Automating CloudFormation Stack Drift Remediation Using AWS Lambda and Amazon EventBridge

Lab Steps

Logging in to the Amazon Web Services Console
Deploying a Simple AWS CloudFormation Stack
Detecting Unmanaged Resource Changes with Drift Detection
Restoring Drifted Resource Settings with AWS Lambda
Scheduling Automatic Drift Remediation with Amazon EventBridge Rules

Difficulty: Advanced
Time Limit: 1h 30m
Students: 88
Rating: 5/5

Description

To deploy resources with AWS CloudFormation, a stack template specifies the configuration of each resource. Once deployed, resources can be updated through a CloudFormation stack update, or manually using the AWS console, CLI, or APIs. However, updating deployed resources outside of CloudFormation undermines the consistency of the resource configurations and should be avoided.

That said, if an unmanaged update is made to a resource outside of CloudFormation, developers can use the built-in drift detection feature. Drift detection identifies stack-level and resource-level changes that cause resource configurations to diverge from their definitions in the stack template. Once stack drift is detected, developers can manually update the configurations to bring them back in sync with the stack, or build an automated solution that handles the entire drift detection and remediation process.

In this lab, you will use an AWS Lambda function and an Amazon EventBridge rule to continuously monitor a CloudFormation stack using drift detection. When stack drift is detected, your Lambda function will automatically restore the resource settings to realign them with the settings defined in the stack template.
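The detection half of that Lambda function, as an added example that is not the lab's own code: it starts drift detection with the CloudFormation API, polls until the detection run completes, lists every MODIFIED or DELETED resource with its expected and actual property values, and hands each one to a remediation callback. The stack name in the EventBridge event, the `describe_drift` hook and the client passed in for testing are assumptions.

```python
import time

def wait_for_drift_detection(cfn, detection_id, attempts=30, delay=2.0):
    """Poll DescribeStackDriftDetectionStatus until detection finishes or fails."""
    for _ in range(attempts):
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] == "DETECTION_COMPLETE":
            return status["StackDriftStatus"]  # DRIFTED, IN_SYNC, UNKNOWN or NOT_CHECKED
        if status["DetectionStatus"] == "DETECTION_FAILED":
            raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
        time.sleep(delay)
    raise TimeoutError("drift detection did not finish in time")

def drifted_resources(cfn, stack_name):
    """List each MODIFIED or DELETED resource with its expected/actual property values."""
    resp = cfn.describe_stack_resource_drifts(
        StackName=stack_name, StackResourceDriftStatusFilters=["MODIFIED", "DELETED"])
    return [{
        "LogicalResourceId": d["LogicalResourceId"],
        "ResourceType": d["ResourceType"],
        "Status": d["StackResourceDriftStatus"],
        "Differences": [(p["PropertyPath"], p["ExpectedValue"], p["ActualValue"])
                        for p in d.get("PropertyDifferences", [])],
    } for d in resp["StackResourceDrifts"]]

def check_and_remediate(stack_name, remediate, cfn, delay=2.0):
    """Detect drift on one stack and pass every drifted resource to remediate()."""
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    stack_status = wait_for_drift_detection(cfn, detection_id, delay=delay)
    if stack_status != "DRIFTED":
        return {"StackDriftStatus": stack_status, "Remediated": []}
    drifted = drifted_resources(cfn, stack_name)
    for resource in drifted:
        remediate(resource)  # assumed hook: restore each resource's expected settings
    return {"StackDriftStatus": stack_status,
            "Remediated": [r["LogicalResourceId"] for r in drifted]}

def describe_drift(resource):
    """Assumed default hook: report, per property, what must be restored."""
    return [f"{resource['LogicalResourceId']} {path}: restore {expected!r} (now {actual!r})"
            for path, expected, actual in resource["Differences"]]

def lambda_handler(event, context):
    """EventBridge entry point; StackName in the rule's input is an assumption."""
    import boto3  # imported lazily so the module also loads where boto3 is absent
    return check_and_remediate(event["StackName"], describe_drift,
                               boto3.client("cloudformation"))
```

Swap `describe_drift` for a function that reapplies the expected values through the resource's own service API (for a security group, its ingress rules) to turn the report into the restoration step the lab performs.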

Note: The general solution architecture covered in this hands-on lab is based on the AWS blog post "Implement automatic drift remediation for AWS CloudFormation using Amazon CloudWatch and AWS Lambda". For more architecture examples that relate to Cloud Operations and DevOps on AWS, check out the following AWS blogs:

Learning Objectives

Upon completion of this advanced level lab, you will be able to:

  • Deploy an AWS Security Group with AWS CloudFormation
  • Detect unmanaged resource updates with AWS CloudFormation Drift Detection
  • Create an AWS Lambda function that remediates drifted resource configurations
  • Schedule automatic drift detection and remediation with Amazon EventBridge Rules

Intended Audience

  • Candidates for the AWS Certified DevOps Engineer - Professional Exam
  • DevOps Engineers
  • Cloud Architects
  • Software Engineers

Prerequisites

Familiarity with the following will be beneficial but is not required:

  • AWS CloudFormation
  • AWS Lambda
  • Amazon EventBridge

The following content can be used to fulfill the prerequisite:

Updates

January 10th, 2023 - Updated the lab instructions and screenshots to reflect the latest UI

About the Author

Students: 22920
Labs: 74
Learning paths: 3

Jun is a Cloud Labs Developer with previous experience as a Software Engineer and Cloud Developer. He holds the AWS Certified Solutions Architect and DevOps Engineer Professional certifications. He also holds the AWS Certified Solutions Architect, Developer, and SysOps Administrator Associate certifications.

Jun is focused on giving back to the growing cloud community by sharing his knowledge and experience with students and creating engaging content.