# Demo Utilizing Drift detection with a StackSet

> Demonstrates using AWS CloudFormation StackSet drift detection to identify, simulate, and remediate resource drift across accounts and regions using an S3 bucket example.

This lesson shows how to use AWS CloudFormation drift detection on a StackSet and its stack instances. You'll see the full flow: start drift detection from the StackSet console, make an out-of-band change to an S3 bucket to simulate drift, re-run detection to identify drift, then revert the change and re-check until the StackSet returns to IN\_SYNC.

Key concepts covered:

* CloudFormation drift detection for StackSets
* How stack instance divergence is reported across accounts and regions
* Correcting drift and validating compliance

Useful links:

* [CloudFormation drift detection overview](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html)
* [StackSets concepts and management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html)
* [S3 buckets documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html)

## Step 1 — Start drift detection on the StackSet

1. Open the AWS CloudFormation console and select your StackSet.
2. From the Actions menu choose Detect drift.
3. The console will request and begin the detection. Depending on the number of stack instances (across accounts and regions), detection may take several minutes.

<Callout icon="lightbulb" color="#1CB2FE">
  Detect drift at the StackSet level runs drift detection on every stack instance the StackSet manages, comparing each instance's live resources against the expected values in the StackSet template. Results are reported at both the StackSet and stack instance levels across accounts and regions.
</Callout>

When detection completes with no differences, the StackSet status will display IN\_SYNC, indicating the live resources match the template.
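The console steps above (and the re-run in Step 3, which is the same operation) correspond to three CloudFormation API calls: `DetectStackSetDrift` starts the job, `DescribeStackSetOperation` is polled until it finishes, and `ListStackInstances` reports the per-account, per-region drift status. The script below is an added example written for this page, not part of the lesson or of AWS's own tooling. It uses the boto3 `cloudformation` client; the StackSet name `DemoStackSet` is taken from the screenshot later in the lesson, and the client is passed in as a parameter so the logic can be exercised against a stub without AWS credentials.

```python
"""Run StackSet drift detection and report which stack instances drifted (added example)."""
import time

# DescribeStackSetOperation Status values at which polling can stop
TERMINAL_STATES = {"SUCCEEDED", "FAILED", "STOPPED"}


def start_drift_detection(cfn, stack_set_name):
    """Start a DETECT_DRIFT operation on the StackSet and return its operation id."""
    resp = cfn.detect_stack_set_drift(StackSetName=stack_set_name)
    return resp["OperationId"]


def wait_for_operation(cfn, stack_set_name, operation_id, poll_seconds=15, max_polls=80):
    """Poll the operation until it reaches a terminal state; return the StackSetOperation record."""
    for _ in range(max_polls):
        op = cfn.describe_stack_set_operation(
            StackSetName=stack_set_name, OperationId=operation_id
        )["StackSetOperation"]
        if op["Status"] in TERMINAL_STATES:
            return op
        time.sleep(poll_seconds)
    raise TimeoutError(f"drift detection {operation_id} did not finish in time")


def list_instance_drift(cfn, stack_set_name):
    """Return [(account, region, drift_status)] for every stack instance, following pagination."""
    results = []
    kwargs = {"StackSetName": stack_set_name}
    while True:
        page = cfn.list_stack_instances(**kwargs)
        for summary in page.get("Summaries", []):
            results.append(
                (summary["Account"], summary["Region"], summary.get("DriftStatus", "NOT_CHECKED"))
            )
        token = page.get("NextToken")
        if not token:
            return results
        kwargs["NextToken"] = token


def drift_report(cfn, stack_set_name, poll_seconds=15):
    """Run detection end to end and summarise the StackSet-level and instance-level results."""
    op_id = start_drift_detection(cfn, stack_set_name)
    op = wait_for_operation(cfn, stack_set_name, op_id, poll_seconds=poll_seconds)
    if op["Status"] != "SUCCEEDED":
        raise RuntimeError(f"drift detection ended with status {op['Status']}")
    # StackSetDriftDetectionDetails carries the aggregate counts shown in the console
    details = op.get("StackSetDriftDetectionDetails", {})
    instances = list_instance_drift(cfn, stack_set_name)
    drifted = [(acct, region) for acct, region, status in instances if status == "DRIFTED"]
    return {
        "operation_id": op_id,
        "stack_set_drift_status": details.get("DriftStatus", "NOT_CHECKED"),
        "drifted_count": details.get("DriftedStackInstancesCount", len(drifted)),
        "total_count": details.get("TotalStackInstancesCount", len(instances)),
        "drifted_instances": drifted,
    }


if __name__ == "__main__":
    import sys
    import boto3  # real client; needs AWS credentials with CloudFormation read permissions

    name = sys.argv[1] if len(sys.argv) > 1 else "DemoStackSet"  # StackSet name from the lesson
    report = drift_report(boto3.client("cloudformation"), name)
    print(f"{name}: {report['stack_set_drift_status']} "
          f"({report['drifted_count']}/{report['total_count']} instances drifted)")
    for account, region in report["drifted_instances"]:
        print(f"  DRIFTED  account={account} region={region}")
    # non-zero exit lets a scheduled job or pipeline fail on drift
    sys.exit(1 if report["drifted_instances"] else 0)
```

Run it as `python drift_report.py DemoStackSet`. Because the exit code reflects whether any instance drifted, the same script can be scheduled (for example from a pipeline or cron job) to turn the console's manual check into a continuous control; only the detection status is read, nothing is changed.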

Here is the CloudFormation template resource used in this demo (the S3 bucket resource in the StackSet template):

```yaml theme={null}
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub 'stackset-bucket-${AWS::Region}-${AWS::AccountId}'
      Tags:
        - Key: Status
          Value: "Active"
```

The S3 buckets created by this StackSet should match the template properties above. You can confirm the buckets in the S3 console:

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/I4QRakaJXzOFCxiD/images/AWS-CloudFormation/StackSets/Demo-Utilizing-Drift-detection-with-a-StackSet/s3-console-general-purpose-buckets.jpg?fit=max&auto=format&n=I4QRakaJXzOFCxiD&q=85&s=d43944c069e2f29b395f4f377eeae654" alt="A screenshot of the Amazon S3 console showing the &#x22;General purpose buckets&#x22; view with a list of three S3 buckets, their AWS regions, IAM Access Analyzer links, and creation dates, plus a &#x22;Create bucket&#x22; button." width="1280" height="720" data-path="images/AWS-CloudFormation/StackSets/Demo-Utilizing-Drift-detection-with-a-StackSet/s3-console-general-purpose-buckets.jpg" />
</Frame>

## Step 2 — Simulate drift with an out-of-band change

To simulate a drift scenario, make a manual edit to one of the S3 buckets that is not reflected in the StackSet template:

1. Open the bucket in the S3 console.
2. Go to Properties → Tags.
3. Add a tag that is not part of the StackSet template (for example, Key: developer, Value: Arno).
4. Save the changes.

This manual edit makes the live S3 resource diverge from the CloudFormation template; when drift detection runs again, the associated stack instance will be reported as DRIFTED.

## Step 3 — Re-run drift detection on the StackSet

1. Return to the CloudFormation StackSets console.
2. Select the StackSet, open Actions, and choose Detect drift again.
3. Wait for the detection job to complete, then refresh the StackSet view.

After detection finishes, the StackSet drift status should display DRIFTED because of the additional tag added directly in the S3 console:

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/I4QRakaJXzOFCxiD/images/AWS-CloudFormation/StackSets/Demo-Utilizing-Drift-detection-with-a-StackSet/aws-cloudformation-stackset-demo-drifted.jpg?fit=max&auto=format&n=I4QRakaJXzOFCxiD&q=85&s=4925824fac7c90db90468e394b3a2e99" alt="A screenshot of the AWS CloudFormation StackSets console showing one StackSet called &#x22;DemoStackSet&#x22; with a SELF_MANAGED permission model and a Drift status marked &#x22;DRIFTED.&#x22; The browser window and Windows taskbar are visible around the console." width="1280" height="720" data-path="images/AWS-CloudFormation/StackSets/Demo-Utilizing-Drift-detection-with-a-StackSet/aws-cloudformation-stackset-demo-drifted.jpg" />
</Frame>

## Step 4 — Revert the change and confirm IN\_SYNC

To resolve the detected drift:

1. Remove the extra tag you added to the S3 bucket so it matches the template again.
2. In the StackSet console, run Detect drift from Actions and wait for completion.
3. After the detection finishes, verify that both the stack instance and the StackSet status have returned to IN\_SYNC.

This confirms the live resources once again match the CloudFormation template.
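Step 4 reverts the out-of-band tag by hand. The following script is an added example, not part of the lesson, that does the same comparison programmatically for the S3 bucket defined in the template above: it reads the bucket's live tags with `GetBucketTagging`, classifies every key that was added, removed or changed relative to the template's `Tags` property, and, only when asked, restores the template's tag set with `PutBucketTagging`. The bucket name is derived from the template's `!Sub` expression; the region and account id are supplied on the command line, and the S3 client is passed in so the logic can be exercised against a stub.

```python
"""Compare a bucket's live tags with the StackSet template and optionally restore them (added example)."""

# The Tags property of MyBucket in the StackSet template on this page
TEMPLATE_TAGS = {"Status": "Active"}


def bucket_name(region, account_id):
    """Mirror the template's BucketName: !Sub 'stackset-bucket-${AWS::Region}-${AWS::AccountId}'."""
    return f"stackset-bucket-{region}-{account_id}"


def tagset_to_dict(tag_set):
    """Convert the S3 API's [{'Key': ..., 'Value': ...}] list into a plain dict."""
    return {tag["Key"]: tag["Value"] for tag in tag_set}


def tag_drift(live_tags, template_tags):
    """Classify differences between live and template tags."""
    added = sorted(k for k in live_tags if k not in template_tags)          # out-of-band keys
    missing = sorted(k for k in template_tags if k not in live_tags)        # keys deleted live
    changed = sorted(k for k in template_tags
                     if k in live_tags and live_tags[k] != template_tags[k])  # value edited live
    return {"added": added, "missing": missing, "changed": changed}


def get_live_tags(s3, bucket):
    """Read the bucket's tags; a bucket with no tags at all raises NoSuchTagSet, which means {}."""
    try:
        return tagset_to_dict(s3.get_bucket_tagging(Bucket=bucket)["TagSet"])
    except Exception as exc:  # botocore's ClientError exposes the AWS error code via .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchTagSet":
            return {}
        raise


def reconcile_bucket_tags(s3, bucket, template_tags=TEMPLATE_TAGS, apply=False):
    """Report tag drift for one bucket; with apply=True, overwrite the live tags with the template's."""
    drift = tag_drift(get_live_tags(s3, bucket), template_tags)
    drifted = any(drift.values())
    if drifted and apply:
        # PutBucketTagging replaces the whole tag set, so every non-template tag is removed
        s3.put_bucket_tagging(
            Bucket=bucket,
            Tagging={"TagSet": [{"Key": k, "Value": v} for k, v in sorted(template_tags.items())]},
        )
    return {"bucket": bucket, "drifted": drifted, **drift}


if __name__ == "__main__":
    import sys
    import boto3  # real client; needs credentials for the account that owns the bucket

    region, account = sys.argv[1], sys.argv[2]   # e.g. us-east-1 123456789012 (placeholder values)
    result = reconcile_bucket_tags(
        boto3.client("s3", region_name=region),
        bucket_name(region, account),
        apply="--apply" in sys.argv,
    )
    print(result)
    sys.exit(1 if result["drifted"] and "--apply" not in sys.argv else 0)
```

The default is a dry run that only reports; pass `--apply` to restore the template's tags. Because `PutBucketTagging` replaces the entire tag set, applying it also removes any tag that other tooling may have placed on the bucket, which is the reason for the explicit flag and for preferring the StackSet-level remediation described in the callout when more than one bucket is involved. After restoring the tags, re-run Detect drift as in Step 4 to confirm the instance reports IN\_SYNC.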

<Callout icon="lightbulb" color="#1CB2FE">
  Drift detection is read-only and only identifies differences. To remediate drift at scale, use StackSet operations such as Update StackSet or targeted stack instance operations to bring instances back into compliance with the template.
</Callout>

## Drift status quick reference

| Drift status | Meaning                                                            | Suggested action                                      |
| ------------ | ------------------------------------------------------------------ | ----------------------------------------------------- |
| IN\_SYNC     | Live resources match the CloudFormation template                   | No action required                                    |
| DRIFTED      | One or more resources in a stack instance differ from the template | Investigate and reconcile (manual or StackSet update) |
| NOT\_CHECKED | Detection has not been run for the StackSet or instance            | Run Detect drift from the console or API              |

## References

* [CloudFormation drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html)
* [StackSets overview and management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html)
* [S3 bucket resource documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html)

That completes this demo on using CloudFormation drift detection with a StackSet.

<CardGroup>
  <Card title="Watch Video" icon="video" cta="Learn more" href="https://learn.kodekloud.com/user/courses/aws-cloud-formation/module/13ed2c0a-3a8a-45b0-870a-6c267c392190/lesson/f45148d1-edf4-4e30-8f5f-51dcda856e61" />
</CardGroup>
