AWS Certified Developer – Associate (DVA-C02) — Question 405

A company uses an AWS CloudFormation template to deploy and manage its AWS infrastructure. The CloudFormation template creates Amazon VPC security groups and Amazon EC2 security groups.

A manager finds out that some engineers modified the security groups of a few EC2 instances for testing purposes. A developer needs to determine what modifications occurred.

Which solution will meet this requirement?

Answer options

Correct answer: B

Explanation

AWS CloudFormation drift detection is specifically designed to identify stack resources that have been modified outside of CloudFormation management, allowing developers to see the exact differences between the template and the actual state. Creating a change set is used to preview proposed changes before applying them to a stack, which does not show manual out-of-band modifications. Amazon Detective and CloudFormation Conditions do not provide a mechanism to compare current resource states against their original CloudFormation templates.
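As an added illustration of the drift-detection workflow the explanation refers to (this is example code written for this page, not part of the exam question or of any AWS documentation), the block below documents the three AWS CLI calls involved and then parses a constructed sample shaped like the output of `describe-stack-resource-drifts`, reporting which security groups were modified or deleted and what changed. The stack name, resource ids and rule values are placeholders; `SAMPLE_DRIFT_OUTPUT` is constructed inline so the script runs offline, and the helper names (`parse_drifts`, `security_group_drifts`, `widened_to_internet`, `report`) are this example's own.

```python
"""Summarise CloudFormation drift results for security groups.

Added example, not from the exam page or AWS. The workflow the explanation
describes, run from the AWS CLI (stack name and id are placeholders):

  aws cloudformation detect-stack-drift --stack-name <stack-name>
  aws cloudformation describe-stack-drift-detection-status \
      --stack-drift-detection-id <id-returned-by-detect-stack-drift>
  aws cloudformation describe-stack-resource-drifts --stack-name <stack-name> \
      --stack-resource-drift-status-filters MODIFIED DELETED

The JSON below is a constructed sample shaped like the third command's output
(ExpectedProperties/ActualProperties and Timestamp fields omitted for brevity).
"""
import json
from typing import Any

SECURITY_GROUP_TYPES = {
    "AWS::EC2::SecurityGroup",
    "AWS::EC2::SecurityGroupIngress",
    "AWS::EC2::SecurityGroupEgress",
}

# Constructed sample: one group edited out of band (a CIDR widened and an SSH
# rule added), one group deleted, one instance modified, one group in sync.
SAMPLE_DRIFT_OUTPUT = json.dumps({
    "StackResourceDrifts": [
        {
            "LogicalResourceId": "WebServerSecurityGroup",
            "PhysicalResourceId": "sg-0placeholder1",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "StackResourceDriftStatus": "MODIFIED",
            "PropertyDifferences": [
                {"PropertyPath": "/SecurityGroupIngress/0/CidrIp",
                 "ExpectedValue": "10.0.0.0/16", "ActualValue": "0.0.0.0/0",
                 "DifferenceType": "NOT_EQUAL"},
                {"PropertyPath": "/SecurityGroupIngress/1",
                 "ActualValue": '{"CidrIp":"0.0.0.0/0","FromPort":22,"IpProtocol":"tcp","ToPort":22}',
                 "DifferenceType": "ADD"},
            ],
        },
        {
            "LogicalResourceId": "TestSecurityGroup",
            "PhysicalResourceId": "sg-0placeholder2",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "StackResourceDriftStatus": "DELETED",
            "PropertyDifferences": [],
        },
        {
            "LogicalResourceId": "AppInstance",
            "PhysicalResourceId": "i-0placeholder3",
            "ResourceType": "AWS::EC2::Instance",
            "StackResourceDriftStatus": "MODIFIED",
            "PropertyDifferences": [
                {"PropertyPath": "/InstanceType", "ExpectedValue": "t3.micro",
                 "ActualValue": "t3.large", "DifferenceType": "NOT_EQUAL"},
            ],
        },
        {
            "LogicalResourceId": "DatabaseSecurityGroup",
            "PhysicalResourceId": "sg-0placeholder4",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "StackResourceDriftStatus": "IN_SYNC",
            "PropertyDifferences": [],
        },
    ]
})


def parse_drifts(raw_json: str) -> list[dict[str, Any]]:
    """Return one record per resource whose drift status is not IN_SYNC."""
    findings = []
    for drift in json.loads(raw_json).get("StackResourceDrifts", []):
        status = drift.get("StackResourceDriftStatus")
        if status == "IN_SYNC":
            continue
        # ADD differences carry no ExpectedValue and REMOVE ones no ActualValue.
        diffs = [{"path": d["PropertyPath"], "type": d["DifferenceType"],
                  "expected": d.get("ExpectedValue"), "actual": d.get("ActualValue")}
                 for d in drift.get("PropertyDifferences", [])]
        findings.append({"logical_id": drift["LogicalResourceId"],
                         "physical_id": drift.get("PhysicalResourceId"),
                         "resource_type": drift["ResourceType"],
                         "status": status, "differences": diffs})
    return findings


def security_group_drifts(raw_json: str) -> list[dict[str, Any]]:
    """Keep only drifted resources that are security groups or their rules."""
    return [f for f in parse_drifts(raw_json) if f["resource_type"] in SECURITY_GROUP_TYPES]


def widened_to_internet(finding: dict[str, Any]) -> bool:
    """True when a changed or added ingress property now references 0.0.0.0/0 or ::/0."""
    return any("SecurityGroupIngress" in d["path"]
               and any(cidr in (d["actual"] or "") for cidr in ("0.0.0.0/0", "::/0"))
               for d in finding["differences"])


def report(raw_json: str) -> str:
    """Human-readable summary of security-group drift, one resource per block."""
    lines = []
    for f in security_group_drifts(raw_json):
        flag = "  [ingress now open to the internet]" if widened_to_internet(f) else ""
        lines.append(f"{f['logical_id']} ({f['physical_id']}): {f['status']}{flag}")
        for d in f["differences"]:
            lines.append(f"    {d['type']:<9} {d['path']}: {d['expected']!r} -> {d['actual']!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DRIFT_OUTPUT))
```

Run against live output, the script would take the JSON printed by `describe-stack-resource-drifts` on stdin or from a file in place of the constructed sample; the `DELETED` status is worth keeping in the filter because a group removed outside CloudFormation shows no property differences at all, only the status.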