How to automate drift detection in CloudFormation StackSets


Introduction
In this short blog post, we’ll explore how to automate AWS CloudFormation StackSet drift detection to enhance governance and security across multi-account AWS environments. At the end of the blog post, I will also provide a link to a GitHub repository with a ready-to-deploy solution written in CDK and Python.
Before we start
👋🏼 Hi! Found this helpful? Let's connect on LinkedIn! I'm always open to discussing AWS automation, governance, and security solutions with fellow AWS engineers.
https://www.linkedin.com/in/imduchy
Why should we monitor StackSets for drift?
Drift is the difference between the expected configuration defined in a CloudFormation template and the actual configuration of a deployed resource. A resource enters the drifted state when it is modified outside of CloudFormation.
StackSets are often used by security and cloud operations teams to deploy standardised infrastructure components, IAM resources for access control, and security guardrails. Automating detection and alerting helps teams proactively identify drift and address it before it becomes a security or compliance issue.
How to automatically detect drift in StackSets?
CloudFormation StackSets include a drift detection feature that must be manually triggered for each StackSet—just like with single Stacks. When triggered, CloudFormation checks every stack instance (each stack deployed per account per region) inside a StackSet before returning the drift status.
This process can take anywhere from minutes to hours, depending on the number of stack instances within the StackSet. Once complete, we can manually review the results in the AWS Console or by calling the describe-stack-set-operation API.
Rather than manually triggering drift detection and returning later to check the results, we can:
Trigger drift detection on a specified schedule (e.g., every Monday at 5 AM)
Process relevant events published to the default event bus
Send alerts when drift is detected
Breakdown of the solution
EventBridge scheduler(s) are configured to call the detectStackSetDrift operation on a set schedule.
We take advantage of the events CloudFormation publishes to the default EventBridge event bus.
EventBridge rules filter for the events we are interested in (StackSet Operation Status Change) and send them to a Lambda function for further processing.
Inside the Lambda function’s handler method, we inspect the event payload and, if the StackSet is in the DRIFTED state, publish a message to the SNS topic.
The solution fully automates the process of triggering drift detection, processing results, and sending alerts when drift is detected. It is completely serverless, event-driven, and cost-free even at a high scale.
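To make the Lambda step concrete, here is an added example handler that is not the code from the linked GitHub repository. It implements the flow described above: the EventBridge rule forwards a StackSet Operation Status Change event, the handler looks up the operation with DescribeStackSetOperation, and it publishes to SNS only when the StackSet's DriftStatus is DRIFTED. The field names under the event's detail (stack-set-id, operation-id, action, status-details.status), the environment variable names, the sample event and the fake clients are assumptions constructed for this example; verify the event shape against a real event before deploying. The DescribeStackSetOperation response keys follow the boto3 response shape.

```python
import json
import os

# Event pattern the EventBridge rule is assumed to use (not from the page).
RULE_EVENT_PATTERN = {
    "source": ["aws.cloudformation"],
    "detail-type": ["CloudFormation StackSet Operation Status Change"],
}


def is_completed_drift_detection(event: dict) -> bool:
    """True only for a finished DETECT_DRIFT operation; other actions are ignored."""
    detail = event.get("detail", {})
    status = detail.get("status-details", {}).get("status")
    return detail.get("action") == "DETECT_DRIFT" and status == "SUCCEEDED"


def summarize_drift(operation: dict):
    """Build an alert payload from a DescribeStackSetOperation response, or None if IN_SYNC."""
    op = operation["StackSetOperation"]
    drift = op.get("StackSetDriftDetectionDetails", {})
    if drift.get("DriftStatus") != "DRIFTED":
        return None
    # The counts let the alert say how many instances drifted and how many could not be checked.
    return {
        "stack_set_id": op["StackSetId"],
        "operation_id": op["OperationId"],
        "drifted_instances": drift.get("DriftedStackInstancesCount", 0),
        "failed_checks": drift.get("FailedStackInstancesCount", 0),
        "total_instances": drift.get("TotalStackInstancesCount", 0),
    }


def handler(event, context=None, cfn=None, sns=None):
    """Lambda entry point. Clients are injectable so the logic can run offline."""
    if cfn is None or sns is None:
        import boto3  # real clients only when running inside Lambda
        cfn = cfn or boto3.client("cloudformation")
        sns = sns or boto3.client("sns")
    if not is_completed_drift_detection(event):
        return {"alerted": False, "reason": "not a completed drift detection"}

    detail = event["detail"]
    operation = cfn.describe_stack_set_operation(
        StackSetName=detail["stack-set-id"],
        OperationId=detail["operation-id"],
        CallAs=os.environ.get("CALL_AS", "SELF"),  # DELEGATED_ADMIN when run from a delegated admin account
    )
    alert = summarize_drift(operation)
    if alert is None:
        return {"alerted": False, "reason": "IN_SYNC"}

    sns.publish(
        TopicArn=os.environ.get("TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER-TOPIC"),
        Subject=f"StackSet drift detected: {alert['stack_set_id'][:60]}",
        Message=json.dumps(alert, indent=2),
    )
    return {"alerted": True, **alert}


# --- Constructed sample data and fake clients so the example runs without AWS ---
SAMPLE_EVENT = {
    "source": "aws.cloudformation",
    "detail-type": "CloudFormation StackSet Operation Status Change",
    "detail": {
        "stack-set-id": "security-baseline:00000000-0000-0000-0000-000000000000",
        "operation-id": "11111111-1111-1111-1111-111111111111",
        "action": "DETECT_DRIFT",
        "status-details": {"status": "SUCCEEDED"},
    },
}
SAMPLE_OPERATION = {
    "StackSetOperation": {
        "OperationId": "11111111-1111-1111-1111-111111111111",
        "StackSetId": "security-baseline:00000000-0000-0000-0000-000000000000",
        "Action": "DETECT_DRIFT",
        "Status": "SUCCEEDED",
        "StackSetDriftDetectionDetails": {
            "DriftStatus": "DRIFTED",
            "DriftDetectionStatus": "COMPLETED",
            "TotalStackInstancesCount": 12,
            "DriftedStackInstancesCount": 2,
            "InSyncStackInstancesCount": 10,
            "FailedStackInstancesCount": 0,
        },
    }
}


class FakeCloudFormation:
    def __init__(self, response):
        self.response = response

    def describe_stack_set_operation(self, **kwargs):
        return self.response


class FakeSns:
    def __init__(self):
        self.published = []  # records every publish call for inspection

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed"}


def run_offline_demo():
    """Run the handler end to end against the constructed data; returns (result, published)."""
    sns = FakeSns()
    result = handler(SAMPLE_EVENT, cfn=FakeCloudFormation(SAMPLE_OPERATION), sns=sns)
    return result, sns.published


if __name__ == "__main__":
    print(json.dumps(run_offline_demo(), indent=2))
```

The handler deliberately alerts only on a SUCCEEDED DETECT_DRIFT operation; a FAILED detection run or any other StackSet operation returns early with a reason, so the SNS topic only receives drift findings. Wire the rule with the pattern in RULE_EVENT_PATTERN and give the function's role cloudformation:DescribeStackSetOperation and sns:Publish on the topic, and nothing more.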
You can find the ready-to-be-deployed solution at https://github.com/imduchy/stackset-drift-detection.
Conclusion
Automating drift detection for CloudFormation StackSets is a simple way to strengthen governance and security across your AWS organization. By using EventBridge, Lambda, and SNS, you can spot and respond to configuration changes quickly—without manual effort.
✋🏼 Before you go
If you have any questions or want to share your own experiences, feel free to reach out or connect on LinkedIn. And don’t forget to check out the GitHub repo for the full, ready-to-deploy implementation!
Written by

Jakub Duchoň
Hi, I'm Jakub 👋🏼 I'm an AWS consultant and full-stack developer, currently working as an AWS consultant. I've been involved in AWS since the beginning of my career, working primarily in "cloud enablement" teams, focusing on identity and access management, landing zones, governance, security, automation, and DevOps. Occasionally, I write about the interesting things I came across while helping clients on their AWS journey. This blog is where I share lessons learned, ideas, and tips, hoping some find it useful.