Which strategy should be used to meet these requirements?
Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.
Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.
Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.
Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge notifications to detect when resources have drifted from their expected state.
Explanations:
CloudFormation drift detection can detect changes in resources but does not continuously monitor for drift. It needs to be triggered manually or on a schedule, and it does not provide automated alerts.
While AWS Config rules can detect configuration changes in resources, this option lacks constraints that enforce pre-approved templates, making it less secure for controlled resource deployment.
AWS Service Catalog allows for controlled deployment using pre-approved templates, and AWS Config rules provide continuous monitoring for configuration drift, meeting both compliance and security needs.
EventBridge notifications can alert on certain events but are not intended for continuous drift detection, and template constraints are less suited than launch constraints to enforcing template selection.