
Security Monitoring and Compliance

Automatic CloudFormation Drift Monitoring

A configuration package to automatically monitor CloudFormation stack drift (resources deployed through CloudFormation that are manually changed afterwards). The package includes:

  • Managed AWS Config Rule for CloudFormation Drift Detection. The rule runs on a schedule (every 24 hours); on each run it triggers a drift status check for every CloudFormation stack and reports stacks whose resources have been changed outside CloudFormation.
  • An IAM role to provide the Config rule with the necessary permissions to run CloudFormation drift detection.
  • (Optional) CloudWatch Event Rule to detect and notify on changes in Config rule compliance events. If enabled, the rule will notify on all Config rules' compliance status changes.
  • (Optional) SNS Topic to configure the destination for email notifications. (Make sure to change from the default email@example.com.)
  • (Optional) Enable AWS Config, which is required for the AWS Config rule. (Includes configuration for the required IAM role and S3 bucket.)

Note: You might have to increase the limit for concurrent Drift Detection runs if your account contains a large number of CloudFormation stacks; contact AWS Support to request a limit increase.

Items: 2, Size: 1.8 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  ConfigRule:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "cloudformation-stack-drift-detection-check"
      Scope:
        ComplianceResourceTypes:
          - "AWS::CloudFormation::Stack"
      Description: "A config rule that checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configurati..."
      InputParameters:
        cloudformationRoleArn:
          Fn::GetAtt:
            - "IamRole"
            - "Arn"
      Source:
        Owner: "AWS"
        SourceIdentifier: "CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK"
      MaximumExecutionFrequency: "TwentyFour_Hours"
  IamRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "CfnDriftDetectionRole"
      Description: "IAM role for CloudFormation Drift Detection"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "config.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"
      Policies:
        - PolicyName: "AllowAccessToDriftDetection"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "cloudformation:DetectStackResourceDrift"
                  - "cloudformation:DescribeStackDriftDetectionStatus"
                  - "cloudformation:DetectStackDrift"
                Resource: "*"
Parameters: {}
Metadata: {}
Conditions: {}
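The optional notification pieces listed in the package description (the CloudWatch Event rule on Config compliance changes and the SNS topic) are not among the two resources in the template above. The following is an added example, not part of this package's template, showing one way to wire them up as a separate stack. It narrows the package's behaviour slightly: instead of notifying on every Config rule's status change, it matches only the cloudformation-stack-drift-detection-check rule and only transitions to NON_COMPLIANT. The parameter name NotificationEmail, the resource names and the topic and rule names are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Added example: email a subscriber when the CloudFormation drift Config rule reports NON_COMPLIANT"
Parameters:
  NotificationEmail:
    Type: String
    Default: "email@example.com"   # change this before deploying (assumed parameter name)
    Description: "Address subscribed to drift notifications"
Resources:
  # SNS topic that receives the compliance-change events (assumed resource and topic name)
  DriftNotificationTopic:
    Type: "AWS::SNS::Topic"
    Properties:
      TopicName: "cfn-drift-notifications"
      Subscription:
        - Protocol: "email"
          Endpoint: !Ref NotificationEmail
  # Topic policy: EventBridge needs an explicit sns:Publish grant to deliver to the topic;
  # the principal is limited to the EventBridge service, and the resource to this topic only
  DriftNotificationTopicPolicy:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      Topics:
        - !Ref DriftNotificationTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowEventBridgePublish"
            Effect: "Allow"
            Principal:
              Service: "events.amazonaws.com"
            Action: "sns:Publish"
            Resource: !Ref DriftNotificationTopic
  # Event rule: matches Config compliance-change events for the drift rule only.
  # Drop the complianceType filter (or the configRuleName filter) to get every change,
  # which is what the package's own optional rule does.
  DriftComplianceChangeRule:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "cfn-drift-compliance-change"   # assumed name
      State: "ENABLED"
      EventPattern:
        source:
          - "aws.config"
        detail-type:
          - "Config Rules Compliance Change"
        detail:
          configRuleName:
            - "cloudformation-stack-drift-detection-check"
          newEvaluationResult:
            complianceType:
              - "NON_COMPLIANT"
      Targets:
        - Id: "DriftSnsTarget"
          Arn: !Ref DriftNotificationTopic
          # Turn the raw event into a short human-readable message; resourceId is the stack ID
          InputTransformer:
            InputPathsMap:
              stack: "$.detail.resourceId"
              status: "$.detail.newEvaluationResult.complianceType"
            InputTemplate: '"CloudFormation stack <stack> is <status>: one or more resources were changed outside CloudFormation."'
```

Deploy it in the same account and region as the drift rule; the email subscription must be confirmed from the mailbox before any notification is delivered. Because the Config rule only evaluates every 24 hours, a manual change shows up in the mailbox at the next scheduled run, not immediately.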
