AWS CloudFormation Drift Detection

More Info:

Your AWS CloudFormation stacks should not be drifted from their expected template configuration. A CloudFormation stack is considered to have drifted from its configuration if one or more of its resources have been drifted.

Risk Level

Medium

Address

Operational Maturity, Reliability

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

AWS CloudFormation Drift Detection is a feature that helps you identify resources that have drifted away from their expected configurations. Once you have identified the resources that have drifted, you can use the AWS CLI to remediate the drift.Here are the steps to remediate AWS CloudFormation Drift Detection using AWS CLI:

Identify the stack that has drifted by running the following command:

aws cloudformation detect-stack-drift --stack-name <stack-name>

Once you have identified the resources that have drifted, you can generate a drift report by running the following command:

aws cloudformation describe-stack-resource-drifts --stack-name <stack-name>

Review the drift report to identify the resources that have drifted and the expected and actual configurations.
To remediate the drift, update the stack with the expected configuration by running the following command:

aws cloudformation update-stack --stack-name <stack-name> --template-body file://<path-to-template> --parameters file://<path-to-parameters>

Replace <path-to-template> and <path-to-parameters> with the file paths to the updated CloudFormation template and parameters file.

Wait for the stack update to complete by running the following command:

aws cloudformation wait stack-update-complete --stack-name <stack-name>

Verify that the stack has been remediated by running the following command:

aws cloudformation describe-stack-resources --stack-name <stack-name>

This will show you the current configuration of the resources in the stack. If the resources have been remediated, the expected and actual configurations should match.

Using Python

To remediate AWS CloudFormation drift detection using Python, follow these steps:

Import the required libraries: boto3, json

import boto3
import json

Create a boto3 client for AWS CloudFormation:

client = boto3.client('cloudformation')

Get the list of stacks:

stacks = client.list_stacks(StackStatusFilter=['CREATE_COMPLETE', 'UPDATE_COMPLETE'])['StackSummaries']

Loop through the stacks and check for drift:

for stack in stacks:
    stack_drift = client.detect_stack_drift(StackName=stack['StackName'])
    if stack_drift['StackDriftStatus'] == 'DRIFTED':
        print('Stack {} has drifted'.format(stack['StackName']))

If a stack has drifted, remediate it by updating the stack:

response = client.update_stack(StackName=stack['StackName'], UsePreviousTemplate=True)
print('Stack {} has been remediated'.format(stack['StackName']))

Note: Make sure to test the script thoroughly before running it in a production environment.

Additional Reading:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/detect-drift-stack.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

AWS CloudFormation Drift Detection

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: