AWS CloudFormation Drift Detection

A feature that identifies discrepancies between AWS CloudFormation stacks and their associated resources.

Description

AWS CloudFormation Drift Detection is an AWS feature that lets users detect changes to a stack's resources that are not reflected in the template used to create the stack. When a CloudFormation stack is created, it provisions resources based on a specified template. Over time, these resources may be modified directly through the AWS Management Console, CLI, or SDKs, leading to a state that diverges from the original template. This divergence is known as 'drift'. Drift Detection allows administrators to compare the current state of their resources against the defined template, providing a clear view of any changes that have occurred. By running a drift detection operation on a stack, users receive a detailed report indicating whether any resources have drifted and which specific properties have changed. This capability is essential for maintaining compliance, ensuring that infrastructure remains consistent with defined standards, and facilitating troubleshooting and management of AWS resources.

Examples

  • A company uses CloudFormation to deploy a multi-tier application. After some time, a developer manually changes the instance type of an EC2 instance in the console. Drift Detection flags this change, allowing the operations team to address it.
  • An organization sets up a CloudFormation stack for a VPC, but later modifies the security group rules directly in the AWS console. Running drift detection reveals these unauthorized changes, prompting a review of the security posture.

Additional Information

  • Drift Detection can be run on individual resources or the entire stack, providing flexibility depending on the user's needs.
  • AWS CloudFormation Drift Detection is available through the AWS Management Console, AWS CLI, and AWS SDKs, making it accessible for automation and integration into CI/CD pipelines.
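One way to turn a drift report into a CI/CD gate, as an added example (not AWS's or this page's code): `fetch_drifts` uses boto3's CloudFormation drift calls and `triage` classifies the returned records. The `SENSITIVE_TYPES` list, the block/warn policy and the sample records are assumptions constructed for this example.

```python
import time

# Types whose drift alters exposure or permissions (this example's own choice).
SENSITIVE_TYPES = {"AWS::EC2::SecurityGroup", "AWS::IAM::Role",
                   "AWS::IAM::Policy", "AWS::S3::BucketPolicy"}

def fetch_drifts(stack_name, poll_seconds=5):
    """Run drift detection on one stack and return its per-resource drift records."""
    import boto3  # imported lazily so triage() below also runs offline
    cfn = boto3.client("cloudformation")
    det_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    st = {"DetectionStatus": "DETECTION_IN_PROGRESS"}
    while st["DetectionStatus"] == "DETECTION_IN_PROGRESS":  # detection is asynchronous
        time.sleep(poll_seconds)
        st = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=det_id)
    if st["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(st.get("DetectionStatusReason", "drift detection failed"))
    drifts, kwargs = [], {"StackName": stack_name}
    while True:  # results are paginated
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts += page["StackResourceDrifts"]
        if not page.get("NextToken"):
            return drifts
        kwargs["NextToken"] = page["NextToken"]

def triage(drifts):
    """Sort drift records into blocking findings, warnings and unchecked resources."""
    report = {"block": [], "warn": [], "unchecked": []}
    for d in drifts:
        status = d["StackResourceDriftStatus"]
        if status == "IN_SYNC":
            continue
        if status == "NOT_CHECKED":  # not evaluated, so not proven in sync
            report["unchecked"].append(d["LogicalResourceId"])
            continue
        paths = [p["PropertyPath"] for p in d.get("PropertyDifferences", [])]
        blocking = status == "DELETED" or d["ResourceType"] in SENSITIVE_TYPES
        report["block" if blocking else "warn"].append((d["LogicalResourceId"], status, paths))
    return report

# Constructed sample records, trimmed to the fields triage() reads.
SAMPLE = [
    {"LogicalResourceId": "WebServer", "ResourceType": "AWS::EC2::Instance",
     "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/InstanceType"}]},
    {"LogicalResourceId": "AppSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/SecurityGroupIngress/1"}]},
    {"LogicalResourceId": "Hook", "ResourceType": "Custom::Bootstrap", "StackResourceDriftStatus": "NOT_CHECKED"},
]
```

In a pipeline, call `triage(fetch_drifts("my-stack"))` and fail the job when `block` is non-empty; `my-stack` is a placeholder stack name.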
