nerdexam
Amazon

DVA-C02 · Question #398

A company uses an AWS CloudFormation template to deploy and manage its AWS infrastructure. The CloudFormation template creates Amazon VPC security groups and Amazon EC2 security groups. A manager find

The correct answer is B. Perform a drift detection operation on the CloudFormation stack.. Drift detection (Option B) is the purpose-built CloudFormation feature for identifying when deployed resources have been manually modified outside of CloudFormation - it compares the current live state of stack resources against the last known template-defined state, showing exac

Submitted by lukas.cz· Mar 5, 2026Deployment

Question

A company uses an AWS CloudFormation template to deploy and manage its AWS infrastructure. The CloudFormation template creates Amazon VPC security groups and Amazon EC2 security groups. A manager finds out that some engineers modified the security groups of a few EC2 instances for testing purposes. A developer needs to determine what modifications occurred. Which solution will meet this requirement?

Options

  • AAdd a Conditions section statement in the source YAML file of the template. Run the
  • BPerform a drift detection operation on the CloudFormation stack.
  • CExecute a change set for the CloudFormation stack.
  • DUse Amazon Detective to detect the modifications.

How the community answered

(33 responses)
  • A
    15% (5)
  • B
    76% (25)
  • C
    6% (2)
  • D
    3% (1)

Explanation

Drift detection (Option B) is the purpose-built CloudFormation feature for identifying when deployed resources have been manually modified outside of CloudFormation - it compares the current live state of stack resources against the last known template-defined state, showing exactly what changed on which resources.

Why the distractors are wrong:

  • A is wrong because Conditions sections control whether resources are created/updated based on input parameters - they have nothing to do with detecting post-deployment changes.
  • C is wrong because a change set previews future infrastructure changes before you apply them; it does not inspect what already happened to existing resources.
  • D is wrong because Amazon Detective is a security service for investigating suspicious activity and threat patterns using graph analysis - it's not designed for CloudFormation configuration drift analysis.

Memory tip: Think of drift as "has someone gone off-script?" - CloudFormation drift detection is your "did anyone touch this?" audit tool. Whenever an exam question involves detecting manual, out-of-band changes to CloudFormation-managed resources, the answer is almost always drift detection.

Topics

#CloudFormation#Drift Detection#Configuration Management#Infrastructure as Code (IaC)

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice