This chapter covers CloudFormation Drift Detection, a critical feature for maintaining infrastructure as code compliance. For the SOA-C02 exam, understanding drift detection is essential because questions frequently test your ability to identify when drift has occurred, how to detect it, and how to remediate it. Approximately 5-10% of questions in the Deployment domain may touch on drift detection or related CloudFormation operations. Mastering this topic ensures you can manage stack integrity and avoid common pitfalls that lead to exam errors.
Jump to a section
Imagine you are a construction manager who hired an architect to create a detailed blueprint for a house. The blueprint specifies every wall, window, and outlet. You hand the blueprint to a contractor who builds the house exactly as specified. Over time, the owners make changes: they paint a wall, add a window, or move an outlet. The contractor does not update the blueprint. Now you have a discrepancy: the actual building no longer matches the blueprint. This is exactly what happens in CloudFormation. The stack template is your blueprint, and the AWS resources are the building. Drift detection is the process of inspecting the actual building and comparing it to the blueprint to identify any changes that were made outside of CloudFormation. If the owners added a window without telling you, drift detection would flag that as a 'drift'. In AWS, this is crucial because manual changes to resources can cause stack updates to fail or produce unexpected results. Drift detection helps you maintain infrastructure as code integrity by alerting you to unauthorized or accidental modifications.
What is CloudFormation Drift Detection?
CloudFormation Drift Detection is a feature that allows you to determine whether a stack's actual resource configuration has deviated from the expected configuration defined in the stack template and any associated parameter values. Drift occurs when resources are modified outside of CloudFormation management, such as through the AWS Management Console, CLI, or SDK. Drift detection helps you identify these changes so you can take corrective action, ensuring your infrastructure remains consistent with your infrastructure-as-code templates.
Why Drift Detection Exists
In a well-managed environment, all resource changes should be made through CloudFormation stack updates. However, in practice, team members or automated processes may inadvertently modify resources directly. This creates a divergence between the template and the actual state, leading to:
Stack update failures: If you later update the stack, CloudFormation may try to reconcile differences and fail if the manual change conflicts.
Configuration drift: The actual environment no longer reflects the intended configuration, potentially causing security vulnerabilities or performance issues.
Audit and compliance gaps: Without drift detection, it's difficult to prove that infrastructure matches approved templates.
How Drift Detection Works Internally
When you initiate drift detection on a stack, CloudFormation performs the following steps:
1. Resource-level comparison: For each resource in the stack, CloudFormation retrieves the current configuration from the AWS service (e.g., EC2, S3, IAM). It then compares this configuration against the expected properties defined in the stack template, taking into account any resolved parameter values and stack policies.
2. Supported resources: Not all resources support drift detection. AWS maintains a list of resource types that can be checked. For example, AWS::EC2::Instance supports drift detection, but AWS::CloudFormation::Stack (nested stacks) does not. The list is updated as AWS adds support for new resource types.
3. Drift status categories: Each resource is assigned a drift status:
- IN_SYNC: The resource's current configuration matches the template.
- MODIFIED: The resource's current configuration differs from the template.
- DELETED: The resource has been deleted from the stack but was expected to exist.
- NOT_CHECKED: Drift detection was not performed on the resource (e.g., unsupported resource type).
4. Stack-level drift status: The overall stack drift status is determined by the status of its resources:
- DRIFTED: At least one resource has a status of MODIFIED or DELETED.
- IN_SYNC: All resources are IN_SYNC.
- NOT_CHECKED: No drift detection has been performed on the stack.
- UNKNOWN: The stack is in an unknown state (e.g., during drift detection).
Key Components, Values, Defaults, and Timers
- Drift detection operation: You can start drift detection on a stack via the AWS Management Console, AWS CLI, or API. There is no charge for drift detection.
- Detection frequency: Drift detection is not automatic; you must manually initiate it. There is no built-in scheduler. However, you can use Amazon EventBridge (formerly CloudWatch Events) to trigger a Lambda function that calls the DetectStackDrift API on a schedule.
- Time to complete: The time depends on the number of resources and the APIs called. Typically, it takes a few seconds to a few minutes for stacks with dozens of resources.
- Output: The result includes a list of drifted resources with details of the differences. For each property that drifted, the output shows the expected value (from the template) and the actual value (from the resource).
- API operations:
- DetectStackDrift: Initiates drift detection on a stack. Returns a StackDriftDetectionId.
- DescribeStackDriftDetectionStatus: Returns the status of a drift detection operation.
- DescribeStackResourceDrifts: Returns drift information for the resources in a stack.
- IAM permissions: To perform drift detection, the IAM user or role needs cloudformation:DetectStackDrift, cloudformation:DescribeStackDriftDetectionStatus, and cloudformation:DescribeStackResourceDrifts. Additionally, read permissions for the resources being checked (e.g., ec2:DescribeInstances, s3:GetBucketPolicy) are required.
Configuration and Verification Commands
To detect drift using the AWS CLI:
aws cloudformation detect-stack-drift --stack-name my-stackThis returns a StackDriftDetectionId, which you use to check the status:
aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id <id>To view the drift details for each resource:
aws cloudformation describe-stack-resource-drifts --stack-name my-stackExample output snippet:
{
"StackResourceDrifts": [
{
"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack/...",
"LogicalResourceId": "MySecurityGroup",
"PhysicalResourceId": "sg-12345678",
"ResourceType": "AWS::EC2::SecurityGroup",
"ExpectedProperties": "{\"GroupDescription\":\"My security group\",\"SecurityGroupIngress\":[{\"IpProtocol\":\"tcp\",\"FromPort\":22,\"ToPort\":22,\"CidrIp\":\"10.0.0.0/8\"}]}",
"ActualProperties": "{\"GroupDescription\":\"My security group\",\"SecurityGroupIngress\":[{\"IpProtocol\":\"tcp\",\"FromPort\":22,\"ToPort\":22,\"CidrIp\":\"0.0.0.0/0\"}]}",
"PropertyDifferences": [
{
"PropertyPath": "/SecurityGroupIngress/0/CidrIp",
"ExpectedValue": "10.0.0.0/8",
"ActualValue": "0.0.0.0/0",
"DifferenceType": "NOT_EQUAL"
}
],
"DriftStatus": "MODIFIED"
}
]
}How Drift Detection Interacts with Related Technologies
StackSets: Drift detection can be performed on individual stack instances within a StackSet. However, the StackSet itself does not have a drift detection operation. You must detect drift on each stack instance separately.
Change Sets: Before performing a stack update, you can create a change set to preview changes. Drift detection is independent; you can detect drift before or after a change set execution.
Nested Stacks: Drift detection on a parent stack does not automatically detect drift on nested stacks. You must explicitly run drift detection on each nested stack. Note that the resource type AWS::CloudFormation::Stack is not supported for drift detection.
Stack Policies: Drift detection respects stack policies that protect resources from updates. However, drift detection itself is not blocked by stack policies; it only reports differences. Stack policies only affect stack updates.
Resource Import: If you import a resource into a stack, drift detection can help verify that the resource's configuration matches the template after import.
Remediation Options
When drift is detected, you have several options: - Update the stack: Modify the stack template to match the actual resource configuration, then perform a stack update. This reconciles the template with reality. - Revert the manual change: Manually change the resource back to the expected configuration using the appropriate AWS service console or CLI. - Ignore the drift: If the drift is intentional and you want to keep the manual change, you can update the template to reflect the new configuration. - Delete and recreate the resource: If the resource is fully drifted and cannot be corrected, you may need to delete it and let CloudFormation recreate it.
Limitations and Considerations
Not all resources are supported: Check the AWS documentation for the current list of supported resource types. Common unsupported ones include AWS::CloudFormation::Stack, AWS::RDS::DBCluster, and AWS::Lambda::EventSourceMapping.
Properties that are not compared: Some resource properties are not checked for drift, such as those that are read-only or system-generated (e.g., CreationTime, PhysicalResourceId).
Drift detection is eventually consistent: There may be a slight delay between a manual change and when drift detection reflects it, due to eventual consistency of AWS APIs.
Cost: Drift detection is free, but the API calls to describe resources may incur charges if they exceed free tier limits.
Best Practices
Regular drift detection: Schedule drift detection using EventBridge and Lambda to run periodically (e.g., daily or weekly).
Automate remediation: Use Lambda functions to automatically revert drift or notify administrators via SNS.
Integrate with CI/CD: Run drift detection as part of your deployment pipeline to catch unauthorized changes before they cause issues.
Monitor drift status: Use Amazon CloudWatch to monitor the DriftStatus metric (if custom metrics are published) or use EventBridge to detect drift detection completion events.
Exam Tips
Remember that drift detection is a manual operation; it is not automatic.
Know the drift statuses: IN_SYNC, MODIFIED, DELETED, NOT_CHECKED, and the stack-level statuses.
Understand that nested stacks require separate drift detection.
Be aware that not all resources support drift detection; the exam may test which resources are supported.
Know how to interpret the PropertyDifferences output to identify exactly what changed.
Understand the difference between drift detection and change sets: drift detection compares current state to template, while change sets compare the current state to a proposed update.
Initiate Drift Detection
The SysOps administrator initiates drift detection on a CloudFormation stack using the AWS Management Console, CLI, or API. The command `aws cloudformation detect-stack-drift --stack-name my-stack` sends a request to CloudFormation. CloudFormation returns a unique `StackDriftDetectionId` that identifies the operation. This operation is asynchronous; CloudFormation begins the process of comparing each resource's current configuration against the template. The administrator can then use the detection ID to poll the status.
CloudFormation Retrieves Resource Configurations
CloudFormation iterates over each resource in the stack. For each resource, it calls the relevant AWS service's Describe* API to fetch the current configuration. For example, for an `AWS::EC2::Instance`, it calls `ec2:DescribeInstances`; for an `AWS::S3::Bucket`, it calls `s3:GetBucketPolicy` and `s3:GetBucketTagging`, etc. This step requires that the IAM role performing drift detection has read permissions for those resources. The retrieved properties are compared against the expected properties from the stack template, after resolving parameters and pseudo-parameters.
Compare Expected vs Actual Properties
For each resource, CloudFormation compares the expected property values (from the template) with the actual values (from the AWS service). It identifies differences at the property level. For example, if the template specifies `CidrIp: 10.0.0.0/8` for a security group ingress rule, but the actual rule shows `0.0.0.0/0`, that property is flagged as `NOT_EQUAL`. CloudFormation records the property path, expected value, actual value, and difference type (e.g., `NOT_EQUAL`, `ADDED`, `REMOVED`).
Assign Drift Status to Each Resource
Based on the comparison, CloudFormation assigns a drift status to each resource: `IN_SYNC` if no differences found, `MODIFIED` if at least one property differs, `DELETED` if the resource no longer exists (e.g., manually deleted), or `NOT_CHECKED` if the resource type is not supported for drift detection. This status is stored in the `StackResourceDrift` data structure.
Determine Stack-Level Drift Status
After all resources are evaluated, CloudFormation aggregates the resource statuses to determine the overall stack drift status. If any resource is `MODIFIED` or `DELETED`, the stack status is `DRIFTED`. If all resources are `IN_SYNC`, the stack status is `IN_SYNC`. If no drift detection has ever been run, the status is `NOT_CHECKED`. The stack status is returned when you call `DescribeStackDriftDetectionStatus` or can be viewed in the console.
Review and Remediate Drift
The administrator reviews the drift details using the CLI command `aws cloudformation describe-stack-resource-drifts --stack-name my-stack` or via the console. The output shows which resources drifted and the specific property changes. The administrator then decides on remediation: update the template to accept the change, revert the manual change, or perform a stack update to restore the expected state. The exam may ask about the appropriate action based on the scenario.
Enterprise Scenario 1: Compliance Auditing in a Financial Services Company
A financial services company uses CloudFormation to deploy and manage its PCI DSS-compliant infrastructure. The security team mandates that all security group rules must be reviewed and approved. Despite strict change management, an engineer accidentally opens a security group port to 0.0.0.0/0 via the console. Drift detection, scheduled weekly via EventBridge and Lambda, catches this change. The security team receives an SNS notification and reverts the rule. Without drift detection, the unauthorized change could go unnoticed for weeks, leading to a compliance violation.
Enterprise Scenario 2: Multi-Account Environment with StackSets
A large organization uses AWS Organizations and CloudFormation StackSets to deploy a standard VPC configuration across hundreds of accounts. After a regional outage, a network engineer in one account manually modifies a route table to add a temporary route. The central cloud team runs drift detection on all stack instances using a script that iterates through accounts. They discover the drifted route table in one account. They then update the StackSet template to include the temporary route permanently (if needed) or remove the manual route. Drift detection here is critical for maintaining consistency across accounts.
Performance and Scale Considerations
For stacks with thousands of resources, drift detection can take several minutes. The API calls to describe resources can be throttled if too many are made in a short time. To avoid throttling, you can implement exponential backoff in your automation scripts. Additionally, some resources, like AWS::Lambda::Function, have many properties; drift detection compares all supported properties, which can be time-consuming. It's best to run drift detection during off-peak hours.
Common Misconfigurations
Insufficient IAM permissions: The IAM role used for drift detection must have read permissions for all resources in the stack. If permissions are missing, the resource will show as NOT_CHECKED or the operation may fail.
Relying on console-only drift detection: The console provides a nice UI, but for automation, you need CLI or API. Many engineers forget to automate and only check manually, leading to missed drifts.
Not checking nested stacks: A common mistake is running drift detection only on the parent stack. Nested stacks must be checked individually. The exam often tests this nuance.
Ignoring `NOT_CHECKED` resources: If a resource type is unsupported, you cannot assume it is in sync. You must use other methods (e.g., AWS Config rules) to monitor those resources.
What SOA-C02 Tests on Drift Detection
The SOA-C02 exam objectives under Deployment (Objective 3.1) include "Implement and manage CloudFormation drift detection." Questions test your ability to:
Identify the correct drift status for a resource or stack.
Understand the difference between drift detection and change sets.
Know which resources support drift detection.
Interpret drift detection output to find the specific property that changed.
Determine the appropriate remediation action.
Recognize that nested stacks require separate drift detection.
Common Wrong Answers and Why Candidates Choose Them
"Drift detection automatically reverts changes." This is false. Drift detection only detects and reports; it does not automatically remediate. Candidates confuse detection with remediation.
"Drift detection checks all resource types." Not true. Some resources are unsupported (e.g., AWS::CloudFormation::Stack). Candidates assume all resources are checked.
"Running drift detection on a parent stack also checks nested stacks." Wrong. You must run drift detection on each nested stack separately. Candidates think nesting is transparent.
"A stack with `NOT_CHECKED` status means no drift." NOT_CHECKED means drift detection has never been run. Candidates misinterpret this as being in sync.
Specific Numbers, Values, and Terms
Drift statuses: IN_SYNC, MODIFIED, DELETED, NOT_CHECKED (resource); DRIFTED, IN_SYNC, NOT_CHECKED, UNKNOWN (stack).
API calls: DetectStackDrift, DescribeStackDriftDetectionStatus, DescribeStackResourceDrifts.
CLI command: aws cloudformation detect-stack-drift --stack-name <value>.
Detection ID: Returned as a string; used to poll status.
Property difference types: NOT_EQUAL, ADDED, REMOVED.
Edge Cases and Exceptions
Deleted resources: If a resource is manually deleted, drift detection shows DELETED status. The exam may ask what happens if you try to update the stack after deletion — it will fail because the resource is missing.
Resources with dynamic properties: Some properties, like Endpoint for an S3 bucket, are not checked because they are system-generated.
StackSets: Drift detection on a StackSet itself is not possible; you must detect drift on each stack instance.
Drift detection on stacks in `UPDATE_ROLLBACK_FAILED` state: Drift detection can still be run, but the stack may be in an inconsistent state.
How to Eliminate Wrong Answers
If an answer says drift detection is automatic, eliminate it.
If an answer implies all resources are checked, eliminate it unless the question specifically says "supported resources."
If an answer says nested stacks are included, eliminate it.
If an answer confuses drift detection with change sets (e.g., "shows what will change during an update"), eliminate it.
Focus on the fact that drift detection is a read-only, non-intrusive operation.
Drift detection is a manual, read-only operation that compares actual resource configuration to the CloudFormation template.
Stack drift status is DRIFTED if any resource is MODIFIED or DELETED; otherwise IN_SYNC if all are IN_SYNC.
Not all resource types support drift detection; check the AWS documentation for the supported list.
Nested stacks require separate drift detection; they are not automatically checked by the parent stack.
To automate drift detection, use Amazon EventBridge to trigger a Lambda function that calls DetectStackDrift on a schedule.
The CLI command to detect drift is: aws cloudformation detect-stack-drift --stack-name <stack-name>.
Drift detection output includes PropertyDifferences with expected and actual values for each drifted property.
Remediation options: update the template, revert the manual change, or delete and recreate the resource.
IAM permissions needed: cloudformation:DetectStackDrift, DescribeStackDriftDetectionStatus, DescribeStackResourceDrifts, plus read permissions for the resources.
Drift detection is free, but API calls to describe resources may incur charges if they exceed free tier limits.
These come up on the exam all the time. Here's how to tell them apart.
Drift Detection
Compares current resource state to the stack template.
Detects changes made outside of CloudFormation.
Does not modify resources; only reports.
Can be run at any time, independent of updates.
Output shows actual vs expected property values.
Change Sets
Compares current resource state to a proposed template update.
Previews changes that will be applied during a stack update.
Does not modify resources until executed.
Created as part of the update workflow.
Output shows what will be added, modified, or deleted.
Mistake
Drift detection automatically fixes any differences it finds.
Correct
Drift detection only reports differences; it does not modify any resources. Remediation must be done manually or via automation scripts.
Mistake
All AWS resources support drift detection.
Correct
Only a subset of resource types support drift detection. For example, `AWS::CloudFormation::Stack` (nested stacks) and `AWS::RDS::DBCluster` are not supported. Always check the current list.
Mistake
Running drift detection on a parent stack automatically checks nested stacks.
Correct
Nested stacks are separate stacks. You must run drift detection on each nested stack individually. The parent stack's drift detection does not descend into nested stacks.
Mistake
A stack with a drift status of NOT_CHECKED is in sync.
Correct
NOT_CHECKED means no drift detection has ever been performed. The stack could be drifted or in sync; you cannot assume anything.
Mistake
Drift detection can be scheduled natively in CloudFormation.
Correct
CloudFormation does not provide a built-in scheduler for drift detection. You must use external services like EventBridge and Lambda to run it periodically.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, you can run drift detection on a stack in any state, including `UPDATE_ROLLBACK_FAILED` or `CREATE_FAILED`. However, the results may be incomplete if some resources were never created. Drift detection will check only the resources that exist. This is useful for diagnosing why a stack is in a failed state.
Drift detection works on individual stack instances within a StackSet, but there is no built-in operation to detect drift on the entire StackSet at once. You must iterate over each stack instance (each account/region combination) and run `DetectStackDrift` on each. The StackSet itself does not have a drift status.
Use Amazon EventBridge to create a scheduled rule (e.g., every 24 hours) that triggers an AWS Lambda function. The Lambda function calls the `DetectStackDrift` API for each stack you want to monitor. You can then process the results, send notifications via SNS, or automatically remediate using other Lambda functions.
If a property is not supported, it is simply not compared. The resource may still be checked for other properties. The unsupported property will not appear in the `PropertyDifferences` list. For example, the `Endpoint` property of an S3 bucket is system-generated and not checked.
No, drift detection only works on resources that are part of a CloudFormation stack. For resources outside of CloudFormation, you should use AWS Config rules to monitor configuration changes.
Drift detection is specific to CloudFormation stacks and compares resource configurations against the stack template. AWS Config is a broader service that records resource configurations and evaluates them against custom rules. Both can detect configuration changes, but drift detection is template-focused, while AWS Config is rule-based and applies to all resources in an account.
The `PropertyDifferences` array contains objects with `PropertyPath` (JSON path to the property), `ExpectedValue` (value from the template), `ActualValue` (current value from the resource), and `DifferenceType` (e.g., `NOT_EQUAL`, `ADDED`, `REMOVED`). For example, if a security group rule was added manually, the difference type would be `ADDED` with the actual value showing the new rule.
You've just covered CloudFormation Drift Detection — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?