hands-on lab

Automating CloudFormation Stack Drift Remediation Using AWS Lambda and Amazon EventBridge

Difficulty: Advanced
Duration: Up to 1 hour and 30 minutes
Students: 234
Rating: 5/5
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.

Description

To deploy resources with AWS CloudFormation, a stack template is used to specify unique configurations for each resource. Once deployed, resources can be updated through a CloudFormation stack update, or manually using the AWS console, CLI, or APIs. However, this freedom to update deployed resources outside of CloudFormation can impact the consistency of the resource configurations and should be avoided.

With that being said, if an unmanaged update occurs to a resource outside of CloudFormation, developers can utilize the built-in drift detection feature. Drift detection can be used to detect stack and resource level changes that misalign resource configurations from their definitions in the stack template. Once stack drift is detected, developers can manually update the configurations to bring them back in sync with a stack or develop an automated solution to handle the entire drift detection and remediation process.

In this lab, you will use an AWS Lambda function and an Amazon EventBridge schedule, to continuously monitor a CloudFormation stack using drift detection. When stack drift is detected, your Lambda function will automatically restore the resource settings to realign them with the settings defined in the stack template.

Note: The general solution architecture covered in this hands-on lab can be attributed to the Implement automatic drift remediation for AWS CloudFormation using Amazon CloudWatch and AWS Lambda AWS blog post. For more architecture examples that relate to Cloud Operations and DevOps on AWS, check out the following AWS blogs:

Learning Objectives

Upon completion of this advanced-level lab, you will be able to:

  • Deploy an AWS Security Group with AWS CloudFormation
  • Detect unmanaged resource updates with AWS CloudFormation Drift Detection
  • Create an AWS Lambda function that remediates drifted resource configurations
  • Schedule automatic drift detection and remediation with an Amazon EventBridge Schedule

Intended Audience

  • Candidates for the AWS Certified DevOps Engineer - Professional Exam
  • DevOps Engineers
  • Cloud Architects
  • Software Engineers

Prerequisites

Familiarity with the following will be beneficial but is not required:

  • AWS CloudFormation
  • AWS Lambda
  • Amazon EventBridge

The following content can be used to fulfill the prerequisite:

Updates

June 1st, 2023 - Resolved permission issue

January 10th, 2023 - Updated the lab instructions and screenshots to reflect the latest UI

Environment before

Environment after

Covered topics

Lab steps

Logging In to the Amazon Web Services Console
Deploying a Simple AWS CloudFormation Stack
Detecting Unmanaged Resource Changes with Drift Detection
Restoring Drifted Resource Settings with AWS Lambda
Scheduling Automatic Drift Remediation with the Amazon EventBridge Scheduler