Overview

A configuration package to automatically monitor CloudFormation stack drift (when resources deployed through CloudFormation are manually changed afterwards). The package includes:

  • Managed AWS Config rule for CloudFormation drift detection. The rule runs on a schedule (every 24 hours); when it detects that changes have been made to CloudFormation stacks, it triggers a drift status check for each CloudFormation stack.
  • An IAM role that grants the Config rule the permissions it needs to run CloudFormation drift detection.
  • (Optional) CloudWatch Events rule to detect and notify on changes in Config rule compliance. If enabled, the rule notifies on compliance status changes for all Config rules, not just this one.
  • (Optional) SNS topic to configure the destination for email notifications (make sure to change the default email@example.com address).
  • (Optional) Enable AWS Config, which is required for the Config rule (includes configuration for the required IAM role and S3 bucket).

Note: you may need to increase the limit on drift detection runs if your account contains a large number of CloudFormation stacks; contact AWS Support to request a limit increase.

Configure & Deploy

Configuration Presets

  • Enables the Config rule and its corresponding IAM role only
  • Assumes that AWS Config is already enabled in the account

Configuration Template

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConfigRule:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: cloudformation-stack-drift-detection-check
      Description: >-
        A config rule that checks whether an AWS CloudFormation stack's actual
        configuration differs, or has drifted, from its expected configuration.
        A stack is considered to have drifted if one or more of its resources
        differ from their expected configurati...
      Scope:
        ComplianceResourceTypes:
          - 'AWS::CloudFormation::Stack'
      InputParameters:
        cloudformationRoleArn:
          'Fn::GetAtt':
            - IamRole
            - Arn
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
      MaximumExecutionFrequency: TwentyFour_Hours
  IamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
      Policies:
        - PolicyName: AllowAccessToDriftDetection
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'cloudformation:DetectStackResourceDrift'
                  - 'cloudformation:DescribeStackDriftDetectionStatus'
                  - 'cloudformation:DetectStackDrift'
                Resource: '*'
      RoleName: CfnDriftDetectionRole
Parameters: {}
Metadata: {}
Conditions: {}
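The managed rule above drives drift detection through the three cloudformation:* actions that CfnDriftDetectionRole grants. As an added example (not part of this package), the following boto3 script performs the same sweep on demand, so you can confirm a finding or check stacks between the rule's 24-hour evaluations. The client is passed in so the functions can be exercised without an AWS account; the stack names and statuses in any test are constructed.

```python
"""On-demand CloudFormation drift sweep using the same actions the
CfnDriftDetectionRole policy grants (DetectStackDrift,
DescribeStackDriftDetectionStatus). Added example, not package code."""
import time

# Only stacks in a stable state can be drift-checked; deleted stacks are skipped.
ACTIVE_STATUSES = ["CREATE_COMPLETE", "UPDATE_COMPLETE",
                   "UPDATE_ROLLBACK_COMPLETE", "IMPORT_COMPLETE"]


def list_stack_names(cfn):
    """Return the names of all active stacks, following pagination."""
    names = []
    paginator = cfn.get_paginator("list_stacks")
    for page in paginator.paginate(StackStatusFilter=ACTIVE_STATUSES):
        names.extend(s["StackName"] for s in page["StackSummaries"])
    return names


def detect_drift(cfn, stack_name, sleep=time.sleep, max_polls=60, interval=5):
    """Start drift detection for one stack and poll until it completes, fails,
    or max_polls is exhausted. Returns a dict with the stack's drift status."""
    # CloudFormation rejects a new detection while one is already running on
    # the same stack, so callers should not overlap sweeps with the Config rule.
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    for _ in range(max_polls):
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] == "DETECTION_COMPLETE":
            return {"stack": stack_name, "drift": status["StackDriftStatus"],
                    "drifted_resources": status.get("DriftedStackResourceCount", 0)}
        if status["DetectionStatus"] == "DETECTION_FAILED":
            # Treat a failed detection as UNKNOWN rather than silently IN_SYNC.
            return {"stack": stack_name, "drift": "UNKNOWN", "drifted_resources": 0,
                    "error": status.get("DetectionStatusReason", "detection failed")}
        sleep(interval)
    return {"stack": stack_name, "drift": "UNKNOWN", "drifted_resources": 0,
            "error": "timed out waiting for detection"}


def find_drifted_stacks(cfn, **kw):
    """Sweep every active stack; return those not IN_SYNC (DRIFTED or UNKNOWN)."""
    results = [detect_drift(cfn, name, **kw) for name in list_stack_names(cfn)]
    return sorted((r for r in results if r["drift"] != "IN_SYNC"), key=lambda r: r["stack"])


if __name__ == "__main__":
    import boto3  # only needed for a live run against an account
    for r in find_drifted_stacks(boto3.client("cloudformation")):
        print(f'{r["stack"]}: {r["drift"]} ({r["drifted_resources"]} drifted resources) {r.get("error", "")}')
```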