloud resources change over time is critical for security auditing, troubleshooting incidents, and maintaining compliance. CloudYali records configuration snapshots for your cloud resources and lets you navigate through versions and compare changes side by side.
How Change History Works
CloudYali captures resource configuration snapshots during each sync cycle. When a resource's configuration changes between scans, a new version is recorded. You can:
- View the full configuration at any point in time
- Compare any two versions side by side
- See exactly which fields were added, removed, or modified
Viewing Change History
- Navigate to Asset Inventory and find a resource using the table or filters
- Click the resource row to open the Resource Detail Dialog
- Select the Configuration History tab
Timeline Navigation
The timeline on the left side shows all recorded configuration versions:
- Latest badge — The most recent version is marked with a "Latest" label
- Version numbers — Each snapshot is numbered sequentially (v1, v2, v3, ...)
- Timestamps — Each milestone shows when the change was detected
- Click any milestone to view that version's full configuration
Version Comparison (Diff View)
To compare two versions side by side:
- Select a version from the timeline to view it
- Select a second version to enter comparison mode
- A side-by-side diff view appears with highlighted changes
Understanding the Diff
The diff summary at the top shows three types of changes:
| Indicator | Meaning | Color |
|---|---|---|
| Added (+) | Fields present in the newer version but not the older | Green |
| Removed (-) | Fields present in the older version but not the newer | Red |
| Modified | Fields that changed value between versions | Yellow |
Changed field paths are shown as clickable chips (e.g., SecurityGroups.0.GroupId, Tags.Environment) for quick navigation to the specific change in the JSON tree.
Click Exit Compare to return to single-version view.
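The classification above can be reproduced outside the UI on two exported snapshots. The following is an added example, not CloudYali's own code: `flatten`, `diff_snapshots` and the sample snapshots `V1` and `V2` are hypothetical names and constructed data. It flattens each JSON document into dotted paths of the same shape as the chips (list indexes become path segments) and sorts the paths into added, removed and modified.

```python
import json

def flatten(node, prefix=""):
    """Map each leaf of a JSON document to a dotted path; list indexes become segments."""
    if isinstance(node, dict):
        items = list(node.items())
    elif isinstance(node, list):
        items = list(enumerate(node))
    else:
        return {prefix: node}
    flat = {}
    for key, value in items:
        path = f"{prefix}.{key}" if prefix else str(key)
        flat.update(flatten(value, path))
    if not items and prefix:
        flat[prefix] = node  # keep an empty {} or [] visible as a leaf
    return flat

def diff_snapshots(older, newer):
    """Classify changed field paths as added, removed or modified."""
    old, new = flatten(older), flatten(newer)
    # Compare at JSON level so that true and 1 count as different values.
    same = lambda p: json.dumps(old[p]) == json.dumps(new[p])
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in old if p in new and not same(p)),
    }

# Constructed sample: two versions of a security group (all values are placeholders).
V1 = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [{"FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
    "Tags": {"Environment": "prod", "Owner": "netops"},
}
V2 = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [{"FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "Tags": {"Environment": "prod", "Reviewed": "no"},
}

if __name__ == "__main__":
    for kind, paths in diff_snapshots(V1, V2).items():
        print(kind, paths)
```

Because list indexes are path segments in this example, inserting an element at the head of a list shifts every later element to a new path, so those elements are reported as modified rather than unchanged.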
Change History by Provider
Different cloud providers offer different levels of change tracking depth:
| Provider | History Type | History Depth | Change Metadata |
|---|---|---|---|
| AWS | Configuration snapshots via CloudTrail/Config sync | Full history (retention-dependent) | Timestamp only |
| GCP | Snapshot-based via Cloud Asset Inventory API | Up to 35-day window from CAI | Timestamp only |
| Azure | Native change tracking via Azure Resource Graph | Full history | Who changed, how it was changed |
| Fastly | Current state only | No history | — |
| Anthropic | Current state only | No history | — |
AWS Change History
AWS resource configurations are captured during each snapshot sync cycle. When a resource's configuration changes between scans, a new version is created in the timeline. Checksums are used to detect changes efficiently.
Rapid changes that occur between scan intervals may not be individually captured. Only the state at each scan time is recorded.
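The effect of scan-based versioning can be seen in a small simulation. This is an added example, not CloudYali's implementation: the page states only that checksums are used, so SHA-256 over canonical JSON is an assumption, and `config_checksum`, `scan`, `record_versions` and the sample timeline are hypothetical and constructed.

```python
import hashlib
import json

def config_checksum(config):
    """SHA-256 over canonical JSON (sorted keys) so key order never looks like a change."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def scan(changes, interval, end):
    """Sample the resource state every `interval` hours, as a periodic sync would."""
    scans = []
    for t in range(0, end + 1, interval):
        current = [cfg for when, cfg in changes if when <= t][-1]
        scans.append((t, current))
    return scans

def record_versions(scans):
    """Create a new version only when the checksum differs from the previous scan."""
    versions, last = [], None
    for ts, config in scans:
        digest = config_checksum(config)
        if digest != last:
            versions.append((f"v{len(versions) + 1}", ts, config))
            last = digest
    return versions

# Constructed timeline (hour, configuration): the setting is switched off at
# hour 7 and restored at hour 9, then the tag changes at hour 20.
BASE = {"BlockPublicAcls": True, "Tags": {"Environment": "prod"}}
EXPOSED = {"BlockPublicAcls": False, "Tags": {"Environment": "prod"}}
RETAGGED = {"BlockPublicAcls": True, "Tags": {"Environment": "staging"}}
CHANGES = [(0, BASE), (7, EXPOSED), (9, BASE), (20, RETAGGED)]

if __name__ == "__main__":
    for interval in (6, 1):
        versions = record_versions(scan(CHANGES, interval, 24))
        print(f"scan every {interval}h:", [(v, ts) for v, ts, _ in versions])
```

With a 6-hour interval the timeline holds only v1 and v2, and the two-hour window in which `BlockPublicAcls` was off never appears in it; with a 1-hour interval all four states are recorded.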
GCP Change History
GCP uses the Cloud Asset Inventory API, which provides a rolling 35-day history window. CloudYali retrieves the full history on the first sync and fetches incremental changes on subsequent runs.
Configurations older than 35 days are retained by CloudYali based on your subscription retention policy, but no new historical snapshots can be retrieved beyond the CAI window.
Azure Change History
Azure provides the richest change metadata through Azure Resource Graph's native change tracking. In addition to the configuration diff, Azure change records include:
- Who — The identity (user email or application ID) that made the change
- How — The method used to make the change (e.g., Azure Portal, Azure CLI, Terraform, ARM template)
- Change Type — Whether the change was a Create, Update, or Delete operation
This additional context is displayed in the change history timeline alongside the configuration diff.
Fastly and Anthropic
Fastly and Anthropic resources show only the current configuration snapshot. The Configuration History tab displays the current JSON configuration without a timeline. As change history support is added for these providers, historical tracking will become available automatically.
Use Cases
Security Auditing
Review changes to security-sensitive resources like security groups, IAM policies, network configurations, or key vault settings. Identify unauthorized modifications by comparing versions and checking who made the change (Azure).
Incident Troubleshooting
When an issue occurs, compare the current configuration with a known-good version to identify what changed. The diff view makes it easy to spot the exact fields that were modified — helping you pinpoint the root cause faster.
Compliance Evidence
Maintain an auditable record of configuration changes for compliance frameworks that require change tracking. The version timeline provides evidence of when configurations were in specific states.
Related Documentation
- Unified Asset Inventory Overview — Main inventory documentation
- Filtering and Tag Search — Find the resource you want to inspect
- Supported Cloud Providers — See which providers support change history
- Permissions and Security Overview — Understand access controls