In this lesson we look at StackSet drift detection in AWS CloudFormation: what it is, how it works, and the practical steps for detecting and remediating configuration drift across accounts and Regions.

StackSet drift detection applies the same mechanism as stack-level drift detection, run across every stack instance of a StackSet. When you start a drift detection operation, CloudFormation compares the live configuration of each stack instance (the individual stack deployed from the StackSet into a member account and Region) against the template that instance was deployed from and reports any resource properties that differ. An instance whose resources match the template is reported as IN_SYNC. If a resource property has been changed manually or out of band (for example, an EC2 instance type changed from t3.micro to t3.large in one account and Region), that instance is reported as DRIFTED and CloudFormation lists the specific resource properties that differ.

How StackSet drift detection works
- Scope: For each stack instance, CloudFormation compares the live configuration of the resources it manages with the expected values in that instance's stack template (the StackSet template as of the instance's last successful deployment). Drift is about resources versus the template the instance was deployed from; an instance that has not yet received the latest StackSet template is a deployment-status concern rather than drift.
- Granularity: Detection is per stack instance. A single manual change in a single account or region marks that instance as DRIFTED while other instances can remain IN_SYNC.
- Output: CloudFormation reports which resources drifted and which specific properties differ. This lets you choose to update the StackSet (or the affected instance) to restore conformity or accept the divergence.
- Consistency: Detecting drift helps enforce consistent configuration across multiple accounts and regions by flagging manual or out-of-band changes.
| Status | Meaning | Typical action |
|---|---|---|
| IN_SYNC | Deployed resources match the StackSet template for that instance | No action required |
| DRIFTED | One or more resources differ from the template | Inspect drift details and either update the StackSet/instance or accept the manual change |
| NOT_CHECKED | Drift detection has not been run for this instance | Run drift detection for the StackSet or individual instances |

Practical workflow
- Start a drift detection operation on the StackSet (`aws cloudformation detect-stack-set-drift --stack-set-name <name>`). There is nothing to enable beforehand: the operation runs drift detection against every stack instance and returns an operation ID.
- Poll the operation (`describe-stack-set-operation`) until its status is SUCCEEDED, FAILED or STOPPED. The operation details carry the StackSet-level result: the overall drift status and how many instances were drifted, in sync, or could not be checked.
- List the instances reported DRIFTED (`list-stack-instances` with a DRIFT_STATUS filter) and review the resource-level differences for each. Property-level drift belongs to the stack in the member account, so it is read there (`describe-stack-resource-drifts` against that stack's ID) with credentials for that account.
- Remediate by updating the StackSet (or only the affected instances) to the desired template, or accept the change if it is intentional.
Not all AWS resource types and properties are supported by CloudFormation drift detection. Some runtime attributes or provider-managed values are not compared, so an IN_SYNC result only covers the properties CloudFormation can check. A drift detection operation that finishes as PARTIAL_SUCCESS or FAILED has also left some instances unchecked, so treat its overall status with care. Always review the drift results and consult the CloudFormation documentation for the current list of supported resource types and limitations.
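The workflow above, end to end, as an added example; this is not code from the lesson or from AWS. It drives the boto3 CloudFormation call names and response shapes (detect_stack_set_drift, describe_stack_set_operation, list_stack_instances, describe_stack_resource_drifts), but the client is injected, and the FakeCloudFormation class, its StackSet name baseline-net, the account ID, the stack ID and the Bastion resource are all constructed for the example so it runs offline. For real use, pass boto3.client("cloudformation") from the administrator account and a factory that returns a client with credentials in each member account (for example by assuming the StackSet execution role).

```python
"""Drift-detection workflow for a CloudFormation StackSet.

Added example for this lesson, not code from the lesson or from AWS. It uses boto3's
CloudFormation call names and response shapes, with the client injected so that
FakeCloudFormation below (constructed StackSet name, IDs and responses) can stand in offline.
"""
import time

def run_drift_detection(cfn, stack_set_name, call_as="SELF", poll_seconds=0.0, max_polls=200):
    """Start a DETECT_DRIFT operation and poll it to a terminal state.
    Returns StackSetDriftDetectionDetails, the StackSet-level summary."""
    op_id = cfn.detect_stack_set_drift(StackSetName=stack_set_name, CallAs=call_as)["OperationId"]
    for _ in range(max_polls):
        op = cfn.describe_stack_set_operation(
            StackSetName=stack_set_name, OperationId=op_id, CallAs=call_as)["StackSetOperation"]
        if op["Status"] in ("SUCCEEDED", "FAILED", "STOPPED"):
            return op["StackSetDriftDetectionDetails"]
        time.sleep(poll_seconds)
    raise TimeoutError(f"drift detection {op_id} still running after {max_polls} polls")

def list_drifted_instances(cfn, stack_set_name, call_as="SELF"):
    """Page through list_stack_instances using the server-side DRIFT_STATUS filter."""
    kwargs = {"StackSetName": stack_set_name, "CallAs": call_as,
              "Filters": [{"Name": "DRIFT_STATUS", "Values": "DRIFTED"}]}
    drifted = []
    while True:
        page = cfn.list_stack_instances(**kwargs)
        drifted.extend(page.get("Summaries", []))
        if not page.get("NextToken"):
            return drifted
        kwargs["NextToken"] = page["NextToken"]

def resource_differences(member_cfn, stack_id):
    """Resource-level drift lives with the stack in the member account, so member_cfn must
    carry credentials there. One (logical id, path, expected, actual) tuple per change."""
    resp = member_cfn.describe_stack_resource_drifts(
        StackName=stack_id, StackResourceDriftStatusFilters=["MODIFIED", "DELETED"])
    diffs = []
    for res in resp["StackResourceDrifts"]:
        if res["StackResourceDriftStatus"] == "DELETED":  # removed out of band: no property list
            diffs.append((res["LogicalResourceId"], "", "present", "DELETED"))
        for d in res.get("PropertyDifferences", []):
            diffs.append((res["LogicalResourceId"], d["PropertyPath"], d["ExpectedValue"], d["ActualValue"]))
    return diffs

def drift_report(admin_cfn, member_client_for, stack_set_name):
    """Detect, summarise, then fetch property-level detail for every drifted instance.
    member_client_for(account, region) returns a client scoped to that member account."""
    details = run_drift_detection(admin_cfn, stack_set_name)
    report = {
        "drift_status": details["DriftStatus"],
        # PARTIAL_SUCCESS or FAILED means some instances were never checked, so an
        # IN_SYNC drift_status is not a clean bill of health on its own.
        "detection_status": details["DriftDetectionStatus"],
        "drifted": details["DriftedStackInstancesCount"],
        "unchecked": details["FailedStackInstancesCount"],
        "instances": [],
    }
    for inst in list_drifted_instances(admin_cfn, stack_set_name):
        member = member_client_for(inst["Account"], inst["Region"])
        report["instances"].append({
            "account": inst["Account"], "region": inst["Region"], "stack_id": inst["StackId"],
            "differences": resource_differences(member, inst["StackId"])})
    return report

class FakeCloudFormation:
    """Constructed stand-in for both admin and member clients. One of three instances
    is drifted: an EC2 instance type changed by hand from t3.micro to t3.large."""
    STACK_SET = "baseline-net"
    STACK_ID = "arn:aws:cloudformation:us-east-1:111111111111:stack/StackSet-baseline-net-1/c0ffee"

    def __init__(self):
        self.polls = 0

    def detect_stack_set_drift(self, **kw):
        return {"OperationId": "op-1"}

    def describe_stack_set_operation(self, **kw):
        self.polls += 1
        running = self.polls < 3  # the first two polls still see RUNNING
        return {"StackSetOperation": {
            "OperationId": kw["OperationId"], "Action": "DETECT_DRIFT",
            "Status": "RUNNING" if running else "SUCCEEDED",
            "StackSetDriftDetectionDetails": {
                "DriftStatus": "DRIFTED", "DriftDetectionStatus": "IN_PROGRESS" if running else "COMPLETED",
                "TotalStackInstancesCount": 3, "DriftedStackInstancesCount": 1,
                "InSyncStackInstancesCount": 2, "FailedStackInstancesCount": 0}}}

    def list_stack_instances(self, **kw):
        if "NextToken" not in kw:  # two pages so the pager is exercised
            return {"Summaries": [], "NextToken": "page-2"}
        return {"Summaries": [{"Account": "111111111111", "Region": "us-east-1",
                               "StackId": self.STACK_ID, "DriftStatus": "DRIFTED"}]}

    def describe_stack_resource_drifts(self, **kw):
        return {"StackResourceDrifts": [{
            "LogicalResourceId": "Bastion", "ResourceType": "AWS::EC2::Instance",
            "StackResourceDriftStatus": "MODIFIED",
            "PropertyDifferences": [{"PropertyPath": "/InstanceType", "DifferenceType": "NOT_EQUAL",
                                     "ExpectedValue": "t3.micro", "ActualValue": "t3.large"}]}]}
```

Calling `drift_report(fake, lambda account, region: fake, FakeCloudFormation.STACK_SET)` with `fake = FakeCloudFormation()` returns an overall DRIFTED status with one drifted instance whose only difference is `("Bastion", "/InstanceType", "t3.micro", "t3.large")`. The detection_status field is kept alongside the drift status deliberately: an operation that ends PARTIAL_SUCCESS or FAILED skipped some instances, and those instances are invisible to a DRIFT_STATUS filter.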
Remediation strategies
- Update the StackSet (update-stack-set) so that a StackSet operation pushes the desired configuration to the stack instances; a template or parameter change marks every instance OUTDATED and redeploys them all.
- Target only the affected instances by passing their accounts and Regions to update-stack-set. The two lists are combined as a cross product (every listed account in every listed Region), so instances in different account/Region pairs are best updated one Region at a time.
- CloudFormation computes an update from the new template against the last deployed one, not against the live resource, so redeploying an unchanged template does not undo drift. Either the template (or its parameters) must change the drifted property, or the resource is set back by hand and drift detection is re-run to confirm IN_SYNC.
- If the manual change is intended, document and accept it, or change the StackSet template so the new state becomes the desired state and later drift checks report IN_SYNC.
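Targeting only the drifted instances, as an added example (not code from the lesson or from AWS). It uses boto3's update_stack_set call with the client injected, so the RecordingCloudFormation stub, the StackSet name baseline-net, the template body, the DRIFTED list and the no-op wait callback are constructed for the example; with a real client, wait_for_operation would poll describe-stack-set-operation for the returned operation ID. It assumes a self-managed StackSet (service-managed StackSets address targets through DeploymentTargets rather than Accounts).

```python
"""Targeted StackSet remediation from a list of drifted instances.

Added example, not code from the lesson or AWS. Uses boto3's update_stack_set call
name and arguments; the client is injected so RecordingCloudFormation below can
replace it. StackSet name, template and drifted instances are constructed.
"""
from collections import defaultdict

def remediation_targets(drifted_instances):
    """Group drifted instances by Region. update_stack_set takes Accounts and Regions as
    two lists and updates their cross product, so {A in us-east-1, B in eu-west-1} in one
    call would also redeploy A in eu-west-1 and B in us-east-1. One call per Region avoids that."""
    by_region = defaultdict(set)
    for inst in drifted_instances:
        by_region[inst["Region"]].add(inst["Account"])
    return {region: sorted(accounts) for region, accounts in sorted(by_region.items())}

def push_template(cfn, stack_set_name, template_body, drifted_instances, wait_for_operation,
                  max_concurrent=1, failure_tolerance=0, call_as="SELF"):
    """Deploy template_body to the drifted instances only, one operation per Region;
    returns {region: operation id}. Assumes a self-managed StackSet (service-managed
    StackSets address targets through DeploymentTargets rather than Accounts).

    CloudFormation computes the update from the new template against the last deployed
    template, not against the live resource: a template identical to the one already
    deployed produces no change for the drifted resource and leaves the drift in place,
    so template_body has to change the drifted property for this to restore conformity."""
    ops = {}
    for region, accounts in remediation_targets(drifted_instances).items():
        resp = cfn.update_stack_set(
            StackSetName=stack_set_name, TemplateBody=template_body,
            Accounts=accounts, Regions=[region],
            OperationPreferences={"MaxConcurrentCount": max_concurrent,        # one account at a time
                                  "FailureToleranceCount": failure_tolerance},  # stop on first failure
            CallAs=call_as)
        ops[region] = resp["OperationId"]
        # A StackSet runs one operation at a time unless ManagedExecution is enabled to queue
        # them, so the next Region's update is only issued once this one has finished.
        wait_for_operation(resp["OperationId"])
    return ops

class RecordingCloudFormation:
    """Stub that records update_stack_set calls instead of reaching AWS."""
    def __init__(self):
        self.calls = []

    def update_stack_set(self, **kw):
        self.calls.append(kw)
        return {"OperationId": f"op-{len(self.calls)}"}

# Constructed output of a drift check: three drifted instances across two Regions.
DRIFTED = [
    {"Account": "111111111111", "Region": "us-east-1"},
    {"Account": "222222222222", "Region": "eu-west-1"},
    {"Account": "333333333333", "Region": "us-east-1"},
]
```

With the constructed DRIFTED list, `remediation_targets` yields one group for eu-west-1 and one for us-east-1, and `push_template` issues two update operations rather than one that would have touched all three accounts in both Regions.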
Where to learn more
- AWS CloudFormation drift detection: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html
- AWS CloudFormation StackSets: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html