AWS CloudFormation and manual changes

CloudFormation only creates or modifies AWS resources during deployment, update, or deletion of a stack. It does not continually 'check and enforce' individual stack resources' configuration states - drift can definitely occur.

As an example, if I deploy a CF Stack and then later manually modify an Inbound Rule on one of its Security Groups, this modification will persist until I run an explicit CF Update or redeploy the stack.

Here are some helpful snippets / links:

Q: Can I manage individual AWS resources that are part of an AWS CloudFormation stack?

Yes. AWS CloudFormation does not get in the way; you retain full control of all elements of your infrastructure. You can continue using all your existing AWS and third-party tools to manage your AWS resources.

AWS CloudFormation Stacks Updates: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html

Prevent Updates to Stack Resources: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html

Please note the last link is only referring to protecting resources during a CloudFormation Update action, not ad-hoc changes made via the Management Console or API to individual resources.
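CloudFormation's drift detection APIs (DetectStackDrift, DescribeStackDriftDetectionStatus and DescribeStackResourceDrifts) report exactly the situation described above, such as an inbound rule added by hand to a stack-managed security group. The script below is an added example, not code from the answer or from AWS: `run_drift_detection()` assumes boto3 and credentials for those three calls, while `summarise_drifts()` is a pure helper over the API's result shape and runs offline against the constructed sample at the bottom.

```python
import time

OUT_OF_SYNC = {"MODIFIED", "DELETED"}  # live config no longer matches the template


def summarise_drifts(drifts):
    """Pure helper over the DescribeStackResourceDrifts result shape: returns
    (logical_id, type, status, [(path, expected, actual, kind), ...]) per drifted resource."""
    findings = []
    for d in drifts:
        if d.get("StackResourceDriftStatus") not in OUT_OF_SYNC:
            continue
        diffs = [(p["PropertyPath"], p.get("ExpectedValue"), p.get("ActualValue"),
                  p["DifferenceType"]) for p in d.get("PropertyDifferences", [])]
        findings.append((d["LogicalResourceId"], d["ResourceType"],
                         d["StackResourceDriftStatus"], diffs))
    return findings


def run_drift_detection(stack_name, timeout=300):
    """Start drift detection on a live stack, wait for it, and summarise the result.
    Needs boto3 plus credentials allowed to call the three CloudFormation APIs below."""
    import boto3  # imported here so summarise_drifts() works offline without boto3
    cfn = boto3.client("cloudformation")
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    deadline = time.time() + timeout
    while True:
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            break
        if time.time() > deadline:
            raise TimeoutError("drift detection still running after %ss" % timeout)
        time.sleep(5)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    drifts, kwargs = [], {"StackName": stack_name}
    while True:  # results are paginated with NextToken
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(page["StackResourceDrifts"])
        if "NextToken" not in page:
            return summarise_drifts(drifts)
        kwargs["NextToken"] = page["NextToken"]


SAMPLE_DRIFTS = [  # constructed: a hand-added SSH rule on a managed security group, plus an untouched bucket
    {"LogicalResourceId": "WebSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [{
         "PropertyPath": "/SecurityGroupIngress/1", "DifferenceType": "ADD",
         "ActualValue": '{"CidrIp":"0.0.0.0/0","FromPort":22,"IpProtocol":"tcp","ToPort":22}'}]},
    {"LogicalResourceId": "AppBucket", "ResourceType": "AWS::S3::Bucket",
     "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
]
```

Running `summarise_drifts(SAMPLE_DRIFTS)` flags only the security group, with the added ingress rule as an `ADD` difference; the bucket is reported `IN_SYNC` and dropped. Detection only reports drift, so the remediation is still a stack update as the answer says.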


If you mess with resources that CloudFormation deploys, the resources won't be recovered/restored/put into compliance; if you really need to enforce integrity you will need to redeploy the stack.