Ensure that your AWS CloudFormation stacks have not drifted from their expected template configuration. A CloudFormation stack is considered to have drifted from its configuration if one or more of its resources have drifted. A stack resource is considered to have drifted if its actual property values differ from the expected property values specified in the stack template; this includes cases where the property or the resource itself has been deleted. For each resource within the stack that supports drift detection, Amazon CloudFormation compares the actual configuration of the resource with its expected template configuration. Only resource properties explicitly defined in the stack template are checked for drift.
With the right permissions, users can make direct changes to the AWS resources (and their properties) within CloudFormation stacks without updating the templates. A stack configuration change made outside Amazon CloudFormation can be anything from adjusting an AWS Auto Scaling Group parameter to updating an IAM permission or changing an EC2 instance type. Some of these changes may be made intentionally in response to time-sensitive operational events, and some may be accidental. Regardless, configuration changes performed outside of CloudFormation are usually problematic and can complicate stack update or deletion operations. Using the drift detection feature, you can identify stack resources that have been reconfigured outside Amazon CloudFormation service management. Once drift is detected, you can take corrective action to restore configuration consistency and ensure successful CloudFormation stack operations.
To determine if your Amazon CloudFormation stack configurations have drifted, perform the following actions:
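The drift detection workflow described above, as an added example that is not part of the original page: it starts a detection run, polls until the run completes, then lists the resources whose live properties no longer match the template. It works against a real boto3 `cloudformation` client (boto3 is not imported here) or against the constructed `StubCloudFormation` stand-in, whose responses copy the shapes of the real API and model the page's scenario of an EC2 instance type changed outside CloudFormation; the stack name, logical ID and instance types are constructed sample values.

```python
"""Added example: detect CloudFormation stack drift and report drifted resources.
Works with boto3's client("cloudformation") or the constructed stub below (runs offline)."""
import time

DRIFTED = ["MODIFIED", "DELETED"]  # statuses meaning a resource no longer matches its template

def wait_for_detection(cfn, detection_id, poll_seconds=5.0, max_polls=60):
    """Poll the detection run until it leaves DETECTION_IN_PROGRESS; return the status response."""
    for _ in range(max_polls):
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            return status
        time.sleep(poll_seconds)
    raise TimeoutError("drift detection did not complete")

def drifted_resources(cfn, stack_name, poll_seconds=5.0):
    """Run drift detection; return [(logical_id, type, status, [(path, expected, actual, diff_type)])]."""
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    status = wait_for_detection(cfn, detection_id, poll_seconds)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    resp = cfn.describe_stack_resource_drifts(StackName=stack_name, StackResourceDriftStatusFilters=DRIFTED)
    report = []
    for d in resp["StackResourceDrifts"]:
        # Only properties declared in the template are compared; each difference names a JSON path.
        diffs = [(p["PropertyPath"], p.get("ExpectedValue"), p.get("ActualValue"), p["DifferenceType"])
                 for p in d.get("PropertyDifferences", [])]
        report.append((d["LogicalResourceId"], d["ResourceType"], d["StackResourceDriftStatus"], diffs))
    return report

class StubCloudFormation:
    """Constructed stand-in for the boto3 client; response shapes follow the real API."""
    polls = 0
    def detect_stack_drift(self, StackName):
        return {"StackDriftDetectionId": "constructed-detection-id"}
    def describe_stack_drift_detection_status(self, StackDriftDetectionId):
        self.polls += 1  # first poll still running, second poll complete
        if self.polls < 2:
            return {"DetectionStatus": "DETECTION_IN_PROGRESS", "StackDriftStatus": "NOT_CHECKED"}
        return {"DetectionStatus": "DETECTION_COMPLETE", "StackDriftStatus": "DRIFTED", "DriftedStackResourceCount": 1}
    def describe_stack_resource_drifts(self, StackName, StackResourceDriftStatusFilters):
        # Constructed sample: an instance type upgraded outside CloudFormation (the page's scenario).
        return {"StackResourceDrifts": [{"LogicalResourceId": "WebServer", "ResourceType": "AWS::EC2::Instance",
                 "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [{"PropertyPath": "/InstanceType",
                 "ExpectedValue": "t2.micro", "ActualValue": "t2.large", "DifferenceType": "NOT_EQUAL"}]}]}

if __name__ == "__main__":
    for logical_id, rtype, state, diffs in drifted_resources(StubCloudFormation(), "example-stack", poll_seconds=0):
        print(logical_id, rtype, state, diffs)
```

Against a real account, replace `StubCloudFormation()` with `boto3.client("cloudformation")`; a non-empty report means the stack should be brought back in line through a template update rather than by editing the resource directly.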
Remediation / Resolution
To remediate an AWS CloudFormation stack configuration that has drifted, you must update the affected stack using a template that carries the expected configuration. Cloud Conformity strongly recommends that you correct any drifted stack configuration through CloudFormation templates rather than by updating the stack resources directly, so that the resources stay in accordance with their template definition. To update your Amazon CloudFormation stack configuration, perform the following actions:
Note: As an example, this conformity rule demonstrates how to update a drifted CloudFormation stack configuration where an EC2 instance size has been changed (upgraded) outside CloudFormation management.
AWS CloudFormation Drift Detection
Risk level: Medium