My Saved Presets
You must be logged in to view saved presets

Loading Library ...

Configuration Packages

Automatic CloudFormation Drift Monitoring

A configuration package to automatically monitor CloudFormation stack drift (When resources deployed through CloudFormation are manaully changed after). The package includes:

  • Managed AWS Config Rule for CloudFormation Drift Detection. The rule runs on a schedule (every 24 hours) and when it detects changes are made to CloudFormation stacks, and it will trigger Drift Status Check for each CloudFormation stack.
  • An IAM role to provide the Config rule with the necessary permissions to run Cloudformation drift detection.
  • (Optional) CloudWatch Event Rule to detect and notify on changes in Config rule compliance events. If enabled, the rule will notify on all Config rules' compliance status changes.
  • (Optional) SNS Topic to configure the destination for email notifications. (Make sure to change from the default email@example.com)
  • (Optional) Enable AWS Config which is required for the AWS Config rule. (Includes configuration for the required IAM role and S3 bucket)

Note: You might have to increase the limit for Drift Detection runtimes if your account contains a large number of CloudFormation stacks, contact AWS support to request limit increases. 

A premium subscription is required for this content
You can browse individual security control configurations for AWS CloudFormation in our repository for free! Go to Library

Items
2
Size
1.7 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConfigRule:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: cloudformation-stack-drift-detection-check
      Scope:
        ComplianceResourceTypes:
          - 'AWS::CloudFormation::Stack'
      Description: 'A config rule that checks whether an AWS CloudFormation stack''s actual configuration differs, or has drifted, from it''s expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configurati...'
      InputParameters:
        cloudformationRoleArn:
          'Fn::GetAtt':
            - IamRole
            - Arn
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
      MaximumExecutionFrequency: TwentyFour_Hours
  IamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: CfnDriftDetectionRole
      Description: IAM role for CloudFormation Drift Detection
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
      Policies:
        - PolicyName: AllowAccessToDriftDetection
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'cloudformation:DetectStackResourceDrift'
                  - 'cloudformation:DescribeStackDriftDetectionStatus'
                  - 'cloudformation:DetectStackDrift'
                Resource: '*'
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Configuration Presets

Resource Settings

EDIT
EDIT
EDIT
EDIT
EDIT
EDIT

© 2024 asecurecloud. All rights reserved.