(Not v important for the exam)

What’s drift?

• Modifying stuff in the stack, but not from the template
• Now CF template doesn’t reflect topology of the stack
• This is bad for disaster recovery (DR)
• E.g. adding an EIP to ec2 instance, but not in template
  • Deletion will fail

How to detect + avoid drift?

• AWS Config:
  • Run config rule: cloudformation-stack-drift-detection-check
  • Slap some SNS on it
• Limit who can change stack resources