

# Set up CloudFormation drift detection in a multi-Region, multi-account organization
Set up drift detection and reporting

*Ram Kandaswamy, Amazon Web Services*

## Summary


Amazon Web Services (AWS) users often look for an efficient way to detect resource configuration mismatches, including drift in AWS CloudFormation stacks, and fix them as soon as possible. This is especially the case when AWS Control Tower is used.

This pattern provides a prescriptive solution that efficiently solves the problem by using consolidated resource configuration changes and acting on those changes to generate results. The solution is designed for scenarios where there are several CloudFormation stacks created in more than one AWS Region, or in more than one account, or a combination of both. The goals of the solution are the following:
+ Simplify the drift detection process
+ Set up notification and alerting
+ Set up consolidated reporting

## Prerequisites and limitations


**Prerequisites**
+ AWS Config enabled in all the Regions and accounts that must be monitored

**Limitations**
+ The report generated supports only the comma-separated values (CSV) and JSON output formats.

## Architecture


The following diagram shows AWS Organizations set up with multiple accounts. AWS Config rules communicate between the accounts.  

![Five-step process for monitoring stacks in two AWS Organizations accounts.](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/735d0987-b953-47f8-a9bc-b02a88957ee5/images/340cee9a-5a4e-49ea-bd73-d37dcea5e098.png)


The workflow includes the following steps:

1. The AWS Config rule detects drift.
2. Drift detection results that are found in other accounts are sent to the management account.
3. The Amazon CloudWatch rule calls an AWS Lambda function.
4. The Lambda function queries the AWS Config rule for aggregated results.
5. The Lambda function notifies Amazon Simple Notification Service (Amazon SNS), which sends email notification of the drift.

**Automation and scale**

The solution presented here can scale for both additional Regions and accounts.

## Tools


**AWS services**
+ [AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
+ [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) helps you monitor the metrics of your AWS resources and the applications you run on AWS in real time.
+ [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.
+ [Amazon Simple Notification Service (Amazon SNS)](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) helps you coordinate and manage the exchange of messages between publishers and clients, including web servers and email addresses.

## Epics


### Automate drift detection for CloudFormation



| Task | Description | Skills required | 
| --- | --- | --- | 
| Create the aggregator. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-aws-cloudformation-drift-detection-in-a-multi-region-multi-account-organization.html) | Cloud architect | 
| Create an AWS managed rule. | Add the `cloudformation-stack-drift-detection-check` AWS managed rule. The rule needs one parameter value: `cloudformationArn`. Enter the IAM role Amazon Resource Name (ARN) that has permissions to detect stack drift. The role must have a trust policy that enables AWS Config to assume the role. | Cloud architect | 
| Create the advanced query section of the aggregator. | To fetch drifted stacks from multiple sources, create the following query:<pre>SELECT resourceId, configuration.driftInformation.stackDriftStatus WHERE resourceType = 'AWS::CloudFormation::Stack'  AND configuration.driftInformation.stackDriftStatus IN ('DRIFTED')</pre> | Cloud architect, Developer | 
| Automate running the query and publish. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-aws-cloudformation-drift-detection-in-a-multi-region-multi-account-organization.html) | Cloud architect, Developer | 
| Create a CloudWatch rule. | Create a schedule-based CloudWatch rule to call the Lambda function, which is responsible for alerting. | Cloud architect | 
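
The following Lambda function is an added example of the "Automate running the query and publish" and "Create a CloudWatch rule" tasks; it is not the pattern's own code or part of the attachment. It runs the aggregator query from the table above, follows `NextToken` pagination, renders the result as CSV or JSON (the two formats the pattern supports), and publishes the report to an SNS topic. The query is extended beyond the one in the table to also select `accountId` and `awsRegion`, so the report names the source account and Region of each drifted stack in the aggregated view. The environment variable names `AGGREGATOR_NAME`, `SNS_TOPIC_ARN` and `REPORT_FORMAT`, and the sample result rows, are assumptions made for this example.

```python
"""Added example: scheduled Lambda that reports drifted CloudFormation stacks
from an AWS Config aggregator and notifies SNS. Environment variable names and
sample data below are assumptions for this example, not from the pattern."""
import csv
import io
import json
import os

# Query from the pattern's Epics table, extended with accountId and awsRegion
# so a multi-account, multi-Region report identifies where each stack lives.
DRIFT_QUERY = (
    "SELECT resourceId, accountId, awsRegion, "
    "configuration.driftInformation.stackDriftStatus "
    "WHERE resourceType = 'AWS::CloudFormation::Stack' "
    "AND configuration.driftInformation.stackDriftStatus IN ('DRIFTED')"
)

FIELDS = ["accountId", "region", "stackId", "driftStatus"]

# Constructed sample rows in the shape select_aggregate_resource_config returns
# (each result is a JSON string); account IDs and stack names are placeholders.
SAMPLE_RESULTS = [
    json.dumps({
        "resourceId": "arn:aws:cloudformation:us-east-1:111111111111:stack/app-stack/EXAMPLE-1",
        "accountId": "111111111111", "awsRegion": "us-east-1",
        "configuration": {"driftInformation": {"stackDriftStatus": "DRIFTED"}},
    }),
    json.dumps({
        "resourceId": "arn:aws:cloudformation:eu-west-1:222222222222:stack/net-stack/EXAMPLE-2",
        "accountId": "222222222222", "awsRegion": "eu-west-1",
        "configuration": {"driftInformation": {"stackDriftStatus": "DRIFTED"}},
    }),
]


def parse_results(raw_rows):
    """Turn the JSON strings returned by the aggregator query into flat dicts.
    Missing fields default to 'UNKNOWN' so one malformed row cannot suppress
    the alert for all the others."""
    rows = []
    for raw in raw_rows:
        item = json.loads(raw)
        drift = item.get("configuration", {}).get("driftInformation", {})
        rows.append({
            "accountId": item.get("accountId", "UNKNOWN"),
            "region": item.get("awsRegion", "UNKNOWN"),
            "stackId": item.get("resourceId", "UNKNOWN"),
            "driftStatus": drift.get("stackDriftStatus", "UNKNOWN"),
        })
    return rows


def render_report(rows, fmt="csv"):
    """Render the report as CSV or JSON; any other format is rejected."""
    fmt = fmt.lower()
    if fmt == "json":
        return json.dumps({"driftedStackCount": len(rows), "stacks": rows}, indent=2)
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        return buf.getvalue()
    raise ValueError("unsupported report format: %s (use csv or json)" % fmt)


def fetch_drifted_stacks(config_client, aggregator_name):
    """Run DRIFT_QUERY against the aggregator, reading every page of results."""
    raw_rows = []
    kwargs = {"Expression": DRIFT_QUERY, "ConfigurationAggregatorName": aggregator_name}
    while True:
        resp = config_client.select_aggregate_resource_config(**kwargs)
        raw_rows.extend(resp.get("Results", []))
        token = resp.get("NextToken")
        if not token:
            return raw_rows
        kwargs["NextToken"] = token


def lambda_handler(event, context):
    """Entry point called by the schedule-based CloudWatch rule."""
    import boto3  # imported here so the pure helpers above run without boto3

    aggregator = os.environ["AGGREGATOR_NAME"]          # assumed variable name
    topic_arn = os.environ["SNS_TOPIC_ARN"]             # assumed variable name
    fmt = os.environ.get("REPORT_FORMAT", "csv")        # assumed variable name

    rows = parse_results(fetch_drifted_stacks(boto3.client("config"), aggregator))
    if not rows:
        return {"driftedStackCount": 0, "notified": False}

    boto3.client("sns").publish(
        TopicArn=topic_arn,
        Subject="CloudFormation drift detected in %d stack(s)" % len(rows),
        Message=render_report(rows, fmt),
    )
    return {"driftedStackCount": len(rows), "notified": True}
```

The Lambda execution role needs `config:SelectAggregateResourceConfig` on the aggregator and `sns:Publish` on the topic, and nothing else; keeping the function read-only against Config means a compromised or misconfigured reporter cannot alter the rule or the aggregator it reads from.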

## Related resources


**Resources**
+ [What Is AWS Config?](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html)
+ [Multi-account multi-Region data aggregation](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html)
+ [Detecting unmanaged configuration changes to stacks and resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html)
+ [IAM: Pass an IAM role to a specific AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html)
+ [What is Amazon SNS?](https://docs.aws.amazon.com/sns/latest/dg/welcome.html)

## Additional information


**Considerations**

We recommend using the solution presented in this pattern instead of custom solutions that call the drift detection API at fixed intervals for each CloudFormation stack or stack set. Such custom solutions generate a large number of API calls, which affects performance and can cause throttling. Another potential issue is a delay in detection if resource changes are identified on a schedule only, rather than when AWS Config records the change.

Because stack sets are made up of stacks, this solution also covers stack sets. Stack instance details are available as part of the solution as well.

## Attachments


To access additional content that is associated with this document, unzip the following file: [attachment.zip](samples/p-attach/735d0987-b953-47f8-a9bc-b02a88957ee5/attachments/attachment.zip)