Which solution will meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A DevOps engineer has developed an AWS Lambda function.The Lambda function starts an AWS CloudFormation drift detection operation on all supported resources for a specific CloudFormation stack.The Lambda function then exits its invocation.The DevOps engineer has created an Amazon EventBridge scheduled rule that invokes the Lambda function every hour.An Amazon Simple Notification Service (Amazon SNS) topic already exists in the AWS account.The DevOps engineer has subscribed to the SNS topic to receive notifications.The DevOps engineer needs to receive a notification as soon as possible when drift is detected in this specific stack configuration.

Which solution will meet these requirements?

Configure the existing EventBridge rule to also target the SNS topic. Configure an SNS subscription filter policy to match the CloudFormation stack. Attach the subscription filter policy to the SNS topic.

Create a second Lambda function to query the CloudFormation API for the drift detection results for the stack. Configure the second Lambda function to publish a message to the SNS topic if drift is detected. Adjust the existing EventBridge rule to also target the second Lambda function.

Configure Amazon GuardDuty in the account with drift detection for all CloudFormation stacks. Create a second EventBridge rule that reacts to the GuardDuty drift detection event finding for the specific CloudFormation stack. Configure the SNS topic as a target of the second EventBridge rule.

Configure AWS Config in the account. Use the cloudformation-stack-drift-detection-check managed rule. Create a second EventBridge rule that reacts to a compliance change event for the CloudFormation stack. Configure the SNS topic as a target of the second EventBridge rule.

Explanations:

The EventBridge rule cannot directly target the SNS topic in this context to send drift detection notifications. An SNS subscription filter policy is not suitable for filtering drift detection results from CloudFormation.

Adding a second Lambda function to query CloudFormation’s drift detection API introduces unnecessary complexity. The existing Lambda already initiates the drift detection, and there is no need for a second Lambda function.

GuardDuty does not offer drift detection for CloudFormation stacks. GuardDuty focuses on security threats, not configuration drift detection for CloudFormation.

AWS Config’scloudformation-stack-drift-detection-checkrule monitors CloudFormation stack drift. Using an EventBridge rule to react to compliance changes and targeting an SNS topic provides real-time notifications for drift detection events.

2025-10-08

1 Comment

  1. Mark
    Author

    As I understand it, the answer is:
    Configure AWS Config in the account. Use the cloudformation-stack-drift-detection-check managed rule. Create a second EventBridge rule that reacts to a compliance change event for the CloudFormation stack. Configure the SNS topic as a target of the second EventBridge rule.

Leave a Reply

Your email address will not be published. Required fields are marked *

19 − 4 =