May 05, 2025
How to automate drift detection in CloudFormation StackSets
Background
In this short blog post, we’ll explore how to automate AWS CloudFormation StackSet drift detection to enhance governance and security across multi-account AWS environments. At the end of the blog post, I will also provide a link to a GitHub repository with a ready-to-deploy solution written in CDK and Python.
Why should we monitor StackSet for drift?
Drift is the difference between the expected configuration defined in a CloudFormation template and the actual configuration of a deployed resource. A resource enters the drifted state when it is modified outside of CloudFormation.
StackSets are often used by security and cloud operations teams to deploy standardised infrastructure components, IAM resources for access control, and security guardrails. Automating detection and alerting helps teams proactively identify drift and address it before it becomes a security or compliance issue.
How to automatically detect drift in StackSets?
CloudFormation StackSets include a drift detection feature that must be manually triggered for each StackSet—just like with single Stacks. When triggered, CloudFormation checks every stack instance (one stack per target account and region) inside the StackSet before returning the drift status.
This process might take anywhere from minutes to hours, depending on the number of stack instances within the StackSet. Once complete, we can manually review the results in the AWS Console or by calling the describe-stack-set-operation API.
Rather than manually triggering drift detection and returning later to check the results, we can:
- Trigger drift detection on a specified schedule (e.g., every Monday at 5 AM)
- Process relevant events published to the default event bus
- Send alerts when drift is detected
Breakdown of the solution
- EventBridge Scheduler schedule(s) are configured to call the DetectStackSetDrift API operation on a set schedule
- We take advantage of events being published by CloudFormation to the default EventBridge event bus
- EventBridge rules match the events we are interested in (StackSet Operation Status Change) and send them to a Lambda function for further processing
- Inside the Lambda function’s handler, we inspect the event payload and, if the StackSet is in the DRIFTED state, publish a message to the SNS topic
The solution fully automates the process of triggering drift detection, processing results, and sending alerts when drift is detected. It is completely serverless, event-driven, and cost-free even at a high scale.
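The handler step above, written out as an added example in Python (this is illustrative code, not the code from Virtuability’s repository). It assumes the EventBridge event carries `detail.stack-set-id`, `detail.stack-set-operation-id` and `detail.status-details.status`, that the topic ARN arrives in an `SNS_TOPIC_ARN` environment variable, and that the deployment role may call `describe_stack_set_operation` and `sns:publish`. Because the status-change event only says that an operation finished, the verdict is read from `describe_stack_set_operation`, and operations other than `DETECT_DRIFT` (which emit the same event type) are skipped. The stub clients and sample event are constructed so the module runs offline.

```python
"""Lambda handler for StackSet drift alerts (added example; field names,
SNS_TOPIC_ARN and the stub data below are assumptions/constructed)."""
import json
import os
from typing import Any, Dict, Optional

DETAIL_TYPE = "CloudFormation StackSet Operation Status Change"


def parse_stackset_event(event: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Extract StackSet id, operation id and operation status from the event.
    Returns None for anything else so an over-broad rule cannot crash the handler."""
    if event.get("source") != "aws.cloudformation" or event.get("detail-type") != DETAIL_TYPE:
        return None
    detail = event.get("detail") or {}
    fields = {
        "stack_set_id": detail.get("stack-set-id"),
        "operation_id": detail.get("stack-set-operation-id"),
        "status": (detail.get("status-details") or {}).get("status"),
    }
    return fields if all(fields.values()) else None


def drift_alert(operation: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Build an alert payload from a describe_stack_set_operation result, or None.
    Only DETECT_DRIFT operations whose DriftStatus is DRIFTED produce an alert."""
    if operation.get("Action") != "DETECT_DRIFT":
        return None
    drift = operation.get("StackSetDriftDetectionDetails") or {}
    if drift.get("DriftStatus") != "DRIFTED":
        return None
    return {
        "stack_set_id": operation.get("StackSetId"),
        "operation_id": operation.get("OperationId"),
        "drift_detection_status": drift.get("DriftDetectionStatus"),
        "drifted_instances": drift.get("DriftedStackInstancesCount", 0),
        "in_sync_instances": drift.get("InSyncStackInstancesCount", 0),
        "failed_instances": drift.get("FailedStackInstancesCount", 0),
        "total_instances": drift.get("TotalStackInstancesCount", 0),
    }


def handler(event: Dict[str, Any], context: Any = None, cfn: Any = None,
            sns: Any = None, topic_arn: Optional[str] = None) -> Dict[str, Any]:
    """Lambda entry point. cfn/sns default to boto3 clients but are parameters so
    the logic can be exercised offline with stubs."""
    parsed = parse_stackset_event(event)
    if parsed is None:
        return {"action": "ignored", "reason": "not a StackSet operation status event"}
    if parsed["status"] != "SUCCEEDED":
        # Drift results are only meaningful once the operation has finished.
        return {"action": "ignored", "reason": f"operation status is {parsed['status']}"}
    if cfn is None or sns is None:
        import boto3  # lazy import: module loads without boto3 for offline tests
        cfn = cfn or boto3.client("cloudformation")
        sns = sns or boto3.client("sns")
    resp = cfn.describe_stack_set_operation(
        StackSetName=parsed["stack_set_id"], OperationId=parsed["operation_id"]
    )
    alert = drift_alert(resp.get("StackSetOperation") or {})
    if alert is None:
        return {"action": "no_alert", "stack_set_id": parsed["stack_set_id"]}
    sns.publish(
        TopicArn=topic_arn or os.environ["SNS_TOPIC_ARN"],  # assumed env var
        Subject=f"StackSet drift detected: {alert['stack_set_id']}"[:100],  # SNS limit
        Message=json.dumps(alert, indent=2),
    )
    return {"action": "alerted", **alert}


class StubCfn:
    """Constructed stand-in for the CloudFormation client."""
    def __init__(self, drift_status: str) -> None:
        self.drift_status = drift_status

    def describe_stack_set_operation(self, StackSetName: str, OperationId: str) -> Dict[str, Any]:
        drifted = 2 if self.drift_status == "DRIFTED" else 0
        return {"StackSetOperation": {
            "OperationId": OperationId, "StackSetId": StackSetName,
            "Action": "DETECT_DRIFT", "Status": "SUCCEEDED",
            "StackSetDriftDetectionDetails": {
                "DriftStatus": self.drift_status, "DriftDetectionStatus": "COMPLETED",
                "DriftedStackInstancesCount": drifted, "InSyncStackInstancesCount": 12 - drifted,
                "FailedStackInstancesCount": 0, "TotalStackInstancesCount": 12}}}


class StubSns:
    """Constructed stand-in for the SNS client; records what would be published."""
    def __init__(self) -> None:
        self.published = []

    def publish(self, **kwargs: Any) -> Dict[str, str]:
        self.published.append(kwargs)
        return {"MessageId": "constructed"}


# Constructed sample event; ids and account number are placeholders.
SAMPLE_EVENT = {
    "source": "aws.cloudformation", "detail-type": DETAIL_TYPE, "account": "111111111111",
    "detail": {"stack-set-id": "security-baseline:00000000-0000-0000-0000-000000000000",
               "stack-set-operation-id": "11111111-1111-1111-1111-111111111111",
               "status-details": {"status": "SUCCEEDED"}},
}

if __name__ == "__main__":
    sns_stub = StubSns()
    print(handler(SAMPLE_EVENT, cfn=StubCfn("DRIFTED"), sns=sns_stub,
                  topic_arn="arn:aws:sns:eu-west-1:111111111111:stackset-drift"))
    print(len(sns_stub.published), "alert(s) published")
```

The EventBridge rule feeding this handler should match `source` `aws.cloudformation` and the `detail-type` in `DETAIL_TYPE`; if the StackSet is administered from a delegated administrator account, `describe_stack_set_operation` may additionally need `CallAs="DELEGATED_ADMIN"`.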
You can find the ready-to-be-deployed solution at Virtuability’s stackset drift detection repository
Conclusion
Automating drift detection for CloudFormation StackSets is a simple way to strengthen governance and security across your AWS organization. By using EventBridge, Lambda, and SNS, you can spot and respond to configuration changes quickly—without manual effort.
References
Here are some helpful resources related to the solution: