CloudFormation drift detection lets SysOps administrators identify when the actual configuration of deployed resources differs from the configuration expected from the stack's template. Drift occurs when resources are modified outside of CloudFormation, such as through the AWS Management Console, the CLI, or SDK calls that bypass the stack.
When you perform drift detection, CloudFormation compares the current state of your stack resources against the property values defined in the template that was last used to create or update the stack. Each resource receives one of four drift statuses: IN_SYNC (resource matches the template), MODIFIED (one or more properties have been changed), DELETED (the resource has been removed), or NOT_CHECKED (CloudFormation did not check the resource, for example because its type does not support drift detection).
To initiate drift detection, you can use the AWS Console, the CLI command 'aws cloudformation detect-stack-drift', or the DetectStackDrift API. The detection process runs asynchronously and returns a detection ID; poll 'describe-stack-drift-detection-status' with that ID until the detection status is DETECTION_COMPLETE (or DETECTION_FAILED). Once complete, 'describe-stack-resource-drifts' lists the drifted resources and shows exactly which properties changed, with expected and actual values for each.
Not all resource types support drift detection. AWS maintains a list of supported resource types, and this list continues to expand; resources of unsupported types are reported as NOT_CHECKED. For supported resources, CloudFormation tracks property-level changes, showing both expected and actual values.
Key use cases for drift detection include compliance auditing, troubleshooting unexpected behavior, and maintaining infrastructure consistency. Organizations often integrate drift detection into their CI/CD pipelines, schedule regular drift checks using EventBridge rules and Lambda functions, or evaluate stacks continuously with the AWS Config managed rule cloudformation-stack-drift-detection-check.
When drift is detected, administrators have several remediation options: manually reverting the out-of-band change, updating the template to match the current resource configuration and then updating the stack, or performing a stack update that restores the desired state. Note that a stack update that changes nothing in the template returns "No updates are to be performed" and does not touch drifted resources; the update has to modify the drifted property for CloudFormation to act on it. A resource that was deleted outside of CloudFormation usually has to be recreated, for example by removing it from the template, updating, and adding it back. Best practices recommend change management policies that discourage out-of-band modifications and a regular drift detection schedule so that unauthorized changes are caught early. This helps maintain the integrity of infrastructure-as-code practices and keeps deployed resources consistent with your version-controlled templates.
CloudFormation Drift Detection: Complete Guide for AWS SysOps Administrator Associate
What is CloudFormation Drift Detection?
CloudFormation drift detection is a feature that allows you to identify when the actual configuration of your stack resources differs from their expected template configuration. Drift occurs when someone makes changes to resources outside of CloudFormation, such as through the AWS Console, CLI, or SDK.
Why is Drift Detection Important?
• Configuration Compliance: Ensures your infrastructure matches your defined templates
• Security: Identifies unauthorized or unexpected changes to resources
• Troubleshooting: Helps diagnose issues caused by out-of-band modifications
• Audit Trail: Supports governance and compliance requirements
• Infrastructure as Code Integrity: Maintains the reliability of your IaC practices
How Drift Detection Works
1. Initiate Detection: You can start drift detection on an entire stack or on specific resources
2. Comparison Process: CloudFormation compares the current state of each resource against the expected state defined in the template
3. Status Assignment: Each resource receives a drift status
4. Report Generation: A detailed drift report shows the differences between expected and actual configurations
Drift Status Values
• IN_SYNC: Resource properties match the expected template configuration
• MODIFIED: Resource properties differ from the expected template configuration
• DELETED: Resource was removed outside of CloudFormation
• NOT_CHECKED: CloudFormation has not checked the resource for drift
Stack Drift Status
• DRIFTED: At least one resource has drifted
• IN_SYNC: All resources are in sync with the template
• NOT_CHECKED: No drift detection has been performed
• UNKNOWN: Drift status could not be determined
How to Perform Drift Detection
Via AWS Console:
1. Navigate to the CloudFormation console
2. Select your stack
3. Choose Stack Actions → Detect drift
4. View drift results in the Drift status tab
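The same procedure driven from the API, as an added example for this guide (not AWS's own code): it maps the CLI commands detect-stack-drift, describe-stack-drift-detection-status and describe-stack-resource-drifts onto their boto3 equivalents, waits for the asynchronous detection to finish, and flattens the property-level differences into rows a pipeline can print or fail on. The summarizer and pagination logic are pure Python, so they also run offline against the constructed SAMPLE_DRIFTS response included in the block; the stack name, resource names and values in that sample are made up.

```python
"""Detect drift on a CloudFormation stack, wait for the result, and summarize it.

Added example, not AWS's code. The AWS calls use boto3's documented CloudFormation
operations; SAMPLE_DRIFTS is a constructed response used for the offline demo.
"""
import json
import sys
import time

# Terminal values of DetectionStatus from describe_stack_drift_detection_status.
TERMINAL = {"DETECTION_COMPLETE", "DETECTION_FAILED"}


def wait_for_detection(cfn, detection_id, poll_seconds=5, timeout=600):
    """Poll the asynchronous detection until it reaches a terminal state."""
    deadline = time.monotonic() + timeout
    while True:
        status = cfn.describe_stack_drift_detection_status(
            StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] in TERMINAL:
            return status
        if time.monotonic() > deadline:
            raise TimeoutError(f"detection {detection_id} still running after {timeout}s")
        time.sleep(poll_seconds)


def fetch_drifted_resources(cfn, stack_name):
    """Return every MODIFIED or DELETED drift record, following NextToken pagination."""
    drifts, token = [], None
    while True:
        kwargs = {"StackName": stack_name,
                  "StackResourceDriftStatusFilters": ["MODIFIED", "DELETED"]}
        if token:
            kwargs["NextToken"] = token
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(page["StackResourceDrifts"])
        token = page.get("NextToken")
        if not token:
            return drifts


def summarize_drifts(drifts):
    """Flatten drift records into (logical id, type, status, path, expected, actual) rows.

    DELETED resources carry no PropertyDifferences, so each is reported once with
    a '*' path. ExpectedValue/ActualValue are JSON strings in the API; kept as-is.
    """
    rows = []
    for d in drifts:
        status = d["StackResourceDriftStatus"]
        if status == "DELETED":
            rows.append((d["LogicalResourceId"], d["ResourceType"], status,
                         "*", "<present>", "<deleted>"))
            continue
        for diff in d.get("PropertyDifferences", []):
            rows.append((d["LogicalResourceId"], d["ResourceType"], status,
                         diff["PropertyPath"],
                         diff.get("ExpectedValue", "<absent>"),
                         diff.get("ActualValue", "<absent>")))
    return rows


def detect_and_report(stack_name, region=None):
    """Live workflow: start detection, wait, return (StackDriftStatus, summary rows)."""
    import boto3  # imported here so the offline helpers above need no AWS SDK
    cfn = boto3.client("cloudformation", region_name=region)
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    status = wait_for_detection(cfn, detection_id)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    rows = []
    if status["StackDriftStatus"] == "DRIFTED":
        rows = summarize_drifts(fetch_drifted_resources(cfn, stack_name))
    return status["StackDriftStatus"], rows


# Constructed sample shaped like describe_stack_resource_drifts output (not real data).
SAMPLE_DRIFTS = [
    {"LogicalResourceId": "WebSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [
         {"PropertyPath": "/SecurityGroupIngress/0/CidrIp", "DifferenceType": "NOT_EQUAL",
          "ExpectedValue": "10.0.0.0/16", "ActualValue": "0.0.0.0/0"},
         {"PropertyPath": "/SecurityGroupIngress/1", "DifferenceType": "ADD",
          "ExpectedValue": "", "ActualValue": json.dumps(
              {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"})},
     ]},
    {"LogicalResourceId": "AuditLogBucket", "ResourceType": "AWS::S3::Bucket",
     "StackResourceDriftStatus": "DELETED"},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python drift_check.py <stack-name> runs against AWS
        drift_status, rows = detect_and_report(sys.argv[1])
    else:                  # no argument: offline demo on the constructed sample
        drift_status, rows = "DRIFTED", summarize_drifts(SAMPLE_DRIFTS)
    print(f"stack drift status: {drift_status}")
    for row in rows:
        print("  " + " | ".join(row))
    sys.exit(1 if drift_status == "DRIFTED" else 0)  # non-zero exit fails a CI stage
```

Run with a stack name to check a real stack (credentials and region come from the usual boto3 environment); run with no arguments to see the report format on the sample. The non-zero exit on DRIFTED is what makes the script usable as a pipeline gate.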
Limitations of Drift Detection
• Not all resource types support drift detection; unsupported resources are reported as NOT_CHECKED
• Only detects drift for resources managed by CloudFormation
• Does not detect drift for nested stack resources (run drift detection on each nested stack separately)
• Some properties within supported resources may not be checked
Resolving Drift
You have several options when drift is detected:
• Update the template to match the current resource configuration, then update the stack (accepting the change)
• Update the resource to match the template, either directly or through a stack update; note that an update whose template is unchanged performs no work, so the update must actually modify the drifted property for CloudFormation to reconcile it
• Import the resource if it was created (or recreated) outside CloudFormation and should be managed by the stack
Exam Tips: Answering Questions on CloudFormation Drift Detection
• Remember that drift occurs from changes made OUTSIDE of CloudFormation - changes through the console, CLI, or SDK that bypass the stack
• Key scenario: When asked about identifying configuration changes or compliance issues with CloudFormation-managed resources, drift detection is the answer
• Drift detection does NOT automatically remediate - it only identifies differences; you must take action to resolve
• Know the four drift status values: IN_SYNC, MODIFIED, DELETED, and NOT_CHECKED
• Nested stacks require separate drift detection - drift detection on a parent stack does not check nested stack resources
• Drift detection is read-only and does not modify any resources
• For questions about preventing drift, the control is IAM: permissions (or SCPs) that deny direct modification of stack-managed resources, for example unless the call was made via cloudformation.amazonaws.com (the aws:CalledVia condition key). Stack policies only protect resources from unintended changes made during stack updates; they do not stop out-of-band changes through the console, CLI, or SDK
• If asked about automation, remember that a scheduled EventBridge rule can trigger a Lambda function that starts drift detection, and that CloudFormation emits a "CloudFormation Drift Detection Status Change" event to EventBridge when a detection finishes, which another rule can route to Lambda, SNS, or a remediation workflow
• Cost consideration: Drift detection is offered at no additional charge; there is no fee for the detection itself or for the describe calls used to read its results
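The automation pattern mentioned under use cases and in the exam tips, written out as an added example for this guide (not AWS's own code): one Lambda handler for a scheduled EventBridge rule that starts drift detection on every checkable stack, including nested stacks, since detection on a root stack does not cover them; and a second handler for a rule matching source "aws.cloudformation" and detail-type "CloudFormation Drift Detection Status Change" that decides whether to notify. The event detail field names (stack-id, stack-drift-detection-id, status-details) follow that event type's shape as documented, but verify them against a real event in your account. The set of checkable stack statuses, the SNS topic environment variable DRIFT_TOPIC_ARN, and the SAMPLE_EVENT and SAMPLE_SUMMARIES data are assumptions made for this example.

```python
"""Scheduled drift checks plus an EventBridge consumer, as two Lambda handlers.

Added example, not AWS's code. start_handler is for a schedule rule;
drift_event_handler is for a rule on "CloudFormation Drift Detection Status Change".
The stack-status filter, topic variable and sample data below are assumptions.
"""
import os

# Assumption: stacks in these settled states are worth checking; in-progress,
# failed and deleted stacks are skipped.
CHECKABLE_STATUSES = {"CREATE_COMPLETE", "UPDATE_COMPLETE", "UPDATE_ROLLBACK_COMPLETE",
                      "IMPORT_COMPLETE", "IMPORT_ROLLBACK_COMPLETE"}


def select_stacks(summaries):
    """Pick stack names to check from list_stacks StackSummaries.

    Nested stacks (ParentId set) are deliberately kept: detecting drift on the
    root stack does not detect drift inside its nested stacks.
    """
    return sorted(s["StackName"] for s in summaries if s["StackStatus"] in CHECKABLE_STATUSES)


def list_all_stacks(cfn):
    """Paginate list_stacks and return every checkable stack name."""
    names = []
    for page in cfn.get_paginator("list_stacks").paginate(
            StackStatusFilter=sorted(CHECKABLE_STATUSES)):
        names.extend(select_stacks(page["StackSummaries"]))
    return sorted(names)


def start_handler(event, context):
    """Schedule-rule target: kick off drift detection on every checkable stack."""
    import boto3
    from botocore.exceptions import ClientError
    cfn = boto3.client("cloudformation")
    started, skipped = {}, {}
    for name in list_all_stacks(cfn):
        try:
            started[name] = cfn.detect_stack_drift(StackName=name)["StackDriftDetectionId"]
        except ClientError as exc:  # e.g. a detection is already in progress
            skipped[name] = exc.response["Error"]["Message"]
    return {"started": started, "skipped": skipped}


def parse_drift_event(event):
    """Return (stack name, stack drift status, detection status) from the event."""
    detail = event["detail"]
    # Stack ARN form: arn:aws:cloudformation:REGION:ACCOUNT:stack/NAME/UUID
    stack_name = detail["stack-id"].split("/")[1]
    status = detail.get("status-details", {})
    return stack_name, status.get("stack-drift-status"), status.get("detection-status")


def should_alert(drift_status, detection_status):
    """Alert on confirmed drift, and on failed detections so they are not silently lost."""
    return detection_status == "DETECTION_FAILED" or (
        detection_status == "DETECTION_COMPLETE" and drift_status == "DRIFTED")


def drift_event_handler(event, context):
    """Event-rule target: publish to SNS when a stack is DRIFTED or detection failed."""
    name, drift_status, detection_status = parse_drift_event(event)
    if not should_alert(drift_status, detection_status):
        return {"stack": name, "alerted": False}
    import boto3
    boto3.client("sns").publish(
        TopicArn=os.environ["DRIFT_TOPIC_ARN"],
        Subject=f"CloudFormation drift: {name}",
        Message=(f"Stack {name}: detection {detection_status}, drift status {drift_status}. "
                 f"Detection id {event['detail'].get('stack-drift-detection-id')}."))
    return {"stack": name, "alerted": True}


# Constructed samples (not real account data).
SAMPLE_EVENT = {
    "version": "0", "source": "aws.cloudformation",
    "detail-type": "CloudFormation Drift Detection Status Change",
    "region": "us-east-1", "account": "123456789012",
    "detail": {
        "stack-id": "arn:aws:cloudformation:us-east-1:123456789012:stack/prod-network/"
                    "0b1a2c3d-0000-1111-2222-333344445555",
        "stack-drift-detection-id": "11111111-2222-3333-4444-555555555555",
        "status-details": {"stack-drift-status": "DRIFTED",
                           "detection-status": "DETECTION_COMPLETE"},
    },
}
SAMPLE_SUMMARIES = [
    {"StackName": "app-prod", "StackStatus": "UPDATE_COMPLETE"},
    {"StackName": "app-prod-DbNested-ABC123", "StackStatus": "CREATE_COMPLETE",
     "ParentId": "arn:aws:cloudformation:us-east-1:123456789012:stack/app-prod/x"},
    {"StackName": "app-staging", "StackStatus": "UPDATE_IN_PROGRESS"},
    {"StackName": "old-stack", "StackStatus": "DELETE_COMPLETE"},
]

if __name__ == "__main__":
    print("would check:", select_stacks(SAMPLE_SUMMARIES))
    print("event parsed as:", parse_drift_event(SAMPLE_EVENT))
```

Deploy start_handler behind a rate-based schedule rule and drift_event_handler behind an event-pattern rule; both Lambda roles need cloudformation:DetectStackDrift / cloudformation:ListStacks and sns:Publish respectively. Alerting on DETECTION_FAILED as well as DRIFTED matters because a failed check otherwise looks identical to a clean one in a dashboard.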