AWS Config Rule: CloudFormation Stack Drift Detection Check

CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK

Fernando Honig

Last Update 2 months ago

Description: Checks if the actual configuration of a CloudFormation stack differs, or has drifted, from the expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule and the stack are NON_COMPLIANT when the stack drift status is DRIFTED.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except Europe (Stockholm), Europe (Paris), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region


How to Resolve Manually

A CloudFormation stack has three possible drift statuses, which indicate whether your IaC resources have changed from the configuration defined in the CloudFormation template or in the stack itself.


To detect drift, head over to the AWS CloudFormation Console and select your stack. In the top right-hand corner, choose Stack Actions, then Detect Drift. This starts a drift detection run for the chosen stack. Once it has finished, select View Drift Results from the same Stack Actions menu.


AWS then reports which resources have changed from the configuration originally deployed through IaC. In my example below, it looks like I have manually changed an Events Rule. You can drill down into each changed resource and compare its actual and expected configuration.


You will need to revert these changes manually where possible, or re-deploy your original CloudFormation template; the latter can be quite destructive, so choose your option with care.
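The console steps above (Detect Drift, wait, View Drift Results) and the rule's IN_SYNC/DRIFTED compliance mapping from the Description can be scripted against the CloudFormation API, which is useful when you want the drifted properties in a form you can diff or ticket rather than click through. The following is an added example, not StackZone's or AWS's own code. It assumes boto3 and AWS credentials are available when the live path is used; the stack name is taken from the command line; and the treatment of the NOT_CHECKED and UNKNOWN statuses as NOT_APPLICABLE is this script's assumption, since the rule only documents IN_SYNC and DRIFTED. The sample drift records embedded for offline use are constructed to mirror the article's modified Events Rule.

```python
"""Detect CloudFormation stack drift and report drifted resources and properties."""
import sys
import time

# Compliance mapping. IN_SYNC -> COMPLIANT and DRIFTED -> NON_COMPLIANT come from the
# rule description; the other two statuses are mapped by assumption in this script.
STATUS_TO_COMPLIANCE = {
    "IN_SYNC": "COMPLIANT",
    "DRIFTED": "NON_COMPLIANT",
    "NOT_CHECKED": "NOT_APPLICABLE",
    "UNKNOWN": "NOT_APPLICABLE",
}

# Constructed sample of DescribeStackResourceDrifts output (not a real stack):
# one Events rule whose schedule was changed by hand, one untouched resource.
SAMPLE_DRIFTS = [
    {
        "LogicalResourceId": "NightlyRule",
        "ResourceType": "AWS::Events::Rule",
        "StackResourceDriftStatus": "MODIFIED",
        "PropertyDifferences": [
            {"PropertyPath": "/ScheduleExpression",
             "ExpectedValue": "rate(1 day)",
             "ActualValue": "rate(1 hour)",
             "DifferenceType": "NOT_EQUAL"}
        ],
    },
    {
        "LogicalResourceId": "AuditBucket",
        "ResourceType": "AWS::S3::Bucket",
        "StackResourceDriftStatus": "IN_SYNC",
        "PropertyDifferences": [],
    },
]


def compliance_for(stack_drift_status):
    """Translate a StackDriftStatus value into the Config rule's compliance type."""
    return STATUS_TO_COMPLIANCE.get(stack_drift_status, "NOT_APPLICABLE")


def summarize_resource_drifts(resource_drifts):
    """Keep only resources that are not IN_SYNC, with their property differences.

    Returns a list of (logical_id, resource_type, drift_status, [(path, expected, actual)]).
    """
    findings = []
    for drift in resource_drifts:
        if drift["StackResourceDriftStatus"] == "IN_SYNC":
            continue
        diffs = [
            (d["PropertyPath"], d.get("ExpectedValue"), d.get("ActualValue"))
            for d in drift.get("PropertyDifferences", [])
        ]
        findings.append((drift["LogicalResourceId"], drift["ResourceType"],
                         drift["StackResourceDriftStatus"], diffs))
    return findings


def detect_drift(stack_name, region=None, poll_seconds=5):
    """Same flow as the console: start detection, poll until done, fetch the results."""
    import boto3  # imported here so the pure functions above run without boto3 installed
    cfn = boto3.client("cloudformation", region_name=region)
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    while True:
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    # Page through resource drifts manually (NextToken), no paginator is assumed.
    drifts, kwargs = [], {"StackName": stack_name}
    while True:
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(page["StackResourceDrifts"])
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    return status["StackDriftStatus"], drifts


def print_report(stack_name, stack_status, drifts):
    """Human-readable report: stack-level compliance, then each drifted property."""
    print(f"{stack_name}: {stack_status} -> {compliance_for(stack_status)}")
    for logical_id, rtype, status, diffs in summarize_resource_drifts(drifts):
        print(f"  {logical_id} ({rtype}): {status}")
        for path, expected, actual in diffs:
            print(f"    {path}: expected {expected!r}, actual {actual!r}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No stack given: show the report format on the constructed sample.
        print_report("sample-stack (constructed)", "DRIFTED", SAMPLE_DRIFTS)
        sys.exit(0)
    region = sys.argv[2] if len(sys.argv) > 2 else None
    stack_status, drifts = detect_drift(sys.argv[1], region)
    print_report(sys.argv[1], stack_status, drifts)
```

Run it as `python drift_report.py my-stack eu-west-1` to check a real stack, or with no arguments to see the report shape on the constructed sample. The per-property output is what you want before deciding between reverting the change by hand and re-deploying the template: a single changed schedule expression is a quick manual fix, while a DELETED resource usually means the template redeploy path.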

