Description:

AWS CloudFormation is a service that lets you model and set up your AWS resources from a template and takes care of provisioning and configuring them. It lets you control and track changes to your infrastructure and replicate the same infrastructure repeatedly across regions. It gives developers and businesses a way to create a collection of related AWS and third-party resources and provision and manage them in an orderly and predictable fashion. The related resources that CloudFormation manages as a single unit are called a stack.


Rationale:

AWS CloudFormation can detect whether the configuration of stack resources was changed outside of CloudFormation, for example through the AWS Management Console, CLI or SDKs. Drift is the difference between the expected configuration values of stack resources as defined in the CloudFormation template and the actual configuration values of those resources in the corresponding stack. Checking for drift lets you manage your stacks with confidence and keep resource configurations consistent with what the template declares; an unmanaged change to a security group, IAM policy or bucket policy is exactly the kind of change drift detection surfaces.


Impact: 

Running drift detection on a stack identifies the stack resources that have been reconfigured outside of CloudFormation, so that each unmanaged change can be reviewed and either reverted or brought back under template control.

Default Value:

A stack on which drift detection has never been run has a Drift status of NOT_CHECKED. Not all AWS resource types support drift detection; resources of unsupported types are reported as NOT_CHECKED rather than compared. CloudFormation only determines drift for property values that are explicitly set in the template (or supplied through template parameters), not for properties left at their defaults. For a resource type that you have registered in your account, the default version of the resource type must be provisional.


Audit:

  • Log in to the AWS Management Console and go to CloudFormation at https://console.aws.amazon.com/cloudformation

  • In the left navigation pane, click Stacks

  • Choose the stack to examine

  • In the Stack info tab, check Drift status and Last drift check time. A stack that has never been checked shows "Not checked" with no check time; a checked stack shows "In sync" or "Drifted" together with the time of the last check. A status older than 30 days, or "Not checked", fails this audit.

Via CLI:

To read a stack's current drift status and last check time without starting a new detection (a stack that has never been checked reports NOT_CHECKED and no LastCheckTimestamp):

aws cloudformation describe-stacks \
  --region us-east-1 \
  --stack-name <name of stack> \
  --query 'Stacks[0].DriftInformation'

To check the status of a drift detection operation that has already been started, pass the StackDriftDetectionId returned by detect-stack-drift to:

aws cloudformation describe-stack-drift-detection-status \
  --region us-east-1 \
  --stack-drift-detection-id <detection id>


Remediation Steps:

Pre-requisites:

  • You must have at least one stack in CloudFormation

  • Apply the implementation steps only to stacks on which drift detection has never been run (Drift status "Not checked") or was last run more than 30 days ago


Implementation Steps :

  • Log in to the AWS Management Console and go to CloudFormation at https://console.aws.amazon.com/cloudformation

  • In the left navigation pane, click Stacks

  • Choose the stack

  • Click Stack actions and then Detect drift (this starts drift detection on the stack)

  • CloudFormation now runs drift detection on the stack's resources

  • Wait until CloudFormation completes the drift detection operation

  • Drift status and Last drift check time are now shown in the Stack info tab; for a "Drifted" stack, choose Stack actions and then View drift results to see which resources and properties differ from the template

Via CLI:

To initiate a drift detection operation on a stack (the command returns a StackDriftDetectionId; the operation runs asynchronously, so wait for describe-stack-drift-detection-status to report DETECTION_COMPLETE before reading the results):

aws cloudformation detect-stack-drift --stack-name my-stack-with-resource-drift
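The audit and remediation steps above, combined into one added example script (this is not code from the page or from AWS): it reads each stack's DriftInformation from describe-stacks, re-runs detection when the status is NOT_CHECKED or older than the page's 30-day threshold, polls describe-stack-drift-detection-status until the operation reaches a terminal state, and lists the drifted properties via describe-stack-resource-drifts. boto3 and the listed IAM permissions are assumed for the live path; the FakeCloudFormation client, the stack name and every API response it returns are constructed here so the logic can be exercised offline.

```python
"""Audit CloudFormation stack drift and re-run detection when it is stale.

Added example (not AWS code). Live use assumes boto3 and the permissions
cloudformation:DescribeStacks, DetectStackDrift,
DescribeStackDriftDetectionStatus and DescribeStackResourceDrifts.
FakeCloudFormation and its responses are constructed for offline runs.
"""
import time
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 30  # page's threshold: a check older than this counts as stale
TERMINAL = ("DETECTION_COMPLETE", "DETECTION_FAILED")


def needs_drift_check(drift_info, now=None, max_age_days=MAX_AGE_DAYS):
    """True when DriftInformation (from describe_stacks) shows the stack was
    never checked or its last check is older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    status = drift_info.get("StackDriftStatus", "NOT_CHECKED")
    last = drift_info.get("LastCheckTimestamp")
    if status == "NOT_CHECKED" or last is None:
        return True
    return now - last > timedelta(days=max_age_days)


def run_drift_detection(cfn, stack_name, poll_seconds=5, timeout_seconds=900):
    """Start a detection and poll describe_stack_drift_detection_status until
    it reaches DETECTION_COMPLETE or DETECTION_FAILED (or we time out)."""
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        status = cfn.describe_stack_drift_detection_status(
            StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] in TERMINAL:
            return status
        if time.monotonic() > deadline:
            raise TimeoutError(f"drift detection {detection_id} did not finish")
        time.sleep(poll_seconds)


def drifted_resources(cfn, stack_name):
    """Return (logical id, drift status, property diffs) for resources that
    are MODIFIED or DELETED relative to the template."""
    resp = cfn.describe_stack_resource_drifts(
        StackName=stack_name,
        StackResourceDriftStatusFilters=["MODIFIED", "DELETED"])
    result = []
    for d in resp["StackResourceDrifts"]:
        diffs = [f'{p["PropertyPath"]}: {p["ExpectedValue"]} -> {p["ActualValue"]}'
                 for p in d.get("PropertyDifferences", [])]
        result.append((d["LogicalResourceId"], d["StackResourceDriftStatus"], diffs))
    return result


def audit_stack(cfn, stack, run_if_stale=True, poll_seconds=5):
    """Audit one describe_stacks entry; returns (stack drift status, detail)."""
    name = stack["StackName"]
    info = stack.get("DriftInformation", {})
    if needs_drift_check(info):
        if not run_if_stale:
            return ("STALE", info.get("StackDriftStatus", "NOT_CHECKED"))
        outcome = run_drift_detection(cfn, name, poll_seconds=poll_seconds)
        if outcome["DetectionStatus"] == "DETECTION_FAILED":
            return ("DETECTION_FAILED", outcome.get("DetectionStatusReason", ""))
        info = {"StackDriftStatus": outcome["StackDriftStatus"]}
    if info["StackDriftStatus"] == "DRIFTED":
        return ("DRIFTED", drifted_resources(cfn, name))
    return (info["StackDriftStatus"], None)


class FakeCloudFormation:
    """Constructed stand-in for boto3.client('cloudformation'). Response shapes
    follow the real API; the scenario is a security group edited by hand."""
    def __init__(self):
        self.polls = 0

    def detect_stack_drift(self, StackName):
        return {"StackDriftDetectionId": "11111111-2222-3333-4444-555555555555"}

    def describe_stack_drift_detection_status(self, StackDriftDetectionId):
        self.polls += 1  # first two polls are still in progress
        if self.polls < 3:
            return {"DetectionStatus": "DETECTION_IN_PROGRESS"}
        return {"DetectionStatus": "DETECTION_COMPLETE",
                "StackDriftStatus": "DRIFTED", "DriftedStackResourceCount": 1}

    def describe_stack_resource_drifts(self, StackName, StackResourceDriftStatusFilters):
        return {"StackResourceDrifts": [{
            "LogicalResourceId": "WebSecurityGroup",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "StackResourceDriftStatus": "MODIFIED",
            "PropertyDifferences": [{
                "PropertyPath": "/SecurityGroupIngress/0/CidrIp",
                "ExpectedValue": "10.0.0.0/16", "ActualValue": "0.0.0.0/0",
                "DifferenceType": "NOT_EQUAL"}]}]}


def demo():
    """Offline run: a never-checked stack (constructed) against the fake client."""
    stack = {"StackName": "prod-web",
             "DriftInformation": {"StackDriftStatus": "NOT_CHECKED"}}
    return audit_stack(FakeCloudFormation(), stack, poll_seconds=0)


if __name__ == "__main__":
    # Live path (assumed boto3): audit every stack in the region.
    import boto3
    cfn = boto3.client("cloudformation", region_name="us-east-1")
    for page in cfn.get_paginator("describe_stacks").paginate():
        for stack in page["Stacks"]:
            print(stack["StackName"], audit_stack(cfn, stack))
```

Run it as a script with credentials in the environment to audit a region, or call demo() to see the offline flow. Treat the returned property diffs as findings, not as something to auto-revert: detection only reports the difference, and the 0.0.0.0/0 ingress in the constructed sample is the kind of drift that warrants an incident-style review before the stack is updated or the change re-imported.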


Backout plan:

Drift detection is a read-only operation: CloudFormation compares the current configuration of each supported stack resource with the configuration declared in the template and records the differences. It does not create, update or delete any resource and does not modify the template or the stack, so there is nothing to back out. Note that the recorded drift results are overwritten by the next detection run; capture them (for example with describe-stack-resource-drifts) before re-running if you need a record. Resolving drift, by updating the resource or the template, is a separate change and should go through your organization's change-management process.
