Which solution will meet this requirement?
Add a Conditions section statement in the source YAML file of the template. Run the CloudFormation stack.
Perform a drift detection operation on the CloudFormation stack.
Execute a change set for the CloudFormation stack.
Use Amazon Detective to detect the modifications.
Explanations:
Adding a Conditions section to the CloudFormation template does not track or report changes made to resources after the stack was created. Conditions only control whether resources are created, or which property values they receive, when the stack is deployed or updated; they cannot observe how existing resources have been altered post-deployment.
Performing a drift detection operation on the CloudFormation stack compares the current, actual configuration of each resource in the stack with the expected configuration defined in the stack's template. This identifies out-of-band modifications made to the security groups (or to any other stack resource) outside of CloudFormation.
Executing a change set for the CloudFormation stack allows users to preview changes that will be made if the stack is updated. However, it does not provide information on modifications made outside of CloudFormation after the stack was created. Change sets are primarily for planned updates, not for detecting existing changes.
Amazon Detective is a service that helps analyze and investigate security issues and suspicious activity in AWS environments, but it is not designed to detect configuration changes in resources such as security groups. It focuses on security incident investigation rather than on resource configuration tracking.