Drift Detection

Correct Answer: Restrict direct resource modifications using least-privilege IAM and Service Control Policies, and require all changes to flow through CloudFormation (for example, via a CI/CD pipeline and CloudFormation execution roles).

Drift occurs when resources managed by CloudFormation are changed outside of CloudFormation. The most effective way to minimize drift is to prevent out-of-band changes by enforcing least-privilege access: use IAM and Service Control Policies to block direct modifications and permit changes only through CloudFormation via controlled roles and a CI/CD pipeline. This makes CloudFormation the single path for updates. Manual monitoring, periodic reviews, or email reminders are reactive and unreliable; they do not prevent drift and are prone to human error.

Correct Answer: Detect the drift to get actionable insights and make sure the stacks are in-sync.

Detecting the drift will provide information on the differences between the actual infrastructure and the defined templates. By understanding these insights, one can implement the necessary actions to ensure the stacks are in-sync. Ignoring drifts, terminating the stack, enabling versioning, and other mentioned options do not provide actionable insights to make the stacks in-sync.

Correct Answer: AWS CloudFormation Drift Detection

AWS CloudFormation Drift Detection compares the live configuration of resources in a CloudFormation stack to what is defined in the template and flags any differences as drift. You can invoke drift detection via the console, CLI, or API and route status change events through Amazon EventBridge to Amazon SNS (or other targets) to notify teams when drift is detected. GuardDuty focuses on threat detection, Elastic Beanstalk is a PaaS for application deployment, and CloudWatch provides monitoring and alarms but does not detect CloudFormation template drift.