AWS CloudFormation
User Guide (API Version 2010-05-15)

Detecting Unmanaged Configuration Changes in Stack Sets

Even as you manage your stacks and the resources they contain through CloudFormation, users can change those resources outside of CloudFormation. Users can edit resources directly by using the underlying service that created the resource. By performing drift detection on a stack set, you can determine if any of the stack instances belonging to that stack set differ, or have drifted, from their expected configuration.

How CloudFormation Performs Drift Detection on a Stack Set

When CloudFormation performs drift detection on a stack set, it performs drift detection on the stack associated with each stack instance in the stack set. To do this, CloudFormation compares the current state of each resource in the stack with the expected state of that resource, as defined in the stack's template and any specified input parameters. If the current state of a resource varies from its expected state, that resource is considered to have drifted. If one or more resources in a stack have drifted, then the stack itself is considered to have drifted, and the stack instance that the stack is associated with is considered to have drifted as well. If one or more stack instances in a stack set have drifted, the stack set itself is considered to have drifted.

Drift detection identifies unmanaged changes; that is, changes made to stacks outside of CloudFormation. Changes made through CloudFormation to a stack directly, rather than at the stack-set level, are not considered drift. For example, suppose you have a stack that is associated with a stack instance of a stack set. If you use CloudFormation to update that stack to use a different template, that is not considered drift, even though that stack now has a different template than any other stacks belonging to the stack set. This is because the stack still matches its expected template and parameter configuration in CloudFormation.

For detailed information on how CloudFormation performs drift detection on a stack, see Detecting Unmanaged Configuration Changes to Stacks and Resources.

Because CloudFormation performs drift detection on each stack individually, it takes any overridden parameter values into account when determining whether a stack has drifted. For more information on overriding template parameters in stack instances, see Override Parameters on Stack Instances.

If you perform drift detection directly on a stack that is associated with a stack instance, those drift results are not available from the StackSets console page.

To detect drift on a stack set using the AWS Management Console

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  2. On the StackSets page, select the stack set on which you want to perform drift detection.

  3. From the Actions menu, select Detect drifts.

    CloudFormation displays an information bar stating that drift detection has been initiated for the selected stack set.

  4. Optional: To monitor the progress of the drift detection operation:

    1. Click the stack set name to display the Stackset details page.

    2. Select the Operations tab, select the drift detection operation, and then select View drift details.

    CloudFormation displays the Operation details dialog box.

  5. Wait until CloudFormation completes the drift detection operation. When the drift detection operation completes, CloudFormation updates Drift status and Last drift check time for your stack set. These fields are listed on the Overview tab of the StackSet details page for the selected stack set.

    The drift detection operation may take some time, depending on the number of stack instances included in the stack set, as well as the number of resources included in the stack set. You can only run a single drift detection operation on a given stack set at one time. CloudFormation continues the drift detection operation even after you dismiss the information bar.

  6. To review the drift detection results for the stack instances in a stack set, select the Stack instances tab.

    The Stack name column lists the name of the stack associated with each stack instance, and the Drift status column lists the drift status of that stack. A stack is considered to have drifted if one or more of its resources have drifted.

  7. To review the drift detection results for the stack associated with a specific stack instance:

    1. Note the AWS account, Stack name, and AWS region for the stack instance.

    2. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

      Log into the AWS account containing the stack instance.

    3. Select the AWS region containing the stack instance.

    4. From the left-hand navigation pane, select Stacks.

    5. Select the stack you wish to view, and then select Drifts.

      CloudFormation displays the Drifts page for the stack associated with the specified stack instance.

    In the Resource drift status section, CloudFormation lists each stack resource, its drift status, and the last time drift detection was initiated on the resource. The logical ID and physical ID of each resource are displayed to help you identify them. In addition, for resources with a status of MODIFIED, CloudFormation displays resource drift details.

    You can sort the resources based on their drift status using the Drift status column.

    1. To view the details of a modified resource:

      1. With the modified resource selected, select View drift details.

        CloudFormation displays the drift detail page for that resource. This page lists the resource's expected and current property values, and any differences between the two.

        To highlight a difference, in the Differences section select the property name.

        • Added properties are highlighted in green in the Current column of the Details section.

        • Deleted properties are highlighted in red in the Expected column of the Details section.

        • Properties whose values have been changed are highlighted in yellow in both the Expected and Current columns.

    [Figure: The Resource drift status section of the Drift Details page, which contains drift information for each resource in the stack that supports drift detection. Details include drift status and expected and current property values.]

To detect drift on a stack set using the AWS CLI

To detect drift on an entire stack set using the AWS CLI, use the following aws cloudformation commands:

  • detect-stack-set-drift to initiate a drift detection operation on a stack set.

  • describe-stack-set-operation to monitor the status of the stack set drift detection operation.

  • Once the drift detection operation has completed, use the following command to return drift information you want:

    • Use describe-stack-set to return detailed information about the stack set, including detailed information about the last completed drift operation performed on the stack set. (Information about drift operations that are in progress is not included.)

    • Use list-stack-instances to return a list of stack instances belonging to the stack set, including the drift status and last drift check time of each instance.

    • Use describe-stack-instance to return detailed information about a specific stack instance, including its drift status and last drift check time.

  1. Use detect-stack-set-drift to detect drift on an entire stack set and its associated stack instances.

    PROMPT> aws cloudformation detect-stack-set-drift --stack-set-name my-stack-with-resource-drift

  2. Because stack set drift detection can be a long-running operation, use describe-stack-set-operation to monitor the status of the drift operation. This command takes the stack set operation ID returned by the detect-stack-set-drift command.

    PROMPT> aws cloudformation describe-stack-set-operation --stack-set-name my-stack-with-resource-drift --operation-id 624af370-311a-11e8-b6b7-500cexample

  3. When the stack set drift detection operation is complete, use the describe-stack-set, list-stack-instances, and describe-stack-instance commands to review the results.

    PROMPT> aws cloudformation describe-stack-set --stack-set-name my-stack-with-resource-drift
    PROMPT> aws cloudformation list-stack-instances --stack-set-name my-stack-with-resource-drift
    PROMPT> aws cloudformation describe-stack-instance --stack-set-name my-stack-with-resource-drift --stack-instance-account 123456789012 --stack-instance-region us-west-2
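The three CLI steps above, chained together with boto3 as an added example that is not part of the AWS documentation: it starts the operation, polls describe-stack-set-operation until the operation reaches an end state, and only then pages through list-stack-instances to report the instances marked DRIFTED. The CloudFormation client is passed in as a parameter so the logic can be exercised against a stub; the function names are assumptions.

```python
"""Hypothetical helper (not from the AWS docs): run stack-set drift detection end to end."""
import time

# End states reported by describe-stack-set-operation; anything else means still running.
TERMINAL = {"SUCCEEDED", "FAILED", "STOPPED"}


def wait_for_operation(cfn, stack_set_name, operation_id, poll_seconds=15, max_polls=240):
    """Poll until the drift operation ends; return the final StackSetOperation structure."""
    for _ in range(max_polls):
        op = cfn.describe_stack_set_operation(
            StackSetName=stack_set_name, OperationId=operation_id)["StackSetOperation"]
        if op["Status"] in TERMINAL:
            return op
        time.sleep(poll_seconds)
    raise TimeoutError(f"drift operation {operation_id} still running after {max_polls} polls")


def drifted_instances(cfn, stack_set_name):
    """Page through list-stack-instances; keep (account, region, stack id) of DRIFTED ones."""
    found, kwargs = [], {"StackSetName": stack_set_name}
    while True:
        page = cfn.list_stack_instances(**kwargs)
        for s in page.get("Summaries", []):
            if s.get("DriftStatus") == "DRIFTED":
                found.append((s["Account"], s["Region"], s.get("StackId")))
        if not page.get("NextToken"):
            return found
        kwargs["NextToken"] = page["NextToken"]


def detect_stack_set_drift(cfn, stack_set_name, poll_seconds=15):
    """Start detection, wait for it, then return (operation summary, drifted instances)."""
    op_id = cfn.detect_stack_set_drift(StackSetName=stack_set_name)["OperationId"]
    op = wait_for_operation(cfn, stack_set_name, op_id, poll_seconds)
    details = op.get("StackSetDriftDetectionDetails", {})
    summary = {"status": op["Status"],
               "drift_status": details.get("DriftStatus", "NOT_CHECKED"),
               "drifted": details.get("DriftedStackInstancesCount", 0),
               "failed": details.get("FailedStackInstancesCount", 0)}
    # Per-instance results are only meaningful once the operation succeeded; a failed or
    # stopped run leaves instances NOT_CHECKED or stale, so report none rather than guess.
    drifted = drifted_instances(cfn, stack_set_name) if op["Status"] == "SUCCEEDED" else []
    return summary, drifted


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the functions above stay importable without boto3
    summary, drifted = detect_stack_set_drift(boto3.client("cloudformation"), sys.argv[1])
    print(summary)
    for account, region, stack_id in drifted:
        print(f"DRIFTED {account} {region} {stack_id}")
```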

Stopping Drift Detection on a Stack Set

Because drift detection on a stack set can be a long-running operation, there may be instances when you want to stop a drift detection operation that is currently running on a stack set.

To stop drift detection on a stack set using the AWS Management Console

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  2. On the StackSets page, select the name of the stack set.

    CloudFormation displays the StackSets details page for the selected stack set.

  3. On the StackSets details page, select the Operations tab, and then select the drift detection operation.

  4. Select Stop operation.

To stop drift detection on a stack set using the AWS CLI

  • Use the stop-stack-set-operation command. You can supply either the stack set name, or the operation ID of the drift detection stack set operation.

    PROMPT> aws cloudformation stop-stack-set-operation --stack-set-name my-stack-with-resource-drift --operation-id 624af370-311a-11e8-b6b7-500cexample