Call `aws cloudformation detect-stack-drift --stack-name <STACK_NAME>` to initiate an asynchronous drift detection operation; capture the returned `StackDriftDetectionId`.
Poll `aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id <ID>` until `DetectionStatus` returns `DETECTION_COMPLETE`.
Call `aws cloudformation describe-stack-resource-drifts --stack-name <STACK_NAME> --stack-resource-drift-status-filters MODIFIED DELETED` to list drifted resources with their expected and actual property values.
For each drifted resource, decide whether to remediate by updating the CloudFormation template to match the actual state (accepting the drift) or by re-deploying the stack to restore the expected state.
Only resource types that support drift detection report results; check the CloudFormation docs for the list of supported resource types before relying on drift detection for a specific service.
Automate drift detection on a schedule using an EventBridge Scheduler schedule (or a scheduled EventBridge rule) that invokes a Lambda function running the `DetectStackDrift` API call.
Known gotchas
Only one drift detection operation can run on a given stack at a time; concurrent calls return an `OperationInProgressException`.
Drift detection does not check nested stacks automatically; `DetectStackDrift` must be called separately on each nested stack.
Resources manually deleted outside CloudFormation appear with drift status `DELETED`, but CloudFormation cannot automatically recreate them; a stack update must be used to reconcile them.
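The detect / poll / list / triage workflow from the steps above, together with the `DELETED` gotcha, as an added example that is not part of the original page. It assumes `cfn` is a boto3 CloudFormation client (`boto3.client("cloudformation")`) exposing the real methods `detect_stack_drift`, `describe_stack_drift_detection_status` and `describe_stack_resource_drifts`; the `FakeCloudFormation` class is a constructed stand-in with the same method names and response shapes so the workflow runs offline, and its stack, resource names and property values are constructed.

```python
"""Run CloudFormation drift detection end to end and triage the result.

Assumes a boto3 CloudFormation client; FakeCloudFormation below is a constructed
stand-in so the module runs offline without AWS credentials.
"""
import time

TERMINAL_STATES = {"DETECTION_COMPLETE", "DETECTION_FAILED"}


def run_drift_detection(cfn, stack_name, poll_interval=5.0, max_polls=120):
    """Start an asynchronous drift detection and poll until it reaches a terminal state."""
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    for _ in range(max_polls):
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] in TERMINAL_STATES:
            return status
        time.sleep(poll_interval)
    raise TimeoutError(f"drift detection {detection_id} did not finish in time")


def list_drifted_resources(cfn, stack_name):
    """Page through describe_stack_resource_drifts for MODIFIED and DELETED resources."""
    kwargs = {"StackName": stack_name,
              "StackResourceDriftStatusFilters": ["MODIFIED", "DELETED"]}
    drifts = []
    while True:
        resp = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(resp["StackResourceDrifts"])
        token = resp.get("NextToken")
        if not token:
            return drifts
        kwargs["NextToken"] = token  # continue with the next page


def triage(drifts):
    """Map each drifted resource to a finding carrying its remediation path.

    DELETED resources cannot be recreated by drift detection; only a stack update
    reconciles them. MODIFIED resources carry per-property differences that must
    be reviewed before choosing to re-deploy or to accept the change.
    """
    findings = []
    for d in drifts:
        finding = {"logical_id": d["LogicalResourceId"],
                   "type": d["ResourceType"],
                   "status": d["StackResourceDriftStatus"]}
        if d["StackResourceDriftStatus"] == "DELETED":
            finding["action"] = "stack-update"
            finding["differences"] = []
        else:
            finding["action"] = "review"
            finding["differences"] = [
                (p["PropertyPath"], p["DifferenceType"], p.get("ExpectedValue"), p.get("ActualValue"))
                for p in d.get("PropertyDifferences", [])]
        findings.append(finding)
    return findings


def audit_stack(cfn, stack_name, poll_interval=5.0):
    """Full workflow: detect, wait, list drifted resources, triage."""
    status = run_drift_detection(cfn, stack_name, poll_interval=poll_interval)
    if status["DetectionStatus"] != "DETECTION_COMPLETE":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    return triage(list_drifted_resources(cfn, stack_name))


class FakeCloudFormation:
    """Constructed stand-in for the boto3 CloudFormation client (offline only)."""

    def __init__(self):
        self.polls = 0

    def detect_stack_drift(self, StackName):
        return {"StackDriftDetectionId": "constructed-detection-id"}

    def describe_stack_drift_detection_status(self, StackDriftDetectionId):
        self.polls += 1  # first poll is still in progress, second poll is complete
        state = "DETECTION_IN_PROGRESS" if self.polls < 2 else "DETECTION_COMPLETE"
        return {"StackDriftDetectionId": StackDriftDetectionId, "DetectionStatus": state,
                "StackDriftStatus": "DRIFTED", "DriftedStackResourceCount": 2}

    def describe_stack_resource_drifts(self, StackName, StackResourceDriftStatusFilters, NextToken=None):
        # Two pages: a security group whose ingress CIDR was widened by hand,
        # then a bucket deleted outside CloudFormation (constructed sample data).
        if NextToken is None:
            return {"StackResourceDrifts": [{
                        "LogicalResourceId": "AppSecurityGroup",
                        "ResourceType": "AWS::EC2::SecurityGroup",
                        "StackResourceDriftStatus": "MODIFIED",
                        "PropertyDifferences": [{
                            "PropertyPath": "/SecurityGroupIngress/0/CidrIp",
                            "ExpectedValue": "10.0.0.0/8",
                            "ActualValue": "0.0.0.0/0",
                            "DifferenceType": "NOT_EQUAL"}]}],
                    "NextToken": "page-2"}
        return {"StackResourceDrifts": [{
                    "LogicalResourceId": "AuditLogBucket",
                    "ResourceType": "AWS::S3::Bucket",
                    "StackResourceDriftStatus": "DELETED"}]}


if __name__ == "__main__":
    for finding in audit_stack(FakeCloudFormation(), "constructed-stack", poll_interval=0):
        print(finding)
```

With a real client, replace `FakeCloudFormation()` with `boto3.client("cloudformation")` and keep the default poll interval; the same three functions map directly onto the three CLI calls in the steps above, and the pagination loop matters because `describe_stack_resource_drifts` returns a `NextToken` on large stacks.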
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp