You are responsible for maintaining several AWS CloudFormation templates.
Last month, there were two incidents in which resources in existing CloudFormation stacks were changed by someone without any alerts or notifications.
Because of that, such changes may have negative impacts on the stacks, and they may be lost if the stacks are re-deployed.
This is not compliant with company policy.
Your team lead asked you to warn the team whenever a drift in the CloudFormation stack appears.
What is the best way to achieve that?
Correct Answer - B.
In AWS Config, there is an AWS managed rule (cloudformation-stack-drift-detection-check) to check if there is a drift.
Refer to https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-drift-detection-check.html for details.
Option A is incorrect: because this is not as straightforward as Option B.
Also, SES is unsuitable as a notification service; it should be SNS.
Option B is CORRECT: because a rule can quickly be set up to manage the drift status, and users can see whether the stacks are compliant or not.
Option C is incorrect: because the CloudWatch Events rule should not match every CloudFormation event, since the question only asks about the situation of stack drift.
Option D is incorrect: extra effort is required, such as creating a Lambda function.
Option B is much simpler as the AWS Config rule can easily identify a drift via an AWS managed rule.
The best way to achieve this is by using AWS Config to monitor and track the state of the CloudFormation stacks. AWS Config provides continuous monitoring of the configuration of the AWS resources in your account, and it can be used to ensure that the CloudFormation stacks are in compliance with the company policy.
Option A is not the best way because it requires running a Lambda function every 10 minutes, which may result in unnecessary costs if the CloudFormation stacks do not change frequently.
Option B is the best way to achieve this goal. It involves creating a rule in AWS Config to evaluate the drift status of each CloudFormation stack's resources. If the rule detects a drift, it will mark the stack as NON_COMPLIANT and send a notification to the team via SNS.
Option C involves using CloudWatch events to trigger a notification whenever an event happens for CloudFormation. However, this may result in notifications being sent for events that are not related to drift, such as when a stack is created or deleted.
Option D involves enabling CloudTrail and analyzing the logs to detect any modifications to the CloudFormation stacks. However, this approach is not as efficient as using AWS Config because it requires additional configuration and may result in higher costs.
In conclusion, the best approach to achieve the goal of detecting drift in the CloudFormation stacks and notifying the team is to create a rule in AWS Config to evaluate the drift status of the resources in each stack and send a notification via SNS when a stack is marked as NON_COMPLIANT.
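As an added example (not part of the original question or answer key), the following CloudFormation template wires the managed rule to an SNS notification the way Option B describes. It assumes an AWS Config configuration recorder is already enabled in the account and region, and the ReadOnlyAccess policy on the drift-detection role is an assumption to be scoped down; the team subscribes to the topic separately.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Role AWS Config assumes to run drift detection on the rule's behalf
  DriftDetectionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: sts:AssumeRole
      # Assumption: ReadOnlyAccess lets the role call the CloudFormation drift
      # APIs and read the live resources; scope it down to your stack's types
      ManagedPolicyArns: [arn:aws:iam::aws:policy/ReadOnlyAccess]
  # The managed rule the answer names; periodic, evaluates every stack
  DriftRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudformation-stack-drift-detection-check
      Source: { Owner: AWS, SourceIdentifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK }
      InputParameters:
        cloudformationRoleArn: !GetAtt DriftDetectionRole.Arn
      MaximumExecutionFrequency: TwentyFour_Hours
  DriftTopic:
    Type: AWS::SNS::Topic
  DriftTopicPolicy:  # EventBridge needs explicit permission to publish
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref DriftTopic]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sns:Publish
            Resource: !Ref DriftTopic
  # Fire only on NON_COMPLIANT results of this rule, not on every CFN event
  DriftAlertRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source: [aws.config]
        detail-type: [Config Rules Compliance Change]
        detail:
          configRuleName: [!Ref DriftRule]
          newEvaluationResult: { complianceType: [NON_COMPLIANT] }
      Targets:
        - { Arn: !Ref DriftTopic, Id: DriftTopic }
```

The event pattern is what keeps this from behaving like Option C: only a compliance change to NON_COMPLIANT for this one rule reaches the topic, not stack create, update or delete events.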