Which solution will meet these requirements?
Configure the existing EventBridge rule to also target the SNS topic. Configure an SNS subscription filter policy to match the CloudFormation stack. Attach the subscription filter policy to the SNS topic.
Create a second Lambda function to query the CloudFormation API for the drift detection results for the stack. Configure the second Lambda function to publish a message to the SNS topic if drift is detected. Adjust the existing EventBridge rule to also target the second Lambda function.
Configure Amazon GuardDuty in the account with drift detection for all CloudFormation stacks. Create a second EventBridge rule that reacts to the GuardDuty drift detection event finding for the specific CloudFormation stack. Configure the SNS topic as a target of the second EventBridge rule.
Configure AWS Config in the account. Use the cloudformation-stack-drift-detection-check managed rule. Create a second EventBridge rule that reacts to a compliance change event for the CloudFormation stack. Configure the SNS topic as a target of the second EventBridge rule.
Explanations:
The EventBridge rule cannot directly target the SNS topic in this context to send drift detection notifications. An SNS subscription filter policy is not suitable for filtering drift detection results from CloudFormation.
Adding a second Lambda function to query CloudFormation’s drift detection API introduces unnecessary complexity. The existing Lambda already initiates the drift detection, and there is no need for a second Lambda function.
GuardDuty does not offer drift detection for CloudFormation stacks. GuardDuty focuses on security threats, not configuration drift detection for CloudFormation.
AWS Config’s cloudformation-stack-drift-detection-check rule monitors CloudFormation stack drift. Using an EventBridge rule to react to compliance changes and targeting an SNS topic provides real-time notifications for drift detection events.
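As an added illustration of the AWS Config option (not part of the original question and not an AWS-provided template), the CloudFormation snippet below wires the managed drift rule to an EventBridge rule that matches Config compliance-change events for one stack and publishes them to an SNS topic. It assumes a Config recorder is already enabled in the account, and that the monitored stack name and the IAM role Config uses to run drift detection are supplied as parameters (both are assumed names):

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example, not from the page. Config drift rule -> EventBridge -> SNS.
Parameters:
  MonitoredStackName:
    Type: String          # assumed: name of the stack to watch for drift
  ConfigCloudFormationRoleArn:
    Type: String          # assumed: role Config assumes to call drift detection
Resources:
  DriftRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudformation-stack-drift-detection-check
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
      InputParameters:
        cloudformationRoleArn: !Ref ConfigCloudFormationRoleArn
      Scope:
        ComplianceResourceTypes: ["AWS::CloudFormation::Stack"]
  DriftTopic:
    Type: AWS::SNS::Topic
  DriftTopicPolicy:       # EventBridge needs permission to publish to the topic
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref DriftTopic]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sns:Publish
            Resource: !Ref DriftTopic
  DriftComplianceChangeRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source: [aws.config]
        detail-type: [Config Rules Compliance Change]
        detail:
          configRuleName: [cloudformation-stack-drift-detection-check]
          resourceType: ["AWS::CloudFormation::Stack"]
          # Config records a stack under its ARN; a prefix match pins the rule to one stack
          resourceId:
            - prefix: !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${MonitoredStackName}/"
          newEvaluationResult:
            complianceType: [NON_COMPLIANT]
      Targets:
        - Arn: !Ref DriftTopic
          Id: drift-topic
```

Dropping the `newEvaluationResult` clause would also notify when the stack returns to COMPLIANT, which is useful if you want to confirm that drift was remediated.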