Automatic CloudFormation Drift Monitoring

A configuration package to automatically monitor CloudFormation stack drift (resources deployed through CloudFormation that are manually changed afterwards). The package includes:

  • Managed AWS Config rule for CloudFormation drift detection. The rule runs on a schedule (every 24 hours); when it detects that CloudFormation stacks have changed, it triggers a drift status check for each CloudFormation stack.
  • An IAM role that grants the Config rule the permissions it needs to run CloudFormation drift detection.
  • (Optional) CloudWatch Event rule to detect and notify on changes in Config rule compliance. If enabled, the rule notifies on compliance status changes of all Config rules, not only the drift rule.
  • (Optional) SNS topic that defines the destination for email notifications. (Make sure to change the default email@example.com.)
  • (Optional) Enable AWS Config, which the AWS Config rule requires. (Includes configuration for the required IAM role and S3 bucket.)

Note: You might have to increase the limit for concurrent drift detection operations if your account contains a large number of CloudFormation stacks; contact AWS Support to request a limit increase.
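The optional event rule described above forwards every Config compliance change to the SNS topic, which quickly becomes noise in an account with many rules. The following is an added example (not part of the package on this page) showing how a defender would narrow that stream to drift findings only: an EventBridge-style pattern that matches NON_COMPLIANT results of the drift rule from the template, a small matcher that applies it, and a function that turns a matching event into the notification text. The event shape follows the "Config Rules Compliance Change" notification as published by AWS Config; the sample events and the account ID, region and stack ARN in them are constructed for the example.

```python
"""Filter AWS Config compliance-change events down to CloudFormation drift
findings and build the message that would be sent to the SNS topic.

Added example, not code from the page's package. Events follow the
EventBridge "Config Rules Compliance Change" notification shape; all sample
values below are constructed.
"""
import json

# Rule name taken from the ConfigRule resource in the template on this page.
DRIFT_RULE_NAME = "cloudformation-stack-drift-detection-check"

# Event pattern for the optional CloudWatch/EventBridge rule: only NON_COMPLIANT
# results of the drift rule, instead of every Config rule's compliance change.
DRIFT_EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": [DRIFT_RULE_NAME],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches_pattern(pattern, event):
    """Minimal EventBridge-style matcher: every pattern key must exist in the
    event; a list means 'any of these literal values'; a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def build_drift_notification(event):
    """Return a notification line for a drift finding, or None when the event
    is another rule's result or a stack returning to COMPLIANT."""
    if not matches_pattern(DRIFT_EVENT_PATTERN, event):
        return None
    d = event["detail"]
    old = d.get("oldEvaluationResult", {}).get("complianceType", "NOT_EVALUATED")
    return (
        f"CloudFormation drift detected in {d['awsAccountId']}/{d['awsRegion']}: "
        f"stack {d['resourceId']} went {old} -> NON_COMPLIANT "
        f"(rule {d['configRuleName']})"
    )


def _event(rule_name, new_type, old_type=None):
    """Build a constructed compliance-change event (sample data, not captured)."""
    detail = {
        "resourceId": "arn:aws:cloudformation:us-east-1:111122223333:stack/example-stack/EXAMPLE-ID",
        "resourceType": "AWS::CloudFormation::Stack",
        "awsRegion": "us-east-1",
        "awsAccountId": "111122223333",
        "configRuleName": rule_name,
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": new_type},
    }
    if old_type:
        detail["oldEvaluationResult"] = {"complianceType": old_type}
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change", "detail": detail}


# Three constructed events: a stack that drifted, one that was brought back in
# line, and a finding from an unrelated Config rule.
DRIFTED_STACK_EVENT = _event(DRIFT_RULE_NAME, "NON_COMPLIANT", "COMPLIANT")
RECOVERED_STACK_EVENT = _event(DRIFT_RULE_NAME, "COMPLIANT", "NON_COMPLIANT")
OTHER_RULE_EVENT = _event("s3-bucket-public-read-prohibited", "NON_COMPLIANT")

if __name__ == "__main__":
    for ev in (DRIFTED_STACK_EVENT, RECOVERED_STACK_EVENT, OTHER_RULE_EVENT):
        print(json.dumps({"rule": ev["detail"]["configRuleName"],
                          "notification": build_drift_notification(ev)}))
```

The pattern dict can be dropped into the EventPattern of the optional event rule as-is; the matcher only reproduces the subset of EventBridge semantics (exact-value lists and nested objects) that this pattern uses, so keep it for local testing rather than as a replacement for the service.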


Items: 2, Size: 1.8 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  # Managed Config rule: evaluates every CloudFormation stack's drift status
  # on a 24-hour schedule, using the role below to call the drift APIs.
  ConfigRule:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "cloudformation-stack-drift-detection-check"
      Scope:
        ComplianceResourceTypes:
          - "AWS::CloudFormation::Stack"
      Description: "A config rule that checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configurati..."
      InputParameters:
        # Required parameter of the managed rule: the role Config assumes to run drift detection.
        cloudformationRoleArn:
          Fn::GetAtt:
            - "IamRole"
            - "Arn"
      Source:
        Owner: "AWS"
        SourceIdentifier: "CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK"
      MaximumExecutionFrequency: "TwentyFour_Hours"
  # Role trusted only by the AWS Config service principal.
  IamRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "CfnDriftDetectionRole"
      Description: "IAM role for CloudFormation Drift Detection"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "config.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"
      Policies:
        # Inline policy limited to the three drift-detection API calls the rule makes.
        - PolicyName: "AllowAccessToDriftDetection"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "cloudformation:DetectStackResourceDrift"
                  - "cloudformation:DescribeStackDriftDetectionStatus"
                  - "cloudformation:DetectStackDrift"
                Resource: "*"
Parameters: {}
Metadata: {}
Conditions: {}
