
Security Monitoring and Compliance

Automatic CloudFormation Drift Monitoring

A configuration package to automatically monitor CloudFormation stack drift (resources deployed through CloudFormation that are manually changed afterwards). The package includes:

  • Managed AWS Config rule for CloudFormation drift detection. The rule runs on a schedule (every 24 hours); when it detects that CloudFormation stacks have changed, it triggers a drift status check for each CloudFormation stack.
  • An IAM role that grants the Config rule the permissions needed to run CloudFormation drift detection.
  • (Optional) CloudWatch Event Rule to detect and notify on changes in Config rule compliance. If enabled, the rule notifies on compliance status changes for all Config rules, not only this one.
  • (Optional) SNS topic that sets the destination for email notifications. (Make sure to change the default address, email@example.com.)
  • (Optional) Enable AWS Config, which the AWS Config rule requires. (Includes the required IAM role and S3 bucket.)

Note: If your account contains a large number of CloudFormation stacks, you might have to increase the limit for drift detection runs; contact AWS Support to request a limit increase.
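Because the optional CloudWatch Event Rule fires on every Config rule's compliance change, the notification target usually needs to narrow events down to the drift rule defined in the template. The following is an added example, not part of the package: a Python handler that accepts the EventBridge "Config Rules Compliance Change" event shape and returns an alert only when a stack newly turns NON_COMPLIANT. The function names, the sample account, region and stack values, and the alert fields are constructed here.

```python
# Added example (not part of the package): decide whether an EventBridge
# "Config Rules Compliance Change" event for this package's drift rule is
# worth an SNS notification.
DRIFT_RULE_NAME = "cloudformation-stack-drift-detection-check"  # name used in the template


def drift_alert(event, rule_name=DRIFT_RULE_NAME):
    """Return an alert dict when a stack has *newly* become NON_COMPLIANT under
    the drift rule, or None for events to ignore: other rules, COMPLIANT or
    NOT_APPLICABLE results, and re-evaluations of an already-drifted stack."""
    if (event.get("source") != "aws.config"
            or event.get("detail-type") != "Config Rules Compliance Change"):
        return None
    detail = event.get("detail") or {}
    if detail.get("configRuleName") != rule_name:
        return None
    new_result = detail.get("newEvaluationResult") or {}
    # oldEvaluationResult is absent the first time a resource is evaluated.
    old_result = detail.get("oldEvaluationResult") or {}
    old_status = old_result.get("complianceType", "NOT_EVALUATED")
    if new_result.get("complianceType") != "NON_COMPLIANT" or old_status == "NON_COMPLIANT":
        return None
    return {
        "subject": "CloudFormation drift detected: " + str(detail.get("resourceId")),
        "stack": detail.get("resourceId"),
        "account": detail.get("awsAccountId"),
        "region": detail.get("awsRegion"),
        "previous_status": old_status,
        "annotation": new_result.get("annotation", ""),
    }


def make_event(rule_name, new_status, old_status=None, stack_id="example-stack"):
    """Constructed compliance-change event: field names follow the EventBridge
    event emitted by AWS Config; every value is a made-up sample."""
    detail = {
        "configRuleName": rule_name,
        "resourceType": "AWS::CloudFormation::Stack",
        "resourceId": stack_id,
        "awsAccountId": "111122223333",
        "awsRegion": "us-east-1",
        "newEvaluationResult": {"complianceType": new_status,
                                "annotation": "Stack resources differ from template"},
    }
    if old_status is not None:
        detail["oldEvaluationResult"] = {"complianceType": old_status}
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
            "detail": detail}
```

Wire the returned dict into whatever publishes to the SNS topic; a None result means the event can be dropped without notifying anyone.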

AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  ConfigRule:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "cloudformation-stack-drift-detection-check"
      Scope:
        ComplianceResourceTypes:
          - "AWS::CloudFormation::Stack"
      Description: "A config rule that checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configurati..."
      InputParameters:
        cloudformationRoleArn:
          Fn::GetAtt:
            - "IamRole"
            - "Arn"
      Source:
        Owner: "AWS"
        SourceIdentifier: "CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK"
      MaximumExecutionFrequency: "TwentyFour_Hours"
  IamRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "CfnDriftDetectionRole"
      Description: "IAM role for CloudFormation Drift Detection"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "config.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"
      Policies:
        - PolicyName: "AllowAccessToDriftDetection"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "cloudformation:DetectStackResourceDrift"
                  - "cloudformation:DescribeStackDriftDetectionStatus"
                  - "cloudformation:DetectStackDrift"
                Resource: "*"
Parameters: {}
Metadata: {}
Conditions: {}
