Welcome — in this lesson we’ll explore StackSet drift detection in AWS CloudFormation: what it is, how it works, and practical steps to detect and remediate configuration drift across accounts and regions. StackSet drift detection applies the same principles as standard CloudFormation drift detection but at the StackSet level. When enabled and run, CloudFormation compares each stack instance (the individual stacks deployed from a StackSet into member accounts and regions) against the StackSet template and reports any differences between the deployed resources and the template. When a stack instance matches the template, CloudFormation reports it as IN_SYNC. If a manual or out-of-band change has been made to a resource property (for example, an EC2 instance type changed from t3.micro to t3.large in one account/region), the affected stack instance is reported as DRIFTED and CloudFormation will enumerate the specific resource properties that differ.
A diagram showing AWS CloudFormation StackSet deployed to multiple Organizational Units and member accounts with stack instances in different regions. It illustrates checking those deployed stacks against the CloudFormation template to detect drift.

How StackSet drift detection works

  • Scope: For each stack instance, CloudFormation compares the live resource configuration (the properties CloudFormation manages) with the StackSet template and the recorded stack template for that instance.
  • Granularity: Detection is per stack instance. A single manual change in a single account or region marks that instance as DRIFTED while other instances can remain IN_SYNC.
  • Output: CloudFormation reports which resources drifted and which specific properties differ. This lets you choose to update the StackSet (or the affected instance) to restore conformity or accept the divergence.
  • Consistency: Detecting drift helps enforce consistent configuration across multiple accounts and regions by flagging manual or out-of-band changes.
Key statuses and recommended actions:
Status       | Meaning                                                          | Typical action
IN_SYNC      | Deployed resources match the StackSet template for that instance | No action required
DRIFTED      | One or more resources differ from the template                   | Inspect drift details and either update the StackSet/instance or accept the manual change
NOT_CHECKED  | Drift detection has not been run for this instance               | Run drift detection for the StackSet or individual instances
A presentation slide titled "StackSet Drift Detection" showing two cards: one about detecting manual changes that can cause configuration inconsistencies, and the other about ensuring consistency across multiple stacks and environments.

Practical workflow

  1. Enable drift detection for your StackSet (drift detection runs against stack instances).
  2. Start drift detection for the StackSet.
  3. Monitor the drift detection operation status and review the detected differences by instance and resource.
  4. Remediate by updating the StackSet (or the individual stack instance) to match the desired template, or accept the change if appropriate.
Example CLI commands (start detection and check status):
# Start drift detection for a StackSet (the response returns an OperationId)
aws cloudformation detect-stack-set-drift --stack-set-name MyStackSet

# Check the status of the drift detection operation (use the returned operation ID);
# the response includes StackSetDriftDetectionDetails with the aggregate drift status and instance counts
aws cloudformation describe-stack-set-operation --stack-set-name MyStackSet --operation-id <operation-id>
For detailed per-instance drift results and remediation steps, consult the CloudFormation console or the API/CLI documentation linked below.
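The start-poll-review workflow above, as an added example that is not part of the lesson: it starts detection, polls the operation until it reaches a terminal state, then groups every stack instance by its DriftStatus. It assumes boto3-style cloudformation calls (detect_stack_set_drift, describe_stack_set_operation, list_stack_instances); the FakeCloudFormation class is a constructed stand-in so the script runs offline, and a real boto3 client can be passed in its place.

```python
import time

def run_drift_detection(client, stack_set_name, poll_seconds=0, max_polls=10):
    """Start drift detection, poll the operation to completion, return its drift details."""
    op_id = client.detect_stack_set_drift(StackSetName=stack_set_name)["OperationId"]
    for _ in range(max_polls):
        op = client.describe_stack_set_operation(
            StackSetName=stack_set_name, OperationId=op_id)["StackSetOperation"]
        if op["Status"] in ("SUCCEEDED", "FAILED", "STOPPED"):  # terminal states
            return op["StackSetDriftDetectionDetails"]  # aggregate DriftStatus + counts
        time.sleep(poll_seconds)
    raise TimeoutError(f"drift detection operation {op_id} did not finish")

def instances_by_drift_status(client, stack_set_name):
    """Group stack instances (account, region) by DriftStatus, following NextToken pages."""
    groups = {"DRIFTED": [], "IN_SYNC": [], "NOT_CHECKED": []}
    kwargs = {"StackSetName": stack_set_name}
    while True:
        page = client.list_stack_instances(**kwargs)
        for s in page["Summaries"]:
            groups[s.get("DriftStatus", "NOT_CHECKED")].append((s["Account"], s["Region"]))
        if "NextToken" not in page:
            return groups
        kwargs["NextToken"] = page["NextToken"]

class FakeCloudFormation:
    """Constructed stand-in for a boto3 cloudformation client; not real AWS responses."""
    def __init__(self):
        self.polls = 0
    def detect_stack_set_drift(self, StackSetName):
        return {"OperationId": "op-0001"}
    def describe_stack_set_operation(self, StackSetName, OperationId):
        self.polls += 1  # first poll is still RUNNING, second poll has SUCCEEDED
        done = self.polls >= 2
        return {"StackSetOperation": {
            "OperationId": OperationId, "Action": "DETECT_DRIFT",
            "Status": "SUCCEEDED" if done else "RUNNING",
            "StackSetDriftDetectionDetails": {
                "DriftDetectionStatus": "COMPLETED" if done else "IN_PROGRESS",
                "DriftStatus": "DRIFTED", "DriftedStackInstancesCount": 1,
                "InSyncStackInstancesCount": 1, "TotalStackInstancesCount": 3}}}
    def list_stack_instances(self, StackSetName, NextToken=None):
        summaries = [  # one instance per status, split across two pages
            {"Account": "111111111111", "Region": "us-east-1", "DriftStatus": "IN_SYNC"},
            {"Account": "222222222222", "Region": "eu-west-1", "DriftStatus": "DRIFTED"},
            {"Account": "333333333333", "Region": "us-east-1", "DriftStatus": "NOT_CHECKED"}]
        if NextToken is None:
            return {"Summaries": summaries[:2], "NextToken": "page-2"}
        return {"Summaries": summaries[2:]}
```

Against a real account, replace FakeCloudFormation() with boto3.client("cloudformation") from the StackSet's administrator account and use a non-zero poll_seconds.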
Not all AWS resource types and properties are supported by CloudFormation drift detection. Some runtime attributes or provider-managed values may not be compared. Always review the drift results and consult the CloudFormation documentation for the current list of supported resource types and limitations.

Remediation strategies

  • Update the StackSet template and perform a StackSet operation to push the desired configuration to all affected instances.
  • Update a single stack instance if the change should only apply to one account/region.
  • If the manual change is intended, document and accept it, or update the StackSet/template to reflect the new desired state.

Where to learn more

StackSet drift detection extends CloudFormation’s drift model from individual stacks to the distributed footprint created by StackSets, helping you detect and manage manual changes across organizational units, accounts, and regions.
