Description:
AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources. It takes care of provisioning and configuring those resources, helps you control and track changes in your infrastructure, and lets you replicate your infrastructure repeatedly across multiple regions. CloudFormation gives developers and businesses an easy way to create a collection of related AWS and third-party resources and to provision and manage them in an orderly and predictable fashion. When related resources are managed as a single unit with CloudFormation, that unit is called a stack.
Rationale:
AWS CloudFormation allows you to detect whether configuration changes were made to your stack resources outside of CloudFormation, whether via the AWS Management Console, the CLI, or the SDKs. Drift is the difference between the expected configuration values of stack resources, as defined in the CloudFormation template, and the actual configuration values of those resources in the corresponding stack. Detecting drift lets you better manage your CloudFormation stacks and ensure consistency in your resource configurations.
Impact:
After running drift detection on a stack, you can identify stack resources that have been reconfigured outside of CloudFormation management.
Default Value:
Not all AWS resources support drift detection. For drift detection to be available, the default version of the resource type registered in your account must be provisional.
Pre-requisites:
You must have a stack in CloudFormation.
Perform the implementation steps only if drift detection has never been run on your CloudFormation stacks, or if the last drift check was more than 30 days ago.
Remediation:
Test Plan:
Log in to the AWS Management Console and go to CloudFormation at https://console.aws.amazon.com/cloudformation
In CloudFormation, click Stacks
Choose the stack to examine
In the Stack info section, you can see the Drift status, which is either Checked or Not checked
Using AWS CLI:
To start a drift detection operation and retrieve its detection ID, which you can then use to check the operation's status:
aws cloudformation detect-stack-drift \
    --region us-east-1 \
    --stack-name <name of stack> \
    --query 'StackDriftDetectionId'
Implementation Steps:
Log in to the AWS Management Console and go to CloudFormation at https://console.aws.amazon.com/cloudformation
In CloudFormation, click Stacks
Choose the stack
Click Stack actions and then click Detect drift (this checks the stack for drift)
CloudFormation now initiates drift detection on your stack
Wait until CloudFormation completes the drift detection operation
You can now see the Drift status and Last drift check time in the Stack info section
Using AWS CLI:
To initiate a drift detection operation on a stack:
aws cloudformation detect-stack-drift --stack-name my-stack-with-resource-drift
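As an added example (not from the original page, and not AWS's own tooling), the following Python script automates the implementation steps above with boto3: it starts drift detection, polls until the asynchronous operation finishes, and reduces the result to the resources that drifted. It also applies the 30-day rule from the pre-requisites to describe-stacks output. The boto3 calls are the real CloudFormation API; the sample responses, stack name and resource names are constructed so the helper functions can be exercised offline.

```python
import time
from datetime import datetime, timedelta, timezone
MAX_AGE_DAYS = 30  # the page's threshold: re-run drift detection if the last check is older

def needs_drift_check(stack, now=None):
    """True when a describe-stacks entry was never drift-checked or its last check is stale."""
    now = now or datetime.now(timezone.utc)
    info = stack.get("DriftInformation", {})
    last = info.get("LastCheckTimestamp")
    if info.get("StackDriftStatus", "NOT_CHECKED") == "NOT_CHECKED" or last is None:
        return True
    return now - last > timedelta(days=MAX_AGE_DAYS)

def drifted_resources(drifts):
    """Reduce describe-stack-resource-drifts output to resources that are not IN_SYNC."""
    findings = []
    for d in drifts:
        if d["StackResourceDriftStatus"] != "IN_SYNC":
            props = [p["PropertyPath"] for p in d.get("PropertyDifferences", [])]
            findings.append((d["LogicalResourceId"], d["ResourceType"],
                             d["StackResourceDriftStatus"], props))
    return findings

def run_drift_detection(stack_name, region="us-east-1", poll_seconds=5):
    """Live path (needs boto3 and AWS credentials): start detection, wait, list drift."""
    import boto3  # imported here so the offline helpers above never need it
    cfn = boto3.client("cloudformation", region_name=region)
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    while True:  # detection is asynchronous; poll until it finishes
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    resp = cfn.describe_stack_resource_drifts(
        StackName=stack_name, StackResourceDriftStatusFilters=["MODIFIED", "DELETED"])
    return drifted_resources(resp["StackResourceDrifts"])

# Constructed sample responses (real API shape, made-up values) so the checks run offline.
SAMPLE_STACK = {"StackName": "example-stack", "DriftInformation": {
    "StackDriftStatus": "DRIFTED", "LastCheckTimestamp": datetime(2024, 1, 1, tzinfo=timezone.utc)}}
SAMPLE_DRIFTS = [
    {"LogicalResourceId": "WebSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [
         {"PropertyPath": "/SecurityGroupIngress/0/CidrIp", "ExpectedValue": "10.0.0.0/16",
          "ActualValue": "0.0.0.0/0", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "AppBucket", "ResourceType": "AWS::S3::Bucket",
     "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
]
```

In the constructed sample the security group's ingress CIDR was widened outside CloudFormation, which is exactly the kind of change the drift report surfaces for review.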
Backout plan:
It is not a reversible process: when you initiate drift detection, CloudFormation compares the current stack configuration to the one specified in the template, creates or updates the stack, and reports any differences. So confirm with your organization before performing this task.