Automating CloudFormation Stack Drift Remediation Using AWS Lambda and Amazon EventBridge
To deploy resources with AWS CloudFormation, a stack template is used to specify unique configurations for each resource. Once deployed, resources can be updated through a CloudFormation stack update, or manually using the AWS console, CLI, or APIs. However, this freedom to update deployed resources outside of CloudFormation can impact the consistency of the resource configurations and should be avoided.
If a resource is nevertheless updated outside of CloudFormation, developers can use the built-in drift detection feature. Drift detection identifies stack-level and resource-level changes that make the live resource configurations differ from their definitions in the stack template. Once stack drift is detected, developers can either manually update the configurations to bring them back in sync with the stack, or build an automated solution that handles the entire drift detection and remediation process.
In this lab, you will use an AWS Lambda function and an Amazon EventBridge schedule to continuously monitor a CloudFormation stack using drift detection. When stack drift is detected, your Lambda function will automatically restore the resource settings to realign them with the settings defined in the stack template.
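The detect-then-remediate loop described above, as an added example that is not the lab's own Lambda code. It uses the real boto3 CloudFormation calls for drift detection (`detect_stack_drift`, `describe_stack_drift_detection_status`, `describe_stack_resource_drifts`); the remediation step, which re-applies the stack's previous template with `update_stack`, is an assumption about how the lab realigns resources. The `stack_name` event key, the `FakeCloudFormation` stand-in and its drifted security group (an ingress rule widened from `10.0.0.0/16` to `0.0.0.0/0`) are all constructed so the handler can run offline.

```python
"""Added example (not the lab's code): detect CloudFormation stack drift from a
Lambda handler and start a remediating stack update. The client is injected so
the logic runs offline against the constructed FakeCloudFormation below."""
import time

DETECTION_FINISHED = {"DETECTION_COMPLETE", "DETECTION_FAILED"}


def detect_drift(cfn, stack_name, poll_seconds=5, max_polls=60):
    """Start a drift detection run and poll until CloudFormation finishes it.
    Drift detection is asynchronous, so the status must be polled by id."""
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    for _ in range(max_polls):
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] in DETECTION_FINISHED:
            return status
        time.sleep(poll_seconds)
    raise TimeoutError(f"drift detection {detection_id} did not finish in time")


def drifted_resources(cfn, stack_name):
    """Resources whose live configuration differs from the template (MODIFIED or DELETED)."""
    resp = cfn.describe_stack_resource_drifts(
        StackName=stack_name, StackResourceDriftStatusFilters=["MODIFIED", "DELETED"])
    return resp["StackResourceDrifts"]


def remediate(cfn, stack_name):
    """Assumed remediation: re-apply the stack's own template with its current
    parameters so CloudFormation sets drifted properties back to declared values."""
    stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    params = [{"ParameterKey": p["ParameterKey"], "UsePreviousValue": True}
              for p in stack.get("Parameters", [])]
    return cfn.update_stack(StackName=stack_name, UsePreviousTemplate=True,
                            Parameters=params, Capabilities=["CAPABILITY_IAM"])


def handler(event, context, cfn=None, poll_seconds=5):
    """EventBridge-scheduled entry point; event["stack_name"] is a constructed input key."""
    if cfn is None:
        import boto3  # only needed when running inside Lambda
        cfn = boto3.client("cloudformation")
    stack_name = event["stack_name"]
    status = detect_drift(cfn, stack_name, poll_seconds)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    drifted = drifted_resources(cfn, stack_name) if status["StackDriftStatus"] == "DRIFTED" else []
    started = False
    if drifted:
        remediate(cfn, stack_name)
        started = True
    return {"drift_status": status["StackDriftStatus"],
            "drifted_logical_ids": [d["LogicalResourceId"] for d in drifted],
            "remediation_started": started}


class FakeCloudFormation:
    """Constructed stand-in for boto3's CloudFormation client (offline demo only)."""
    def __init__(self, drifted):
        self.drifted = drifted
        self.polls = 0
        self.updates = []

    def detect_stack_drift(self, StackName):
        return {"StackDriftDetectionId": "detect-0001"}

    def describe_stack_drift_detection_status(self, StackDriftDetectionId):
        self.polls += 1
        if self.polls < 2:  # first poll is still running, as with the real async API
            return {"DetectionStatus": "DETECTION_IN_PROGRESS", "StackDriftStatus": "NOT_CHECKED"}
        return {"DetectionStatus": "DETECTION_COMPLETE",
                "StackDriftStatus": "DRIFTED" if self.drifted else "IN_SYNC"}

    def describe_stack_resource_drifts(self, StackName, StackResourceDriftStatusFilters):
        if not self.drifted:
            return {"StackResourceDrifts": []}
        # Constructed drift: a security group ingress rule opened to the whole internet
        return {"StackResourceDrifts": [{
            "LogicalResourceId": "WebSecurityGroup",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "StackResourceDriftStatus": "MODIFIED",
            "PropertyDifferences": [{"PropertyPath": "/SecurityGroupIngress/0/CidrIp",
                                     "ExpectedValue": "10.0.0.0/16",
                                     "ActualValue": "0.0.0.0/0",
                                     "DifferenceType": "NOT_EQUAL"}]}]}

    def describe_stacks(self, StackName):
        return {"Stacks": [{"StackName": StackName,
                            "Parameters": [{"ParameterKey": "VpcId", "ParameterValue": "vpc-example"}]}]}

    def update_stack(self, StackName, **kwargs):
        self.updates.append(StackName)
        return {"StackId": f"arn:aws:cloudformation:us-east-1:123456789012:stack/{StackName}/example"}


if __name__ == "__main__":
    print(handler({"stack_name": "demo-stack"}, None, cfn=FakeCloudFormation(drifted=True), poll_seconds=0))
```

Two points worth checking before reusing this shape: CloudFormation rejects an `update_stack` whose template and parameters are unchanged with a `ValidationError` ("No updates are to be performed"), so confirm the remediation path actually applies to the resource types in scope; and the polling loop should be bounded by the Lambda timeout, since a slow detection run on a large stack is otherwise lost silently.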
Note: The general solution architecture covered in this hands-on lab can be attributed to the Implement automatic drift remediation for AWS CloudFormation using Amazon CloudWatch and AWS Lambda AWS blog post. For more architecture examples that relate to Cloud Operations and DevOps on AWS, check out the following AWS blogs:
Learning Objectives
Upon completion of this advanced-level lab, you will be able to:
- Deploy an AWS Security Group with AWS CloudFormation
- Detect unmanaged resource updates with AWS CloudFormation Drift Detection
- Create an AWS Lambda function that remediates drifted resource configurations
- Schedule automatic drift detection and remediation with an Amazon EventBridge Schedule
Intended Audience
- Candidates for the AWS Certified DevOps Engineer - Professional Exam
- DevOps Engineers
- Cloud Architects
- Software Engineers
Prerequisites
Familiarity with the following will be beneficial but is not required:
- AWS CloudFormation
- AWS Lambda
- Amazon EventBridge
The following content can be used to fulfill the prerequisite:
Updates
June 1st, 2023 - Resolved permission issue
January 10th, 2023 - Updated the lab instructions and screenshots to reflect the latest UI
Environment before
Environment after
Jun is a Cloud Labs Developer with previous experience as a Software Engineer and Cloud Developer. He holds the AWS Certified Solutions Architect and DevOps Engineer Professional certifications. He also holds the AWS Certified Solutions Architect, Developer, and SysOps Administrator Associate certifications.
Jun is focused on giving back to the growing cloud community by sharing his knowledge and experience with students and creating engaging content.