AWS CloudFormation drift detection is a powerful feature that allows addressing the situation when resources controlled and originally deployed using stack has been modified outside the CloudFormation (for example manually using AWS Console).
Drift can be detected on an entire stack or on a particular resource(s). This information can be used to provide necessary changes to bring the resource back into compliance, as appropriate.

The above feature can be triggered as a part of AWS Config Manager Rule which checks periodically stack(s) compliance.

IAM role including inline policy to be assumed by AWS Config.

AWS Config managed rule to detect CloudFormation drift in selected stacks (tagged by KEY/VALUE defined in parameters)

EventBridge Trigger used to trigger Lambda/SQS/SNS once CF drift is detected

1.Deploy the solution

Use scripts located in terraform or cloudformation to deploy solution in your environment.

2.Check AWS Config Rule

Using AWS Config Console confirm if the rule has been created successfully.

3.Deploy test CloudFormation stack

Using following code deploy example CloudFormation stack.

Resources:
    RadkowskiTestPolicy:
        Type: "AWS::IAM::ManagedPolicy"
        Properties:
            ManagedPolicyName: "RadkowskiDriftTest"
            PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  -
                    Sid: "EC2FullAccess"
                    Effect: "Allow"
                    Action: "ec2:*"
                    Resource: "*"

4.Check test CloudFormation stack

Confirm if the stack has been deployed successfully and drift status is displayed as NOT_CHECKED.

5.Check test CloudFormation stack tags

As AWS Config rule will monitor the only stack with proper tags, confirm if test stack has been configured properly.

6.Re-evaluate AWS Config rule

Using AWS Config Console, re-evaluate the rule. Please bear in mind that rule will be re-evaluated every 60 mins or on-demand using AWS Console.

7.Check Compliance

As there were no manual changes in resources created by stack, iAWS Config should classify it as Compliant.

8.Check Drift Status

Come back to CloudFormation Console. Confirm, if drift status for previously created stack is IN_SYNC.

9.Manually update resource 

Using IAM Console, enter manual change in Policy created by test stack.

10.Re-evaluate AWS Config rule, again 

Re-evaluate AWS Config rule, again. This time, resource should be marked as Noncompliant.

11.Check stack drift status, again 

Using CloudFormation Console, check stack drift status. It should changed to DRIFTED.

12.Display change details using Timeline 

To get more details about changes, use Timeline feature from AWS Config Console.

13.Display change details using drift status #1

CloudFormation Console can provide extra detailed information about drift. It can be selected using view drift results.

14.Display change details using drift status #2

Differences can be tracked directly using Expected vs Actual views.