Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.3.2.5. Remediating a Non-Desired System State


When your system drifts from its desired state — whether from manual changes, failed deployments, or configuration corruption — you need automated mechanisms to detect and correct the drift.

Detection mechanisms:
  • CloudFormation drift detection: Compares actual resource configuration against the template
  • Config rules: Continuously evaluate resource compliance
  • SSM State Manager: Checks association compliance on schedule
  • Terraform plan: Shows differences between state file and actual infrastructure
Remediation strategies by drift type:
| Drift Type                          | Detection                            | Remediation                              |
|-------------------------------------|--------------------------------------|------------------------------------------|
| CloudFormation resource modified    | CFN drift detection                  | Stack update to revert changes           |
| Security group rule added manually  | Config rule restricted-ssh           | SSM Automation removes rule              |
| Instance missing required package   | State Manager association failure    | State Manager re-applies on next run     |
| S3 bucket encryption disabled       | Config rule s3-bucket-encryption     | Lambda enables encryption                |
| Tags missing on new resource        | Config rule + tag policy             | Lambda applies default tags              |
CloudFormation drift remediation:

```bash
# Detect drift (asynchronous; the call returns a StackDriftDetectionId)
aws cloudformation detect-stack-drift --stack-name MyStack

# Poll with the returned id until DetectionStatus is DETECTION_COMPLETE
aws cloudformation describe-stack-drift-detection-status \
  --stack-drift-detection-id <StackDriftDetectionId>

# After detection completes, review drifted resources
aws cloudformation describe-stack-resource-drifts \
  --stack-name MyStack \
  --stack-resource-drift-status-filters MODIFIED DELETED

# Remediate by updating the stack (reimports actual state or reverts)
# Note: with an unchanged template and parameters CloudFormation replies
# "No updates are to be performed"; reverting a drifted property needs a
# template or parameter change that touches that property.
aws cloudformation update-stack --stack-name MyStack \
  --use-previous-template
```

Exam Trap: CloudFormation can detect drift but cannot automatically remediate it. Drift detection shows what changed; you must decide whether to update the template to match reality (accept the drift) or update the stack to revert the change (reject the drift). If the exam asks about automatic drift remediation, the answer is Config rules + SSM Automation, not CloudFormation drift detection alone.
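The "Security group rule added manually" row and the Exam Trap above describe the automated path: a Config rule (restricted-ssh) flags the group and an automation removes the offending rule. The following is an added illustration of that remediation logic, not MindMesh Academy's code and not AWS's managed remediation; the security group JSON is a constructed sample with a placeholder group id, and boto3 is an assumed runtime dependency that is only needed when the function talks to a real account.

```python
import ipaddress

SSH_PORT = 22
# Constructed sample of one ec2.describe_security_groups() entry (placeholder id)
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 30,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

def _covers_ssh(perm):
    if perm["IpProtocol"] == "-1":  # all protocols/ports, so 22 is included
        return True
    return perm["IpProtocol"] == "tcp" and perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)

def _is_unrestricted(cidr):
    # 0.0.0.0/0 and ::/0 are the only prefixes of length 0
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_open_ssh_rules(group):
    """Build the IpPermissions list for revoke_security_group_ingress that removes
    only world-open SSH ranges, leaving e.g. the 10.0.0.0/8 entry in place."""
    revoke = []
    for perm in group["IpPermissions"]:
        if not _covers_ssh(perm):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if _is_unrestricted(r["CidrIp"])]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if _is_unrestricted(r["CidrIpv6"])]
        if v4 or v6:
            entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            entry.update({k: v for k, v in (("IpRanges", v4), ("Ipv6Ranges", v6)) if v})
            revoke.append(entry)
    return revoke

def remediate(group_id, ec2=None):
    """Automation entry point (Lambda/SSM). boto3 is an assumed runtime dependency,
    imported lazily so the module loads offline; ec2 may be injected for testing."""
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    to_revoke = find_open_ssh_rules(group)
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
    return to_revoke
```

Revoking only the matching ranges, rather than the whole rule, is what keeps the remediation from itself causing drift in the ranges that were legitimately allowed.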

Written by Alvin Varughese, Founder, 15 professional certifications