I think it’s safe to say that the majority of AWS developers prefer CloudFormation for its ease, flexibility and scalability. It is therefore key that the stacks it creates remain as they were first designed.
This said, it can be tempting for any user to make changes such as updating IAM permissions or changing EC2 instance types outside of CloudFormation when time or budget is tight. The unfortunate reality of this approach is that leaving the template out of date can complicate stack update or deletion operations later on. A potentially worse scenario is that the next time the stack is deployed it won’t include the manual changes and will have to be updated again; all of this defeats the purpose of Infrastructure as Code (IaC).
The lesson: wherever possible, ensure all changes go into the template, and version your templates. This way you only need to fix things once, and the quality of your infrastructure will increase over time.
You should also have a look at Cloud Conformity’s CloudFormation template scanning tool. With it, each template resource is checked against hundreds of industry best practices, including the AWS Well-Architected Framework, Center for Internet Security (CIS), Payment Card Industry Data Security Standard (PCI DSS) and General Data Protection Regulation (GDPR).
Here are some examples of easily and commonly missed misconfigurations that are checked:
- Opening too many TCP ports within EC2 security groups
- Granting permission without applying the principle of least privilege
- Granting permissions to wrong IAM users and roles
- Allowing public access to S3 buckets storing sensitive data
- Forgetting to encrypt RDS databases and EBS volumes
- Exposing APIs to the internet
A CloudFormation stack is considered to have drifted if the actual property values of its resources differ from the expected property values specified as stack template parameters. This includes any resource that has been deleted. Only resource properties explicitly defined in the stack template are checked for drift.
Cloud Conformity’s new CloudFormation Drift Detection feature lets you identify stack resources that have been reconfigured outside of CloudFormation’s management. Once drift is detected, you can take corrective action to restore configuration consistency and keep CloudFormation stack operations succeeding.
When it comes to remediating, we strongly recommend you correct any drifted stacks using CloudFormation templates instead of updating the resource directly. This ensures all changes stay in line with their template definition, keeping everything consistent and more manageable.
You’ll find all of the details of this new CloudFormation Drift Detection rule on our Knowledge Base, including audit methods via the AWS Console and AWS CLI, as well as the remediation steps.
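To illustrate the CLI audit path, here is an added example (not Cloud Conformity’s or AWS’s code) that consumes the JSON produced by the real `aws cloudformation describe-stack-resource-drifts` command, lists every resource whose live state no longer matches the template, and exposes a pipeline gate. The sample report embedded in the block is constructed; its stack, resource ids and values are made up.

```python
from collections import Counter
from typing import Any, Dict, List

# Audit flow with the real AWS CLI; the parser below reads the output of the last command:
#   aws cloudformation detect-stack-drift --stack-name <stack>
#   aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id <id>
#   aws cloudformation describe-stack-resource-drifts --stack-name <stack> > drifts.json

# Constructed sample of describe-stack-resource-drifts output; ids and values are made up.
SAMPLE_DRIFTS: Dict[str, Any] = {"StackResourceDrifts": [
    {"LogicalResourceId": "WebServerSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{
         "PropertyPath": "/SecurityGroupIngress/1", "DifferenceType": "ADD",
         "ExpectedValue": "null",
         "ActualValue": '{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"CidrIp":"0.0.0.0/0"}'}]},
    # A resource removed outside CloudFormation reports DELETED and carries no property diffs.
    {"LogicalResourceId": "AuditLogBucket", "ResourceType": "AWS::S3::Bucket",
     "StackResourceDriftStatus": "DELETED", "PropertyDifferences": []},
    {"LogicalResourceId": "AppRole", "ResourceType": "AWS::IAM::Role",
     "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
]}

def drift_summary(report: Dict[str, Any]) -> Dict[str, int]:
    """Count resources per status: IN_SYNC, MODIFIED, DELETED or NOT_CHECKED."""
    return dict(Counter(r["StackResourceDriftStatus"] for r in report["StackResourceDrifts"]))

def drifted_resources(report: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Resources whose live state no longer matches the template, with each property difference."""
    findings = []
    for res in report["StackResourceDrifts"]:
        if res["StackResourceDriftStatus"] in ("IN_SYNC", "NOT_CHECKED"):
            continue  # unchanged, or a type CloudFormation does not support drift checks for
        findings.append({
            "logical_id": res["LogicalResourceId"],
            "status": res["StackResourceDriftStatus"],
            "differences": [(d["PropertyPath"], d["DifferenceType"], d["ExpectedValue"], d["ActualValue"])
                            for d in res.get("PropertyDifferences", [])],
        })
    return findings

def stack_in_sync(report: Dict[str, Any]) -> bool:
    """Pipeline gate: True only when every checked resource still matches its template definition."""
    return not drifted_resources(report)

if __name__ == "__main__":
    for f in drifted_resources(SAMPLE_DRIFTS):
        print(f["status"], f["logical_id"], f["differences"])
    print("summary:", drift_summary(SAMPLE_DRIFTS))
```

Feed it the saved `drifts.json` of a real stack and fail the deployment job when `stack_in_sync` returns False, then remediate through a template update rather than by editing the resource by hand.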