What is a CloudFormation change set and a drift detection?
AWS · Advanced level
Answer
A CloudFormation change set previews stack changes before execution. Drift detection compares live resource configuration with the stack's expected configuration to find manual or external changes.
Technical explanation
A change set is a preventive control applied before deployment; drift detection is a detective control applied after deployment.
Infrastructure as code should use reviewable plans/change sets, reusable modules, policy checks, drift detection, and controlled rollout pipelines.
Architecture reviews should produce prioritized risk remediation with owners and dates, not just high-level best-practice statements.
State, stack outputs, secrets, and deployment permissions must be secured because IaC pipelines often have powerful privileges.
Hands-on example
1. Model the resource or architecture through CloudFormation or Terraform rather than console changes.
2. Review the plan/change set for replacements, deletes, security exposure, and cost-impacting changes.
3. Apply in non-production, run validation tests, then promote through approval to production.
4. Run drift detection or state comparison afterward and remediate manual changes through code.
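The review in step 2 and the drift check in step 4 can be scripted rather than done by eye. The block below is an added example, not code from the original page: it takes the JSON that `aws cloudformation describe-change-set` and `aws cloudformation describe-stack-resource-drifts` return, flags replacements, deletions and changes to security-sensitive resource types in the change set, and lists every drifted resource with its expected-versus-actual property values. Both JSON documents are constructed samples, and the list of "security-sensitive" resource-type prefixes is an assumption a team would tune to its own environment.

```python
import json

# Constructed sample of describe-change-set output (fields as returned by the
# CloudFormation API; values invented for this example).
SAMPLE_CHANGE_SET = json.loads("""
{
  "ChangeSetName": "release-42", "Status": "CREATE_COMPLETE",
  "Changes": [
    {"Type": "Resource", "ResourceChange": {"Action": "Modify", "LogicalResourceId": "AppDatabase",
      "ResourceType": "AWS::RDS::DBInstance", "Replacement": "True", "Scope": ["Properties"]}},
    {"Type": "Resource", "ResourceChange": {"Action": "Remove", "LogicalResourceId": "LegacyBucket",
      "ResourceType": "AWS::S3::Bucket"}},
    {"Type": "Resource", "ResourceChange": {"Action": "Modify", "LogicalResourceId": "DeployRole",
      "ResourceType": "AWS::IAM::Role", "Replacement": "False", "Scope": ["Properties"]}},
    {"Type": "Resource", "ResourceChange": {"Action": "Modify", "LogicalResourceId": "WebServer",
      "ResourceType": "AWS::EC2::Instance", "Replacement": "False", "Scope": ["Tags"]}},
    {"Type": "Resource", "ResourceChange": {"Action": "Add", "LogicalResourceId": "AppLogs",
      "ResourceType": "AWS::Logs::LogGroup"}}
  ]
}
""")

# Constructed sample of describe-stack-resource-drifts output.
SAMPLE_DRIFT = json.loads("""
{
  "StackResourceDrifts": [
    {"LogicalResourceId": "WebSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/SecurityGroupIngress/0/CidrIp",
       "ExpectedValue": "10.0.0.0/16", "ActualValue": "0.0.0.0/0", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "LogRole", "ResourceType": "AWS::IAM::Role",
     "StackResourceDriftStatus": "DELETED"},
    {"LogicalResourceId": "AppLogs", "ResourceType": "AWS::Logs::LogGroup",
     "StackResourceDriftStatus": "IN_SYNC"}
  ]
}
""")

# Assumption: resource types whose changes always need a security reviewer's eyes.
SECURITY_SENSITIVE_PREFIXES = ("AWS::IAM::", "AWS::EC2::SecurityGroup", "AWS::S3::BucketPolicy", "AWS::KMS::")


def review_change_set(change_set):
    """Return a list of findings for changes that need explicit approval."""
    findings = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange")
        if not rc:  # e.g. output-only changes carry no ResourceChange
            continue
        rid, rtype, action = rc["LogicalResourceId"], rc["ResourceType"], rc["Action"]
        if action == "Remove":
            findings.append({"resource": rid, "kind": "DELETE", "type": rtype})
        # Replacement may be "True", "False" or "Conditional"; treat Conditional as a replacement.
        if action == "Modify" and rc.get("Replacement") in ("True", "Conditional"):
            findings.append({"resource": rid, "kind": "REPLACEMENT", "type": rtype})
        if rtype.startswith(SECURITY_SENSITIVE_PREFIXES):
            findings.append({"resource": rid, "kind": "SECURITY_SENSITIVE", "type": rtype, "action": action})
    return findings


def should_block_execution(findings):
    """Block execute-change-set until a human approves destructive changes."""
    return any(f["kind"] in ("DELETE", "REPLACEMENT") for f in findings)


def summarize_drift(drift_report):
    """Map each drifted logical resource to (status, list of property differences)."""
    drifted = {}
    for d in drift_report.get("StackResourceDrifts", []):
        status = d["StackResourceDriftStatus"]
        if status == "IN_SYNC":
            continue
        diffs = [f"{p['PropertyPath']}: expected {p['ExpectedValue']!r}, actual {p['ActualValue']!r}"
                 f" ({p['DifferenceType']})" for p in d.get("PropertyDifferences", [])]
        drifted[d["LogicalResourceId"]] = (status, diffs)
    return drifted


if __name__ == "__main__":
    for f in review_change_set(SAMPLE_CHANGE_SET):
        print("change set:", f)
    print("block execution:", should_block_execution(review_change_set(SAMPLE_CHANGE_SET)))
    for rid, (status, diffs) in summarize_drift(SAMPLE_DRIFT).items():
        print(f"drift: {rid} is {status}", *diffs, sep="\n  ")
```

In a pipeline the two halves sit at different stages: `review_change_set` gates `execute-change-set` behind an approval when it reports a deletion or replacement, and `summarize_drift` runs on a schedule after deployment so that a widened security-group CIDR or a deleted role is surfaced and then corrected by updating the template, not by another console edit.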